The State of Cybersecurity Readiness in the U.S. Maritime Industry

Andrew R. Lee, Ford Wogan

December 4, 2019

© 2019 Jones Walker LLP, joneswalker.com

June 27, 2017 Ransomware message received by Maersk employees

Maritime industry: vulnerable

The Marine Industry is Vulnerable

• Insider threats

• External threats – jamming, spoofing, extortion

• Mismatched, out-of-date software

• Inadequate budget allocation

• Limited training

• General lack of readiness

Impacts

• Cargo stolen or lost

• Port disruptions

• Physical Damage

• Loss of life

• Ecological Harm

• Terror incident

• Lost revenue

• Lost stakeholder confidence

Jones Walker Maritime Cybersecurity Survey

126 respondents

Including:

• 75 Vessel Owners/Operators

• 28 Port Operators / Service Providers

• 23 Cargo Shippers

From small (36), mid-size (58), and large (23) companies

Respondents believe the industry is prepared … but their own companies are not.

Big companies -- ready. Mid- and small companies -- not so much.

• 100 percent of large companies claim to be prepared to deal with a data breach.

• Respondents from small (94%) and mid-size companies (81%) reported that their organizations were unprepared to prevent a data breach.

Readiness by sub-sector

70% unprepared 78% unprepared 43% unprepared

Readiness measured by potential bad outcomes

• Negative public opinion

• Lost customers

• Lost business partners / goodwill

• Lost confidential info

• Lost intellectual property

• Mandatory notification

What is the cost of an attack? (IHS Markit / Fairplay Survey International Survey)

[Chart: Cost of an Attack. Cost brackets: < $5,000; $5,000 - $50,000; $50,000 - $100,000; $100,000 - $500,000; $500,000 - $1 million; $1 million - $10 million]

17% - $100,000 and up

6% - $500,000 and up

3% - over $1 million

Are companies spending enough to address? NO

Where is the industry going?

Autonomous Shipping

From Future Directions International Research Institute…

“The maritime industry appears still to be ill-equipped to deal with such future challenges as the cybersecurity of fully autonomous vessels.”

Where is industry going?

Widespread Automation

Recent Port Breaches

• Barcelona

• San Diego

• Long Beach

June 27, 2017 Ransomware message received by Maersk employees

Maersk NotPetya Incident

June 2017

• Global shutdowns

• Obstructed system

• Destroyed 50,000 PCs

• $250-$300 mm cost

• $10 bn impact (est.)

• Affected container shipping, tug boat and oil tanker operations

Chairman: company had “only average” cyber-readiness

Indications of preparedness

But is the industry even aware?

What you don’t know can hurt you

97% - “no breach” or “unsure”

Industry unsure if data has been compromised

Where is the government?

• Trying to raise the alarm

• USCG opened its Coast Guard Cyber Command (CGCYBER) in May 2017

• 39-person cyber event response team

• Integrated with DHS support

• USCG and DHS issued proposed cybersecurity draft guidelines for Maritime Transportation Security Act in July 2017

“The key is to treat a cyberattack as if it were a physical threat.”

-- USCG Cyber Commander Rear Adm. Kevin Lunday

USCG Warnings

Where is industry as a whole?

• In June 2017, Maritime Safety Committee adopted Resolution MSC.428(98)

• Encourages governments “to ensure that cyber risks are appropriately addressed in safety management systems no later than” January 2021

• In July 2017, IMO issued MSC-Fal.1/Circ. 3

• Provide “high-level recommendations on maritime cyber risk management”

BIMCO Guidelines on Cyber Security Onboard Ships

• World’s largest international shipping association

• Issued third edition of cyber risk management guidelines in December 2018

• Third edition in as many years

• Spring 2019 – BIMCO cybersecurity clause will require parties to contract to have “plans and procedures in place to protect its computer systems and data, and to be able to respond quickly and efficiently to a cyber incident”

BIMCO Guidelines on Cyber Security Onboard Ships

• Good starting point, but not enough

• Clause requires parties to:

• Implement appropriate cybersecurity measures and systems

• Maintain appropriate procedures and policies “to allow [an efficient and effective response] to a cybersecurity incident”

• Regularly review arrangements to verify procedures and policies being followed

• Use reasonable efforts to ensure third-party compliance with contract

• Promptly notify other party of breach

Clause permits parties to limit total liability to the other

Default amount if none specified: $100,000

Takeaways from survey

Cyber-secure companies do these things:

• Appoint empowered information security officers, with well-defined roles and responsibilities

• Train their workforce in cybersecurity procedures

• Participate in threat assessments and share information

• Obtain or re-evaluate cyber risk insurance

• Include cybersecurity as part of their OT and strategic plans

• Devote budget to cyber-readiness like their company’s reputation depends on it

• Develop and maintain disaster recovery, business continuity, and other contingency plans

• Document and implement cybersecurity policies and procedures

Thank you!

Andrew R. Lee, Ford Wogan

www.joneswalker.com
