IACS published 9 of its 12 recommendations on cyber safety, in order to enable the delivery of cyber resilient ships whose resilience can be maintained throughout their working lives. The first report recommends procedures for software maintenance of shipboard equipment and systems.
The IACS Recommendations address the need for:
- A more complete understanding of the interplay between ship’s systems;
- Protection from events beyond software errors;
- In the event that protection failed, the need for an appropriate response and ultimately recovery;
- In order that the appropriate response could be put in place, a means of detection is required.
The first recommendation concerns software maintenance of shipboard equipment and systems. Here IACS splits responsibility into 5 areas:
1. Producer of software
The Producer of software or System Integrator should have a quality system for software lifecycle activities, which documents relevant procedures, responsibilities and configuration management, including deliveries from sub-suppliers, taking into account cyber-security considerations.
2. Data provider
The Data provider should carry out data production and distribution operations in accordance with a quality system, covering:
- Data quality (production, delivery, testing and integration);
- Standardization of data import;
- Means to ensure the continuous availability of data maintenance;
- Prevention/detection/protection from unauthorized modification;
- Prevention of the distribution of malware.
3. Service Provider
Service Provider should carry out maintenance-related operations in accordance with a quality system, covering:
- Competence management;
- Coordination and call-entrance procedures;
- Remote maintenance procedures (if applicable);
- Reporting procedures;
- Shipboard operations safety briefing.
4. Shipowner
The Shipowner must ensure that software maintenance is conducted according to an appropriate International Safety Management (ISM) Code system and operational procedures.
If the software maintenance is relevant to class related services, the Shipowner should inform the Classification society before the software maintenance is carried out.
The shipowner can also delegate some responsibilities to the vessel operating company or assigned system integrator.
5. Classification Society
The society should be informed by the Shipowner of any software maintenance relevant to class related services. It should also witness the software maintenance and, after satisfactory testing, see an updated inventory of the computer based systems on board, which should be kept on board.
Computer based systems on board
As for the computer based systems on board, these should allow access for maintenance purposes and provide protection against unauthorized access.
In addition, they should support procedures to roll back to a previous software version and configuration during software maintenance, once maintenance has been attempted. Roll back procedures could be based on a previous software version stored in the computer based system or on previous software versions that can be uploaded by the Service provider.
Finally, where appropriate, computer based systems should generate a diagnostic report after maintenance has been performed, which also identifies the software version running on the equipment or system. The equipment or system should also provide a way to check that interfaces and functionality are operating as expected after maintenance has been completed. It should also provide the means to display, on demand, the current software version.