Trading Straits provides legal and business insights at the intersection of shipping, energy and trade compliance. This podcast series is hosted by Reed Smith’s market-leading team of cross-office and cross-practice lawyers. Join us to hear key developments across the industry, including on emissions, sanctions, LNG, shipbuilding and supply chain issues.
Tuesday Oct 15, 2024
Shipping and cybersecurity (part 2): What happens when it all goes wrong?
In part 1 of the series, partner Philip Thomas and associate Voirrey Davies highlighted the importance of cybersecurity in shipping. In part 2, they share tips on how to handle a breach, and provide their thoughts on the future of autonomous shipping.
Transcript:
Intro: Trading Straits brings legal and business insights at the intersection of the shipping and energy sectors. This podcast series offers trends, developments, challenges and topics of interest from Reed Smith litigation, regulatory and finance lawyers across our network of global offices. If you have any questions about the topics discussed on this podcast, please do contact our speakers.
Voirrey: Welcome back to Trading Straits. My name is Voirrey Davies and I am an associate in our transportation industry group, based in our London office. I am joined once again today by Philip Thomas, partner in our emerging tech team, also based out of London. This is our second podcast in our two-part series on shipping and cybersecurity. As a brief recap of our last podcast, we thought it would be helpful to go over again the definition of what cybersecurity actually is in the context of what we're talking about. Cybersecurity is the steps taken by an organization, both with regard to people and technology, to prevent cyber attacks from occurring or to minimize their effect. As we talked about in our last podcast, this differs from a data breach in various ways, which we won't go into again, but please feel free to listen to our podcast from last time if you want some more information on that. Our key takeaway from the last podcast was that it is vital to be prepared ahead of time. You don't want to be dealing with a breach with nothing in place. People are often the weak link in any sector, not just within transportation but in any industry area, and it's not because people seek to act maliciously; it's because hostile parties tend to target people. This is why training and robust policies for everybody in your team, which includes people working, as we would say, at the pointy end, so on the ships or driving the planes, is of utmost importance. Today what we're going to talk about is what happens when, despite all your best efforts and the most robust of policies, there has been a cyber attack and a corresponding cyber breach. I think really what the difficulty is, is trying to think about a cyber attack, because it can have just as big an impact as a physical casualty, like a fire or grounding, but it can be really difficult to envisage how it can actually affect a ship, a port infrastructure or a shipping company.
I mean, Philip, I don't know about you, but I personally think it's quite difficult to imagine something intangible like a cyber attack.
Philip: Absolutely. I mean, cyber attacks can take very different shapes and forms. In a transportation context, they can have a significant disruptive effect. And as we mentioned on our last podcast, it can even, in some instances, be a matter of life or death, particularly where the attack involves challenges to the safety of personnel. In terms of real world consequences, there's a raft of things to take into account. First of all, there's the disruption that the incident causes. There's the cost of remedying it. There's additional management time that could be taken up in trying to resolve it. You've got issues of reputational damage, potentially, because if you're seen to be an organization that suffers, or at least is vulnerable to, cyber attacks, that can impact your perception in the market. And it can also put you on the radar with regulators for all the wrong reasons. A recent example, although not a cyber attack specifically, was the CrowdStrike outage, which, as many of you will know, exposed the vulnerability of people's IT systems when you're reliant on a single service provider or a limited number of service providers. In that instance, the disruption came as a result of an update that wasn't carried out properly, but it had the same disruptive effect, where systems went offline for most of a day. Airline flights were canceled, businesses were disrupted. And so that just gives a bit of a flavor of how bad it can be.
Voirrey: Yeah, I mean, I think the CrowdStrike incident was a really great example of how the world can just grind to a halt with one issue at one company. It really got into the news and, whilst there were a lot of fears that it was a cyber attack, it was probably a bit of a relief to find out that it was just an update that had gone wrong. While you were talking, I was thinking about some more specific cyber attacks I can think of that were related to assets, so to ships or to planes. There was a well-publicized incident just in March of this year, so only a few months ago, where a Royal Air Force plane carrying Grant Shapps, who was then the Defence Secretary of the UK, experienced a GPS-related incident near Russia: the GPS of the plane was jammed, which affects the navigation system of the plane. So it was really quite dangerous to find a plane in that kind of position, and you have to think about the potential effects there on commercial airlines as well. This ties in: GPS spoofing and GPS jamming are not, I wouldn't say, common instances in the shipping industry, but the number of attacks has definitely been increasing. I think we briefly spoke about this in the last episode, but there's a case that came to us, and obviously I'm not going to go into details about the parties involved, but basically the GPS of our client's vessel had been spoofed, and that meant that the ship's AIS system, which essentially shows where the vessel is and relies upon GPS to provide a position, actually showed that the ship was on land. In fact, I think it was in a car rental shop in the middle of the nearest city. And it resulted ultimately in a collision happening.
Now, anyone who's listening to this and knows anything about collision regulations knows very well that relying on AIS for collision avoidance is not acceptable. However, it was a contributory factor to this accident happening. It was what we would describe in the industry as a “holey cheese” moment, where there had been lots of issues that had happened; it had gone through all the holes in the cheese and resulted in this collision. So whilst this incorrect GPS position was not solely causative, it was a significant factor, and I'd say all of these examples we've just been discussing together show that a cyber attack has a very real world consequence. So what do you think?
Philip: I agree, I agree, and I think the way you should think about cyber breaches in a shipping context is to think about them like any other casualty. I mean, you'll know from your wet shipping work that a casualty can involve a grounding, a collision between vessels or a container fire. And it has parallels to a cyber breach, because you often have a sudden, dramatic incident that is fast moving. Sometimes the fact pattern changes quickly. And in both instances, you need a responsive team to help you to identify and contain the incident as well as deal with the fallout. And so I think if organizations get to a situation where they treat cyber preparedness in the same way as they would casualty prevention, then I think you're on the right track.
Voirrey: Yeah, I think treating a cyber attack in the same way as any other casualty is the best way of looking at it, because it is a casualty; it's just wearing a different hat to the ones that we're used to. I know when I was at sea we did training all the time on how to respond to a fire. You did fire drills, you did lifeboat drills, man overboard, all those kinds of what we would call, I guess, “standard” marine casualty situations. And now, working here at Reed Smith, I'm part of the casualty and admiralty team, and the best, most efficient way of dealing with a casualty is that the person on the ship, which is usually the master, calls the correct person shoreside, which is normally the designated person ashore. That person essentially activates a shoreside emergency room. All of their relevant people will come in to start dealing with the situation. But they also call their external people, and this is where, for example, we might get a call to go out and attend to a casualty; we fly all around the world doing that kind of work. And it's not just shipping lawyers or casualty lawyers. With a cyber breach you need to make sure that not only have you got someone that understands shipping, but you've got someone that understands in great detail what to do with the different regulations around the world, because, my understanding being fairly basic on this one, Philip, different countries have different regulations and they all require different things that you need to do as regards reporting. I think having that expertise to hand is definitely the way to go. Philip, off the top of my head I can think of this NIS-2 directive that's been going around, but maybe you could expand a bit more on these kinds of regulatory requirements.
Philip: Exactly. I mean, I think the first thing to say is that the cybersecurity regulatory landscape is very fragmented. So, as you say, different laws apply in different jurisdictions, although there is some commonality in the EU, for example, and in the UK, when it comes to things like the NIS-2 directive, which will come into force fully in October of this year. You've got the Critical Entities Resilience directive, which also applies to transportation companies, as they're deemed essential services. So you've got a growing landscape of laws that you need to navigate. And one of the particular concerns here is that if you're unlucky enough to suffer a major cybersecurity breach, you've not only got the fallout of that incident to address, to contain and to think about ([but] do I need to notify any regulators of the incident?), it may also put a spotlight on what you've done as an organization to comply with those regulations. What we've found, certainly in a data breach context, is that often some of the biggest fines that have been levied on organizations have been less about the fact that a breach occurred in the first place and more to do with the organization's lack of preparedness. Because when you're notifying the regulator, or when the regulator finds out about it, you then have to explain what you had in place: what policies did you have in place, what training did your staff have, what technological measures, what administrative measures, what organizational measures did you have in place to safeguard against this risk? Are you independently certified, for example, to any industry standards on cybersecurity?
Voirrey: Yeah, and I have to say that's really not that different to what shipping companies are already required to do. Under the ISM Code you need to have a safety management system, so you need to be able to say what you do, which is the policies, and you need to do what you say, so follow the policies, and then you need to be able to prove it, so you need to prove that you've been doing it. That's the very basic summary of what a safety management system is, and it sounds like it's basically exactly the same thing for data breaches.
Philip: Exactly, and you touched on a great point, which is the cybersecurity impact on seaworthiness at the end of the day, because if your assets are vulnerable and compromised, then depending on what the shape of that cyber incident is, it may impact the safety and seaworthiness of the vessel.
Voirrey: Yeah, and I think that very, as we keep saying here, real world impact of a cyber attack, the safety of the vessel, the cargo and the environment, is potentially all put at risk. We did briefly discuss this in the last episode, but vessels having their GPS, or now, with this advent of real-time data coming to vessels, their ECDIS systems, hacked and getting false navigation data, and finding yourself in the waters of a hostile state and potentially being arrested, that is a serious issue for any ship owner. Because not only have you now potentially got an asset that's been arrested, you're going to be facing claims from charterers and from cargo interests. It definitely opens a door to significant issues for the owners there if they've left themselves vulnerable.
Philip: Exactly as well as reputational risk.
Voirrey: Well, absolutely. I mean, you don't want to be known as that ship owner whose ships keep getting hacked into and arrested. And I think technology is there to make things easier; that's supposed to be the point. But with technology, and new technology in particular, it comes with new and sometimes much more complicated risks that we don't necessarily think of straight away when you get the new jazzy piece of technology on your ship or on your airplane.
Philip: Agreed, and I think we touched upon this on our last podcast, which is that the more connected devices you use, the greater the risk. I mean, the benefit obviously is that it makes things more efficient for you, and it has all the benefits that come with connected technology, but equally you're potentially more vulnerable the more you use it. And that's not to dissuade organizations from using that technology. It's more the point that it's even more important to prepare for cyber risk.
Voirrey: Preparedness and being proactive, I would say, have definitely been the running themes of these two podcasts that we've done. There is now legislation that already applies to the wider transportation industry, and I think it is going to be quite interesting to see how legislation from other organizations such as the IMO develops over time as we get more real-time data and the advance of autonomous shipping: how that's going to be legislated with regard to cybersecurity and robustness, and how that's then going to have an impact on how autonomous shipping develops as we move forward. When ECDIS was first thought of and created, the legislation that governs it developed over time and ultimately became a requirement for all vessels over a certain size to have ECDIS on board. So the industry is not averse to technology, but I do think it needs to go hand in hand with proactive guidance.
Philip: Agreed. So what takeaways do you have?
Voirrey: I would say from today's podcast, my key takeaway is that a cyber attack should be treated as any shipping casualty. You need to act swiftly, you need to take control of the narrative, and you need to ensure your team really knows what to do. They need to have trained, they need to know who to call, they need to know how to react to these kinds of incidents. And by team I mean everybody from the ship's crew all the way through to the people in the head office who are going to be receiving that call from the ship. It really does take a village, and that's something that I hope we have made clear throughout this. You need a wide team of experts that can help you deal with this situation in the most efficient and effective manner, to help you regain control, potentially, of your assets or your systems, and also to minimize reputational damage to you and your company. That would be my key takeaway, Philip.
Philip: I agree with all of that. I would also add that it's worth knowing what the international landscape looks like, because if you can track what the cyber requirements are across your geographical spread, then at least you know what you're dealing with, and these requirements often overlap to a significant degree. So one way to minimize anxiety about this is to know what you're up against, so that you know what you need to prepare for.
Voirrey: Well, we are a very global industry, so I think knowing what's going on wherever you are operating is definitely a key takeaway from this. Thank you, everyone, for listening. We hope that you join us again on Trading Straits.
Outro: Trading Straits is a Reed Smith production. Our producers are Ali McCardell and Shannon Ryan. For more information about Reed Smith’s Energy and Natural Resources or Transportation practices, please email tradingstraits@reedsmith.com. You can find our podcasts on podcast streaming platforms, reedsmith.com and our social media accounts at Reed Smith LLP.
Disclaimer: This podcast is provided for educational purposes. It does not constitute legal advice and is not intended to establish an attorney-client relationship, nor is it intended to suggest or establish standards of care applicable to particular lawyers in any given situation. Prior results do not guarantee a similar outcome. Any views, opinions, or comments made by any external guest speaker are not to be attributed to Reed Smith LLP or its individual lawyers.
All rights reserved.
Transcript is auto-generated.