Starting from 1 January 2021, shipowners and managers are required to officially address cyber security as a risk in their safety management systems.
In the new era of digitalization, the ISM Code, supported by IMO Resolution MSC.428(98), requires ship owners and managers to assess cyber risk and implement relevant measures across all functions of their safety management system. The resolution encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 2021.
According to the IMO, maritime cyber risk refers to a measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.
Cyber attacks on maritime companies have made headlines in recent years, the latest being the attack on French shipping giant CMA CGM less than a month ago.
In this context and as the IMO deadline approaches, DNV GL shared information from some of its ISM auditors’ feedback on maritime cyber security.
Cyber challenges reported by DNV GL auditors:
- It is often difficult to present complex problems simply enough that people without deep technical knowledge of cyber safety and security can manage them
- Insufficient control of subcontracted IT services
- Focusing on both IT and OT is a challenge
- Weaknesses in access control, network segregation and firewall effectiveness
- Insufficient knowledge and training of crew, internal auditors, and superintendents on cyber security
- Cyber security risks and safeguards are not always easy to understand, and following them up is a challenge for many
Recommendations
- Enhance risk and vulnerability assessments, test systems and network integrity with experts and concentrate improvement efforts first and foremost on crew and other staff involved in handling cyber security.
- Build on existing SMS, roles, responsibilities, tasks, etc.
- Improve the organizational understanding that success is dependent on support from all involved.
- Involve, train and motivate crew, superintendents and auditors and gain commitment from top management.
- Establish appropriate safeguards for cyber security risks and do not try to prohibit everything.
- Apply work permits tailored for software and hardware changes in order to manage risks in changes to systems.
- Train both normal safe operational behaviour as well as drill emergency response, also to cyber security events.
- Keep it simple and remember the IMO advice that the risk management approach to cyber risks should be resilient and evolve as a natural extension of existing safety and security management practices!
You may also refer to IMO MSC-FAL.1/Circ.3 (Guidelines on maritime cyber risk management).
In January 2020, the North P&I Club announced a new platform to help ship owners and operators to better understand their vulnerabilities to cyber risk and to improve their cyber security processes and systems ahead of the IMO’s deadline.