The shipping industry is increasingly at risk from cybersecurity attacks, and a gap in insurance policies is leaving it vulnerable.
Cybersecurity has come into focus across the economy, as hackers become more capable. Meanwhile, ships are more reliant on a range of electronic devices to operate.
“This includes software to run the engines, complex cargo management systems, automatic identification systems (AIS), global positioning systems (GPS) and electronic chart displays and information systems (ECDIS),” explained Matthew Montgomery of Holman Fenwick Willan.
“The added incentive for a hacker is that the shipping industry involves high value assets and the movement of valuable cargo on a daily basis.”
Jamming or disrupting GPS systems creates significant problems. For example, in April last year, South Korea said that around 280 vessels had to return to port after experiencing problems with their navigation systems, and claimed North Korea was behind the disruption.
Professor David Last, strategic advisor to the U.K.’s General Lighthouse Authorities, which provide navigation aids for ships, recently ran a series of trials to examine the effect of GPS jamming on shipping. In one trial, a jammer was operated from a lighthouse and aimed at ships.
“The effect was profound. It strongly affected GPS receivers on ships out to sea to the horizon at about 30km,” he told CNBC during a phone call.
“Some GPS receivers simply died. They wouldn’t provide any information. But interestingly other ships’ GPS receivers lied. That is to say they gave false positions. So we had ships that were actually in the sea that appeared to be travelling over land.”
A second series of trials placed a jammer on a ship, which caused multiple systems to fail, including navigation systems, emergency systems, the clocks and the automatic identification system, which transmits a ship’s location to other nearby ships so they appear on radar.
“We had ships that were in wrong positions and ships that suddenly began to move very gently without anybody realizing it,” explained Last.
Losing these systems can become a big problem when visibility is an issue and on busy shipping routes such as the English Channel.
“When the weather is bad, when fog is down the visibility is low, they (the ships) depend entirely on GPS for their navigation,” he said.
“If GPS goes wrong, the potential for accidents is very high.”
Another cause for concern is that many shipping companies may be uninsured in the event of a cyber attack.
“Most insurance policies covering ships include a cyber attack exclusion clause which excludes cover for property damage and business interruption. This has left a potential exposure for shipowners,” said Montgomery.
According to Montgomery, the insurance market is responding to these gaps and starting to offer products which cover cybersecurity, but the shipping industry needs to identify which risks need to be insured and how to mitigate them.
“Some ship owners are now identifying the areas where they are exposed to cyber risks, developing and testing written information security and incident response plans, and putting their incident response team through simulated exercises (with the assistance of external legal advisors) to see where the gaps are,” he said.
“Once a shipowner has implemented active cyber risk identification and mitigation processes, they are likely to be in the best possible position to transfer any remaining exposures through a cyber insurance policy.”