Cyber Threats - Helping the maritime industry understand and mitigate the risks
Episode 23rd October 2022 • Alongside • NorthStandard

Shownotes

Strike & Delay cyber cover is designed for shipowners and charterers looking to protect their revenue streams from the effects of a delay arising from a cyber-attack. It provides cover against cyber-attacks on ships, but also cyber-attacks against onshore infrastructure, which can in turn lead to vessel delays at a port.

In this episode of ‘Alongside’, we look at the threat of cyber-attacks in the maritime industry. As the sector becomes more and more reliant on connected technology, we ask how much of a threat is there and what needs to be done to counter those threats. Our host Kait Borsay is joined by Daniel Ng, CEO of Cyber Owl, a company which helps asset operators in the maritime and critical national infrastructure sectors manage cyber risks and ensure cyber compliance. We also hear from Georgie Furness-Smith, Senior Cyber Underwriter and Head of Maritime Cyber at AXIS Capital.

Transcripts

Kait Borsay:

Hello and welcome to 'Alongside', the podcast from Standard Club for the shipping industry across the world. I'm Kait Borsay. In this episode, as the industry becomes more and more reliant on connected technology, how much of a threat are cyber attacks to maritime and what needs to be done to counter those threats?

Georgie Furness-Smith:

There is a real distinct lack of reporting in this area. I think that's really masking the true scale of the problem.

Daniel Ng:

At the moment, it isn't clear to an individual ship owner, how they benefit from sharing that information.

Kait Borsay:

Joining me is Daniel Ng, who is CEO of Cyber Owl, a company which helps the maritime industry manage cyber risks and ensure cyber compliance. Also with us is Georgie Furness-Smith, who's Senior Cyber Underwriter and Head of Maritime Cyber at Axis Capital. Before we begin, let's take a look at what we mean by cyber attacks or cyber threats. Daniel, give us an overview of how these threats manifest themselves.

Daniel Ng:

Hi, Kait, thanks for having me on the podcast. The vast majority of cyber risks on shipping systems are really very sort of small events really. I think we build up this view of cyber attacks and shipping systems a little bit like a sort of James Bond scene straight out of that storyline, where you've got the manifesting of attacks on computers that ground ships to a halt and drive them into reefs. The reality is, it's far from that in terms of likelihood and frequency. Not to say that's not possible, but just quite a remote likelihood of that happening. Most of it comes in the form of bits of ransomware, extortion, really, criminals trying to make a quick buck from a shipping company. And that's really how we end up seeing most of the attacks manifest.

Kait Borsay:

We'll get into more detail a little further on into the podcast. Georgie, I think it's important to put some further perspective on this for maritime, what's the current level of threat and what's changed in the last five to 10 years in the sector?

Georgie Furness-Smith:

Thank you, Kait. I would say in the last sort of five years, the main thing that's changed is the perception and appreciation of the threat. And I think that's especially true now that we've seen a couple of incidents that have been widely reported within the maritime industry, which has given us a real sense of what the repercussions could be. I also think that it's important to note that maritime businesses are just like any other business. And generally, we have seen the incidence and severity of attacks across all industries increasing, not just maritime. So I guess the reason I've just said that is because I want to stress that maritime businesses themselves are at risk from cyber events. So for example, ransomware attacks on their corporate networks; it's not just their vessels that are vulnerable. And I think that's the point to stress.

Kait Borsay:

Why is the issue then become more important from an insurance perspective just to offer your specialism to this?

Georgie Furness-Smith:

So I think probably the easiest way to answer that is in two parts. Firstly, owners are definitely far more aware of the rest of their business. And they know that they have a gap in their cover from their hull and machinery policies. So this means that any property damage that because on their policies, as a result of a cyber attack, would not be covered. So essentially, they need a separate cyber insurance policy for that. And then secondly, we've seen the severity and frequency of cyber attacks increasing over the years. So it's become essential that companies like mine at Axis can offer a solution, a solution to meet that problem. And that's an ongoing challenge, really, because the property damage side of the cyber market is much newer, more developing area of the cyber insurance market. So it's sort of a constant evolving process.

Kait Borsay:

I'd like to talk about some examples, really. So we can start to illustrate what might happen in the event of a cyber attack. Daniel, from your experience here, and let's, let's try and use shipping as the example if we can. Do we have some genuine examples here that we can paint a picture with?

Daniel Ng:

Sure. Let me talk you through an example that we were working on earlier this year. So this was roughly around the end of February. Clearly the whole world was on heightened alert for what was going on in the Russia Ukraine conflict. And so as a business we were particularly vigilant, working with our customers looking for any evidence of nation state activity, attacks that originate or are motivated by sort of nation state activity. And in this particular case, on board eight vessels across two different customers, and to eight very different types of vessels. Almost purely by coincidence, we think we found evidence of some malware that was designed to get itself on board the vessel or get itself on board a computer really, whether that's on a vessel or anywhere else, but also then spread its way across the network, in this case on board the vessels, and designed to give the attacker full control of that machine. So whether that is replacing the files on the machine, shutting it down, stealthily trying to copy information off the back of the machine, or simply executing a new command or process on that machine, this particular piece of malware was designed to do that. And when we looked at it, it became very obvious that it was related to a family of malware called PlugX. Now, PlugX is not a new thing. It's been around for quite a few years. And actually, it's more famously known for matters of political espionage, rather than necessarily commercial espionage or for ransomware, or for ransom activity. The malware had found its way on to what is called operational technology on board the vessel. These are the computers that drive the actual operations of the vessel themselves. So whether these are navigation systems, or engine control systems, or ballast, and water treatment systems on board the vessel, these are clustered into a category of computers called operational technology.
And clearly, if it's an attack on just the traditional Information Technology, or IT, on board the vessel, then really what you end up losing is data and information. But if the attack is on operational technology, then there is a potential effect on the operations of the vessel and, and the safety of the vessel. But given the way vessels are constructed, given the controls that have been put in place with these customers, there was no evidence of any control on the vessel systems at all. So what have we learned from that, in terms of typical things on board for cybersecurity for onboard systems? The first is often separation of what is the more traditional IT on board the vessel and the operational technology is happening, and where it's happening, it has a good layer of control. The second is, this is collateral damage, as far as we can tell. So it's not as if there is an organisation that is directly trying to target that specific vessel itself, this just happens to be collateral damage got itself up to the vessel.

Kait Borsay:

So the aim would be what in terms of the particular malware attack?

Daniel Ng:

Often we don't know that malware can be designed to execute a particular purpose, in this case, most commonly known and used for political espionage. But when it's released out into the world, it can be used and reused for all sorts of different reasons, and sometimes not in a very targeted way. So in the industry, we call this the spray and pray approach, where the perpetrator just releases it out, hopes it takes hold of some computer and then executes their sort of objective once it's taken hold. But it doesn't necessarily mean they're being really, really targeted about a specific computer about a specific vessel.

Kait Borsay:

Georgie, let's bring you into this because I'm fascinated from an insurance point of view, really, how you're able to get involved and whether it matters that you don't always know what the end game is here. If a vessel for example, is the subject of a cyber attack, what Daniel has been telling us is often we don't really know why, when you're asking questions, as the insurer, is that quite a frustrating element of it that you don't know necessarily what the end game is, or was?

Georgie Furness-Smith:

I think that's the main thing with cyber insurance that the end game's probably always changing. There's no, as soon as we figured out one thing, they've moved on to something else. So we are constantly reviewing what we're doing and trying to find out what the next target or strategy would be. As Daniel says, it's often hard to find out what the motivation is. And it's not often that they will just, you know, you can get in touch with whoever's done this and ask them why it's not, you know, doesn't really work like that. So we often will never know.

Kait Borsay:

From an insurance point of view, what are the big issues here that you're having to effectively clean up after I suppose?

Georgie Furness-Smith:

I think the main worry that people have is, well from insurance perspective as a property damage that might arise from a cyberattack on a vessel. So a vessel colliding or grounding because of lack of control. But we haven't seen that happening before. It doesn't mean it can't happen. It just hasn't happened yet. So that's the sort of disaster catastrophe loss. But when we're talking about everyday losses, it's the business interruption that people are worried about - the cost incurred with business interruption, the costs incurred with having to as Daniel says, clean up after these people, remove the malware start systems up again, the sort of attrition or losses that every day smaller losses, but then I guess the main thing to say here is that there is a real distinct lack of reporting in this area. So I think that's really masking the true scale of the problem. Only a certain number of shipowners want to put their hands up and say, this has happened to me publicly. So I think if companies are willing to anonymously report the threats that they'd experienced, we would be able to understand a lot more the true scale of the problem.

Kait Borsay:

I thought it was really interesting, Georgie, what you've had to say about actually, you don't often hear about a specific proportion of attacks, because sometimes operators don't want to hold their hands up to them. It might be perceived as a weakness, of course, what we're understanding is that is that it's actually fairly common, and not that dramatic from you, Daniel, it's not some big meltdown of systems, it happens often - is that is that something you encounter Daniel, trying to convey the message really within maritime, that actually, this is a normal, everyday occurrence, and that we really need to start preparing for this and start expecting it - nothing to be ashamed or embarrassed about?

Daniel Ng:

There's a few things there to unpack, I think. The first thing is that if we spend all of our energies, as a sector trying to prepare for very extreme outcomes, then chances are we are investing our time and effort in defending ourselves against outcomes that are very, very, very low likelihood in terms of what's happening in completely missing the attritional losses, as Georgie puts it. And in the end, in terms of net loss to the business, we've ended up investing a huge amount in something that we never experience. And that creates a level of disillusionment, I think, at the management level, because all that investment is not necessarily being seen as paying off, per se. At the moment, it isn't clear to an individual shipowner, how they benefit from sharing that information. So what we try to do with that narrative is to say, look, reporting on or sharing some information on the loss of an incident is one thing. But actually, if you report and share and also share what risks were manifesting, or what vulnerabilities were exploited to get there, that actually everyone benefits by shutting down those vulnerabilities, because it's very common for attackers, who tend to be very lazy, quite frankly, to use the same weapon twice. And if you can start to shift the narrative, so it's all about learning about those backdoors so we can all collectively close them before they manifest into losses, then I think the business case for sharing becomes a lot more evident.

Kait Borsay:

How important is then the sharing of information within the maritime industry Daniel?

Daniel Ng:

I think it's incredibly important. It's, it's the thing that will unlock tipping the scales of us having to defend ourselves as individuals into working as a collective. And if you look at other sectors that have, by and large done an incredible job of defending themselves against cyber attacks, the financial services one will spring to mind very quickly. And they went through exactly the same process, starting off in a rather sort of defensive secret way of not wanting to share information to what we have today, which is an incredible level of threat intelligence and information sharing, which makes the entire financial services sector much, much stronger. Shipping has a tradition of being quite secretive. Information advantage is viewed as a real advantage and shipping, I think in some ways, probably still is, even if that's changing very quickly as things go. And so that view of being secret, and having information advantage, is what's driving us to be very careful about sharing. But there are lots of other areas where we have gone beyond that and grown out of that like in piracy, for example, where we now know that sharing means we are collectively stronger against the perpetrator. So absolutely very critical.

Kait Borsay:

Your company and is working with the Singapore Shipping Association. How does the partnership work? And what have you learned?

Daniel Ng:

The background to this is that the Singapore Port Authority, so the MPA are looking to set a standard really for Singaporean shipping companies in terms of this immaturity, because there is a sense that whilst you've got perhaps some of the larger shipping companies that have been more on the front foot and managing the risks surrounding cyber attacks, there are loads and loads of other companies down that supply chain that are perhaps not as prepared and, and not as aware and not as educated. And so some ability to understand the maturity across the shipping sector in Singapore, and benchmark that across the various areas of cyber capabilities becomes very meaningful and very powerful. Because then you're able to say, actually, we're good in these areas. But we're kind of below the benchmark and below the average in those areas.

Kait Borsay:

How does that present? Without obviously going into too much technical detail? You've talked about achieving a level of maturity... how would that company or how would any company do that? If they were to do that set to the standards that they are looking at implementing in Singapore?

Daniel Ng:

Sure. Well, I mean, one very simple way of thinking about the different areas of cybersecurity capability is something called the five pillars of the NIST framework. So it simply says, Can you identify the risk? And there's a bunch of things that help you prove that you can identify the risk. Can you protect yourself from the risk? So can you put up the gates that stop the criminals from coming in? Can you detect when someone's breached? Can you respond on detection? And then can you recover? And simply with each of these five areas, are having some strength in being able to identify, protect, detect, respond and recover, will then give you a sense of whether you can survive an attack and just continue business despite being attacked? Because there is no way you can completely stop an attack 100%. And in some ways, that's a fool's mission really. What's much better is to say, let's do what we can to protect ourselves from being attacked. But let's assume we will be attacked, and then how quickly can we stand up again, and continue business with as minimal interruption as possible, and with as minimal losses as possible? And that is a far better way of being a cyber mature organisation.

Kait Borsay:

What are the complexities for you here, Georgie, from an insurance point of view? And what do organisations or members even need to have in place to protect themselves in terms of insurance? What's the basic requirement here, really?

Georgie Furness-Smith:

So I think there are two things really, that they need to have in terms of insurance. Firstly, they should have a traditional cyber insurance policy, which covers them from... well covers their balance sheet, from risks, such as ransomware, which are the bigger risks that Johnny was talking about earlier, and covers also business interruption and various other things. And then the second thing they would need is vessel property damage cover. So that covers the gap that they have in their hull and machinery policy, and means that if there was some any physical damage caused by a cyber event, they could collect it from our insurance policy.

Kait Borsay:

And, Daniel, I'm interested to know, obviously, having your insurance in place is, you know, fundamental. But how do you how do you start to clean up after an attack? How does the practical side of this work, you obviously need your cover? And that and that comes from Georgie, but how do you go about starting to mop up after an attack?

Daniel Ng:

We think of it in three phases. So the first phase is roughly around the first 24 hours could be 12 hours, or it could be six hours, depending on how severe the incident is. But within that phase, your entire focus is to contain the spread of the attack and to get the, in the case of vessels to make sure the operations of the vessels are safe. That's your only concern within that first phase, we think of it as the first 24 hours. After that, the second phase is all around restoring, rebooting, getting business back on track and continuing to operate. Because you know, operations are safe, you can now get it back to running again. And then the third phase after that is about collecting the evidence to understand where were the vulnerabilities in the first place? How do we collect the information that's required to go back to the insurance to say, hey, look, these are the actions we took, these are the controls we put in place. And yet, unfortunately, we suffered a loss. You know, what further information do you need to process the claim? But I think sometimes people get the order of this wrong. And I think sometimes, particularly in phase one, and phase two, people think first thing, just get business back up and running again. Well, unfortunately, in the world of shipping, you're talking about lives out at sea, and you're also talking about, you know, big chunks of metals floating around. So the primary focus is always safe vessel operations, then it's business interruption.

Georgie Furness-Smith:

So actually, within our cyber insurance policies, we have an incident response team, and that has a dedicated 24/7 hotline number, which provides a suite of experts that can help triage the event. So if it's Bank Holiday, for example, and you can't get ahold of the insurance underwriter, you would just call this 24/7 number and experts will be on hand to help with anything from salvage or a ransomware event, it might be lawyers, anything that happens to do with the cyber event on board a vessel, or indeed your business network, and there's someone on hand to help triage that so that the problem can be solved as quickly as possible.

Kait Borsay:

And with one eye on the future, I'm curious to know where your predictions might be - will cyber attacks become even more commonplace? Are you anticipating that Georgie?

Georgie Furness-Smith:

We've just had a couple of years really of real upheaval in the cyber market, we've seen the severity and frequency of ransomware attacks in particular, escalating. And so the whole cyber market's had a bit of a shake up with regards to addressing minimum standards and the types of risks we'd want to underwrite. So there's potential for us to see increased cyber threats and attacks, all evidence points towards that potentially being the case.

Daniel Ng:

I would agree. I mean, I think it's inevitable really. And it's inevitable mainly because we are embracing connectivity, more data, faster data remote control, to drive some of the bigger objectives in the sector, you know, decarbonisation green shipping. We want to understand how our fuels are performing. We want to understand whether all the investments we're putting in place is paying off from a kind of decarbonisation standpoint, that means more data, more connectivity. I think it's inevitable, but we're also getting stronger, we're getting more educated, we're putting more controls in place. So these things even out over time, it just ends up becoming a race.

Kait Borsay:

Well, that thought seems like a good point to end on. Thank you both for joining us. That's Daniel Ng CEO of Cyber Owl and Georgie Furness-Smith from Axis Capital. You've been listening to 'Alongside', the podcast from Standard Club for the shipping industry. If you have any questions about this or previous episodes, or you have a topic you'd like us to cover in future, leave a comment on the Alongside webpage. You'll find it in the knowledge and news hub at standardclub.com and there's a link to it in the show notes. Join us next time when we continue to explore key topics affecting the maritime industry and those who are part of it. And make sure you follow this podcast to ensure you don't miss an episode. Thank you again to both our guests. From me, Kait Borsay, thanks for listening
