The third edition of the industry cyber risk management guidelines, ‘Guidelines on Cyber Security Onboard Ships’, highlights the requirement to incorporate cyber risks into the ship’s safety management system (SMS). This edition also provides guidance on dealing with cyber risks to the ship that arise from third parties in the maritime supply chain.
Specifically, IMO has given shipowners and managers until the first annual verification of the company’s Document of Compliance after 1 January 2021 to incorporate cyber risk management into the vessel’s SMS. According to Gard P&I Club, there is still room for improvement.
Shipowners remain responsible for managing cyber risk, and doing so effectively is a continuous process rather than a one-off exercise. Training and awareness of the company’s policies and procedures are among the measures that enable an effective response to cyber incidents.
On cyber security more broadly, Gard P&I Club has collaborated with DNV GL on a cyber security awareness campaign. The campaign material is not intended to suggest industry or rule changes, but rather changes in the way people behave and act.
Following the release of the ‘Guidelines on Cyber Security Onboard Ships’ in early December 2018, Jarle Fosen, Loss Prevention Executive, Arendal, highlighted the key recommendations on how to respond to cyber risks:
#1 Focus on policies, procedures and risk assessments
Companies should consider the risks arising not only from the IT equipment but also from the OT equipment onboard their ships, and establish appropriate safeguards against cyber incidents involving either.
The company’s plans should align with the existing security and safety plans required under the ISPS and ISM Codes.
According to IMO’s MSC resolution on Maritime Cyber Risk Management in Safety Management Systems (MSC.428(98)), an approved safety management system should include cyber risk management in accordance with the objectives and functional requirements of the ISM Code, no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.
Moreover, any agreements concerning crew members’ responsibilities should be formal and in writing.
Companies should also cover service providers’ physical security and cyber risk management processes in supplier agreements and contracts. Coordinating these arrangements with the ports a vessel calls at is a difficult task, both globally and locally.
#2 Ensure that system design and configuration are safe and fully understood and followed
Anyone performing cyber security tasks should recognise that the aim of the procedures is to prevent unauthorised access, not simply to satisfy regulators.
Gard recommends that companies thoroughly understand the ship’s IT and OT systems and how these connect and integrate with shore-side parties, including public authorities, marine terminals and stevedores. This requires an understanding of all computer-based systems onboard and of how safety, operations and business can be compromised by a cyber incident.
For instance, as Jarle Fosen stated, systems and workstations with remote control, access or configuration functions may include:
- bridge and engine room computers and work stations on the ship’s administrative network;
- reefer temperature control systems and other specialised cargo that is tracked remotely;
- stability decision support systems;
- hull stress monitoring systems;
- navigational systems;
- cargo handling and stowage, engine, and cargo management and load planning systems;
- safety and security networks, such as CCTV (closed circuit television);
- specialised systems such as drilling operations;
- emergency shutdown (ESD) systems for gas tankers, and submarine cable installation and repair systems.
Moreover, common cyber vulnerabilities include:
- obsolete and unsupported operating systems;
- expired or missing antivirus software and protection from malware;
- shipboard computer networks lacking boundary protection measures.
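The three weaknesses above, together with the placement of bridge and engine-room workstations on the administrative network noted in the previous list, can be checked mechanically against a system inventory. The Python script below is an added example, not code from Gard, DNV GL or the guidelines: it audits a constructed inventory of four onboard hosts against exactly those points. The end-of-support table holds public vendor dates; the seven-day signature-age threshold, the set of firewall-protected segments, the audit date, the host names and the inventory itself are assumptions made for the example.

```python
"""Inventory audit for the common shipboard weaknesses listed above.

Added example; not code from Gard, DNV GL or the guidelines. The inventory,
policy thresholds, audit date and network names are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Vendor end-of-support dates (public vendor figures). An OS absent from this
# table is reported as "unknown" rather than silently treated as supported.
OS_END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Assumed company policy: antivirus signatures older than this count as expired.
MAX_SIGNATURE_AGE = timedelta(days=7)

# Assumed: these segments sit behind a deny-by-default firewall at the
# ship/shore and inter-segment boundaries; any other segment is unprotected.
BOUNDARY_PROTECTED_NETWORKS = {"ot", "bridge"}

# Assumed audit date, so the example gives the same result whenever it runs.
AUDIT_DATE = date(2021, 4, 1)


@dataclass
class Host:
    name: str
    role: str                          # "ot", "bridge", "admin" or "crew"
    network: str                       # segment the host is actually connected to
    os: str
    av_installed: bool
    av_signature_date: Optional[date]  # None when no antivirus is installed


def audit_host(host: Host, today: date = AUDIT_DATE) -> List[str]:
    """Return the findings for one host; an empty list means no finding."""
    findings: List[str] = []

    # Obsolete and unsupported operating systems
    eol = OS_END_OF_SUPPORT.get(host.os)
    if eol is None:
        findings.append(f"OS support status unknown: {host.os}")
    elif eol <= today:
        findings.append(f"unsupported OS {host.os} (support ended {eol})")

    # Expired or missing antivirus / anti-malware protection
    if not host.av_installed or host.av_signature_date is None:
        findings.append("no antivirus or anti-malware protection installed")
    elif today - host.av_signature_date > MAX_SIGNATURE_AGE:
        findings.append("antivirus signatures older than policy allows")

    # Shipboard network lacking boundary protection
    if host.network not in BOUNDARY_PROTECTED_NETWORKS:
        findings.append(f"network '{host.network}' has no boundary protection")

    # Bridge or engine-room system placed on the administrative network
    if host.role in ("ot", "bridge") and host.network == "admin":
        findings.append("OT/bridge system reachable from the administrative network")

    return findings


def audit_inventory(hosts: List[Host], today: date = AUDIT_DATE) -> Dict[str, List[str]]:
    """Map each host name to its list of findings."""
    return {h.name: audit_host(h, today) for h in hosts}


# Constructed sample inventory (not real vessel data).
SAMPLE_INVENTORY = [
    Host("ecdis-1", "bridge", "bridge", "Windows 7", True, date(2021, 3, 1)),
    Host("engine-hmi", "ot", "admin", "Windows XP", False, None),
    Host("loadcalc", "admin", "admin", "Windows 10", True, date(2021, 3, 28)),
    Host("crew-nas", "crew", "crew", "Synology DSM 6.2", True, date(2021, 3, 31)),
]


def hosts_needing_action(hosts: List[Host] = SAMPLE_INVENTORY,
                         today: date = AUDIT_DATE) -> List[str]:
    """Names of hosts with at least one finding, most findings first."""
    report = audit_inventory(hosts, today)
    return sorted((n for n, f in report.items() if f),
                  key=lambda n: (-len(report[n]), n))


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run as a script it prints one line per host; the functions return their findings so the same logic can be pointed at a real inventory export. An operating system missing from the support table is deliberately reported as unknown rather than passed, because an unrecognised system is exactly the kind that tends to be obsolete, and a bridge or OT system is flagged as soon as it is found on the administrative segment, regardless of how well that segment is otherwise protected.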
#3 Provide proper onboard awareness and training
The human element remains the weakest link in cyber security. It is essential that seafarers are properly trained so that they can identify and report cyber incidents.
Onboard personnel have a crucial role in protecting IT and OT systems, but they can also introduce risk through carelessness. Training and awareness should be tailored to the seniority of the onboard personnel concerned, including the master, officers and crew.