News and insights

The last few years have highlighted the increasing level of interest that cyber criminals have in the global supply chain. The world’s four largest liner operators have all suffered from cyber-attacks and most recently, in May 2021, the U.S Colonial oil pipeline fell victim to a sophisticated ransomware attack.

It seems then that those involved in the transportation and trade of goods must be mindful of the risks and legal obligations engaged by heightened cyber threats. Especially due to the never-ending reliance on interconnected technologies and the onset of automated facilities within the shipping world.

The container trade has grown exponentially since its inception in the mid-1950’s, and the high levels of global demand for commercial and consumer products has seen more technology being integrated into the inter-modal transport solution. Whilst that is positive for meeting global demand it does also mark out the ‘box trade’ as an attractive target for cyber-criminals.

Cyber-attacks and Seaworthiness

Recent attacks have shown the level of interest ‘hackers’ have in accessing and altering the cargo stowage plans on container ships. Often these attacks are done maliciously and executed by hackers as exercises to prove their capabilities and cause disruption. It seems that doing so can be an attractive challenge for a cyber-criminal. Alongside the immeasurable disruption and cost that such an attack could cause, the more immediate risk is that the hacker’s actions could lead to a container vessel becoming unseaworthy. The altering of the cargo plan could lead to heavy containers being placed over light weight ones or containers containing flammable goods being placed near heat sources on the vessel.

Applying the decision in The Arianna¹ a ship would be classed as unseaworthy if “there is something about it which endangers the safety of the vessel or its cargo or which might cause significant damage to its cargo or which renders it legally or practically impossible for the vessel to go to sea or to load or unload its cargo…”

Seaworthiness is not simply a narrow obligation to ensure that a vessel is weathertight but a much broader obligation involving crew competency, lifesaving capabilities, cargo stowage, the state of the vessel’s machinery and equipment on board. The dangerous stowage of containers (due to a cyber-attack) would almost certainly endanger the safety of the vessel or its cargo or cause significant damage to the cargo. A prudent owner would not allow their vessel to sail if they were aware that the cargo stowage plan had been manipulated by a malicious actor.

Article III of The Hague Visby Rules requires that “The carrier shall be bound before and at the beginning of the voyage to exercise due diligence to make the ship seaworthy, properly man, equip, and supply the ship, make the holds, refrigerating and cool chambers, and all other parts of the ship in which goods are carried, fit and safe for their reception, carriage and preservation.”

If the frequency of IT attacks continues to increase and their likely impact is to render a loaded vessel unseaworthy, it seems that carriers will have to apply enhanced due diligence to their IT security and breach monitoring, before and at the beginning of the voyage; and ensure that the vessel is being loaded as expected and there are no signs of the plan being manipulated, in the event that the cargo stowage planning duties have been subcontracted.

The duty to exercise due diligence is nondelegable and to come within the protection of the Art. IV (2)(a) exemption, carriers will have to undertake their own adequate due diligence. What constitutes adequate due diligence will vary and be subject to the technical risk factors and level of exposure that is specific to the situation. For example: what portion of the cargo stowage plan has been produced electronically; has it been exclusively communicated between the relevant parties electronically; and do the parties involved have reliable systems in place to monitor any interception or breaches of their own systems?

This will be challenging as hackers conduct their business discreetly in order to go unnoticed. Carriers will be required to demonstrate a high-level of diligence to satisfy the due diligence obligation in the event of a successful cyber-attack.

Unsafe port claims

Alongside targeting cargo plans for specific vessels, cyber-criminals seem equally interested in aiming for mass disruption by targeting container handling terminals.

The acceleration of automated container handling technologies is not only exposing terminals as attractive targets, but ones where notoriety could be gained globally.

If a terminal becomes the subject of a cyber-attack it may render that port unsafe.

In The Eastern City it was established that ‘A port will not be safe unless, in the relevant period of time, the particular ship can reach it, use it and return from it without, in the absence of some normal occurrence, being exposed to danger which cannot be avoided by good navigation and seamanship.’

It is possible that (dependant on the interaction that the ship and port would have) a transmittable cyber-attack could render a port unsafe if the ship’s IT and communication technologies could also become infected and expose the ship to danger.

A charterer may be required to nominate a new port In the event that a named or nominated port becomes the victim of a cyber-attack rendering that port unsafe.

It appears that the increased reliance on technology both onboard and onshore means IT competence is now a factor of good seamanship. It may also be appropriate to consider the level of cyber vulnerability displayed by a port transitioning towards automated container handling, in much the same way that a vessel will consider the maintained depth and width of fairways, the availability of tugs and fendering arrangements in assessing the safety of a port.

Steps for the future

It seems prudent for charterers, owners and operators of vessels to consider their level of security and preparedness in the event of a cyber-attack, and the level of due-diligence required to rapidly identify one.

It will be important to consider the issue of liability and how that can be limited. It is recommended that attention is given to charterparties and other contracts so that responsibility for cyber security and due diligence is firmly assigned to one party. In that way, liability will be more certain should the responsible party fail to discharge their obligations.

Finally, the over-riding theme is that vessel operators need to be braced to act on contingency measures should the cargo plans become corrupted or a port unsafe. Preparedness now can help to reduce claims in the future.