CYBER EXPOSURES IN THE SHIPPING, LOGISTIC AND OFFSHORE ENERGY INDUSTRY AND INSURANCE SOLUTIONS ON THE HORIZON

17th January 2018

Michael Hauer, Head of Marine, Asia Pacific

Andreas Schmitt, Head of Cyber, Asia Pacific

Picture credit: McIek/Shutterstock.com

EXPOSURES IN THE SHIPPING, LOGISTIC AND OFFSHORE ENERGY INDUSTRY AND INSURANCE ...gia.org.sg/pdfs/Industry/Marine/MKSS/SS36_Presentation... · 2018-01-24 · CYBER EXPOSURES IN THE


What is Cyber all about?

Cyber is a prefix used in a growing number of terms to describe new things that are being made possible by the spread of computers. Anything related to the Internet also falls under the cyber category. Source: https://www.webopedia.com/

Cyberspace is the non-physical terrain created by computer systems. Anything related to the Internet also falls under the cyber category. Source: https://www.webopedia.com/

Cyber incident: Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein. Source: CNSS Instruction No. 4009 (26 Apr 2010)


Motivation – Digitalization

Internet penetration – 5 billion minds expected in 2020

The Connected World

[Figure: Internet users, world population (in billions) and penetration (% of population), 2000–2017. Source: PHD Ventures, Inc]

Connectivity / IoT


Digital progress at the speed of light

Image: shutterstock

2021

+56%: 35.82 bn connected devices

+175%: 3.3 ZB internet traffic

Source Connected Devices: https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/

Source Internet Traffic: https://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/complete-white-paper-c11-481360.html


Digitalization in the Maritime Industry

Source: https://to2025.dnvgl.com/shipping/digitalization/

Source: https://www.joc.com/maritime-news/container-lines/digitization-challenge-recovering-shipping-industry_20170815.html/

Source: https://www.ge.com/digital/stories/from-connected-cars-to-connected-ships

• Higher automation on vessels

• More connectivity within the logistic chain and in Offshore Energy (Energy Sector uses 7% of Satellite Internet)

• More real-time data

• Robots taking over Offshore Platforms


Cyber Systems in Shipping Industry

Six major types of systems in shipping industry

Ships and safe navigation

Global Positioning Systems (GPS),

Electronic Chart Display and Information System (ECDIS)

Automatic Identification Systems (AIS),

Satellite communication

Cargo tracking systems

Marine Radar systems

Automatic Identification systems

Information and Communication Technology (ICT) systems


Data is the fuel of the Digitalization

Restricted Access

Image: used under license from shutterstock.com

No Access

Unwanted Access

Loss / Destruction

Outcome of Cyber Incidents

Economic losses are increasing without limits

Image: https://threatmap.checkpoint.com/ThreatPortal/livemap.html

The costs of cyber crime (in bn US $)

2016: 450 bn US$

2021: 6,000 bn US$

Source 2016: https://www.cnbc.com/2017/02/07/cybercrime-costs-the-global-economy-450-billion-ceo.html

Source Estimation for 2021: http://securityaffairs.co/wordpress/50680/cyber-crime/global-cost-of-cybercrime.html


Dimensions of cyber risks

Primarily third-party

Primarily first-party

Security

Liability

Reputation

Compliance & privacy

Costs

Unauthorized actions

Denial of service

Extortion

Electronic vandalism

Theft of data

Computer viruses

Accidental

Human Error

Technical Failures

Environmental (e.g. Fire)

Loss of reputation after cyber incident

by third party

own fault

Systematic posting of wrong information

Regulations & Law

Privacy laws

EU GDPR

HIPAA + HITECH

Gramm-Leach-Bliley

……..

Intellectual property infringement

Product/service failure

Privacy violation


Source: https://www.enisa.europa.eu/

Cyber Threat Landscape

Global ransomware damage → $5 billion (06/2017)

→ $325 million in 2015 → 15X in 2 years

→ 638 million ransom attacks in 2016


Source: Kaspersky Threat Landscape for ICS

Cyber is a substantial threat across many industries

Distribution of companies attacked by WannaCry and Petya by industry (May – July 2017)


Cyber Incidents in Marine

• GPS manipulation to falsify on-board navigation – July 2013

• Floating oil platform near Africa tilted to one side – April 2014

• Drilling rig not operable due to malware – 19 days BI

• Somali pirates track vessels' navigation online – 1 confirmed incident

• Cyber systems in Antwerp port hacked to locate specific containers

• Norwegian energy and oil and gas sector – > 50 cyber incidents (2015)

• USS Guardian ran aground off the Philippines (2013) – falsified charts

• Flaws in ECDIS software – unauthorized access to and modification of files (charts)

• A $100 VHF hack tool (AIS manipulation) – falsifies vessel’s information

• A major fuel supplier fell victim to an $18m scam

• Petya / NotPetya attack cost Maersk around 300 million dollars

• U.S. Navy hacked – 130,000 sailors’ personal data exposed

https://shiptracker.shodan.io/


Cyber Incidents and Vulnerabilities

Source: https://teiss.co.uk/news/clarksons-data-breach-ransom/?getcat=2934

Source: https://securityintelligence.com/attacks-targeting-industrial-control-systems-ics-up-110-percent/

Source: https://teiss.co.uk/news/british-airways-glitch-caused-human-error-confirms-aig/

Source: https://teiss.co.uk/news/cruise-ships-vulnerable-ransomware-physical-damage/

Source: https://teiss.co.uk/news/nuclear-submarines-vulnerable-cyber-attacks/


Threat Matrix

Threat Actors (Low to High)

| | Internal User Error | Opportunistic Hacker | Insider Threat | Hacktivist | Organized crime | Cyber-Terrorist | Cyberwar and Cyber espionage |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Motivation | None | Fun & curiosity | Money, grievance | Politics, Ethics | Money | Ideology & religion | Strategic |
| Target selection | Accidental | Coincidental & political | Grievance | Ideology & political | Individual & coincidental | Ideology, anti-western, collateral, media attention | Individual, collateral |
| Organisation | None | Partly | Well planned | Structured | Well planned | Regional | Perfect |
| Competence | Low to high | Low to high | Low to high | Medium to high | High | Low to high | Very high |

Image: used under license from shutterstock.com


Cyber risks are real in Marine - Overview

Marine Insurance

Cargo (Freight)

Hull (Ship, physical damage, P&I)

Marine Liability (Port operations, forwarder liability)

Energy (Offshore platform)

Trigger Damage

Cyber


Cyber Threats and Damages in Marine

Cyber Trigger

• Ransomware / Malware

• Advanced Persistent Threat

• Phishing

• Data Extraction

• Denial of Service

• Man-in-the-Middle Attacks

Losses / Damages

• Business Interruption

• Data Breach

• Wrong navigation / transportation of cargo

• Espionage / Piracy

• Physical Damage / Personal Injury

• Loss or damage to cargo


Which Cyber Exposures exist in Marine?

Marine Cargo

Comprehensive coverage against physical damage or loss of goods during storage and shipping, whether by land, sea or air.

Cover is broadly standardized with option for all risk or named perils.

Cyber Scenario Examples

• Physical Damage to Cargo due to a transport accident caused by Cyber attack

• General Average claims (as joint adventure with Hull)

• Delay and damage to Freight (perishable goods) in Reefer containers (power cut)

• Damage or delay to Project Cargo resulting in DSU

• Detour and Ransom


Which Cyber Exposures exist in Marine?

Marine Hull and P&I

Cover for physical damage of Hull and Machinery as well as general average and collision liability.

Protection & Indemnity cover for damage to third party property and crew

Cyber Scenario Examples

• Hacking into Navigation Systems causing:

  - Misdirection

  - Takeover of control, hijacking, ransom

  - Collision, grounding

  - Use of vessel as weapon (e.g. LNG carrier)

• Tampering with security and communication systems


Which Cyber Exposures exist in Marine?

Marine Liability

Cover of Liability assumed (Freight Forwarders, Warehousemen, Stevedores, Port & Terminals) for Cargo under Care, Control or Custody.

Cargo Insurers can take recovery from Marine Liability

Cyber Scenario Examples

• Hacking into logistic systems of ports, terminals or logistic companies

• Obtaining sensitive data about shipment (kidnap, destroy, theft, use for illegal shipment)

• Misdirection of Cargo to new recipient

• Business interruption of Cargo operation (P&T)


Which Cyber Exposures exist in Marine?

Offshore Energy

Cover for physical damage to Platforms & Wells, liability for pollution and third party as well as business interruption.

Cyber Scenario Examples

• Manipulation of Monitoring

• Shut down production, drilling control or an emergency shutdown system

• Physical Damage to equipment, Bodily Injury

• Loss of access to remote operations

• Loss of Well control

• Pollution, Business interruption


Which Cyber Exposures exist in Marine?

General Cyber threats

- Loss of Personally Identifiable Information (PII)

- Recovery of Data

- Cost to restore Reputation

- Legal Defense

- Extortion

- Loss of Market


Examples for Marine Policies & Silent Cyber coverages

Institute Cyber Attack Exclusion Clause CL 380

1.1. Subject only to clause 1.2 below, in no case shall this insurance cover loss damage liability or expense directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm, of any computer, computer system, computer software program, malicious code, computer virus or process or any other electronic system.

1.2. Where this clause is endorsed on policies covering risks of war, civil war, revolution, rebellion, insurrection, or civil strife arising therefrom, or any hostile act by or against a belligerent power, or terrorism or any person acting from a political motive, Clause 1.1 shall not operate to exclude losses (which would otherwise be covered) arising from the use of any computer, computer system or computer software program or any other electronic system in the launch and/or guidance system and/or firing mechanism of any weapon or missile.


How to assess Cyber Risks?

Cyber Security Framework

Identify: Asset management, internal risk assessment, …

Protect: Access control, awareness training, …

Detect: Anomalies & events, security continuous monitoring, …

Respond: Response planning, mitigation, …

Recover: Recovery planning, improvements …

Cyber insurance (powered by Munich Re)

Risk gap

Outage of external network


Cyber Product Landscape


Cyber Coverage Elements to be considered in the future landscape of Marine Policies?

Physical Damage (Assets)

Data & Software Recovery

“Data Breach”

Third Party Liability / incl. aspects of Bodily Injury and Property Damage

Costs (Notification, IT-Forensic, Crisis Management….)

Cyber Extortion

Non physical damage Contingent Business Interruption (Outsourcing activities)

Non physical damage Business Interruption

Physical Damage and consequential Business Interruption


Contact:

Andreas Schmitt – Head of Cyber Asia Pacific

E-Mail: [email protected] / Telephone + 65 6318 0724

Michael Hauer – Head of Marine Asia Pacific

E-Mail: [email protected] / Telephone + 65 6318 0772


10 Steps to Cyber Security (1)

1. Information Risk Management

Establish an effective governance structure and determine your risk appetite

Maintain the Board's engagement with the cyber risk

Produce supporting information risk management policies

2. Network Security

Protect your network against external and internal attack.

Manage the network perimeter + Filter out unauthorized access and malicious content.

Monitor and test security controls.

3. Malware Prevention

Produce relevant policy + establish anti-malware defenses that are applicable + relevant to all business areas.

Scan for malware across the organization

4. Secure Configuration

Apply security patches and ensure that secure configuration of all ICT systems is maintained.

Create a system inventory and define a baseline build for all ICT devices


10 Steps to Cyber Security (2)

5. Monitoring

Establish a monitoring strategy and develop supporting policies

Continuously monitor all ICT systems and networks.

Analyse logs for unusual activity that could indicate an attack

6. Incident Management

Establish an incident response and disaster recovery capability.

Produce and test incident management plans

Provide specialist training to the incident management team

Report criminal incident to law enforcement

7. User Education and Awareness

Produce user security policies covering acceptable and secure use of the organisation's systems.

Establish a staff training programme.

Maintain user awareness of the cyber risks


10 Steps to Cyber Security (3)

8. Home and Mobile Working

Develop a mobile working policy and train staff to adhere to it

Apply the secure baseline build to all devices

Protect data both in transit and at rest

9. Removable Media Control

Produce a policy to control all access to removable media

Limit media types and use

Scan all media for malware before importing into the corporate system

10. Managing User Privileges

Establish account management processes and limit the number of privileged accounts

Limit user privileges and monitor user activity

Control access to activity and audit logs


Assessment of cyber risks

The evaluation of the maturity of IT security assesses the covered exposure

1. Organization

2. Information security governance and compliance

3. Inventory and classification of assets

4. IT system hardening and encryption

5. Patch management

6. Malware protection

7. Application security

8. Network security

9. Access control

10. Risk assessment, incident management, disaster recovery and business continuity

11. Awareness
