Earlier this month, senior Coast Guard leaders had the opportunity to make remarks on various topics during the Connecticut Maritime Association’s Shipping 2017 conference and expo in Stamford, Connecticut. Rear Admiral Paul Thomas, assistant commandant for prevention policy, focused on the importance of incorporating cyber risk management at every stage of ship design, construction, and operation, during a shared-stage panel on cyber security.
Mr. Thomas highlighted the progress made over the past couple of years by saying that Cyber Risk Management (CRM) is now a household term in the shipping industry. This is not always the case in other critical infrastructure segments. It reflects a maturity of understanding of the entire cyber challenge beyond hackers and attackers. Shipping industry associations have published CRM guidelines, class societies have published RPs, International Association of Class Societies has made cyber safety and CRM a focus area, and the International Maritime Organization also has developed guidelines for shipboard CRM that we expect will be finalized in June.
In addition to these efforts, USCG has conducted vulnerability assessments at ports, port facilities and aboard ships of all types to better understand the depth, breadth and scope of this challenge.
“We have partnered domestically with NIST [National Institute of Standards and Technology], FERC [Federal Energy Regulatory Commission], NRC [Nuclear Regulatory Commission], FCC [Federal Communication Commission] and others to bring lessons and best practices from other sectors to shipping and the Marine Transportation System; and we have developed useful tools that help all of us build awareness,” he said.
Currently, awareness of cyber as a risk management issue remains a major challenge to address. The focus, he said, should be to install governance over cyber risk in the same way we have installed governance for physical risks.
“It is our view that, to the extent a ship or shipping company relies on cyber systems to meet existing international or domestic requirements around safety, security and environmental protection, there already exists an obligation to understand and manage the risks associated with those systems,” Mr. Thomas added.
The U.S. has submitted a paper to IMO for consideration at MSC 98 that makes the case for installation of governance over cyber risks as part of the Safety Management System (SMS) required by the IMO’s ISM Code.
“The next step is to mitigate inherent cyber risk through standards for the design, construction and integration of shipboard cyber systems in the same way we set standards for ship structure or propulsion systems. I know that IACS is working hard on this and individual Class Societies have their own cyber safety programs,” he concluded.
Mr. Thomas noted that the ship of the future will have cyber systems designed and integrated to class and other standards which are incorporated into IMO and domestic regulation, and those systems will be operated and maintained in accordance with an approved SMS compliant with ISM or domestic requirements. He called for incorporation of cyber risk management at every stage of ship design, construction and operation.