Blog: Maritime Cyber Security
Maritime lawyers assemble!
Maritime cyber insurance has been playing catch-up with maritime cyber security for a while now. It was all pretty good until the availability of cheap VSAT meant that ships became constantly connected. Before that, vessels were mostly not connected at sea, other than Fleet Broadband connections, which were rarely used because of the prohibitive pricing.
As a result, maritime cyber regulation is also playing catch-up. Once upon a time IMO MSC 428(98) required ship owners and managers to assess cyber risk and implement measures. More recently MSC-FAL.1/Circ.3/Rev.2 covered guidance for cyber at sea, but it didn’t have the desired effect.
Now there is a game changer. The IACS (the International Association of Classification Societies) has stepped in with UR E26 and UR E27.
How has that game changed?
Classification societies (classes) ensure that a vessel is seaworthy, AKA being in class. If the vessel is not deemed seaworthy its insurance won’t be operative. No insurance means that your ship isn’t going anywhere.
Classes need to walk a narrow path. They’re paid by ship operators, yet their decisions might conflict with the decisions of those operators. It’s similar to the conflicts of interest that credit rating agencies navigate.
Regardless of that, the cyber regulations from IACS change the game. If a vessel isn’t cyber compliant with the new standard it will be out of class and, by definition, the vessel is not insured.
Lawyers assemble!
There’s a shortage of technical and maritime expertise for evaluating the cyber security of a vessel. There is an even greater shortage of expertise within the assessors at the various classification societies.
Assuring the security of a vessel is a complex process. Most class inspectors will be seasoned mariners who understand safety and systems. Upping their skill level to include cyber security is a huge leap.
Making a judgement that a vessel is or is not cyber secure enough to be seaworthy is a big deal. Who is going to tell the ship operator / manager that their ship can’t go to sea?
The sums of money at stake for not sailing are significant. Angry operators are likely to contest any cyber-related unseaworthy decision and pile in with lawyers. It would be a brave classification society and class inspector that would stand up to a robust test in court of their ability to assess cyber security, given their limited skillset.
It’s more likely that said operator would threaten to take their business to another classification society, putting the class in a difficult ethical position.
As a result, I believe that these new standards are likely to be extremely hard to enforce. The level of technical debt in shipping is significant, making the task of compliance with these new regulations even more difficult.
Delays
Implementation of IACS UR E26 and 27 applies only to new build vessels initially contracted for build from 1st Jan 2024. It turns out that this was overly optimistic for an industry already lumbered with technical debt.
It has been delayed by 6 months to 1st July, meaning that the first vessels that need to be compliant will be launched in early 2025. I suspect that implementation will be pushed back again as shipyards and owners start to appreciate the scale of the challenge.
We’ve been asked to test the security of new build vessels in the yard. Their security was not up to a standard that we would consider seaworthy. The problem was not the owner or designer of the vessel; it was generally the technology vendors not sufficiently understanding cyber security, or security controls being bypassed during installation in order to get systems working.
For example, we found back doors, undocumented remote access, legacy interfaces, default credentials, and random cellular modems.
There’s even a weird loophole – the deadline applies to vessels with their keel laid down after the effective date. Believe it or not, numerous keels have intentionally been laid down before the deadline and build slots using those keels come at a premium!
What’s causing the problem?
The quantity of technical debt in shipping is huge. Operators, owners, maritime technology vendors and more are having to get up to speed quickly. Mistakes are still being made.
Operators want the efficiency benefits of connected vessels, but the subsequent cost overhead of making their vessels secure is less attractive to them.
So far there haven’t been many significant cyber incidents in shipping. Reports of navigation computers (‘ECDIS’) being ransomwared pop up from time to time, but a targeted full vessel attack is rare. Probably the closest to this in the public domain was the attack against the Lady May superyacht on the Hudson River, probably by Chinese state actors. Interestingly the owner was indicted 12 times and was arrested for fraud.
Criminal groups have taken an interest in shipping. There are multiple potential sources of income from attacking vessels using cyber means:
Bunker fraud
Invoice fraud, but for the huge sums billed when refuelling a ship. Awareness of invoice fraud was limited in shipping for a long time, so shipping firms made for easy prey.
Container theft
Misdirecting and stealing containers full of high value commodities. See our “Stealing container ship cargo through LOC messaging” blog post.
Causing commodity price spikes
See our “Monetising hacking by shorting commodity shipments” blog post.
Holding an entire vessel to ransom via cyber attack
Fortunately we have yet to see this occur, but we’ve been in a position during client vessel tests where we could easily have prevented a vessel from moving, or the crew from controlling it.
Conclusion
The financial incentive to attack shipping is significant. It is important that owners, operators and managers address cyber security before regulation finally starts to bite.
It is imperative that your maritime technology suppliers make clear, contractually enforceable statements about the cyber security of the systems that they will be installing in your vessel.
We have carried out testing on shake-down trips for vessels, where it quickly became clear that the yard and/or installers had not followed the contracted network design. Commercial sailing was delayed, causing significant financial impacts.
Validate all installations to ensure they comply with the secure design that you specified. This can only be done with really experienced, maritime-skilled pen testers.
As an example of some of the weird and wonderful ways that security controls can be bypassed by technology installers: we tested a vessel with a new load computer. The connection between the user interface on the bridge and the server several decks below involved drilling 7 expensive deck penetrations. Instead, the technology installer discovered that the network access control (NAC) product in place on the vessel could be bypassed. This saved them the cost of the deck penetrations, but also exposed the load computer from every single Ethernet wall port on the vessel!