Partner Philip Thomas and associate Voirrey Davies discuss the importance of cybersecurity in shipping. Some of the topics include the risks, examples of cyberattacks and tips on how to prevent them.

----more----

Transcript:

Intro: Trading Straits brings legal and business insights at the intersection of the shipping and energy sectors. This podcast series offers trends, developments, challenges and topics of interest from Reed Smith litigation, regulatory and finance lawyers across our network of global offices. If you have any questions about the topics discussed on this podcast, please do contact our speakers.

Voirrey: Welcome back to Trading Straits. My name is Voirrey Davies and I'm an associate in the transportation group based in our London office. I'm joined today by Philip Thomas, who's a partner in our emerging technologies team, also based in London. And we're going to be talking to you today about shipping and cybersecurity, with the key question being, what do I need to know? So Philip, I think we should kick it off with the main part of the podcast, which is what is cybersecurity?

Philip: So I think of cybersecurity as being how people, organizations, and even governments protect themselves against cyber attacks, and also how they mitigate the impact of those attacks occurring. To me, cybersecurity is distinct from cyber risk. When I think about cyber risk, I think about the risk of adverse consequences flowing from a cyber breach, so financial loss, business disruption, and so forth. And it's also distinct from data breach. We often find people using cyber breach and data breach interchangeably. A data breach typically has the theft or acquisition of data as its main focus, whereas a cyber breach is broader and may involve the data breach, but may not have data as the main focus. So you're aware of cyber incidents in the shipping sector, do you have any examples of what those cyber incidents look like and any recent examples to share

Voirrey: Yeah absolutely. I mean as you said there's a quite big difference really between the data breach and then some sort of cyber attack that has happened. Back in 2017 there was a widely publicized cyber attack on Maersk, which essentially paralyzed their global network. And that was a ransomware attack. So these are things that are happening. And more recently, we've been seeing a lot of GPS spoofing. This is nothing new, but there's definitely been an uptick in those kind of matters, particularly from hostile states. It has a really big impact on the actual navigation system of the vessels that are out at sea. Not only are we seeing things to do with assets at sea, we're also seeing attacks on infrastructure in ports. The advent of kind of these really clever crane systems in container ports means that they are quite susceptible to any type of cyber attack that could render them unable to operate. And, you know, thinking of it on a kind of a wider basis. If you don't take your cyber security seriously in the shipping industry, then you can be very exposed. The impact of a cyber attack in shipping can be much more serious than in other sectors, because it can impact the safety and the seaworthiness of vessels, which essentially could mean life or death situations or significant damage to the asset, to the environment, to the cargo on board. Where we've seen with GPS spoofing, vessels can be led into hostile territory and potentially seized which is you know an absolute nightmare for everybody involved in that sort of situation. With this advent of real-time data to vessels directly into the navigation systems it's yet another access route for you know a hostile entity to try and kind of get into the cyber system of those vessels and as you know some of the examples I've just discussed there, organizations can be held to ransom. Ransomware is called that for that very reason. And unless you pay up, you can't get control of your systems or your vessels. And sometimes even if you do pay up, you don't get the assets back to you. And you've mentioned earlier that it can be very expensive, these kind of mistakes, Philip. So what can companies do to try and prevent these attacks?

Philip: I think there's a lot companies can do. The starting point, I think, is to get ahead of the technological risk. And by that, I mean being proactive about using the latest technology to safeguard against attacks and also ensuring that your personnel are appropriately trained in the use of that technology. One of the major weaknesses, I guess, from a cybersecurity risk perspective, is your people, because cybercriminals will often target people in these attacks, perceiving them to be a vulnerability within an organization. And so much of what we read about the cybersecurity attacks are really the product of somebody inadvertently clicking on a link or opening an attachment that they weren't expecting or not taking care. It's far more rare for these incidents to be as a result of an employee doing something willful or intentional. But it only takes one inadvertent mistake for systems to become paralyzed. You may remember recently we had the CrowdStrike incident where IT systems were unavailable for a day. And many people immediately assumed that that was as a result of a cyber attack. In the event it wasn't but that that is the kind of impact a cyber breach can cause which means that you're locked out of your system for a day and as you mentioned in the shipping context it can be very serious, it can cost an awful lot to remedy if you think about supply chains for example. It can impact not only your organization but a lot of linked organizations who are reliant on you. So it is serious and it needs to be taken seriously. And so to answer your question, how best to protect against it, it's really a combination of technological security measures, staff training, awareness programs, maybe even dummy runs. We've seen many organizations run test cyber breaches to see how they would respond in practice. And also having policies in place to make sure that your staff your contractors, your visitors, are all rowing in the same direction and taking a consistent approach to your security.

Voirrey: Yeah it's interesting actually what you say there about kind of dummy runs because actually something that from my time at sea we used to do what were called “tabletop exercises” where you would kind of pretend that there was some sort of major disaster that had happened and you would be liaising with the head office and the emergency response team shore side and kind of practicing what you would do. So is that the kind of thing that you think companies could be doing with regards to cyber attacks as well?

Philip: I think it's very useful to do that because one of the issues with a cyber attack is that it happens suddenly and you have to make decisions urgently and under pressure and I guess a dummy run is one way to test how you would respond under pressure. The other point to say is that there's a spectrum of reasonable decisions you could take in that scenario and many people would make different decisions but you're not really going to know until you're under some pressure and it's a safe environment to do so because it isn't of course, a real world attack, but it runs you through your responses and also tests your knowledge of the organization's processes and protocols.

Voirrey: Yeah, I think really the kind of key issue is training and personnel. And, you know, I know that I used to go off to training centers and do week-long courses on environmental aspects, on ship handling, you know, those kind of things. and where cybersecurity is relatively new, particularly as far as the shipping industry is concerned, you know, the shipping industry traditionally has always been quite slow to react to new things that come out. You know, for example, you know, it took the Titanic before we got SOLAS and other kind of major disasters for key legislation. And that kind of ties in, I think, with this need to kind of get ahead of the game, which you mentioned earlier, and get those kind of training plans out in place. An incident that I know about personally with regards to a cyber breach or attack was definitely going back to what you said about the carelessness over malevolence. So when I was at sea, I heard a story which was about an officer who had, taken a USB stick from the ship to an internet cafe. Now this USB stick was what was being used to provide the updates for the electronic charts on board. So what would usually happen is you plug your USB stick into the bridge computer, you would download the updates from the internet through a specific site and then you would plug the USB stick into your ECDIS, hit update and hope it all went well. Sometimes you had to do that a couple of times, but, you know, generally you would get there. And what he had done is he had taken the ECDIS USB stick, and he'd gone ashore to an internet cafe, where he plugged it in, because he was downloading documents, photographs, you know, whatever he was doing. And he then came back on the ship, and proceeded to use the USB stick to do the next ECDIS update. What he didn't know was that he had not only downloaded the photos and the documents that he had intended to, but he'd also downloaded a computer virus. What then happened was, of course, he uploaded the computer virus not only onto the bridge computer, but also into the ECDIS. And that meant that the entire ECDIS navigation system crashed, couldn't be used. That meant the ship couldn't sail anywhere because it didn't have any navigational charts and that rendered the ship unseaworthy and the vessel was then significantly delayed whilst they then had to try and fix it and you know that just goes to show that people can really be the key to causing, but also preventing, these kind of attacks and after that the ECDIS USBs were often encrypted they also were specifically labeled for use on ECDIS only. I mean, it wasn't the only story I heard about that kind of thing happening. I think it was quite widespread around the industry. And nowadays, if I go on ships to do accident investigation, those USBs, they aren't going anywhere. They're almost padlocked onto the bridge. So it just goes to show something as simple as a USB can cause a significant impact on the ability of a vessel to sail. Have you got any kind of thoughts on the type of training that could be developed for that, Philip?

Philip: Yes, I mean, I think just picking up on what you said, I think the key really is to make sure that the training is tailored to your particular risk. And because there are risks that are unique to organizations that work within the shipping sector, it makes more sense to scenario plan and prepare for instances that are likely to impact your organization. I mean, the example you gave would be a great way to test how an organization responds. But I think rather than going for something generic, you want something that resembles what could realistically happen to your organization so that if it does happen, you're prepared.

Voirrey: Yeah, I think preparation and prevention in this case is definitely better than the cure. You know, thinking about that, the Maersk incident that we mentioned earlier, you know that affected the entire supply chain around Maersk and it's estimated to have cost the supply chain around 10 billion dollars with around 300 million of those dollars being solely for Maersk and you know that is a pretty significant amount of cash which you know where you really want to avoid that from happening.

Philip: Definitely and if I can throw a statistic back at you, I read something in Cybercrime Magazine, which estimated that the global annual cost of cyber incidents could top 10.5 trillion U.S. dollars by 2025. And to put that in context, the article went on to say that if that was a major economy, it would be third in the world behind the U.S. and China.

Voirrey: That is a pretty epic stat.

Philip: I don't mean to be a topper, but I just thought I’d chip in.

Voirrey: Well I mean I think that,as far as values go, that is definitely something I can't top and i think definitely makes it even more important for people to make that initial investment in the training and preventative measures.

Philip: Exactly. This podcast is one of two. The next one we'll be doing will be to drill into more detail in terms of how to respond and how you can put yourself in the best position to protect and mitigate against cyber incidents.

Voirrey: I think that is going to be a very interesting podcast and I hope everybody decides to tune in for the next one. So, Philip, before we wrap up this session, any more thoughts from you, some key takeaways?

Philip: I think just to underline what you said about prevention being better than cure. I think it's easy to be glib about this because you think it'll happen to somebody else. And if you can get, you know, make it a core part of your risk management strategy, be proactive about it, make sure you get, you know, technological experts on board early and often to help you get your systems to protect against it and regular trainings. Those are my two takeaways.

Voirrey: Well thanks Philip, I think those takeaways are of utmost importance and you know definitely in summary what we are saying is prevention is better than cure. Thank you all very much for listening and we hope you tune in to our next podcast on Trading Straits.

Outro: Trading Straits is a Reed Smith production. Our producers are Ali McCardell and Shannon Ryan. For more information about Reed Smith’s Energy and Natural Resources or Transportation practices, please email tradingstraits@reedsmith.com. You can find our podcasts on podcast streaming platforms, reedsmith.com and our social media accounts at Reed Smith LLP.

Disclaimer: This podcast is provided for educational purposes. It does not constitute legal advice and is not intended to establish an attorney-client relationship, nor is it intended to suggest or establish standards of care applicable to particular lawyers in any given situation. Prior results do not guarantee a similar outcome. Any views, opinions, or comments made by any external guest speaker are not to be attributed to Reed Smith LLP or its individual lawyers.

All rights reserved.

Transcript is auto-generated.