Unfortunately, these flare-ups mirror an industry that lacks the capabilities to detect and prevent stealthy cyber-attackers from jeopardizing the safety of both ships and crew, while also disrupting the transport of goods and causing financial costs.
To be fair, noteworthy progress has been made in terms of guidelines and recommendations from industry groups and associations. But, while the number of cyber-related attacks shows a slight decrease, we still lack the key to eliminating these incidents to the greatest extent possible. And why is that happening? Why do we all feel uncomfortable when it comes to cyber security in shipping? The answer is that the right mindset has not been put in place yet! Besides, it is no coincidence that the vast majority of organizations consider untrained staff their greatest cyber risk.
A matter of speed and knowledge
A few years ago, the industry started talking about autonomy entering the shipping era, but not about the proper security needed. It took time for shipping organizations and ports to understand that cyber-attacks are for real, but it took longer to understand that they are manageable too.
In 2016, the IMO approved its interim guidelines on maritime cyber risk management, providing high-level recommendations on cyber security for the maritime industry. Then, BIMCO launched its first edition of “The Guidelines on Cyber Security onboard Ships”, supported by other shipping organizations too, to help shipowners assess and manage cyber risks and develop response and recovery plans. Moreover, in the same year, ABS issued its first cyber security notation and IACS extended its remit to include cyber security.
However, the aforesaid developments did not stop hackers from “successfully” targeting one of the top shipping lines, Maersk, in summer 2017. The company was forced to reinstall 4,000 servers and 45,000 computers, while its financial loss was estimated in the range of USD 300 million.
In 2017, the Maersk incident, along with numerous others, showed the scale of the damage a computer virus can unleash and the need to speed up the search for solutions. A second edition of “The Guidelines on Cyber Security onboard Ships” came out the same year that IACS formed a joint working group to develop a coordinated position on cybercrime and its prevention, and the UK launched a cyber security code of practice for ships, for use in conjunction with an organization’s risk management systems and subsequent business planning.
But still, more knowledge needed to be gained, training to be done, and gaps to be filled with regard to the fast-evolving cyber risks in a technology-dependent and interconnected industry. The MSC 98 ‘Guidelines on Maritime Cyber Risk Management’ and the Resolution on ‘Maritime Cyber Risk Management in Safety Management Systems (SMS)’ further stated that an approved SMS should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code.
In 2018, from a prevention perspective, the third edition of the BIMCO Guidelines on Cyber Security onboard Ships as well as the 12 IACS recommendations on cyber safety were the most important pieces of information for addressing the requirement to incorporate cyber risks in the ship’s safety management system and enable the delivery of cyber-safe ships whose resilience can be maintained throughout their working lives. Notably, for the first time, the third edition of the TMSA self-assessment tool for oil tankers introduced maritime security as Element 13, including cyber security.
The industry seems to have been alerted to the great need to change its mindset and adopt the appropriate crisis management tools. Already, tanker owners and operators subject to vetting under OCIMF’s SIRE Programme are addressing cyber security risks in their policies and procedures by January 2018. And what’s next? The IMO has given shipowners and operators three years; by January 2021, they should have incorporated cyber risk into ships’ safety management systems.
It is unclear whether other industries have managed to “weaken the enemy”, after the shocking announcement that even NASA servers were hacked in October 2018. The questions that we must ask ourselves are: What if Maersk, NASA and other giant organizations had not been attacked? Would the world be alerted? Or can it get much worse? How can we influence a positive change?
Setting the new year’s resolution, and considering that crew training shows rising and positive trends, anyone could say that the industry tends to understand that cyber security is no longer a matter of technology alone: it requires people, meaning expertise and collaboration; it requires a combination of both people and process.
It took time for the maritime industry to understand that cyber-attacks are for real, and a longer time to understand that they are manageable too.
Apostolos is a Maritime Safety, Quality & Environmental Expert, Consultant, Trainer and Project Manager with a background of more than 20 years in shipping as Technical, Marine, Safety & Training Superintendent and Consultant. He entered the industry in the early 90s as Engineering Superintendent with a leading ship manager operating a mixed fleet of bulk and oil/chemical tankers. He then shifted to regulatory compliance and QHSE as Superintendent and later as a Consultant and Trainer. Apostolos has successfully completed a wide range of QHSE projects, including 250+ management system projects (ISM/ISO 9001-14001-18001/TMSA/MLC) and 500 vessel and office audits to various standards, and he has trained more than 8,000 people in a wide variety of QHSE subjects. He has also presented at and chaired more than 40 conferences. He holds a Bachelor’s and Master’s in Mechanical Engineering specialising in Energy & Environment and a Master’s Degree in Maritime Business and Business Administration (MBA), all of them awarded with distinction. Apostolos is the Managing Director of SQE MARINE and SQE ACADEMY and Managing Editor of SAFETY4SEA.