Partner Philip Thomas and associate Voirrey Davies discuss the importance of cybersecurity in shipping. Some of the topics include the risks, examples of cyberattacks and tips on how to prevent them.

----more----

Transcript:

Intro: Trading Straits brings legal and business insights at the intersection of the shipping and energy sectors. This podcast series offers trends, developments, challenges and topics of interest from Reed Smith litigation, regulatory and finance lawyers across our network of global offices. If you have any questions about the topics discussed on this podcast, please do contact our speakers.

Voirrey: Welcome back to Trading Straits. My name is Voirrey Davies and I'm an associate in the transportation group based in our London office. I'm joined today by Philip Thomas, who's a partner in our emerging technologies team, also based in London. And we're going to be talking to you today about shipping and cybersecurity, with the key question being, what do I need to know? So Philip, I think we should kick it off with the main part of the podcast, which is what is cybersecurity?

Philip: So I think of cybersecurity as being how people, organizations, and even governments protect themselves against cyber attacks, and also how they mitigate the impact of those attacks occurring. To me, cybersecurity is distinct from cyber risk. When I think about cyber risk, I think about the risk of adverse consequences flowing from a cyber breach, so financial loss, business disruption, and so forth. And it's also distinct from data breach. We often find people using cyber breach and data breach interchangeably. A data breach typically has the theft or acquisition of data as its main focus, whereas a cyber breach is broader and may involve the data breach, but may not have data as the main focus. So you're aware of cyber incidents in the shipping sector, do you have any examples of what those cyber incidents look like and any recent examples to share

Voirrey: Yeah absolutely. I mean as you said there's a quite big difference really between the data breach and then some sort of cyber attack that has happened. Back in 2017 there was a widely publicized cyber attack on Maersk, which essentially paralyzed their global network. And that was a ransomware attack. So these are things that are happening. And more recently, we've been seeing a lot of GPS spoofing. This is nothing new, but there's definitely been an uptick in those kind of matters, particularly from hostile states. It has a really big impact on the actual navigation system of the vessels that are out at sea. Not only are we seeing things to do with assets at sea, we're also seeing attacks on infrastructure in ports. The advent of kind of these really clever crane systems in container ports means that they are quite susceptible to any type of cyber attack that could render them unable to operate. And, you know, thinking of it on a kind of a wider basis. If you don't take your cyber security seriously in the shipping industry, then you can be very exposed. The impact of a cyber attack in shipping can be much more serious than in other sectors, because it can impact the safety and the seaworthiness of vessels, which essentially could mean life or death situations or significant damage to the asset, to the environment, to the cargo on board. Where we've seen with GPS spoofing, vessels can be led into hostile territory and potentially seized which is you know an absolute nightmare for everybody involved in that sort of situation. With this advent of real-time data to vessels directly into the navigation systems it's yet another access route for you know a hostile entity to try and kind of get into the cyber system of those vessels and as you know some of the examples I've just discussed there, organizations can be held to ransom. Ransomware is called that for that very reason. And unless you pay up, you can't get control of your systems or your vessels. And sometimes even if you do pay up, you don't get the assets back to you. And you've mentioned earlier that it can be very expensive, these kind of mistakes, Philip. So what can companies do to try and prevent these attacks?

Philip: I think there's a lot companies can do. The starting point, I think, is to get ahead of the technological risk. And by that, I mean being proactive about using the latest technology to safeguard against attacks and also ensuring that your personnel are appropriately trained in the use of that technology. One of the major weaknesses, I guess, from a cybersecurity risk perspective, is your people, because cybercriminals will often target people in these attacks, perceiving them to be a vulnerability within an organization. And so much of what we read about the cybersecurity attacks are really the product of somebody inadvertently clicking on a link or opening an attachment that they weren't expecting or not taking care. It's far more rare for these incidents to be as a result of an employee doing something willful or intentional. But it only takes one inadvertent mistake for systems to become paralyzed. You may remember recently we had the CrowdStrike incident where IT systems were unavailable for a day. And many people immediately assumed that that was as a result of a cyber attack. In the event it wasn't but that that is the kind of impact a cyber breach can cause which means that you're locked out of your system for a day and as you mentioned in the shipping context it can be very serious, it can cost an awful lot to remedy if you think about supply chains for example. It can impact not only your organization but a lot of linked organizations who are reliant on you. So it is serious and it needs to be taken seriously. And so to answer your question, how best to protect against it, it's really a combination of technological security measures, staff training, awareness programs, maybe even dummy runs. We've seen many organizations run test cyber breaches to see how they would respond in practice. And also having policies in place to make sure that your staff your contractors, your visitors, are all rowing in the same direction and taking a consistent approach to your security.

Voirrey: Yeah it's interesting actually what you say there about kind of dummy runs because actually something that from my time at sea we used to do what were called “tabletop exercises” where you would kind of pretend that there was some sort of major disaster that had happened and you would be liaising with the head office and the emergency response team shore side and kind of practicing what you would do. So is that the kind of thing that you think companies could be doing with regards to cyber attacks as well?

Philip: I think it's very useful to do that because one of the issues with a cyber attack is that it happens suddenly and you have to make decisions urgently and under pressure and I guess a dummy run is one way to test how you would respond under pressure. The other point to say is that there's a spectrum of reasonable decisions you could take in that scenario and many people would make different decisions but you're not really going to know until you're under some pressure and it's a safe environment to do so because it isn't of course, a real world attack, but it runs you through your responses and also tests your knowledge of the organization's processes and protocols.

Voirrey: Yeah, I think really the kind of key issue is training and personnel. And, you know, I know that I used to go off to training centers and do week-long courses on environmental aspects, on ship handling, you know, those kind of things. and where cybersecurity is relatively new, particularly as far as the shipping industry is concerned, you know, the shipping industry traditionally has always been quite slow to react to new things that come out. You know, for example, you know, it took the Titanic before we got SOLAS and other kind of major disasters for key legislation. And that kind of ties in, I think, with this need to kind of get ahead of the game, which you mentioned earlier, and get those kind of training plans out in place. An incident that I know about personally with regards to a cyber breach or attack was definitely going back to what you said about the carelessness over malevolence. So when I was at sea, I heard a story which was about an officer who had, taken a USB stick from the ship to an internet cafe. Now this USB stick was what was being used to provide the updates for the electronic charts on board. So what would usually happen is you plug your USB stick into the bridge computer, you would download the updates from the internet through a specific site and then you would plug the USB stick into your ECDIS, hit update and hope it all went well. Sometimes you had to do that a couple of times, but, you know, generally you would get there. And what he had done is he had taken the ECDIS USB stick, and he'd gone ashore to an internet cafe, where he plugged it in, because he was downloading documents, photographs, you know, whatever he was doing. And he then came back on the ship, and proceeded to use the USB stick to do the next ECDIS update. What he didn't know was that he had not only downloaded the photos and the documents that he had intended to, but he'd also downloaded a computer virus. What then happened was, of course, he uploaded the computer virus not only onto the bridge computer, but also into the ECDIS. And that meant that the entire ECDIS navigation system crashed, couldn't be used. That meant the ship couldn't sail anywhere because it didn't have any navigational charts and that rendered the ship unseaworthy and the vessel was then significantly delayed whilst they then had to try and fix it and you know that just goes to show that people can really be