University works with Bank of England to assess impacts of maritime cyber threats

Researchers from the University of Plymouth are working with the Bank of England to test how some of the world’s leading insurance firms would respond in the event of a maritime cyber attack.

The University’s Maritime Cyber Threats Research Group was asked to help develop a scenario through which companies can test their response and resilience in the face of a cyber incident.

The resulting work has now been featured in the General Insurance Stress Test 2022, published by the Bank of England’s Prudential Regulation Authority (PRA).

It presents a scenario through which an individual or organisation gains access to the bridge system of commercial seagoing vessels, causing physical damage to ships and ports and disrupting the maritime supply chain accounting for 90% of world trade in goods.

Companies are then asked to detail how they would respond in the event of such an incident, and how it could impact their clients across a range of industries.

This will allow the Bank of England to mitigate the collective, systemic impacts of such actions, and support firms in understanding the potential market implications of their decisions.

The 2022 exercise represents the first time a maritime cyber incident has featured in the General Insurance Stress Test, and Plymouth is the only university credited in helping to pull it together.

The scenario was conceived in line with the University’s work as part of the €7 million Cyber-MAR project, which aims to develop greater awareness of the cyber threats facing the global shipping fleet and the most effective ways of countering them.

It was then demoed in the Cyber-SHIP Lab, a unique, hardware-based maritime cyber security research and development platform supported by funding from Research England and several industry partners.

Dr Kimberly Tam , Lecturer in Cyber Security, said:
“This collaboration is evidence of how far-reaching the impacts of a maritime cyber attack could be. People are rightly worried about the physical damage to ports and vessels that could result from such an incident. However, the economic impacts on supply chains – as we witnessed when the Ever Given became stuck in the Suez Canal last year – or the costs incurred by shipping firms and insurers could have much deeper and protracted implications.
"We will be very interested to see how insurance companies respond to the Stress Test, and to gauge whether they are ready to respond in the event of such an incident in the near future.”

<p>Kimberly Tam (square)</p>

Dr Kimberly Tam , Lecturer in Cyber Security

The collaboration with the Bank of England is further evidence of the University of Plymouth’s world-leading expertise in maritime cyber security.

In 2021, the Maritime Cyber Risk Assessment (MaCRA) framework won awards from both the National Cyber Security Centre (NCSC) and the Lloyd’s Science of Risk prize.

MaCRA is designed enable an operator carrying any cargo on any route to quickly assess new threats to the overall system and determine what mitigation is required.

The scenario developed by the Maritime Cyber Threats Research Group

A threat actor gains access to the bridge system of commercial seagoing vessels, compromising the control systems.

The intrusion goes undetected for weeks until the threat actor locks the rudder and propulsion system of a container ship causing it to hit a quay in the port of Singapore. A day later, the threat actor causes another container ship to hit a quay and cranes in the port of Los Angeles.

Physical damage is caused to the quay and cranes, there is some loss of cargo and some hull damage. The threat actor threatens further accidents unless a US$50 million ransom is paid by each of the top five cargo shipping companies (as measured by twenty-foot equivalent units (TEU) capacity).

As a precautionary measure, many ships stop their journeys and all container port authorities close their ports until the bridge systems of impacted ships are checked, disrupting the maritime supply chain accounting for 90% of world trade in goods.

It takes three days to determine which elements of the bridge system have been compromised and two more days to develop a solution.

The motivation of the attackers are more political than financial with the ransom demand adding to confusion.