October, being recognized as Cyber Security Awareness Month (NCSAM), calls for more attention on cyber issues and digitalization. Although we have discussed the numerous dangers and risks arising from a cyber-attack, a new point of view is here, the one of how a P&I Club responds to an attack.
In a recent digital discussion conducted by the American Club, the attendees focused on how a Club responds to a cyber threat and attack. The participants presented scenarios of a cyber-attack, as well as ways that a Club can help a vessel resume its operation.
The two scenarios
To begin with, Dr. Dennis Hackney, Head of Cyber Solutions Development, ABS Group, presented two potential scenarios of a cyber-attack.
In the first scenario he described threat actions that can be taken on the Dynamic Positioning (DP) system of an Offshore Support Vessel (OSV). In this scenario, if an attack occurs, control and redundancy of the DP is lost during station keeping resulting in an unsafe disconnect.
In this example what happens is that a USB is plugged in to update DP and botnet malware is installed on Workstation. As explained, Botnet performs network call out during station keeping.
DP control unit engage thrusters, articulates rudders, and/or surge engines resulting in disconnect during transfer.
The malware could cause loss of equipment, life, and possible environmental impacts.
In the second scenario, Dr. Hackney describes threat actions that can be taken against the automated ship ballast systems on a container ship.
Here, the Chief Officer’s control of the automated volume monitoring system, loadicator software, is compromised during a recent planned maintenance event.
The ballast pump rate, now incorrectly calibrated, prohibits the Chief Officer from completing the stability operation, resulting in lack of propeller submersion, decrease in engine efficiency, impact to Estimated Time of Departure (ETD), and even torsion stress on the hull and possible bending.
P&I Club moves
To better understand, the role of a P&I Club within the shipping industry is to cover shipowners, operators, and charterers for third-party liabilities encountered in the commercial operation of entered vessels.
To begin with, it is highlighted that
IG P&I Club rules do not exclude claims arising from cyber incidents, but they do not cover every consequence of every scenario.
According to Mϋge Anber-Kontakis, Global FD&D Manager & Counsel Shipowners Claims Bureau, Inc., there is no cyber exclusion in standard International Group of P&I Clubs (IG) P&I cover.
However, the Club covers a company if an attack was due to crew negligence or by an act of sabotage by a disgruntled former employee.
In addition, a Club will not cover a misdirected payment, as there is no third-party liability relating to vessel’s operation. A misdirected payment could result when cyber hackers gain access to shipowner’s or charterer’s email system. Payment intercepted by hackers impersonating shipowner or charterer leading to payments under charter party being misdirected to impersonator’s bank.
On the other hand, Mϋge Anber-Kontakis refers to the scenario, explained above, concerning the possibility of malware mistakenly installed by seafarer with USB stick that consequently interferes with a major shipboard system such as navigation or machinery.
In this case, it is noted that crew negligence is covered under P&I rules.
Similarly, if vessel diverts or collides, runs aground, damages third party property, causes injury or damages cargo, P&I covers liabilities, expenses and costs that may arise due to the incident.
During the webinar, Mϋge Anber-Kontakis concluded that “a lot of shipping players don’t realize the risk of cyber, unless they are affected.”
