COLUMN INSURANCETaking Cyber Risks Seriously Once, the stars were all that mariners needed to navigate the seas. Today, maritime companies rely on hi-tech systems to operate and navigate equally hi-tech vessels. All of that comes with new and signi? cant risks.By Christopher Cooke and John ColettiOn one side, auto- For the marine industry, areas of vulnerability include:mation has its ben- Company information: Breaches in computer networks e? ts, especially as can pose a threat to ? nancial, customer, employee and oth-crews grew smaller er proprietary data, putting it in the wrong hands. Hackers and ships got bigger. can take down a website and totally interrupt a company’s On the ? ip side, how- online operation. Like most companies, maritime compa-ever, marine technol- nies stores customer and employee information on com-ogy, like most other puter systems. For one, consider cruise lines who maintain technology, comes databases of their loyalty customers, in addition to the with its own risks. Today’s technologies often require In- more than 300,000 people they employ. By law in the US, ternet connectivity to function properly. A recent study by any breach of data that is deemed Personally Identi? able Boston-based security company Rapid7 found more than Information (PII) must be reported. PII is information 100,000 devices – from traf? c signal equipment to oil and that can be used on its own or with other information to gas monitors – were connected to the Internet using serial identify, contact, or locate a single person, or to identify an ports with inadequate security leaving them vulnerable to individual in context. When a breach occurs, most states breaches or hacking. mandate that companies notify those affected and often-Hackers seek and exploit weaknesses in computer sys- times, companies incur costs to provide credit monitoring tems and networks. They may be motivated by a variety of services.reasons, such as pro? t, protest, challenge or just the sport Ships: In another study, security ? rm Rapid7 was able to of it. Like most businesses, maritime companies can show collect information from 34,000 vessels around the world weaknesses in their computer systems and networks that using their automatic identi? cation system (AIS) receiver. many hackers would just love to exploit. Using this information they were able to identify and track individual ships, GPS coordinates and outgoing com-ISK ON THE ATERR W munications from every vessel involved, which included Hackers recently shut down a ? oating oil rig by tilting 29 law-enforcement vessels and 27 military ships. Somali it, while another rig was so riddled with computer mal- pirates help choose their targets by viewing navigational ware that it took 19 days to make it seaworthy again. Last data online, prompting ships to either turn off their navi-October, Tokyo-based cloud security ? rm Trend Micro gational devices, or fake the data so it looks like they’re Inc. said it discovered ? aws in ships’ mandated automated somewhere else. That doesn’t mean that others are watch-identi? cation systems, installed in an estimated 400,000 ing in other parts of the world. vessels, that can let attackers hijack communications of Ports: Hackers in? ltrated computers connected to the vessels and even create fake vessels. In another well-pub- Belgian port of Antwerp, located speci? c containers, made licized incident, researchers at Texas A&M University last off with their smuggled drugs and deleted the records. A year “fooled” an $80 million yacht off the coast of Italy as study last year by the Brookings Institution of six U.S. to its location by manipulating its GPS. ports found that only one had conducted an assessment In the maritime industry, the number of known cases of how vulnerable it was to a cyber-attack, and none had is low as attacks often remain invisible to the company, or developed a plan to response to an attack. Of some $2.6 businesses don’t want to report them for fear of alarming billion allocated to a federal program to strengthen port investors, regulators or insurers. But while it might be fun security, less than 1 percent had been awarded for cyber and games for hackers, a hacking incident can have signi? - security projects.cant and costly consequences for vessels and their owners. October 201418 MNMN Oct14 Layout 18-31.indd 18 MN Oct14 Layout 18-31.indd 18 9/18/2014 3:27:46 PM9/18/2014 3:27:46 PM