Going Lo-Fi At Sea May Mitigate Cyberrisk

Cyberthreats have become seaborne in recent years, and preventative measures are on the radars of governments and the shipping industry.

GPS and other electronic systems have proven to help ensure safe and accurate navigation, but they have also put digital bullseyes on ship decks. These technology upgrades have unwittingly exposed ships to cyberrisk because their signals are weak enough for remote perpetrators to jam.

When ships and crew members rely solely on GPS systems, they can be at the mercy of a cyberhacker seeking to provide wrong positions (or “spoof”), endanger the crew and their cargo, or hold the crew, cargo or sensitive information for ransom.

These risks are exacerbated by the fact that ships typically do not have automatic backup systems, and younger crew members are increasingly reliant upon the newer electronic navigation tools.

Allianz’s Safety and Shipping Review 2017 highlighted the growing threat of cybercrime in the sector, and noted the increasing level of activity in the last five years. For example, World Fuel Services fell victim to an online bunkering scam in 2014 when it agreed to participate in a tender for a large amount of fuel from what it believed to be the United States Defense Logistics Agency. Cybercriminals collected $18 million from that successful impersonation. In 2016, hundreds of South Korean vessels had to return to their ports after North Korea allegedly jammed their GPS signals.

The report noted that most maritime cyberattacks have been aimed at breaching corporate security, rather than taking control of vessels, but warned that such attacks could occur.

Captain Rahul Khanna, head of marine risk consulting at Allianz Global Corporate & Specialty, noted in the report that more, larger-scale attacks are imminent if the risks are not appropriately addressed. “We can’t put IT security on the backburner,” Khanna said. “Just imagine if hackers were able to take control of a large container ship on a strategically-important route. They could block transits for a long period of time, causing significant economic damage.”

The report also stressed that “crew education and identifying measures to back up and restore systems should be implemented” to reduce cyberrisk.

Looking Back For a Signal Forward
Some companies and governments have heeded the warnings and are identifying these indicators of attack. Preventative measures may lie in a maritime tool that had taken a backseat to the prevalence of GPS—a backup radio technology called Enhanced Long-Range Navigation (eLoran), which was developed in the United States in the mid-1990s. It has continental reach, emits strong signals via a low-frequency and relies on land-based transmitters that reveal a limited number of fixed positions. These once-limiting traits could be the automatic backup systems ships need in the event of jamming or spoofing.

On July 20, 2017, when the Department of Homeland Security Authorization Act (H.R. 2825) passed the floor of the U.S. House of Representatives, eLoran’s importance was stressed. The act includes a section titled “Backup Global Positioning System,” which features provisions for the U.S. Secretary of Transportation to initiate an eLoran system. H.R. 2825 proposes that eLoran be made available as a “reliable…positioning, navigation and timing system,” with the purpose of providing “a complement to, and backup for the Global Positioning System to ensure availability of uncorrupted and nondegraded positioning, navigation and timing signals for military and civilian users.”

Reuters this week reported that South Korea’s Ministry of Oceans and Fisheries is looking to establish the technology in a test form by 2019.

Time will tell if eLoran is the most practical and cost-efficient method to mitigate cyberthreats at sea. It seems if companies want to mitigate maritime cyberrisk now, the first steps would be to look to the technology of the past and turn on the radio.

Asian Piracy and Crime Incidents Drop 65%

The number of piracy and armed robbery incidents in Asia from January to September 2016 decreased by 65% compared to the same period in 2015. A total of 59 incidents were reported during the period, including three piracy and 56 armed robbery incidents, according to the Regional Cooperation Agreement on Combating Piracy and Armed Robbery against Ships in Asia (ReCAAP).

ReCAAP emphasized that the decrease in the overall number of incidents was most evident in the Straits of Malacca and Singapore. Other improvements were reported at ports and anchorages in Bangladesh and Vietnam. In these regions, there were only two incidents from January to September 2016, compared to 96 incidents in the same period last year. About 73% of the incidents occurred on board ships while at ports and anchorages, and 27% on ships while underway.
recapp-1

There was also a decrease in hijacking of ships for oil cargo theft during the nine-month period—only two such incidents occurred, compared to 12 incidents in 2015.
recapp-2

Although the total number of incidents has decreased, there is no room for complacency, ReCAAP emphasized. Measures must be implemented to prevent recurrence of incidents involving the abduction of crew in the Sulu Sea and hijacking ships to steal oil cargo. Crews need to be vigilant while underway and maintain watch at ports and anchorages. In addition, authorities should implement port security measures and maintain regular surveillance.
recapp-3

Aquisition Integration for Logistics and Cargo Insurance

chess-game
During my 36 years in the marine insurance industry, one of the most common issues has been failure to properly integrate acquisitions into cargo logistics insurance programs—which can result in gaps in cargo insurance coverage. Old habits die hard, however, and this is particularly true in logistics operations.

When an organization acquires a new company, there is a choice. The buyer can allow the acquisition to continue to operate independent of its logistics program (rarely is cargo insurance left independent) or fully integrate them into the buyer’s logistics and cargo insurance programs. The most common occurrence is full integration into the buyer’s logistics and cargo insurance programs for cost savings and continuity.

If the independent logistics option is chosen for the acquisition, it is still critical to perform a detailed gap analysis of the logistics SOPs (Standard Operating Procedures) used by the acquisition to assure their program does not present unique exposures not currently considered or addressed in the buyer’s program. The most objective and effective gap analysis should be performed by an outside consultant working with the buyer’s designated logistics representative.

A risk management representative is not required but may wish to attend. The consultant must have extensive experience in logistics audits as well as a clear understanding of implications of the terms and conditions of the cargo policy. This team will create a gap analysis report that details variances from best practices and the key drivers in the buyer’s logistics program that are critical to the marine cargo insurance program. This also allows the buyer’s cargo program to be adjusted for any unique requirements of coverage by the acquisition to assure there are no coverage gaps.

Importance of SOPs
It is worth a moment to address SOPs for logistics and security for shipping and storing goods in the due course of transit. Formal SOPs are critical to assure compliance, and proper measurement of compliance. SOPs also provide continuity of logistics’ programs so learned processes and shipping lane specific issues are not lost when there is a change in personnel.

In instances when the buyer decides for full integration, the process is much the same as described above for the independence option for logistics by the acquisition. The most important difference is that the gap analysis details the variances between the acquisition and the buyer’s logistics program SOPs and rates the findings into levels of importance for timely adoption; critical, second tier and third tier variances. The critical issues require adoption as soon as possible while the other variances can be corrected over the course of time.

It is important to complete a followup audit(s). If there are critical issues, a followup audit might be completed after the buyer has been advised that the critical variances have been finalized, to independently confirm compliance has been obtained if deemed appropriate. Regardless, a one-year audit is recommended to examine all the variances in the gap analysis to determine the level of compliance to correct all originally identified variances.

Again, old habits and processes die hard. You will often hear, “We always did it this way.” It is important during the gap analysis to integrate local issues required as needed, as long as it does not compromise the goal of the SOP. The integrations, especially acquired foreign companies, can be difficult, involving politics by other units of both companies outside of the logistics, security and risk management units. It is critical that senior management of both the buyer and the acquisition company have “full buy-in” on the integration process to overcome the political infighting that can develop.

The best analogy of this process would be a chess game—complex and variable with many moving, interrelated parts.

Piracy Incidents Down

Steps taken by the international maritime community have paid off, reducing the threat of piracy in the Arabian Sea’s Gulf of Aden, according to the Allianz Global Corporate & Specialty Safety and Shipping Review 2014. The number of ships seized and hostages taken was down significantly in 2013. According to the International Maritime Bureau (IMB), piracy at sea is at the lowest level in six years—264 attacks were recorded worldwide in 2013, a 40% drop since Somali piracy peaked in 2011. There were 15 incidents reported off Somalia in 2013, including Gulf of Aden and Red Sea incidents—down from 75 in 2012, and 237 in 2011 (including attacks attributed to Somali pirates in the Gulf of Aden, Red Sea and Oman).

But while the number of incidents in this region has gone down, piracy attacks in other areas have increased in frequency, notably Indonesia and off the west coast of Africa. While most of these Indonesian attacks remain local, low level opportunistic thefts carried out by small bands of individuals, a third of the incidents in these waters were reported in the last quarter of 2013, meaning there is potential for such attacks to escalate into a more organized piracy model unless they are controlled.

The Gulf of Guinea region accounted for 48 of the 264 incidents in 2013. Of these, Nigerian pirates and armed robbers were responsible for 31 incidents, including two hijackings, 13 vessel boardings and 13 vessels fired upon. One crew member was killed and 36 kidnapped—the highest number of Nigerian kidnappings for five years, according to the IMB.