A new report published by Inmarsat highlights the role of IMO’s 2021 cyber risk management code in providing a framework for cyber resilience.
Putting cyber risk management compliance into perspective
Managing cyber risk onboard ships is considered a natural extension of current operational risk management practices incorporated into existing Safety Management Systems within the existing ISM Code.
The relevant MSC.428(98) – Maritime cyber risk management in safety management systems resolution therefore:
- Affirms that an approved safety management system should consider cyber risk management in accordance with the objectives and functional requirements of the ISM Code.
- Encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.
Responding to cyber attacks
The Cyber Security Plan should, at minimum, include:
- A process for initial incident triage
- Steps to quarantine all electronic traffic to and from ship or fleet. Procedures for alerting and requesting communication vendors to check traffic
- Procedures for keeping corporate IT security department abreast of the situation
- Procedures to secure/establish backup communications to the affected vessel(s)
- Steps to stabilize and isolate the infected system to guard against further spread
- Steps for gathering Intelligence and evidence from affected systems
- Procedures for executing recovery of critical systems remotely
- Arrangements for completely replacing the ICT system at the next safe port after a cyber event
Recovery from cyber attacks
Workaround plans are required to take account of possible failures in critical shipboard systems, with the processes described in a vessel’s emergency manuals so that the Captain can respond without needing to ask for help from, or wait for, shore-based colleagues. These plans should provide the Captain with instructions and/or a checklist on what to do. In the case of cyber resilience, workaround plans might include:
- Actions to restore crashed/failed email clients or degraded/failed ship-shore communication links; use backup FleetBroadband for email/voice until recovery
- Actions to work around/recover failed PCs
- Usage of citadel telephone to send telex; testing of backup email ID from ship-to-shore and from shore-to-ship
- Fall back to paper charts in case of compromised ECDIS
In all cases, the Fleet ICT Manual inserted into the Ship’s SMS/ISM Code documentation should provide full guidance and document the Cyber Security Plan for all critical on-ship systems.
Training for cyber attacks
As the Plan is part of the Vessel’s ISM, it is also essential to periodically carry out drills to test for any issues, train the crew, HSSE (Health, Safety, Security & Environment) team and any other stakeholders on how to respond to a cyber incident onboard ship, and encourage a culture of continual improvement.
This means ship owners and managers should give cyber security drills the same weight as they give any regular Incident Management Drill – whether for grounding, ship fire or collision.
Under the new regime, cyber drills should be conducted across the fleet at least once a year to test response procedures and to assess crew preparedness and adherence to procedures during a cyber incident onboard. It is essential that the Ship Manager’s Incident Commander takes charge and demonstrates effective leadership in these exercises to ensure the security of the ship, its crew and cargo, while allowing the Fleet IT team to concentrate on securing the ICT infrastructure and resolving the cyber issues. In addition, regular anti-phishing campaigns using simulated malicious emails can maintain high levels of crew vigilance and test onboard systems and processes.
Finally, penetration testing by professional ‘white-hat’ hackers should also take place to identify technical weaknesses.