Post on 31-May-2020
CYBER EXPOSURES IN THE SHIPPING, LOGISTIC AND OFFSHORE ENERGY INDUSTRY AND INSURANCE SOLUTIONS ON THE HORIZON
17th January 2018
Michael Hauer, Head of Marine, Asia Pacific
Andreas Schmitt, Head of Cyber, Asia Pacific
What is Cyber all about?
Cyber is a prefix used in a growing number of terms to describe new things that are being made possible by the spread of computers. Anything related to the Internet also falls under the cyber category.
Source: https://www.webopedia.com/
Cyberspace is the non-physical terrain created by computer systems. Anything related to the Internet also falls under the cyber category.
Source: https://www.webopedia.com/
Cyber incident: Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.
Source: CNSS Instruction No. 4009 (26 Apr 2010)
Motivation – Digitalization
Internet penetration – 5 billion minds expected in 2020
The Connected World
[Chart: Internet Users, World Population (population in billions) and Penetration (% of population), 2000 to 2017. Source: PHD Ventures, Inc]
Connectivity / IoT
Digital progress at the speed of light
2021
+56% 35.82 bn connected devices
+175% 3.3 zb internet traffic
Source Connected Devices: https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/
Source Internet Traffic: https://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/complete-white-paper-c11-481360.html
Digitalization in the Maritime Industry
Source: https://to2025.dnvgl.com/shipping/digitalization/
Source: https://www.joc.com/maritime-news/container-lines/digitization-challenge-recovering-shipping-industry_20170815.html/
Source: https://www.ge.com/digital/stories/from-connected-cars-to-connected-ships
• Higher automatization on vessels
• More connectivity within the logistic chain and in Offshore Energy (Energy Sector uses 7% of Satellite Internet)
• More Data Real Time
• Robots taking over Offshore Platforms
Cyber Systems in Shipping Industry
Six major types of systems in shipping industry
Ships and safe navigation
Global Positioning Systems (GPS),
Electronic Chart Display and Information System (ECDIS)
Automatic Identification Systems (AIS),
Satellite communication
Cargo tracking systems
Marine Radar systems
Automatic Identification systems
Information and Communication Technology (ICT) systems
Data is the fuel of the Digitalization
Restricted Access
No Access
Unwanted Access
Loss / Destruction
Outcome of Cyber Incidents
Economic losses are increasing without limits
The costs of cyber crime (in bn US $)
2016: 450 bn US$
2021: 6,000 bn US$
Source 2016: https://www.cnbc.com/2017/02/07/cybercrime-costs-the-global-economy-450-billion-ceo.html
Source Estimation for 2021: http://securityaffairs.co/wordpress/50680/cyber-crime/global-cost-of-cybercrime.html
Primarily third-party
Primarily first-party
Dimensions of cyber risks
Security
Liability
Reputation
Compliance & privacy
Costs
Unauthorized actions
Denial of service
Extortion
Electronic vandalism
Theft of data
Computer viruses
Accidental
Human Error
Technical Failures
Environmental (e. g. Fire)
Loss of reputation after cyber incident
by third party
own fault
Systematic posting of wrong information
Regulations & Law
Privacy laws
EU GDPR
HIPAA + HITECH
Gramm-Leach-Bliley
……..
Intellectual property infringement
Product/service failure
Privacy violation
Source: https://www.enisa.europa.eu/
Cyber Threat Landscape
Global ransomware damage → $5 billion (06/2017)
→ $325 million in 2015 → 15X in 2 years
→ 638 million ransom attacks in 2016
Source: Kaspersky Threat Landscape for ICS
Cyber is a substantial threat across many industries
Distribution of companies attacked by WannaCry and Petya by industry (May – July 2017)
Cyber Incidents in Marine
• GPS manipulation falsify on-board navigation – July 2013
• Floating oil-platform near Africa tilted to one side - April 2014
• Drilling rig not operable due to malware 19 days BI
• Somali pirates track vessels navigation online 1 confirmed incident
• Cyber systems in Antwerp port hacked to locate specific containers
• Norwegian energy and oil and gas sector > 50 cyber incidents (2015)
• USS Guardian ran aground off the Philippines (2013) falsified charts
• Flaws in ECDIS software unauthorized access and modify files (charts)
• A $100 VHF hack tool (AIS manipulation) falsify vessel’s Information
• A major fuel supplier fell victim to an $18m scam
• Petya / NotPetya attack cost Maersk around 300 Million dollars
• U.S Navy Hacked – 130,000 Sailors’ Personal Data Exposed
https://shiptracker.shodan.io/
Cyber Incidents and Vulnerabilities
Source: https://teiss.co.uk/news/clarksons-data-breach-ransom/?getcat=2934
Source: https://securityintelligence.com/attacks-targeting-industrial-control-systems-ics-up-110-percent/
Source: https://teiss.co.uk/news/british-airways-glitch-caused-human-error-confirms-aig/
Source: https://teiss.co.uk/news/cruise-ships-vulnerable-ransomware-physical-damage/
Source: https://teiss.co.uk/news/nuclear-submarines-vulnerable-cyber-attacks/
Threat Matrix
Threat Actors: Low to High

| | Internal User Error | Opportunistic Hacker | Insider Threat | Hacktivist | Organized crime | Cyber-Terrorist | Cyberwar and Cyberespionage |
|---|---|---|---|---|---|---|---|
| Motivation | None | Fun & curiosity | Money, grievance | Politics, Ethics | Money | Ideology & religion | Strategic |
| Target selection | Accidental | Coincidental & political | Grievance | Ideology & political | Individual & coincidental | Ideology, anti-western, collateral, media attention | Individual, collateral |
| Organisation | None | Partly | Well planned | Structured | Well planned | Regional | Perfect |
| Competence | Low to high | Low to high | Low to high | Medium to high | High | Low to high | Very high |
Cyber risks are real in Marine - Overview
Marine Insurance
Cargo (Freight)
Hull (Ship, physical damage, P&I)
Marine Liability (Port operations, forwarder liability)
Energy (Offshore platform)
Trigger Damage
Cyber
Cyber Threats and Damages in Marine
Cyber Trigger
• Ransomware / Malware
• Advanced Persistent Threat
• Phishing
• Data Extraction
• Denial of Service
• Man-in-Middle Attacks
Losses / Damages
• Business Interruption
• Data Breach
• Wrong navigation / transportation of cargo
• Espionage / Piracy
• Physical Damage / Personal Injury
• Loss or damage to cargo
Marine Cargo
Comprehensive coverage against physical damage or loss of goods during
storage and shipping, whether by land, sea or air.
Cover is broadly standardized with option for all risk or named perils.
Cyber Scenario Examples
• Physical Damage to Cargo due to a transport accident caused by Cyber attack
• General Average claims (as joint adventure with Hull)
• Delay and damage to Freight (perishable goods) in Reefer containers (power cut)
• Damage or delay to Project Cargo resulting in DSU
• Detour and Ransom
Which Cyber Exposures exist in Marine?
Marine Hull and P&I
Cover for physical damage of Hull and Machinery as well as general average and collision liability.
Protection & Indemnity cover for damage to third party property and crew
Cyber Scenario Examples
• Hacking into Navigation Systems causing
  - Misdirection
  - Take over control, hijacking, ransom
  - Causing collision, grounding
  - Use vessel as weapon (e.g. LNG carrier)
• Tamper security and communication system
Marine Liability
Cover of Liability assumed (Freight Forwarders, Warehousemen, Stevedores, Port & Terminals) for Cargo under Care, Control or Custody.
Cargo Insurers can take recovery from Marine Liability
Cyber Scenario Examples
• Hacking into logistic systems of ports, terminals or logistic companies
• Obtaining sensitive data about shipment (kidnap, destroy, theft, use for illegal shipment)
• Misdirection of Cargo to new recipient
• Business interruption of Cargo operation (P&T)
Offshore Energy
Cover for physical damage to Platforms & Wells, liability for pollution and third party as well as business interruption.
Cyber Scenario Examples
• Manipulation of Monitoring
• Shut down production, drilling control or an emergency shutdown system
• Physical Damage to equipment, Bodily Injury
• Loss of access to remote operations
• Loss of Well control
• Pollution, Business interruption
General Cyber threats
- Loss of Personal Identifiable Information (PII)
- Recovery of Data
- Cost to restore Reputation
- Legal Defense
- Extortion
- Loss of Market
Examples for Marine Policies & Silent Cyber coverages
Institute Cyber Attack Exclusion Clause CL 380
1.1. Subject only to clause 1.2 below, in no case shall this insurance cover loss damage liability or expense directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software program, malicious code, computer virus or process or any other electronic system.
1.2. Where this clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive, Clause 1.1 shall not operate to exclude losses (which would otherwise be covered) arising from the use of any computer, computer system or computer software program or any other electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile.
How to assess Cyber Risks?
Cyber Security Framework
Identify: Asset management, internal risk assessment, …
Protect: Access control, awareness training, …
Detect: Anomalies & events, security continuous monitoring, …
Respond: Response planning, mitigation, …
Recover: Recovery planning, improvements …
Cyber insurance (powered by Munich Re)
Risk gap
Outage of external network
Cyber Coverage Elements to be considered in the future landscape of Marine Policies?
Physical Damage (Assets)
Data & Software Recovery
“Data Breach”
Third Party Liability / incl. aspects of Bodily Injury and Property Damage
Costs (Notification, IT-Forensic, Crisis Management….)
Cyber Extortion
Non physical damage Contingent Business Interruption (Outsourcing activities)
Non physical damage Business Interruption
Physical Damage and consequential Business Interruption
Contact:
Andreas Schmitt – Head of Cyber Asia Pacific
E-Mail: aschmitt@munichre.com / Telephone + 65 6318 0724
Michael Hauer – Head of Marine Asia Pacific
E-Mail: mhauer@munichre.com / Telephone + 65 6318 0772
10 Steps to Cyber Security (1)
1. Information Risk Management
Establish an effective governance structure and determine your risk appetite
Maintain the Board's engagement with the cyber risk
Produce supporting information risk management policies
2. Network Security
Protect your network against external and internal attack.
Manage the network perimeter + Filter out unauthorized access and malicious content.
Monitor and test security controls.
3. Malware Prevention
Produce relevant policy + establish anti-malware defenses that are applicable + relevant to all business areas.
Scan for malware across the organization
4. Secure Configuration
Apply security patches and ensure that secure configuration of all ICT systems is maintained.
Create a system inventory and define a baseline build for all ICT devices
10 Steps to Cyber Security (2)
5. Monitoring
Establish a monitoring strategy and develop supporting policies
Continuously monitor all ICT systems and networks.
Analyse logs for unusual activity that could indicate an attack
6. Incident Management
Establish an incident response and disaster recovery capability.
Produce and test incident management plans
Provide specialist training to the incident management team
Report criminal incident to law enforcement
7. User Education and Awareness
Produce user security policies covering acceptable and secure use of the organisation's systems.
Establish a staff training programme.
Maintain user awareness of the cyber risks
10 Steps to Cyber Security (3)
8. Home and Mobile Working
Develop a mobile working policy and train staff to adhere to it
Apply the secure baseline build to all devices
Protect data both in transit and at rest
9. Removable Media Control
Produce a policy to control all access to removable media
Limit media types and use
Scan all media for malware before importing into the corporate system
10. Managing User Privileges
Establish account management processes and limit the number of privileged accounts
Limit user privileges and monitor user activity
Control access to activity and audit logs
Assessment of cyber risks
The evaluation of the maturity of IT security assesses the covered exposure
1. Organization
2. Information security governance and compliance
3. Inventory and classification of assets
4. IT system hardening and encryption
5. Patch management
6. Malware protection
7. Application security
8. Network security
9. Access control
10. Risk assessment, incident management, disaster recovery and business continuity
11. Awareness
Our strength in numbers
• 3 locations – Shanghai, Singapore, Copenhagen
• 50+ staff – 13 nationalities
• 57% of the world’s tonnage
• 2,000 members in over 120 countries
• 10,000 helpdesk enquiries per year
• 30,000 followers on social media
• 3 million page views on BIMCO website per year
• 1 billion TDW and growing
Today’s presentation: Taking Maritime Cyber Security Seriously.
• Knowledge and awareness
• Cyber vulnerabilities on ships - No one is excluded.
• The Guidelines on Cyber Security on Board Ships
• Ways to protect your ship
Cyber attack
• A ship is an independent unit and a cyber attack may compromise the safety of that ship, the marine environment and to some extent, the business continuity and reputation of the owner
DISMANTLING
NEWBUILDCON
SUPERMAN
cyber awareness programme
TERM SHEET
ANTI-CORRUPTION
eBILLS OF LADING