Key considerations for upcoming IMO Resolution on cyber security from the operator’s perspectives

Now that the new requirement is coming into force from January 1st 2021, the task of the shipping industry is not only to amend the existing SMS system to cover issues of Cyber Risk management; this is something that easily can be done getting something ready from the self. The main challenge is to assess all identified risks to ships, personnel and the environment and establish appropriate safeguards. It must start with a Hardware inventory on IT and OT systems of the vessel and develop and maintain a register of all critical system hardware on board, including authorized and unauthorized devices on company controlled networks. The SMS should include procedures for maintaining this inventory throughout the operational life of the ship.  Also should develop a Software inventory – Develop and maintain a register of all authorized and unauthorized software running on company controlled software onboard, including version and update status.

The SMS should be updated to include procedures for:

• maintaining this inventory when hardware controlled by the company is replaced
• maintaining this inventory when software controlled by the company is updated or changed
• authorizing the installation of new or upgraded software on hardware controlled by the company
• prevention of installation of unauthorized software, and deletion of such software if identified
• software maintenance

Also the company should develop a Map data flows – Map data flows between critical systems and other equipment / technical systems on board and ashore, including those provided by third parties. Vulnerabilities identified during this process should be recorded and securely retained by the company.

The SMS should be updated to include procedures for:

• maintaining the map of data flows to reflect changes in hardware, software and/or connectivity
• identifying and responding to vulnerabilities introduced when new data flows are created following the installation of new hardware
• reviewing the need for connectivity between critical systems and other OT and IT systems. Such a review should be based on the principle that systems should only be connected where there is a need for the safe and efficient operation of the ship, or to enable planned maintenance
• controlling the use of removable media, access points and the creation of ad-hoc or uncontrolled data flows. This may be achieved by restrictions on the use of removable media and disabling USB and similar ports on critical systems.

All these matters require an in depth analysis an expertise and quite a long time.

The views presented hereabove are only those of the author and not necessarily those of  SAFETY4SEA and are for information sharing and discussion  purposes only.

Kostas Vlachos, COO, Latsco Shipping Ltd

Kostas Vlachos is Mechanical / Electrical Engineer graduated from Technical University of Athens in 1981. From 1982 to 1996 he served in the Merchant Ships Inspectorate of the Greek Ministry of Merchantile Marine in various positions with the most important that of MARPOL Convention department head and ISM implementation department head. In the same period he was a Member of the Greek delegation in IMO as well as in various EU committees and subcommittees in Maritime Safety Committee and MEPC (Marine Environment Protection Committee). In 1997 he joined the Consolidated Marine Management Inc. as DPA/DMR and as Marine, Safety & Quality Manager.In February 2005 he assumed the duties of the COO/Managing Director of the Company having full control and responsibilities on all activities and departments of the Company. Starting from 1st January 2019, Consolidated Marine Management Inc. has changed its name to Latsco Marine Management Inc. He is a member of ABS, DNV, LRS, technical committees. In 2013, he was elected Chairman of Intertanko Hellenic Mediterranean Panel & Council member. Since 2014 he is a member of the executive committee of Intertanko, and ISTEC member.