In this article, Mr. Colin Gillespie, Director (Loss Prevention) at the North P&I Club, analyzes the main points of cyber resilience for an organization, highlighting that employing the right people is central to cyber security.
Putting in place the systematic cyber resilience needed to meet expectations set out by IMO 2021 guidelines demands a behavioural shift at the human level.
In general there are two types of responses that ship owners and operators can make to cyber threats: technical responses (dealing with equipment and systems); and procedural responses (focussing on how systems are used and how humans interact with them).
Technical steps can deliver quick wins. Corporate policies on cyber security can be consistent, clear and thoroughly rehearsed, but they can also be undermined by failing to address behavioural change.
Getting new procedural controls in place involves changes in practices and attitudes, the raising of awareness and training; all of these take time and, to a certain extent, rely on willingness to change.
IMO resolution (MSC.428(98)), requires safety management systems to include cyber risk management. The new provisions will apply no later than a ship’s first annual Document of Compliance verification after 1 January 2021.
To comply, shipowners and ships need to have their IT, operating technology systems and crews risk-assessed to demonstrate preparedness against cyberattacks and along with the actions to be taken should systems be compromised.
That guidelines are still being tweaked in the run up to ‘IMO 2021’ demonstrates that cyber security is an issue that is best dealt with continuously and ‘in the round’.
BIMCO will soon publish amended ‘Guidelines on Cyber Security onboard Ship’, for example, with updates on topics as disparate as crew training, risk assessment procedures in the SMS, essential cyber risks to be included in any ship security plan, and satellite systems vulnerabilities.
2021 is only a few short months away and the proactive ship owner or manager can be usefully getting on with their Cyber compliance self assessment.
Standard for self-assessment
Early this year, in a joint initiative with HudsonCyber, North invited Members to access the HACyberLogix cyber risk management platform free of charge on a time limited basis. The system aligns with many industry guidelines, including IMO’s own Cybersecurity guidelines for 2021 compliance, as given in MSC-FAL.1/Circ.3. It also supports virtualised collaboration in supporting an enterprise cybersecurity program (perfect for operating in a pandemic environment).
The HACyberLogix assessment tool is a three-tier cyber risk management tool, consisting of 12 self-assessment domains, which assess how the company gathers information on cyber security capabilities in order to identify and manage vulnerabilities. Each domain is designed to cover a different aspect of the organisation’s cyber security effectiveness. The model analyses and benchmarks the results to determine an organisation’s ‘cyber capability’ in a confidential report that includes prioritized recommendations aimed at improving cyber risk management. These recommendations effectively serve as a roadmap for the organization to implement and sustain a cyber security program that aligns with the management of change disciplines inherent in a member’s SMS.
Naturally, the strengths and weakness individual North P&I Club Members establish when their cyber risk management comes under scrutiny remain confidential. What can be disclosed is that almost 40 North Members have completed ‘Level 1’ HACyberLogix cyber risk management assessment.
A series of webinars have generated positive comments on the virtual nature of the platform, its accessibility on demand and its ability to handle multiple users. As the HACyberLogix methodology covers all aspects of a member’s organization, and thus drives cross-functional collaboration, it serves as a catalyst for driving cultural change at the human level.
Completing Level 1 puts users at a point where they understand their cyber resilience and can progress to include cyber risk management in their SMS. Levels 2 and 3 of the Cyberlogix package cater for more detailed and thorough assessments.
It is an approach that chimes with SCORA (Safety Culture Organisational Assessment), a tool for senior officers and shore-based manager developed by North’s Loss Prevention team and Green-Jakobsen and launched to some acclaim in 2019. SCORA reports on an organisation’s ‘safety capacity’ by scoring safety leadership, health and well-being, learning/development, reporting culture and risk management.
Cyber cultural shift
North’s view is that employing the ‘Right Crew’ is central to cyber resilience. The Club sees awareness campaigns allied with regular testing on cyber security basics as a way to kick start behavioural change.
Clearly, in the face of ever-developing threats, instilling vigilance is critical if cyber resilience is to be implemented ashore and at sea. Here, the right tools can make cyber security best practice part of everyday business awareness.
Putting people at the heart of cyber security resilience is key to protecting your company.
The views presented hereabove are only those of the author and not necessarily those of SAFETY4SEA and are for information sharing and discussion purposes only.
