Shipowner headaches: cyber threats, data quality, liability risks

The International Association of Classification Societies is introducing unified requirement E26 covering the cyber resilience of newbuild ships, and E27 covering the electronics, networks and integrated systems on board. Both will be applied on ships being built after 1 July 2024.

IMO is also planning to revise its global cyber security, safety and risk management legislation after it introduced amendments to safety management systems to include cyber risk management in 2021.

“The shipping industry has been slow to respond in the regulatory world, by waiting for something to happen then dealing with the situation,” said Ms Davies, She urged shipowners to have cyber policies and strategies in place when security breaches occur.

“With real-time data, it is even more important to have security policies in place,” she said, “and in the future, we are heading for AI and autonomous shipping.”

Mr Thomas agreed in the importance of having policies and cyber awareness training in place prior to companies having to deal with an incident. “Safeguarding against cyber threats is vital as a lack of preparedness can lead to an incident.”

The major challenges for owners come from cyber threats, poor data quality, misreporting and liability risks. “Cyber threats are becoming more sophisticated in size and scale,” he continued. There have been recent incidents on ships, with shipping companies and ports having ransomware lock up data, and hackers changing manifests and taking over assets.

“An AI system is only as good as the data in its algorithms” 

Criminals now have more opportunities with increasingly connected networks and ships. While most incidents have targeted companies for ransom money, there are potential issues from cyber incidents, such as ship collisions, groundings or vessels sailing off course.

“Shipping companies, on a basic level, need to be alert to this and be best placed to protect assets,” said Mr Thomas.

“Training is important as a key vulnerability is people becoming the subject of cyber attacks. Important for protecting against this is training crew on cyber awareness – to identify, report and contain.”

Data quality is important for analytics as programs will not deliver the intended outcomes if inaccurate data is provided. “Rubbish in results in rubbish out, and generates differences between projected and actual results,” said Mr Thomas.

There is also a misreporting risk for internal reporting and for external reporting obligations for IMO, flag and port states and regional authorities. “There could be issues and liability risk. Crew would be liable for misreporting data.” It could take time to work out who is at fault, whether it is an equipment manufacturer, shipowner, master, crew or a malicious actor. “There is no easy answer for this yet,” said Mr Thomas.

Under existing regulations, it is important for shipowners to demonstrate the seaworthiness of ships, including cyber resilience and redundancy in ECDIS and to have back-ups on a different server for business continuity. “System security is important and so is having a cyber breach response strategy, to report, respond and contain if an incident happens at sea,” said Mr Thomas.

Data sharing and AI

“Regulatory requirements mandate minimal cyber security for electronics on board, but it is a complex multifaceted framework.” This is made more complex with demands for data sharing with regulators, charterers, port state control, class and other third parties. Shipowners have a “duty of care and responsibility of data sharing” and often share in good faith. But there remains questions on the accuracy and reliability of data being shared and confidentiality agreements to ensure it is not shared further.

In the medium term, there will be more cyber, data quality and sharing issues to tackle, as AI is increasingly used for detecting patterns not noticeable by human analysis, generating more accurate and swifter results for optimising vessel operations and voyages.

“An AI system is only as good as the data in its algorithms.” With bad data, an AI could be “hallucinating and generating random results, resulting in system issues,” said Mr Thomas. AI is vulnerability to cyber threats and solutions rely more on third parties.

It is up to shipowners to ensure they have risk mitigation procedures, train staff to be more cyber aware and be prepared to respond to security concerns.

Webinar poll results

Attendees were asked to vote on a series of poll questions during the webinar. Here is a summary of the results.

According to a recent report by IBM, what is the average cost of dealing with a cyber-security incident?

£38,000: 0%

£380,000: 45%

£3.8M: 55%

Do you have a defined strategy and policies to address cyber risks in your business?

Yes: 32%

No: 10%

Some: 58%

How confident are you that these policies cover your vessels, including your use of ECDIS?

Very: 9%

Somewhat: 55%

Not sure: 36%

Not at all: 0%

How can the maritime industry best prepare for the future of ECDIS, data analytics and autonomous shipping?

Invest in research and development to advance these technologies: 10%

Foster collaboration and partnerships among industry stakeholders: 20%

Develop comprehensive training and education programmes for the workforce: 0%

Actively participate in the development of international standards and regulations: 40%

Adopt a proactive approach to risk management and contingency planning: 30%

Which of the following is the most significant challenge in the development and implementation of autonomous shipping systems?

Ensuring the safety and reliability of autonomous navigation and decision making: 42%

Addressing the regulatory and legal implications of autonomous shipping: 50%

Developing robust cyber-security measures to protect against threats: 8%

Adapting crew roles and responsibilities to accommodate autonomous systems: 0%

Integrating autonomous systems with existing bridge equipment: 0%

Which of the following is the most important factor in the successful adoption of ECDIS and data analytics technologies?

Robust standards and guidelines for development and implementation: 25%

Strong cyber-security measures and breach response strategies: 25%

Collaboration and knowledge sharing within the industry: 1%

Regulatory and legal frameworks that accommodate new technologies: 25%

Quantifiable return on investment for shipping companies: 14%

What is the most significant potential benefit of leveraging artificial intelligence in ECDIS and data analytics systems?

Optimised route planning and fuel consumption: 25%

Enhanced vessel performance and operational efficiency: 36%

Reduced crew workload and human error: 0%

Improved safety and situational awareness: 39%

Enabling the development of autonomous shipping systems: 0%

(Source: Riviera)

On Integrating ECDIS and analytics for optimal vessel performance webinar panel were: Reed Smith technical and data group partner Philip Thomas and associate of the transportation industry group Voirrey Davies.