Cybersecurity at US ports is basically nonexistent, and actions taken by federal agencies to address the issue have been limited, according to a recent report from the US Government Accountability Office.
Furthermore, cyber risk may be specifically excluded in port operators' liability insurance policies.
The GAO said more than $1.3 trillion in cargo is handled annually at about 360 commercial sea and river ports, but the US Coast Guard and Federal Emergency Management Agency have yet to fully address cyber threats, vulnerabilities and consequences of an attack.
The Coast Guard has assessed risks dealing with physical threats to ports, but as of its latest published risk assessment it has not considered risks related to cyber threats, concluded the GAO, which examined the steps the Department of Homeland Security's component agencies have taken to address cybersecurity at US ports while reviewing pertinent laws, policies and regulations.
“Without a thorough assessment of cyber-related threats, vulnerabilities, and potential consequences to the maritime subsector, the Coast Guard has limited assurance that the maritime mode is adequately protected against cyber-based threats,” said the GAO. “Until the Coast Guard completes a thorough assessment of cyber risks in the maritime environment, maritime stakeholders will be less able to appropriately plan and allocate resources to protect the maritime transportation mode.”
The GAO found that federally mandated security plans for the maritime industry generally do not identify cyber risk.
“Our observations for the entire maritime industry, and not just for the ports, is that cybersecurity is an area which has not been prioritized adequately,” said Lars Jensen, CEO and co-founder of maritime cybersecurity firm CyberKeel. He said the company plans on issuing a white paper, tracking the entire journey of a shipping container, later this year.
The need to plan for cyber-related threats has never been greater, reported the GAO. Information and communications technology is increasingly relied upon to move cargo through ports. Potential threats include hackers, insiders, criminal groups, competitors, bot-network operators and terrorists. An attack may cause trade disruption, theft, physical damage or loss, injury, or death.
“Vessel navigation and propulsion systems, cargo handling and container tracking systems at ports and on board ships, and shipyard inventories and automated processes are all controlled using software that is fundamental to smooth-running operations,” according to a report by Marsh’s Global Marine Practice. Hypothetically, if a vessel traveling through the Panama Canal were disrupted by a cyber attack and blocked the channel, “it would have significant economic impact around the globe,” Marsh added.
But a decade-old exclusion in insurance and reinsurance policies–CL 380–continues to prevent cyber-related coverage for shipyards, cargo-handling facilities and vessels following a cyber attack, according to Marsh.
Sean Dalton, executive vice president and head of the marine division at Zurich, said the exclusion is not widely used. Rather, policies remain vague on coverage for cyber-related loss. A cyber attack on a port would result in a complex claim, and it remains unclear where coverage would come from if a cyber attack results in theft of cargo or a delay in delivery.
“The industry runs a big risk to stay silent [on cyber coverage in marine policies],” he said. The American Institute of Marine Underwriters is investigating the issue, looking to ISO for guidance.
Dalton said insurers value contingency plans more than preventive action, since no preventive measure can remain foolproof for very long, if at all.
“Resiliency is key,” Dalton said. “Contingency plans–developing an alternate means to maintain business-as-usual–is sought after. How will operations respond?”
On this point, Dalton said the maritime port industry draws from past experiences such as its preparations for Y2K and the disruptions felt following Superstorm Sandy.
Marsh said a small number of major insurers have turned the corner on CL 380 and are prepared to offer capacity for cyber-attack risk. The broker said a company could buy as much as $200-$300 million in coverage by the end of 2014.