DCN AUGUST Edition 2019

Cyber
protection
at port & sea
Iain Sharples from Zurich Financial Services looks
at the new wave of digital pirates and how transport
companies can form their own lines of cyber defence
Cyber insurance is a rapidly developing sector of the insurance
market, fraught with a lack of historical data and examples that
make it almost impossible to predict the nature and impact of
attacks. It gets even more complex with marine and transport
providers in a global network where attackers can have a greater
impact in an extremely short period of time and can go undetected
until the damage is done.
DOUBLE-EDGED TECHNOLOGY
Automation has definitely helped with the risk profiling,
management and operations of businesses in the transport
industry. Having fewer people onsite at container terminals is
an obvious example – resulting in fewer bodily injury losses and
private property damage to ships and cargo. This benefits the
businesses themselves and their insurers.
However, increased dependence on technology brings a new raft
of risks. Every large piece of equipment (including ships, landbased
equipment, trucks, trains and drones) depends to a greater
or lesser degree on technology for its maintenance and operation,
and a malfunction (whether by human error, a coding error or a
malicious cyber attack) can have catastrophic effects.
A SPECIFIC FOCUS ON SHIPS AND EQUIPMENT
Automated cargo handling equipment and ships present an
opportunity for cyber attackers to take over control remotely. The
result could be significant damage to the equipment or ship, other
assets as well as third party property and bodily injury.
As marine insurers, there are a few obvious areas we look at to
ensure a customer has adequate cyber protection for their port and
terminal equipment. At a basic level this includes asking:
• How is the equipment connected to other systems e.g. wired,
wireless, over the web?
• What is the approach to software patches and maintenance on
equipment?
• What is the security information and event management (SIEM)
approach to specific pieces of technology to ensure incidents are
tracked properly?
If a company has a large piece of equipment that’s autonomous
and web-based, whether it is a vessel or terminal equipment,
it needs to have its own security and maintenance schedule to
regularly test for vulnerabilities. It is important to be able to
demonstrate that they’re monitoring when the system is accessed
(and by whom) and that they have measures in place to protect
against any possible cyber attack.
VULNERABILITIES CAN BE TINY
Even small transactions must be monitored. In 2013, cyber
attackers used phishing and malware attacks to transport
250 kilograms of cocaine through a delivery of bananas to a
Rotterdam terminal. The hackers gained access to the system
and redirected the cargo to their own location rather than the
intended delivery address.
There could be liabilities and exposure to penalties from
authorities that attach to similar events. Companies will need to be
able to demonstrate they have taken a reasonable approach to cyber
security with adequate plans and processes in place.
Polygraphus
CYBER PROTECTION BASICS
All marine and transport businesses should protect themselves
from cyber attacks. Without it, they can stand to lose a great deal
financially if they fall victim to an attack and it can take years to
recover from reputational damage or other factors, for example
environmental pollution through system failures.
It is important to get the basics right. These include keeping
firewalls and antivirus software updated; identifying vulnerabilities
across the business; understanding the weak points within each
department; and writing a cyber defence policy, including processes
to lock off parts of the business in the event of an attack.
Employees and contractors are a business’s greatest line of cyber
defence. It’s vital to remember that cyber security is about people,
not technology. Every cyber attacker has infiltrated the system
because an insider has let them in – through a USB key, a phishing
email, or by clicking on a fraudulent link.
Regular training for anyone who can access the technology
network will help to identify potentially fraudulent activity. A strict
internal policy around third-party data can help protect suppliers’
and customers’ data, as well as the business’s own information.
FIND AN INSURER WHO UNDERSTANDS CYBER RISKS
Insurers can help protect businesses who have set up internal cyber
protection systems, although not all insurers will offer the right
type of insurance for companies in the transport chain. Insurers
will often also provide support services such as risk management to
ensure good cyber protection is in place and emergency response in
the event of a cyber attack or failure.
Most cyber insurance cover will address first-party losses but
won’t make any provisions for third-party damages across the
supply chain in the event of an attack. For example, traditional
marine insurance policies have a standard cyber exclusion.
Shipping operators should work with their broker to find an
insurance provider who has a good understanding of what the
cyber impact can be.
START FROM THE INSIDE
All cyber defence and cyber attacks start from within, which
is why it is so important to get internal policies right first. Get
every relevant department on board. Leverage in-house expertise.
Work with the employees who know the systems inside out and
thedcn.com.au August 2019 45