As we enter 2018, maritime cybersecurity, which seems to have been widely discussed amongst our peers in the preceding years, appears set to be taken a step further, with more and more classification societies looking into setting up their own frameworks for class approval of a cyber-secure maritime eco-space.
Risk management is fundamental to safe and secure shipping operations. Traditionally, risk management has focused on operations in the physical domain, but greater reliance on digitization, integration, automation and network-based systems has created an increasing need for cyber risk management in the shipping industry.
Cybersecurity for ships that are underway, moored or at berth requires a ship- or fleet-wide approach. Security standards already exist under the ISPS Code, but cybersecurity requirements can provide additional guidance on the cyber-related aspects of those security measures. Accessing, interconnecting or networking the various onboard systems creates vulnerabilities that can lead to cyber risks. Cyber attacks on any of the following:
- bridge systems,
- cargo handling and management systems,
- propulsion and machinery management and power control systems,
- access control systems,
- passenger servicing and management systems,
- passenger facing public networks,
- administrative and crew welfare systems, and
- communication systems
can result in damage, or even in the ship losing its course, which can drastically affect the safety of the ship, port facilities and marine property.
In June 2016, the IMO issued MSC.1/Circ.1526, “Interim guidelines on maritime cyber risk management”. The Guidelines provided high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities, and included functional elements that support effective cyber risk management. They were subsequently superseded by MSC-FAL.1/Circ.3, “Guidelines on Maritime Cyber Risk Management”, during the 98th session of the Maritime Safety Committee in June 2017.
These guidelines present functional elements that support cyber risk management. The elements are not sequential: all should be concurrent and continuous in practice, and should be incorporated appropriately into a risk management framework.
- Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.
- Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations.
- Detect: Develop and implement activities necessary to detect a cyber-event in a timely manner.
- Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event.
- Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.
These elements encompass the activities and desired outcomes of effective cyber risk management across critical systems affecting maritime operations and information exchange, and constitute an ongoing process with effective feedback mechanisms. There should be an appropriate level of awareness of cyber risks at all levels of an organization. The level of awareness and preparedness should be appropriate to roles and responsibilities in the cyber risk management system.
This IMO-issued guideline was meant to provide a foundation for better understanding and managing cyber risks, thus enabling a risk management approach to address cyber threats and vulnerabilities. For detailed guidance, reference to Member Governments’ and Flag Administrations’ requirements, as well as relevant international and industry standards, is recommended. Additional guidance and standards may include, but are not limited to:
- The Guidelines on Cyber Security Onboard Ships, produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI.
- ISO/IEC 27001 Standard on Information Technology – Security Techniques – Information security management systems – requirements. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
- United States National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework).
Based on the IMO guidelines and other reference standards, the Indian Register of Shipping (IRClass) came up with a set of class rules. The implementation of the new rules helps IRClass identify cyber risk issues from as early as the design stage of the vessel. A final verification then takes place once the vessel is built, and periodically thereafter during annual surveys. A vessel and its shipping back office that are certified for cyber safety are assessed as complying with the class rules and will be given an additional class notation.
In addition to the class rules, IRClass has also developed the first edition of ‘Cyber Safety Guidelines for Port and Shipping Company Facilities’, a guide to safeguarding technology systems from internal and external cyber threats, as stated in its media release of 28th Aug 2017. These guidelines are designed to help companies identify gaps and mitigate cybersecurity risks.
The only thing left to see is whether this will be implemented effectively on a global scale, or whether it will turn into another ‘one-more-paper-for-the-annual-audit’ mindset.