Palinurus Asleep at the Helm: USCG Warns of Need for Cyber-Ready Fleets in Wake of Recent Cybersecurity Breach

The slumberous snare
had scarce unbound [Palinurus’s] limbs, when, leaning o’er,
the god upon the waters flung him forth,
hands clutching still the helm and ship-rail torn,
and calling on his comrades, but in vain.!
…Yet were they drawing nigh
the sirens’ island-steep, where oft are seen
white, bleaching bones, and to the distant ear
the rocks roar harshly in perpetual foam.
Then of his drifting fleet and pilot gone
Aeneas was aware, and, taking helm,
steered through the midnight waves, with many a sigh
and, by his comrade’s pitiable death
sore-smitten, cried, “O, thou didst trust too far
fair skies and seas, and liest without a grave,
my Palinurus, in a land unknown!”
 
Vergil’s Aeneid, Book V, ll. 852 et seq.

These are Aeneas’s eulogizing words for Palinurus, the trusted helmsman of the lead Trojan vessel after the fall of Troy, who dozed off under the spell of the god of Sleep, let go the rudder of the ship, fell into the sea and drowned. This ancient mythic episode of omnipotent gods and fallible men serves as a poignant metaphor for the ultra-modern automated “smart” systems that, despite their power, remain as fallible as the men and women using them. And the maritime setting of Palinurus’s slumbering at the rudder is an ancient analog for the United States Coast Guard’s July 8, 2019 Marine Safety Alert entitled, “Cyber Incident Exposes Potential Vulnerabilities Onboard Commercial Vessels” (Cyber MSA) regarding a February 2019 “significant cyber incident impacting their shipboard network” aboard an ocean-going commercial vessel inbound to the port of New Jersey.

It bears noting at the outset that these allusions to ancient epics of the sea are not mere purple prose. The etymology of the word “cyber” has direct, deep-seated maritime roots. The word itself derives from the term “cybernetics,” a neologism coined by Norbert Weiner in his 1948 book about the science and architecture of biological and technical control systems. This word in turn was derived from the ancient Greek word (kubernētēs), the ancient Greek word for “helmsman” or “pilot” of a vessel. Thus, in a very real etymological sense, the much-discussed buzz-word “cyber” and related “cybersecurity” have their roots in the age-old operations of maritime trade.

It is fitting, then, that the Cyber MSA focused on the risk that shipboard malware, which had affected the vessel’s network and onboard hardware, might have had the capacity to disable the ship’s control systems – i.e., with the “helmsman”/Palinurus asleep at the digital rudder:

An interagency team of cyber experts, led by the Coast Guard … conducted an analysis of the vessel’s network and essential control systems… and found that the vessel was operating without effective cybersecurity measures in place, exposing critical vessel control systems to significant vulnerabilities.

This incident was reported to the Coast Guard by the vessel, presumably in recognition of the agency’s recent focus and reminder to the maritime industry (as most recently set out in a Marine Safety Information Bulletin, MSIB, in May) that cybersecurity breaches must be reported to the Coast Guard pursuant to the Maritime Transportation Security Act and related MARSEC regulations (as we have previously discussed on this blog):

As a reminder, suspicious activity and breaches of security must be reported to the [Coast Guard National Response Center, NRC] at (800) 424-8802. For cyber attempts/attacks that do not impact the operating condition of the vessel or result in a pollution incident, owners or operators may alternatively report to the 24/7 National Cybersecurity and Communications Integration Center (NCCIC) at (888) 282-0870 in accordance with CG-5P Policy Letter 08-16, “Reporting Suspicious Activity and Breaches of Security.”  When reporting to the NCCIC, it is imperative that the reporting party notify the NCCIC that the vessel is a Coast Guard regulated entity in order to satisfy 33 CFR § 101.305 reporting requirements. The NCCIC will in turn forward the report to the NRC that will then notify the cognizant Coast Guard Captain of the Port (COTP).

Notably, the May MSIB came in the wake of several so-called “phishing” attacks in which “[c]yber adversaries” were attempting to gain sensitive vessel information “using email addresses that pose as an official Port State Control (PSC) authority such as: port @ pscgov.org”; as well as “reports of malicious software designed to disrupt shipboard computer systems.”

And less than a month later, the Cyber MSA addressed another instance of shipboard malware, but noted that this particular security risk had actually been well-known aboard the vessel, to the extent that most crew would not use shipboard systems to check personal email, conduct financial transactions, or check bank accounts. And yet those same systems were routinely used for official business related to vessel operations, such as chart updates, cargo data management, and ship-to-shore communications (including with the Coast Guard). With modern “smart” vessels and shipboard systems, “with engines that are controlled by mouse clicks, and growing reliance on electronic charting and navigation systems, protecting these systems with proper cybersecurity measures is as essential as controlling physical access to the ship or performing routine maintenance on traditional machinery.” The Cyber MSA goes on to provide certain technical recommendations to improve shipboard network security, including (1) segmented network structures; (2) per-user profiles/password access; (3) avoidance of external media; (4) use of basic antivirus software; and (5) ensuring all systems remain up to date with security patches. With respect to item (3), the Cyber MSA noted that it was common practice on this particular vessel for USB drives containing cargo data to be plugged directly into the shipboard systems without sanitizing for potential malware.

The Coast Guard left absolutely no doubt about the importance of cyber hygiene in the modern shipping environment – suggesting, effectively, that it is a requirement:

Maintaining effective cybersecurity is not just an IT issue, but is rather a fundamental operational imperative in the 21st century maritime environment. The Coast Guard therefore strongly encourages all vessel and facility owners and operators to conduct cybersecurity assessments to better understand the extent of their cyber vulnerabilities.

These are strong words, particularly when the word “cyber” does not yet appear, in any of its variations, in any regulation promulgated by the Coast Guard.

And the Coast Guard’s framing of cybersecurity as a “fundamental operational imperative” in the maritime industry is all the more resounding in light of several cyber-related developments affecting multiple facets of maritime operations.

First, Lloyd’s of London, arguably the preeminent global marketplace for insuring (and reinsuring) maritime and offshore risks, issued a July 4, 2019 Market Bulletin mandating that by 2020 all policies issued through the Lloyd’s market must “be clear on whether coverage is provided for losses caused by a cyber event [and such] clarity should be provided by either excluding coverage or by providing affirmative coverage in the (re)insurance policy.” This mandate is intended to avoid the problem of so-called “silent cyber” coverage concerns, which refers to non-affirmative coverage of cyber risks that may not have been contemplated by the coverage wording, but which are not expressly excluded and thus may potentially be covered under otherwise broad general language. This problem was identified in a recent survey that – somewhat shockingly – revealed “a significant divergence in firms’ views of the potential exposure within [inter alia] Marine, Aviation and Transport (MAT)…lines [, with] firms estimate[ing] their exposure to non-affirmative cyber risk on these lines to be anywhere between zero and the full limits.” Thus, cybersecurity will certainly be (to the extent it may not have been already) a front-and-center issue on underwriters’ minds in terms of setting premium on maritime risks going forward. As such, underwriters will expect the maritime industry to be proactive and actively engaged in implementing and maintaining cybersecurity protocols and systems, and will limit coverages and set premiums accordingly.

Relatedly, the Coast Guard’s declaration that cybersecurity is a “fundamental operational imperative” raises the possibility (likelihood?) for claims of “cyber unseaworthiness,” an issue that might affect everything from insurance coverage, to general average claims and charter party disputes, to potentially (if property damage or personal injuries result from the incident) the right to limitation of liability and fault/negligence. And the potential basis for claims of “cyber unseaworthiness” are incrementally increasing as a result of the vast and rapid development of industry best standards and practices regarding cybersecurity over the past several years. For example, the American Bureau of Shipping in 2016 formulated a five-volume CyberSafety™ program (previously mentioned on this blog) setting forth detailed, systematic steps for ensuring cybersecurity at sea, and providing for ABS-issued certifications at both the management and individual vessel levels. Det Norske Veritas (DNV) likewise offers cybersecurity training, assessment, and certification to the maritime and offshore industries. And BIMCO, the world’s leading provider of charter party and other maritime contract forms, joined forces with Cruise Line; International Associations of Cargo Shipowners (Intercargo); Vessel Managers (InterManager) and Tanker Owners (Intertanko); the International Union of Marine Insurance (IUMI); Oil Companies International Marine Forum (OCIMF); and the World Shipping Council to issue The Guidelines on Cyber Security Onboard Ships (February 2016). Likewise, and most recently, BIMCO in May 2019 published the first “standard Cyber Security Clause that requires the parties to implement cybersecurity procedures and systems, to help reduce the risk of an incident and mitigate the consequences should a security breach occur.” This clause is intended for broad integration in and application across various maritime/offshore contract types. Thus, the industry has recognized and continues to foster diligence around cybersecurity issues, whether indirectly via certification/best practices or directly through contractual terms like the BIMCO clause. As a practical matter, there will be little if any room to argue ignorance or state-of-the-art in the context of potential “cyber unseaworthiness” claims.

And perhaps more importantly, the International Maritime Organization (IMO) has left no legal/regulatory doubt about the necessity of cybersecurity on the seas:

The [IMO] Maritime Safety Committee, at its 98th session in June 2017, also adopted Resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems. The resolution encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.

Thus, for vessels subject to the ISM Code – which includes some Coast Guard regulated vessels (see, e.g., 33 CFR 96.210(a)) – there will presumptively be a legally enforceable requirement (as of 2021) to address cybersecurity in order to remain ISM Code compliant. Further, as discussed previously on this blog, numerous currently in-force Coast Guard MARSEC regulations, Subchapter M inland towing vessel regulations and the Bureau of Safety and Environmental Enforcement’s SEMS regulations all currently include provisions that (in light of the growing body of cybersecurity industry and regulatory guidance) implicitly require proactive cybersecurity actions in the maritime sector.

But even this may not be enough. As a recent Wall Street Journal article mentioned, cybersecurity industry experts have pointed out that “new” IMO requirements slated for 2021 enforcement and originally developed in 2016 “already need to be updated” because “[t]hey don’t address the modern cybersecurity exposures created by mobility, applications, and the cloud.” James Rundle, Maritime Cyber Rules Coming in 2021 are Outdated, Critics Say (The Wall Street Journal, Pro Cyber News, July 18, 2019). In particular, this article notes that there is already a cargo vessel (the YARA BIRKELAN, owned by Norway-based Yara International ASA, a chemical and fertilizer producer) that is scheduled to be operating on a fully autonomous basis, with no human crew, by 2020. The imminent reality of fully automated vessels at sea brings with it the very real possibility of “cyber pirates at some point taking over an autonomous shipping vessel in the middle of the ocean.” Id. (quoting Michael Murray, general manager of cyber physical systems with BlackRidge Technology International, Inc.).

As ships, structures and systems that operate at sea become further integrated into the expanding digital seas of the “Internet of Things,” with more and more systems (i.e., station-keeping, engine speed controls/monitoring, AIS and electronically aided navigation) being taken over by automation and “smart” technologies, maritime industry actors have a “fundamental operational imperative” to know how their hardware and software interact and where and how the hardware/software interface may be vulnerable to inadvertent breakdown or nefarious attacks. Ignorance – innocent or intentional – of cyber issues will no longer be an excuse (if indeed it ever was) for avoiding the consequences of cyber breaches. Accordingly, the maritime industry must heed the Coast Guard’s mandatory advice, or like Palinurus, risk falling asleep at the automated rudder and drowning in the digital sea.