In the January issue of Be Cyber Aware at Sea, Phish and Ships focuses on 2021 as a transitional year with new regulations coming into force, but with concerns being raised over the guidelines that “will be already out of date”.
Specifically, Tom Kellerman, chief cybersecurity officer at security firm Carbon Black Inc. and a former chief information security officer at the World Bank, highlighted that the regulations do not address the modern cybersecurity exposures created by mobility, applications and the cloud.
This means that the regulations the International Maritime Organization has already proposed gave the industry a lot of time to absorb and implement them before they became an enforceable requirement. The regulation concerns the adoption of Resolution MSC.428(98), which calls on companies to report any cyber risk in their ISM Code no later than January 1, 2021.
However, Mr Kellerman states that this regulation was first introduced some years ago, meaning that new cyber-technologies have since been developed and adopted widely by maritime businesses.
The guidelines, drafted in 2016, single out the use of ‘memory sticks’, for instance, and don’t mention the cloud or artificial-intelligence systems prevalent today.
He added that they don’t address today’s cyber security exposures created by mobility, applications and the cloud.
Moreover, it is reported that the guidelines do not cover the development of autonomous shipping, despite efforts from the IMO MSC to review its status. This is because the speed at which the maritime industry is waking up to the benefits of autonomous technologies means that companies are fast on their way to deploying vessels without human crew, with one of the first, Yara Birkeland operated by Yara International ASA, due to operate this year.
The changes in the smart sector are based on the technologies and the firms that are willing to use them. Ideally, the pace of change should set the scale of security guidance required, and the pace of implementation for effective protection.
Another challenge implying that the IMO’s guidelines will not be rapidly enforced is that there are 164 country signatories to the IMO Safety of Life at Sea Treaty, accounting for 99% of all commercial shipping, but the IMO is not the enforcer of its own rulings. Instead, the signatory countries must ensure compliance, meaning that enforcement varies.
Despite the challenges above, it is stated that the 2021 guidelines are fully welcomed and they mark an important step towards cyber resilience. Thus, the difficulties reflected above are part of the digital era and need time to be fully accepted and adapted by the industry.
Concluding, an important tip is that companies should take ownership of their cyber-security. Regardless of standards and rules – customers, investors and the industry will not accept excuses should a preventable cyber-attack undermine your business.