Daniel Jones, Partner, Rosehana Amin, senior associate and Rory Duncan, senior associate, at legal firm Clyde & Co, have written an article on cybercrime in the shipping industry, which they described as “a very modern form of piracy”.
In part one of a series of four, the writers observed that cyber-attacks posed a serious threat to corporations generally and those involved in shipping were no exception.
They said that the Cyber Risk team at Clyde & Co had worked on more than 3,000 data breaches and cyber incidents.
Shipping industry incidents
Clyde cited five major shipping industry incidents.
The NotPetya malware cyber-attack on Maersk Line in 2017 reportedly caused the company around $300m.
This incident was followed in 2018 by a serious ransomware attack on COSCO that severely impacted its email and telephone systems in the US as well as other locations and which the company described as having caused “significant business interruption”.
In April 2020, Mediterranean Shipping Co encountered a malware attack that forced the carrier’s website and headquarters to shut down for almost a week.
In September 2020, CMA CGM SA was the victim of a ransomware attack which impacted some servers on its network and prevented customers from having external access to the company’s IT applications and booking systems.
In October 2020, The International Maritime Organisation suffered a cyber incident against its IT systems internally and externally.
Clyde said that, although the shipping industry faced broadly the same cyber-risks as other sectors, it was increasingly becoming apparent that it fitted in with the profile of the high value, critical infrastructure targets sought by cyber criminals and also faced risks that might be considered unique to the nature of carriage of goods by sea.
Systems affecting the navigation of the vessel, such as ECDIS or AIS, may be attacked to facilitate piracy, criminal or terrorist objectives. The technology needed to “spoof” a vessel was inexpensive and was becoming easier to find and download online. Spoofing incidents had already been seen in practice in coastal areas of Russia, China and elsewhere.
The increasing use of shore-based control systems to monitor and direct ship-board operations provided new means of interference by third parties or internal error that might affect the prosecution of the voyage. Clyde said that it had seen cases involving shipping industry targets where a large number of consignments of goods were wrongly directed and/or the contractual voyage was interrupted and/or seriously delayed. This gave rise to claims including for physical loss and/or damage to perishable goods and consequential losses.
Electronic manipulation of cargo documentation or handling systems. Pirates had used cyber-attacks as a form of reconnaissance to identify ship manifests, container ID numbers and vessel sea routes to assist in the organization of attacks and the targeting of high-value goods.
With the increasing nature and extent of the threat posed to the shipping industry by cybercrime becoming more obvious, attention was now focusing on some of the legal issues and difficulties that were posed by such threats.
Carriage Contract Issues
In each case involving cybercrime there was the potential for resulting legal claims involving a wide range of parties, including shipowners, charterers and cargo owners. Clyde said that “the preparedness of the shipowner’s and the ship’s systems to deal with the relevant cyber-attack was likely to be an important consideration in the context of such claims”.
Claims under charterparties following a cyber-attack could arise in relation to a variety of provisions such as those relating to delivery / redelivery of the vessel, laycans, prosecution of the voyage, delays to loading and discharge and also the payment of hire.
The carrier’s duty is to exercise due diligence before and at the beginning of the voyage to provide a seaworthy ship. Clyde observed that “seaworthiness” covered not only the physical condition of the vessel, but also the adequacy and efficiency of crew, stores and equipment and the suitability of the vessel to carry the agreed cargo. Clyde said that clearly this obligation had the potential to extend to losses that arose in relation to cybercrime or attacks, but to what extent was less certain.
Recognizing the urgent need to raise awareness on cyber risk threats to support safe and secure shipping, IMO Resolution MSC.428(98) provided that cyber risk issues should be addressed in accordance with the ISM Code and included in safety management systems no later than the first annual verification of the company’s Document of Compliance after January 1st 2021.
A number of industry organisations have come together to produce a set of best practice guidelines.
The Guidelines on Cyber Security Onboard Ships (produced and supported by BIMCO, the International Chamber of Shipping, IUMI, Intercargo, Intertanko and other leading industry organisations) seeks to assist shipping companies with their on-board cyber security by providing a step by step guide to risk assessment.
The UK Government’s Department for Transport and Defence Science and Technology Laboratory have produced Code of Practice – Cyber Security for Ships.
Clyde said that, although these and other similar public interventions provided valuable and welcome guidance for those responsible for cyber security in the maritime sector, it was also the case that by raising the overall level of knowledge within the industry about the threats posed and the preventative measures that could be taken, they might also be considered to have raised the level of obligation that must be met in order to satisfy the ‘prudent shipowner’ test in the context of an unseaworthiness claim. “As such, the issue of unseaworthiness provides a useful illustration of the increased levels of awareness and preparedness that will be required if the challenge posed to the shipping industry by cybercrime is to be met”, the writers said.
Clyde said that future articles in this series would consider the rapid rise in ransomware incidents as well as issues related to exfiltration and data protection. The legal firm would also consider the steps that could be taken now to anticipate and mitigate risks, including issues relating to insurance and how to respond when an incident occurs.