It has not happened yet, but the experts warn that it is coming. The Big One — the worst-case cyber-attack on the shipping industry.
The June 2017 NotPetya attack that cost AP Moller-Maersk at least $300m was a wake-up call, but the industry should prepare for a much more damaging incident, says Mark Sutcliffe, director of CSO Alliance, an online community of shipping company security officers.
"A worst-case scenario might involve intrusion that invokes a cascade failure of a vessel carrying hazardous or polluting material, or possibly sustained disruption to networked navigational systems that could have an industry-wide impact," he tells TradeWinds.
Sutcliffe says Maersk was not even the intended target of the attack, which has been blamed on hackers acting on behalf of the Russian state.
"This was an unintended consequence exacerbated by complacency and inadequate network monitoring and cyber defences," he says.
A hacker could cause a grounding, sinking or collision resulting in loss of life, says Max Bobys, vice president of US maritime cyber security firm HudsonCyber.
"Cyber-attacks against the maritime sector occur every day," he adds. "Ransomware, for example, which continues to chronically spread and evolve, affects office and shipboard operating environments."
Sutcliffe says most maritime cyber-threats have been confined to distributed-denial-of-service attacks, website defacement and ransomware, but a cascading intrusion affecting ports worldwide could certainly happen.
"Network intrusion that creates a cascade effect, disrupting systems in a globally important mega-port such as Rotterdam or Singapore, would have [a] significant operational and consequently financial impact on the entire European Union logistics and transport chain," he says. "There is evidence of attacks developing in maturity of approach and impact, for example shipbroker fraud."
On 20 September, several servers in the Port of Barcelona's security infrastructure were hit in a cyber-attack that apparently did not affect operations but showed port vulnerability to such incidents.
Five days later, the Port of San Diego's IT systems were disrupted by a ransomware attack that prompted investigations by the Federal Bureau of Investigation and the Department of Homeland Security.
In July, Cosco's terminal at the Port of Long Beach in California was the target of a ransomware attack, but a spokesman tells TradeWinds the incident "had not derailed operations".
Protecting against the worst-case scenario
Cyprus is well aware of the dangers, so deputy shipping minister Natasa Pilides says it is developing seafarer training courses in cyber security at the nation's maritime academies.
"We oversee the content, make sure that it is approved and ensure it is taught in the way as prescribed," she says.
Her agency is also eyeing cyber security initiatives with Cyprus' Department of Information Technology Services that it plans to share worldwide.
Pilides urges shipowners and companies to make sure employees follow safe protocols.
"Are the companies providing them with the right training?" she asks.
"There are a lot of legal issues, such as what constitutes evidence, that will be resolved with experience, and the IMO will need to get more involved."
The US government outlined steps it will take to protect against evolving threats in a National Cyber Strategy published last month.
The 26-page report says: "Maritime cyber security is of particular concern because lost or delayed shipments can result in strategic economic disruptions and potential effects on downstream industries."
US President Donald Trump calls the report "a call to action for all Americans and our great companies to take the necessary steps to ensure our national cyber security".
Those steps include clarifying maritime security roles, promoting mechanisms for international digital security coordination and developing next-generation cyber-resilient infrastructure.
No specific laws on cyber-threats — yet
Despite the risks, there are no specific laws to prevent cyber-attacks in shipping. But Sutcliffe says organisations such as the IMO, US Coast Guard and the EU are drafting guidelines that might become laws.
"I think it will be a learning curve," he says. "You learn how to address it the best way and then you set laws."
In January, a section dedicated to security, including cyber-risk, was introduced in the third edition of the Oil Companies International Marine Forum's Tanker Management and Self Assessment (TMSA) programme.
The language was also included in the seventh edition of the vessel inspection questionnaire from the forum's Ship Inspection Report Programme (SIRE), made effective in September.
"Because TMSA and SIRE are imperative to gaining charters, tanker operators now have a commercial incentive to demonstrate they have given systematic consideration to potential vulnerabilities and implemented appropriate mitigations and safeguards to address them," DNV GL says in a report on digital defence.
The IMO's Maritime Safety Committee inserted maritime cyber-risk management into its list of Information Security Management Code requirements, with a strong recommendation that companies adopt it from 1 January 2021.
DNV GL says the amendment "leaves non-tanker vessel owners with little more than two years to achieve a similar level of preparedness as their tanker-owning colleagues".
Although the IMO is maritime's regulatory body, Sutcliffe says cyber security law enforcement will have to happen at a national level.
"Quite often, particularly where resources are limited or do not exist, this will be achieved cooperatively with other departments at the operational level," he says. "IMO has new risk-management rules coming into force in 2021. Failure to adhere could see ships detained."