Shipping must not underestimate physical risk posed by cyber-attack
THE London P&I Club says the physical risk to ships from
cyber-attack may not be
as well understood by shipowners as those threats posed to
traditional back-office functions such as accounting, payments and banking.
In
an article in the club’s latest StopLoss
Bulletin, Philip Roche, a partner
with Norton Rose Fulbright, notes that good cyber hygiene, up-to-date
firewalls, penetration testing and staff training are routinely deployed in the
shipping industry to counter the back-office threat. But he warns that the
physical risk to ships themselves is less well-understood by owners.
“Although it might be said that the risk is currently low”, says
Roche, “cyber-attacks potentially pose a serious risk to the overall
operability of a ship because of the increasing use of onboard IT, even where
there is no single network controlling numerous systems and where internet
connectivity is low. Examples of such technologies in common use are the
Automated Identification System (AIS), Electronic Chart Display &
Information System (ECDIS), Global Navigation Satellite System (GNSS) and
E-Navigation Systems (E-Nav).
“Although cyber-attacks can occur deliberately, it seems that
currently the risk is principally from the inadvertent introduction of viruses
and the like into key systems. For example, a crewman charging a mobile phone from
a USB port in the ECDIS system causing a virus to render the system entirely
inoperable. The ship’s maintenance and propulsion systems are exposed to the
same hacking/malware risks and the consequences of cyber-attacks might be
potentially severe if key systems are lost at crucial times.”
Roche
acknowledges that cyber-attacks causing physical damage are still thankfully
rare, not least because of the comparative invisibility of shipping to the
general public, and the existence of a number of far easier targets for cyber
criminals. But he warns that, because ships’ systems are centrally controlled, because
connectivity with the shore is continuous, and because maintenance and
diagnostics are increasingly carried out via USB ports in equipment, the risk
will only increase.
Roche
concludes, “It is time for shipping to consider these issues proactively. It is
a matter of applying tried and trusted risk assessment methodology. Consider
the risks, weigh the consequences and put proportionate steps in place to
reduce that risk. IT and cyber-attacks are outside most marine professionals’ experience,
and so help has to be sought from experienced IT consultants.”
Labels: AIS, cyber-attack, easy target, ECDIS, London P and I Club, maintenance and propulsion systems, ship operations, shore connectivity, threat, viruses
<< Home