A REVOLUTION in shipping is occurring. New technology allows the realisation of unmanned or autonomous vessels that could alter the shipping landscape in the same way steam-power, containerisation and satellite navigation and communications dramatically changed the industry.

Ashore, things are just as dynamic. Ports, terminals and the entire supply chain are embracing technology in an ongoing push towards much greater operational efficiency.

Aside from the practical and legal challenges that these developments pose, the coming digital era exposes shipping to a new threat: cybercrime.

Digital transformation – what sort of revolution is it?
The physical systems that control shipping are on the cusp of a digital transformation. Crewless vessels, automated cargo handling, paperless shipping, blockchain and other new fringe technologies, open up staggering opportunities to improve efficiency and safety. An interconnected world looks like becoming an “internet of things” (IoT) – physical objects embedded with the computing power required to collect, process, and transmit data.

IoT does away with the notion of a ship as a collection of independent isolated objects or systems, such as a bridge, a main or auxiliary engine, or a box on a container vessel or in a port.

IoT creates a series of connected systems into feedback loops that enable automation. A digital era presents a dual challenge to the shipping industry: advance towards a more efficient system but mitigate against malicious interference, sabotage, espionage and unfair competition in what may seem a lawless online domain.

Cyber threats are serious and growing
Cybercrime is unique in the sense that it typically extends or operates across national boundaries, involves multiple jurisdictions and promises to result in truly global incidents. A single cyber-attack could conceivably impact multiple companies, vessels, cargoes and ports, making it difficult to estimate or contain losses. Couple this with the fact that malicious online actors are often anonymous, making trace back very difficult, cyber-crime in the coming digital era mounts a serious challenge.

Much has been said about the impact of cybercrime on unmanned or autonomous vessels. These are mostly catastrophic scenarios of hackers taking complete control of large unmanned or autonomous vessels – digital piracy. While this is not the realm of science-fiction (autonomous road vehicles already have been the target of hackers), a more likely scenario in the near term includes viruses or malicious software compromising a vessel’s charting software or manipulation of, or interference with, sensor data necessary for navigation.

Broader examples of cybercrime ashore are as diverse as the industry is wide. Events already reported include diversion of contract payments for freight and hire and sale proceeds to illegitimate parties; interception of codes and documents resulting in theft or mis-delivery of cargo; fraudulent e-bills; false ship fixtures and the list goes on.

How has the industry responded?
Regulatory frameworks to date have been reactionary. The IMO, flag states, industry associations, classifications societies and insurers’ poolable cover have released guidelines on maritime cyber risk management for bridge, cargo handling, machinery, access control, passenger management, public networks, administrative/crew management and communication systems, as well as how to manage ship-to-shore interfaces and security during port calls.

The guidelines form a high-level “protect, identify and respond” – type framework with the only concrete regulatory change being that a cyber-risk strategy must be incorporated into ship Safety Management Systems by the date of January 2021.

As cyber risk is dynamic and continuously evolving, limited only by the availability of new technology, the industry will play “catch-up” for some time yet. As new risks are identified, risk management will become tighter and more scrutiny applied to the management process. The challenge for owners and operators remains deciding on what shape and form prudent cyber-risk management takes. The following are three topics of discussion in the cyber-risk management space.

1. Insurance
As typical carriers’ liability and cargo insurance policies are not designed to cover cyber risk, cyber-crime poses a unique challenge to the industry. Some cyber insurance policies cover first-party losses but do not extend to third-party losses – a point relevant when considering the impact of cybercrime across the supply chain. Until insurers understand the risk from a frequency and severity perspective, insuring cyber risk will not be straightforward. Fundamental legal questions surrounding the status and liability of unmanned vessels must be resolved, such as the potential interaction between manned and unmanned vessels in a collision or the status of the external “crew” controlling the unmanned vessel. As cyber threats are so pervasive, cyber risk management will have to be addressed at the same time as the larger practical problems. 

Along with providing a vessel, crew and equipment that is sound and able to withstand the perils of the voyage, the vessel must be suitable to carry the cargo. What constitutes a seaworthy vessel in the cyber age? As specialised cover to deal with cyber breaches develops, current guidelines such as that from the IMO are not prescriptive in the way that physical risks can be quantified and mitigated against.

Traditionally, security has been framed by the International Ship and Port Facility Security (ISPS) Code, focusing on detecting and preventing security threats against ports and ships.

New technology may force a shift towards broader cargo and supply chain security, as ships and ports become the conduit for illegal activity.

The current consensus is that cyber risk management will take the shape of organisational, procedural and technical measures to protect the vessel’s systems, such as the bridge or cargo handling system. Failure to properly identify, manage and avoid cyber-related risk through protecting the vessel’s systems could be construed as failing to exercise due diligence to make a vessel seaworthy.

2. Time charters
Time charters allocate risk between owners and charterers. Contract wording usually attempts to distinguish and allocate trading risks as against those associated with the management and navigation of the vessel and care of the cargo. Even in cases of “traditional” time charter disputes – for instance, physical risks to the vessel and cargo from unsafe ports or arrest of the vessel, the distinction is not always an obvious one. On the issue of cyber security, without express contractual wording there may be no clear indication as to whether this risk will fall to the management or navigation of the vessel or relate to the employment or trading of the vessel.

To further complicate matters, issues of causation arise demanding a detailed examination of the facts. This is not a straightforward task when considering cyberattack. Similarly, the classic definition of a safe port stems from physical or political risks. Cyber security introduces a risk outside these realms and could manifest itself from within the vessel or originate at a port. Is a port unsafe if the vessel trading to it is subject to a cyberattack or repeated cyberattacks?

3. Force Majeure
Whether a cyber event may classify as a force majeure event depends on the construction of the force majeure clause, how the cyber event manifests itself, and whether the event was, in fact, beyond a party’s control.

Cyber incidents are of differing scale and may not have as devastating an impact as traditional supervening events such as natural disasters.

Most force majeure clauses do not capture events beyond physical or legal impediments to performance obligations and in any event would probably not stretch to capture cyber events affecting payment obligations. It remains to be seen whether broadly worded clauses could conceivably capture a cyber event.

Is the maritime industry prepared for the revolution?
As with other shipping revolutions, progress will likely occur over decades of painful development and risk-taking. Ocean-going shipping has enjoyed geographic isolation and until recently, has been less susceptible to shore-based interference and disruption. Along with ports and terminals, the focus has been on immediate challenges to physical security. With the coming digital age, new technology looks like converging that promises to link the entire supply chain. In this new order, cyber risk moves quietly from outlier to front and centre.

* Ben Adamson is an associate at HFW

This article appeared in the February 2020 edition of DCN Magazine