The second edition of “The Guidelines on Cyber Security Onboard Ships” has been released, including information on insurance issues and how to effectively segregate networks, as well as new practical advice on managing the ship to shore interface, and how to handle cyber security during port calls and when communicating with the shore side.
The latest practical advice has been compiled by the joint industry group, which is led by BIMCO and now includes new members OCIMF and IUMI, as well as the original contributors CLIA, ICS, INTERCARGO and INTERTANKO.
The chapters on ‘contingency planning’ and ‘responding to and recovering from cyber incidents’ have been rewritten to reflect the fact that the guidelines are aimed specifically at ships and the remote conditions prevailing if a ship’s defences have been breached. The edition also includes a new subchapter on insurance, looking at coverage after a cyber incident, as this is an important part of the risk assessment which shipowners should now take into consideration. Finally, the Annex, which explains networks, has been rewritten based on shipowners’ real experience of segregating networks on their ships.
The Guidelines on Cyber Security Onboard Ships have also been aligned with the recommendations given in the International Maritime Organization’s (IMO) Guidelines on cyber risk management which were adopted in June 2017.
Angus Frew, BIMCO Secretary General and CEO, said: “Cyber security is certainly a hot topic for all of us now, and this latest guidance includes valuable information, applying a risk based approach to all of the areas of concern, highlighting how an individual’s unwitting actions might expose their organisation.”
Cyber risk management
The report suggests that, when incorporating cyber risk management into the company’s Safety Management System (SMS), consideration should be given to whether, in addition to a generic risk assessment of the ships it operates, a particular ship needs a specific risk assessment. The company should consider the need for a specific risk assessment based on whether a particular ship is unique within its fleet. This should take into account factors including, but not limited to, the extent to which IT and OT are used on board, the complexity of system integration and the nature of operations. Cyber risk management should:
- identify the roles and responsibilities of users, key personnel, and management both ashore and on board
- identify the systems, assets, data and capabilities, which if disrupted, could pose risks to the ship’s operations and safety
- implement technical measures to protect against a cyber incident and ensure continuity of operations. This may include configuration of networks, access control to networks and systems, communication and boundary defence and the use of protection and detection software
- implement activities and plans (procedural protection measures) to provide resilience against cyber incidents. This may include training and awareness, software maintenance, remote and local access, access privileges, use of removable media and equipment disposal
- implement activities to prepare for and respond to cyber incidents.
Effective response to cyber attacks
A team, which may include a combination of onboard and shore-based personnel and/or external experts, should be established to take the appropriate action to restore the IT and/or OT systems so that the ship can resume normal operations. The team should be capable of performing all aspects of the response. An effective response should at least consist of the following steps:
- Initial assessment: To ensure an appropriate response, it is essential that the response team find out:
  - how the incident occurred
  - which IT and/or OT systems were affected and how
  - the extent to which the commercial and/or operational data is affected
  - to what extent any threat to IT and OT remains.
- Recover systems and data: Following an initial assessment of the cyber incident, IT and OT systems and data should be cleaned, recovered and restored, so far as is possible, to an operational condition by removing threats from the system and restoring software.
- Investigate the incident: To understand the causes and consequences of a cyber incident, an investigation should be undertaken by the company, with support from an external expert, if appropriate. The information from an investigation will play a significant role in preventing a potential recurrence.
- Prevent a re-occurrence: Considering the outcome of the investigation mentioned above, actions to address any inadequacies in technical and/or procedural protection measures should be considered, in accordance with the company procedures for implementation of corrective action.
“In the light of recent events we urge everyone across the industry to download it and to consider the risk cybercrime may pose to their ships and operations. Ignorance is no longer an option, as we are all rapidly realising”, says Mr Frew.