DCN AUGUST Edition 2019
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Cyber<br />
protection<br />
at port & sea<br />
Iain Sharples from Zurich Financial Services looks<br />
at the new wave of digital pirates and how transport<br />
companies can form their own lines of cyber defence<br />
Cyber insurance is a rapidly developing sector of the insurance<br />
market, fraught with a lack of historical data and examples that<br />
make it almost impossible to predict the nature and impact of<br />
attacks. It gets even more complex with marine and transport<br />
providers in a global network where attackers can have a greater<br />
impact in an extremely short period of time and can go undetected<br />
until the damage is done.<br />
DOUBLE-EDGED TECHNOLOGY<br />
Automation has definitely helped with the risk profiling,<br />
management and operations of businesses in the transport<br />
industry. Having fewer people onsite at container terminals is<br />
an obvious example – resulting in fewer bodily injury losses and<br />
private property damage to ships and cargo. This benefits the<br />
businesses themselves and their insurers.<br />
However, increased dependence on technology brings a new raft<br />
of risks. Every large piece of equipment (including ships, landbased<br />
equipment, trucks, trains and drones) depends to a greater<br />
or lesser degree on technology for its maintenance and operation,<br />
and a malfunction (whether by human error, a coding error or a<br />
malicious cyber attack) can have catastrophic effects.<br />
A SPECIFIC FOCUS ON SHIPS AND EQUIPMENT<br />
Automated cargo handling equipment and ships present an<br />
opportunity for cyber attackers to take over control remotely. The<br />
result could be significant damage to the equipment or ship, other<br />
assets as well as third party property and bodily injury.<br />
As marine insurers, there are a few obvious areas we look at to<br />
ensure a customer has adequate cyber protection for their port and<br />
terminal equipment. At a basic level this includes asking:<br />
• How is the equipment connected to other systems e.g. wired,<br />
wireless, over the web?<br />
• What is the approach to software patches and maintenance on<br />
equipment?<br />
• What is the security information and event management (SIEM)<br />
approach to specific pieces of technology to ensure incidents are<br />
tracked properly?<br />
If a company has a large piece of equipment that’s autonomous<br />
and web-based, whether it is a vessel or terminal equipment,<br />
it needs to have its own security and maintenance schedule to<br />
regularly test for vulnerabilities. It is important to be able to<br />
demonstrate that they’re monitoring when the system is accessed<br />
(and by whom) and that they have measures in place to protect<br />
against any possible cyber attack.<br />
VULNERABILITIES CAN BE TINY<br />
Even small transactions must be monitored. In 2013, cyber<br />
attackers used phishing and malware attacks to transport<br />
250 kilograms of cocaine through a delivery of bananas to a<br />
Rotterdam terminal. The hackers gained access to the system<br />
and redirected the cargo to their own location rather than the<br />
intended delivery address.<br />
There could be liabilities and exposure to penalties from<br />
authorities that attach to similar events. Companies will need to be<br />
able to demonstrate they have taken a reasonable approach to cyber<br />
security with adequate plans and processes in place.<br />
Polygraphus<br />
CYBER PROTECTION BASICS<br />
All marine and transport businesses should protect themselves<br />
from cyber attacks. Without it, they can stand to lose a great deal<br />
financially if they fall victim to an attack and it can take years to<br />
recover from reputational damage or other factors, for example<br />
environmental pollution through system failures.<br />
It is important to get the basics right. These include keeping<br />
firewalls and antivirus software updated; identifying vulnerabilities<br />
across the business; understanding the weak points within each<br />
department; and writing a cyber defence policy, including processes<br />
to lock off parts of the business in the event of an attack.<br />
Employees and contractors are a business’s greatest line of cyber<br />
defence. It’s vital to remember that cyber security is about people,<br />
not technology. Every cyber attacker has infiltrated the system<br />
because an insider has let them in – through a USB key, a phishing<br />
email, or by clicking on a fraudulent link.<br />
Regular training for anyone who can access the technology<br />
network will help to identify potentially fraudulent activity. A strict<br />
internal policy around third-party data can help protect suppliers’<br />
and customers’ data, as well as the business’s own information.<br />
FIND AN INSURER WHO UNDERSTANDS CYBER RISKS<br />
Insurers can help protect businesses who have set up internal cyber<br />
protection systems, although not all insurers will offer the right<br />
type of insurance for companies in the transport chain. Insurers<br />
will often also provide support services such as risk management to<br />
ensure good cyber protection is in place and emergency response in<br />
the event of a cyber attack or failure.<br />
Most cyber insurance cover will address first-party losses but<br />
won’t make any provisions for third-party damages across the<br />
supply chain in the event of an attack. For example, traditional<br />
marine insurance policies have a standard cyber exclusion.<br />
Shipping operators should work with their broker to find an<br />
insurance provider who has a good understanding of what the<br />
cyber impact can be.<br />
START FROM THE INSIDE<br />
All cyber defence and cyber attacks start from within, which<br />
is why it is so important to get internal policies right first. Get<br />
every relevant department on board. Leverage in-house expertise.<br />
Work with the employees who know the systems inside out and<br />
thedcn.com.au August <strong>2019</strong> 45