The Maritime Transportation System – Information Sharing and Analysis Center (ISAC) executive director Scott Dickerson highlights that companies pay more attention to complying with the IMO regulations concerning cyber activity than to security and effective risk management.
As a reminder, the IMO’s resolution calls on companies to report any cyber risk in their ISM Code no later than January 1, 2021.
This month’s Be Cyber Aware at Sea notes that, although compliance is a crucial part of being in line with regulations, Dickerson highlighted in a past Riviera Maritime Media webinar that:
No regulation, directive, or guideline is accurately depicting what the current risk profile is for an organisation. Compliance does not equal security or effective risk management, so please be wary of taking a compliance approach to any directive.
In addition, the problem of waiting for the guidelines to show you the way is twofold:
- The compliance mindset is a tick-box mentality: meeting the lowest bar and moving on to other things, only going back and refining cyber arrangements based on renewed guidance. By the time the guideline has been written and circulated, or a deadline met, the cyber landscape has already started to change, with new threats emerging. “Waiting is not an option if a company wants to be ahead of the criminals – they need to be constantly updating their policies, assessing their risks and ideally meeting the industry guidelines before they are set,” it is noted.
- The limitations of the guidelines are a challenge in themselves. Guidelines help establish the expectations of the sector but, as Dickerson says, they can’t possibly be specific enough for each company to rely upon solely. Instead, they should be viewed as the bedrock of the issue, a jumping-off point to further cyber protection based on the company’s unique role, size and circumstances.
Therefore, although the guidelines have the role of protecting the shipping and maritime industry, companies should not rest on them, but should rather be self-aware and proactive in building stronger defenses.
In conclusion, in 2019 the USCG reported a cyber incident, but also reminded the industry that:
Maintaining effective cyber security is not just an IT issue, but is rather a fundamental operational imperative in the 21st century maritime environment. The US Coast Guard therefore strongly encourages all vessel and facility owners and operators to conduct cyber security assessments to better understand the extent of their cyber vulnerabilities.