Shipping and cybersecurity (part 2): What happens when it all goes wrong?

Update: 2024-10-15
Description

In part 1 of the series, partner Philip Thomas and associate Voirrey Davies highlighted the importance of cybersecurity in shipping. In part 2, they share tips on how to handle a breach, and provide their thoughts on the future of autonomous shipping.


Transcript: 


Intro: Trading Straits brings legal and business insights at the intersection of the shipping and energy sectors. This podcast series offers trends, developments, challenges and topics of interest from Reed Smith litigation, regulatory and finance lawyers across our network of global offices. If you have any questions about the topics discussed on this podcast, please do contact our speakers.


Voirrey: Welcome back to Trading Straits. My name is Voirrey Davies and I am an associate in our transportation industry group based in our London office. I am joined once again today by Philip Thomas, partner in our emerging tech team, also based out of London. And this is our second podcast in our two-part series on shipping and cybersecurity. Just as a brief recap of our last podcast, we thought it would be helpful just to go over again the definition of what cybersecurity actually is in the context of what we're talking about. So cybersecurity is the steps taken by an organization, both with regards to people and technology, to prevent cyber attacks from occurring or to minimize their effect. And as we talked about in our last podcast, this differs from a data breach in various ways, which we won't go into again, but please feel free to listen to our podcast from last time if you want some more information on that. Our key takeaways from the last podcast were that it's just vital to be prepared ahead of time. You don't want to be dealing with a breach with nothing in place. People are often the weak link in any sector, not just within transportation but any industry area, and it's not because people seek to act maliciously, it's just because hostile parties tend to target people. So this is why training and robust policies for everybody in your team, which includes people working, as we would say, at the pointy end, so on the ships or driving the planes, is of utmost importance. And today what we're going to talk about is what happens when, despite all your best efforts, the most robust of policies, there has been a cyber attack and a corresponding cyber breach. I think really what the difficulty is, is trying to think about a cyber attack, because it can have just as big an impact as a physical casualty, like a fire or grounding, but it can be really difficult to envisage how it can actually affect a ship or a port infrastructure or shipping company.
I mean, Philip, I don't know about you, but I personally think it's quite difficult to imagine something intangible like a cyber attack.


Philip: Absolutely. So I think, I mean, cyber attacks can take very different shapes and forms. In a transportation context, they can have a significant disruptive effect. And as we mentioned on our last podcast, it can even, in some instances, be a matter of life or death, particularly where the attack involves challenges to the safety of personnel. I mean, in terms of real world consequences, there's a raft of things to take into account. First of all, there's the disruption that the incident occurs. There's a cost of remedying it. There's additional management time that could be taken up in trying to resolve it. You've got issues of reputational damage, potentially, because if you're seen to be an organization that suffers or at least is vulnerable to cyber attacks, that can impact your perception in the market. And it can also put you on the radar with regulators for all the wrong reasons. A recent example, although not a cyber attack specifically, was the CrowdStrike outage, which, as many of you will know, exposed the vulnerability of people's IT systems when you're reliant on a single service provider or a limited number of service providers. In that instance, the disruption came as a result of an update that wasn't carried out properly, but it has the same disruptive effect where systems went offline for most of a day. Airline flights were canceled, businesses were disrupted. And so that just gives a bit of a flavor of how bad it can be.


Voirrey: Yeah, I mean, I think the CrowdStrike incident was just, it was a really great example of how the world can just grind to a halt. You know, with one issue with one company, you know, it just really got it into the news. And I think, you know, whilst there was a lot of fears that it was a cyber attack, you know, to find out, it was probably a bit of a relief to find out really that it was just an update that had kind of gone wrong. And while you were talking there, I was kind of having to think about some more specific cyber attacks that I can think about was related to assets, so to ships or to planes. And there was a well-publicized incident just in March of this year, so only a few months ago. And there was a Royal Air Force plane carrying Grant Shapps, who was then the Defence Secretary of the UK, near Russia. And they experienced a GPS-related incident where the GPS of the plane was jammed, which affects the navigation system of the plane. So it was really quite dangerous to kind of find a plane in that kind of position, and you have to think about potential effects there on commercial airlines as well. And this ties in, you know, GPS spoofing and GPS jamming are not, I wouldn't say they were common instance in the shipping industry, but they have definitely been increasing in the amount of attacks that have been happening. And I think we briefly kind of spoke about this in the last episode, but, you know, there's a case that came to us, and obviously I'm not going to go into details about, you know, parties involved, but basically the GPS of our vessel, our client's vessel, had been spoofed, and that meant that the ship's AIS system, which essentially kind of shows where the vessel is and relies upon GPS to provide a position, actually showed that the ship was on land. In fact, I think it was in a car rental shop in the middle of the nearest city. And it resulted ultimately in a collision happening.
Now, anyone who's listening to this and knows anything about collision regulations knows very well that relying on AIS for collision avoidance is not acceptable. However, it was a contributory factor to this accident happening. And it was what we would describe in the industry as a “holey cheese” moment, where there had been lots of issues that had happened. It had gone through all the holes in the cheese and resulted in this collision. And so whilst this incorrect GPS position was not solely causative, it was a significant factor, and I'd say all of these examples together we've just been discussing show that a cyber attack has a very real world consequence. So, you know, what do you think?


Philip: I agree, I agree, and I think the way you should think about cyber breaches in a shipping context is to think about it like any other casualty. I mean, you'll know from your wet shipping work that casualty can involve a grounding, collision between vessels or container fire. And it has parallels to a cyber breach because you often have a sudden dramatic incident that is fast moving. Sometimes the fact pattern changes quickly. And in both instances, you need a responsive team to help you to identify and contain the incident as well as deal with a fallout. And so, you know, I think if organizations get to a situation where they treat cyber preparedness in the same way as they would casualty prevention, then I think you're on the right track.


Voirrey: Yeah, I think treating a cyber attack in the same way as any other casualty is just, it's the best way of looking at it, because it is a casualty, it's just, you know, wearing a different hat to the ones that we're used to. I know when I was at sea we did trainings all the time on how to respond to a fire. You did fire drills, you did lifeboat drills, man overboard, you know, all those kind of what we would call, I guess, a “standard” marine casualties situation. And, you know, now working here at Reed Smith, you know, I'm part of the casualty and admiralty team, and, you know, the best, most efficient way of dealing with a casualty is the person on the ship, which is usually the master, calls the correct person shoreside, which is normally the designated person ashore. And that person essentially activates a shoreside emergency room. All of their relevant people will come in to start dealing with this situation. But they also call their external people, and this is where, for example, we might get a call to go out and attend to a casualty. You know, we fly all around the world doing that kind of work. And it's not just shipping lawyers or casualty lawyers. You know, with a cyber breach you need to make sure not only have you got someone that understands shipping, but you've got someone that understands in great detail, you know, what to do with the different regulations around the world. Because, you know, my understanding, Philip, is fairly basic on this one, but different countries have different regulations and they all require different things that you need to do as regards to reporting. And I think having that expertise to hand is definitely the way to go. And I think, Philip, off the top of my head I can think of this NIS-2 directive that's been going around, but maybe you could expand a bit more on these kind of regulatory requirements.


Philip: Exactly. I mean, I think the first thing to say is that the cybersecurity regulatory landscape is very fragmented. So as you say, different laws apply in different jurisdictions, although there is some commonality in the EU, for example, and in the UK, when it comes to things like the NIS-2 directive, which will come into force fully in October of this year. You've got the Cr

Reed Smith