From 1st of January, 2021 cyber security will be a new requirement for all Safety Management Systems, according to IMO Resolution. In our special column SeaSense, in association with The North of England P&I Club, we ask global experts to provide feedback on the following question:
Is the shipping industry prepared for the IMO Resolution taking effect from January 2021 that states cyber security should be included in safety management systems (SMS)?
Corporate Officer, Director of Survey Operations Division, ClassNK
Head of Cyber Security and Safety, Bureau Veritas
|Yes. Although the IMO Resolution is a non-compulsory requirement, the entire maritime community seems concerned ahead of 2021, as proven by an increasing number of related inquiries from management companies. Cyber risks are a new challenge, but the shipping industry has utilized SMS in line with ISM Code to control various risks, and such approach should work this time. Focusing on MSC.428(98) request “SMS should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code”, ClassNK has prepared its audit scheme also considering flag states requirements to assist the industry’s actions swiftly. Moreover, we hope to provide expertise based on the collaboration with cyber risk experts and our accumulated knowledge of ships.||Maybe. On one hand the industry stakeholders (i.e. BIMCO, DCSA) and the International Association of Classification Societies (IACS) have delivered a substantial, applicable and efficient set of guidelines, rules and documentation for cyber risk management. This baseline of documents contributes to the enforcement of this resolution. On the other hand, few national authorities have shared instructions on vessel cyber risk management and few shipowners have anticipated the implementation of this resolution. As a consequence, the global level of vulnerability of vessels will be more or less the same on 1st January 2021. Even if we notice an increased consideration for cyber security (mostly because of recent events relayed by the media), technically speaking, OT systems connectivity, for example, is still growing without risk assessment, which can lead to data corruption or systems unavailability. In terms of organization, crew awareness, logical access control, cyber systems monitoring, incident response are yet to be seriously addressed.|
Team Leader Cyber Security, DNVGL Maritime Advisory
Global Head of Cyber Security, ABS Group of Companies Inc.
|Maybe. Awareness of the IMO resolution appears good and with that organizations have a good starting point for cyber risk management (CRM) preparing for the 2021 DOC audits. It is less certain that measures needed are effectively implemented. No two organizations are the same and the SMS measures must fit Company needs. Developing, implementing and assessing, measure effectiveness takes time. Compliance must be in accordance with ISM and we recommend using existing SMS solutions for compliance and maritime specific standards as benchmarks supporting internal/external verification activities. Close collaboration between managers/operators, vendors, yards and classification societies is essential for effective handling of CRM. We will continue contributing through our services for ISM certification, cyber secure class notation and cyber risk consultancy.||Maybe. Although there has been much publicity around the IMO Resolution, many owners and operators have just started or are not sure where to begin. This is further complicated by the fact that there is no “one-size-fits-all” approach. There are many factors that go into a cyber risk management program – the type of business, the complexity of the IT and OT networks, the operational profile of the vessel, etc. The resolution is meant to be a guideline and good cyber risk management must be designed around the applicable regulatory and unique operational challenges of each business.|
Vice President, Cyber Security, Warstila
Director (Loss Prevention), The North of England P&I Club
|MAYBE– Shipping’s digital transformation is very much underway, driven by innovative manufacturers offering increasingly complex and connected solutions. As the positive impacts of digitalisation become more widely accepted across the industry there will be further acceleration. Late adopters will embrace new opportunities and early adopters will iterate and accelerate to realise even greater rewards for their business. Resolution MSC.428(98), commonly referred to as IMO 2021 and intrinsically tied to the SOLAS convention, is increasing the understanding of mitigating risks associated with this new technology. Wärtsilä is helping our customers understand IMO 2021. Whilst some customers are more mature in their cyber awareness than others, the move towards including cyber risks within the ships Safety Management System (SMS) is definitely underway.||Yes, the industry is aware that it has to comply with the regulations and that cyber security is an issue that needs to be managed. There is a very broad spectrum of responses from shipping companies, some taking the issue very seriously, and others adopting a minimum compliance stance. This is no surprise in such a diverse industry. The requirement to manage cyber risks via the SMS has forced the shipping industry to take its first steps towards cyber maturity. No doubt there will be setbacks for individual companies, sectors and the wider industry along the way. But over time cyber risks will become well understood, accepted as a normal business risk and managed alongside all the other risks faced in shipping.|
Maritime Security Advisor, Improsec
|James E. McKee|
Founder and CEO, Red Sky Alliance and Wapack Labs LLC
|No. In essence there are three groups within the sector. Those who are actively taking care of cyber security, those who are seeing this as a “tick-box” exercise, and those who are not yet genuinely addressing the issue at all. The first group is a clear minority. The risk is that companies see this yet another compliance “tick-box” and not as way to actually improve their defensive position. This starts with an onsite hard look at the actual cyber security settings, but is something often skipped over in favor of assuming the weaknesses in the OT and IT layout are well known, as well as assuming compliance with basic cyber hygiene.||Maybe! Red Sky Alliance/Wapack Labs is tracking cyber security threats in the Maritime Environment. The entire transportation sector is under constant cyber threat, specifically the maritime industry. Our collections and analyses continue to expose cyber threats and vulnerabilities in supply chain members. If a shipping company follows the upcoming IMO Resolution, other supply chain members, such as trucking, rail and port facilities may not be complying. Humans are the weakest link in cyber vulnerability. Company employees at any leg of a transportation supply chain can fall for a tempting or official appearing email that could be the opening for malware infection, then move inside all of the networks of the entire supply chain and ports.|
HSSE/QA Manager, China LNG Shipping (International) Co., Ltd.
|Costas Th. Kontes|
Managing Director, V.Ships Greece Ltd.
|MAYBE. The last years we have seen a lot of guidance and support for ship managers to develop processes and plans to ensure compliance with the IMO requirements. Although this guidance is been useful, there is a lack of standardization, especially from the flag states and recognised organizations, that may have as result the lack of common approach and possible misunderstanding. Despite that, the maritime industry is becoming more mature and continuously develops competencies for the management of cybersecurity. And at the end is more about managing the risk rather than only compliance and as managers we have to take responsibility to ensure proper engagement and to enhance cyber risk management approach culture both onboard and ashore.||No, we are not completely ready as an industry yet; however, quite a few companies have already implemented since a number of years precautionary measures, carrying out audits. For V. Group, Cyber security is integral to operational safety. Over the last 18 months, the organisation has launched a number of initiatives to ensure all colleagues understand the importance of cyber security. We have also been working hard to address the latest IMO Resolution on Maritime Cyber Risk Management by developing our very own Cyber Safety package, as a complete framework to meet IMO requirements. The framework addresses the 5 areas identified in BIMCO guidelines (Identify, Protect, Detect, Respond and Recover). The V. Ships framework is cyber safety from the ground up, with the implementation of policies, technology, and support.|
Chief Operating Officer, LATSCO
Managing Director, Ionic Shipping (Mgt) Inc.
|Maybe. The task of the shipping industry with the new requirement is not only to amend the existing SMS system so that to cover matters of Cyber Risk management . The main challenge is to assess all identified risks to ships, personnel and the environment and establish appropriate safeguards. It must start with a Hardware inventory on IT and OT systems of the vessel and develop and maintain a register of all critical system hardware on board, including authorized and unauthorized devices on company controlled networks. The SMS should include procedures for maintaining this inventory throughout the operational life of the ship. Also should develop a Software inventory. All these matters require an in depth analysis an expertise and quite a long time. View more here||YES. Data breaches are unfortunately an everyday event whilst becoming more and more common in our lives today. As such, all shipping professionals have a specific obligation to protect themselves, their organizations and their clients from exposure to such threats, ensuring the safety of their vessels that trade worldwide and organizations managing them. The truthful fact is that since the beginning of 2020 where the worldwide pandemic commenced affected us all, everyone one way or another “sharpened their pencils” (whether one liked it or not) on IT skills and procedures, in view of new ways of working entered our lives in view of reduced travel, lockdowns and the like. Such examples included new video conferencing platforms, new IT software, many apps and services, just to name a few. As such, the way the threat landscape has evolved proves that cyber hackers remain undeterred from compromising systems for their own gain. Moreover, it’s been repeatedly shown that they shift and adapt in their choice of attack prompting the need for users and organizations within the shipping industry to stay ahead. As it has been recently stressed on numerous occasions, this is not an IT issue but a risk management issue on how each and every one of us should be protecting our data accordingly. The bottom line is that all companies – big and small – need to be continually aware to protect themselves and their clients. Practicing good cyber hygiene and making sure everyone within acknowledges and follows same is critical to its success. The future looks complex, exposed, and misconfigured — but it is also defensible.|
Senior Vice President Information Technology, ZEABORN Ship Management GmbH & Cie. KG
|MAYBE. Cyber and information security threats have grown in complexity and IMO has a valid concern. Owners are reviewing their processes and approaching their shipmanagers to achieve reliable procedures and evidence for secure vessel operations. We at ZEABORN know that cyber security does not come over night by filling a checklist. Staff on board and in office are the main actors in handling company’s IT devices and information security assets; therefore, the focus of awareness to cyber security related tasks is a must within the entire company management system. It is not a status but a continual process of assessing your current risk profile, monitoring your established controls, and improving your measures on an ongoing base. ZEABORN had followed best industry guidelines for their fleet since many years and is well prepared for IMO 2021. Our ISO 27001 certification provided a framework to align this ongoing approach to good practice and to ensure cyber security governance for the fleet under management – as an ongoing voyage.|