The Maritime Risk Podcast

In the first year that the Bank of England has agreed to include a maritime realistic disaster scenario into its general insurance stress test, the University of Plymouth’s Maritime Cyber Threats Research Group was asked to propose an appropriate maritime cyber stress test.

The stress test proposed concerns threat actors gaining access to the bridge systems of commercial seagoing vessels and compromising the control systems.

The intrusion goes undetected for weeks until the threat actor locks the rudder and propulsion system of a container ship causing it to hit a quay in the port of Singapore. A day later, the threat actor causes another container ship to hit a quay and cranes in the port of Los Angeles.

Physical damage is caused to the quay and cranes, there is some loss of cargo and some hull damage. The threat actor threatens further accidents unless a US$50 million ransom is paid by each of the top five cargo shipping companies (as measured by twenty-foot equivalent units (TEU) capacity).

As a precautionary measure, many ships stop their journeys and all container port authorities close their ports until the bridge systems of impacted ships are checked, disrupting the maritime supply chain accounting for 90% of world trade in goods.

It takes three days to determine which elements of the bridge system have been compromised and two more days to develop a solution.

The motivation of the threat attacker is more political than financial with the ransom demand adding to the confusion.

Our speaker today is Professor Kevin Jones, who, as a Director of the Maritime Cyber Threats Research Group, played an integral part in the submission of this RDS.

The scenario was conceived in line with the University’s work as part of the €7 million Cyber-MAR project, which aims to develop greater awareness of the cyber threats facing the global shipping fleet and the most effective ways of countering them.

It was then demoed in the Cyber-SHIP Lab, a unique, hardware-based maritime cyber security research and development platform supported by funding from Research England and several industry partners.

Speaker - Professor Kevin Jones

Kevin is the Executive Dean, Faculty of Science and Engineering at the University of Plymouth.  As a Director of the Maritime Cyber Threats Research Group, Kevin is currently investigating some of the most pressing technological threats posed to global shipping at all levels from theory through to practice. Under Kevin’s leadership the group has published widely on the security challenges facing the maritime sector, developed partnerships with businesses and in 2018 was the only UK representative at the US Coast Guard panels on Maritime Cyber Security. Finally, Kevin is playing an integral part in the recently formed Cyber-MAR network, a €7million European network which aims to enhance cyber preparedness across the maritime sector. 

Bitesize Risk Podcast 

Welcome to this the 12^th episode, in the series of Shoreline’s Maritime Risk podcasts.  Today, your host Captain Thomas Brown has the pleasure of speaking with Antonio “Johnny” Martinelli.  Johnny came to our attention when he appeared in this year’s Maritime Cyber Conference, ‘Hack the Port’ in Florida.  Johnny is currently the Director of Cybersecurity Training with the Grimm Security Engineering group but is most well-known for his work on the American TSA Master Key leaks between 2014 and 2018.

Today we will discuss remote vessel access, the potential consequences of a failure to detect malware embedded within shipboard IT and OT systems and the risk of virus migration from ship to shore and the possible consequences thereof.

Speaker Bio

Antonio “Johnny” Martinelli is a predominant personality in the Information Security community, most well-known for his work on the American TSA Master Key leaks between 2014 and 2018 and the Venmo public feed scraping exposures in 2018. Currently the Director of Cybersecurity Training with the Grimm Security Engineering group, he has formerly partnered with Australian firm 'Kasada' to defend against the automated abuse of web infrastructure and was the lead consultant on Uptake, Inc's Industrial Cybersecurity Platform. Prior to this, he spent many years in the field as a penetration tester, focusing heavily on both IT and physical security of financial and medical facilities, Security Engineer for a global Fortune 500 retail corporation, and Mainframe auditor and Systems Engineer for several IT asset recovery firms.

In this bitsize episode Shoreline discusses a malware at sea attack with Cyber Owl’s CEO – Daniel Ng.

Cyber Owl provides maritime cyber security monitoring services, in this episode, we hear how Cyber Owl detected a malware attack on a number of vessels within a shipowner’s fleet whilst at sea.

Daniel walks us through the process of detection, confinement and neutralization of the malicious code embedded within shipboard IT/OT systems.

This type of attack can and does happen to ships at sea, find out how to deal with this modern day risk by listening to the experts.

9 minute listen. 

Episode 10 is brought to you by myself Captain Thomas Brown who will be in conversation with Max Bobys.  Max leads Hudson Cyber, a division of HudsonAnalytix.

Hudson are a company Shoreline has a long relationship with, dating back to the early days of OPA 90 and the requirement for QI and OSRO services.

In more recent times Shoreline has welcomed Max’s input when developing Shoreline’s insurance risk transfer solutions namely ICCI and MCI.

Max is hugely experience in the sphere of cybersecurity acting in an advisory capacity to many national in international agencies whilst also authoring many publications on the subject.

In this episode, we check in with AcrisureRe's Cyber Practice Leader Tom Quy.
Tom provides a thorough explanation of the current cyber insurance market dynamics, how the cyber threat is evolving and what his means for buyers of maritime cyber insurance.

Host: Captain Thomas Brown CEO Shoreline
Guest: Anthony Hess CEO Asceris

Intel’s legendary co-founder and former CEO Andy Grove put it best when he said,

“Success breeds complacency. Complacency breeds failure. Only the paranoid will survive.”

When a shipping company measures success by its historical ability to avoid a cyber-attack, it becomes complacent and ever more prone to attack.

Only by being paranoid and meticulous in its continual cyber risk assessment, from which flows the implementation of its cyber security and risk transfer strategies will a company become more cyber resilient, thereby surviving and prospering in this internet age.

In Episode 8 of Shoreline’s series of Maritime Risk Podcasts, Shoreline’s CEO Captain Thomas Brown speaks to Anthony Hess, the CEO and co-founder of cyber response company Asceris, to address the issues of cyber claims quantification and analysis.

When you become the victim of a successful cyber-attack what does that look like, what are the likely financial losses your company may have to assume and how do you recover and get back to business?

We also discuss the value of Maritime Cyber Insurance as an integral part of your company’s overall cyber risk management strategy and discuss the ancillary benefits of the insurance cover that go beyond financial risk transfer.

If you are struggling to understand and quantify the size of your cyber risk exposure we can highly recommend listening to this very insightful discussion to hear the thoughts of a cyber risk professional who has responded to 100’s if not 1,000’s of cyber-attacks both large and small.

Shoreline’s Cyber consultant Nick Taylor we will be speaking to Julian Clark.  Julian is the Global Senior Partner at Ince and Co. and also heads up Ince Maritime’s new cyber initiative. The time to speak about the legal and insurance issues as they relate to maritime cyber risk has never felt more prescient than it does today. With the exclusion of silent cyber risk from property and liability policies of insurance, ship owners are forced to look for ways in which they can plug gaps in cover, and; from a regulatory perspective, with the new IMO 2021 Cyber requirements now in play, there is a greater focus on the need for clear company policies on cyber security both at sea and ashore. More prominence is being given to the delineation of Cyber risk and liability when drafting legal contracts.  Cyber risk is now center stage when agreeing charter party terms and / or entering into contracts for service or supply with third party vendors. In today’s podcast we will delve deeper into these modern day problems and discuss the size and shape of the issues at hand, whilst also focusing on how shipowners may mitigate and transfer these cyber related risks out of their companies.

The shipping and commodities industries have found themselves at the forefront of sanctions developments in recent months. 

 As the United States continues its campaign of sanctions against Iran, North Korea, Syria and Venezuela, the Office of Foreign Assets Control or ‘OFAC’, is increasing the pressure on the maritime and commodities industries to require sanctions compliance.

My name is Nick Maddalena, a consultant for Shoreline, the specialist insurer that provides pioneering maritime insurance solutions on a global scale for US trading and beyond.

In this, the latest in the series of Shoreline’s Maritime Risk Podcasts, I discuss with two leading experts the maritime sanctions ‘seascape’ and the risks and repercussions to shipowners of non-compliance.

Mike Salthouse is a member of the senior leadership team at North Group and a qualified lawyer. He has led industry engagement on the topic of sanctions with the US, EU and UK governments since 2011.

Ron Crean leads global energy, maritime and insurance at Windward. His 27 year maritime career spans shipbroking, liner shipping, tanker chartering and ports and he was one of the pioneers of using AIS data to track commercial shipping starting AIS Live in 2004.

Facilitation payments have long been the scourge of the port visit for the deep-sea master. The outstretched hand, the muffled request; that sinking feeling in the pit of your stomach when you realise you have no option but to facilitate the permission needed for ship operations to progress smoothly and unencumbered.

It's the asymmetry of the risk versus remedy equation that has taxed the conscience of many a ship's master, with the risk being, delay to the vessel's operating schedule and the remedy being a carton of cigarettes and a bottle of whiskey. The inequality of this simple financial equation has allowed this petty crime to become more and more pervasive over time.  

For too long now the ship's Master has balanced on the horns of this rather annoying dilemma, being dammed if he does and dammed if he doesn't. On the one hand, he has his legal and contractual obligations which should prevent such a transaction taking place, and on the other, to fail to do so may lead to delay and the loss of many thousands of dollars for his owners and the loss of his livelihood should he fail to meet the swingeing time pressures that accompany charterers orders.

In this podcast, Shoreline’s CEO – Captain Thomas Brown review’s this very real maritime risk and discusses ways in which the industry is fighting back and changing through the collective action of the many and the expertise of the few who have the vision to create a better industry outcome.

We will look at the prevention and the cure.

Prevention being the mandate of the Maritime Anti-Corruption, which has made great strides over recent years to curb these shady practices, offering support and advice to shipowners and their seagoing masters to prevent the practice of bribery at sea and; the cure will be discussed with our colleagues at Control Risks who have responded to many a cry of help from their shipowner and insurance clients when caught in this crosshairs of this criminal activity. 

About the Contributors

Cecilia Müller Torbrand

MACN Executive Director

Cecilia leads MACN. She was one of the front drivers for its establishment in 2011, and has served as chair of the network and as collective action lead in the MACN Steering committee.

Vivek Menon

Head of Collective Action and Partnerships (EMEA)

Vivek leads MACN's collective action programs within the regions of Europe, the Middle East, and Africa. He is primarily responsible for collective action projects in West Africa, with a focus on Nigeria.

John Bray

Control Risks – Director

John Bray is a risk consultant and policy specialist with more than 30 years' experience in Asia, Europe and Africa. His particular areas of expertise include anti-corruption strategies for the private sector; business and human rights; and private sector policy issues in conflict-affected areas.

Asia Pacific │ Social Risk and Impact Assessment│ Political & Economic Risk Consulting │ Corruption Risk Assessment & Analysis

Just before midnight on October 3^rd 2020, the ten year old, Maltese flagged, Greek owned, Aframax tanker - MV Syra suffered an explosion and damage to her forward section, whilst taking on crude at the Bir Ali crude single buoy mooring system, located in central Yemeni waters. The explosion was thought to have been caused by a sea mine or floating improvised explosive device.

 Today Shoreline’s Captain Thomas Brown was joined by Cormac McGarry and Ashley Halabi of Control Risks to analyze the news of this attack on one of Shoreline’s client vessels.

News reports have further suggested that significant pollution may have been caused by the explosion whilst a number of floating objects reported in the vicinity of the tanker were reported to have subsequently exploded.

This is a worrying development in maritime security for vessels navigating and operating within the Gulf of Aden and Yemeni waters.

Shoreline acts as COFR guarantor for much of the petroleum cargo shipped from this part of the world to the US and hopes this podcast will provide useful insight and information to their clients operating in this particularly volatile part of the world.

Cormac McGarry - Senior Analyst, Maritime - Control Risks 

Cormac is part of a specialised analytical team, spread across the world, dedicated to global, international and supranational issues where his primary responsibility is to manage Control Risks’ maritime intelligence and security services. 

Ashley Halabi - Researcher, Middle East and North Africa - Control Risks

Ashley contributes to analysis of political, security and operational risks in the Middle East and North Africa and leads on Lebanon and Yemen. She writes analysis on political and security developments and their implications for commercial activities. She also contributes to bespoke consulting reports for clients in a range of sectors and jurisdictions. Ashley monitors and logs incidents related to civil unrest, terrorism and war in the Middle East and North Africa.