Cyber Risk Management: IMO Guidelines and SMS Incorporation

Maritime Mutual Risk Bulletin No. 29

Cyberrisk Management for Shipping

Introduction

Inadequate cyber security in the shipping industry continues to pose a significant risk to ship, crew and cargo safety and to shipowner reputation and profitability. IMO Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems, encourages flag states to ensure that procedures for the control of cyber risks are included in existing ISM Code Safety Management Systems (SMS). This should be accomplished no later than the first annual verification of the shipowner company’s Document of Compliance (DOC) after 1 January 2021.

The purpose of this Risk Bulletin is to raise member awareness of the upcoming SOLAS/ISM Code cyber risk management obligations to be met by MMIA entered vessels engaged in international trade, as well as of the similar Non-Convention Vessel Standards (NCVS) which apply to vessels engaged in domestic trades.

Background

Vessel operation includes Operational Technology (OT) systems which control on board physical systems (e.g. ECDIS and ARPA) and Information Technology (IT) systems that manage data processing and communications. Originally, OT and IT systems were separated, but they are now often linked through the internet to facilitate OT updating and patching. As a result, a virus or malware infection of an OT system can occur. In turn, this can generate a significant cyber risk to the safety of a vessel’s crew, cargo and operation, as well as damage to the marine environment.

A maritime cyber risk is defined by the IMO as a potential circumstance or event, which could result in shipping-related operational, safety or security failures as a consequence of IT or OT systems being corrupted, lost or compromised.

Cyber risk management means the process of first identifying, assessing and reporting a cyber-related risk and then minimising it to an ‘as low as reasonably practicable’ (ALARP) level. The IMO’s goal is that this process will result in a global shipping industry which is operationally resilient to cyber risks and not an easy target for criminals or terrorists deploying malware.

IMO Resolution and Guidelines

IMO Resolution MSC.428(98) provides a brief statement of the IMO’s ‘high level recommendations’ in relation to cyber risk. The details are provided by the IMO’s Circular, Guidelines on Maritime Cyber Risk Management, MSC-FAL.1/Circ.3.

The IMO Guidelines consist of six pages which provide detailed recommendations on maritime cyber risk identification and management to safeguard shipping from current and emerging cyber threats and vulnerabilities. The recommendations are designed to be incorporated into existing SMS manuals and procedures and associated ISPS systems so as to update and enhance these processes.

ICS Guidelines

A very useful explanatory publication, sponsored by the ICS, BIMCO and other leading shipowner organisations, is The Guidelines on Cyber Security Onboard Ships, 3rd Ed. The starting point for the 56-page Guidelines is the confirmation of its alignment with the IMO Resolution and Circular referred to above. It then expands on the IMO’s requirements and recommendations to explain and illustrate the entire process for maritime IT and OT control, inclusive of:

  • Identifying threats and vulnerabilities.
  • Assessing risk exposure.
  • Developing protection and detection measures.
  • Establishing contingency plans.
  • Responding to and recovering from cyber security incidents.

The ICS Guidelines also provide some disturbing examples of cyber threats and losses which have already occurred both on board ships and ashore. In one OT example, a shipboard ECDIS system failed and was then discovered to be infected by a virus; the resulting rectification and delays cost hundreds of thousands of dollars. Another OT example was the inadvertent infection of a shipboard control system by a third-party technician inserting a USB device which contained a highly destructive virus. Equally troubling are reports of shipboard IT systems impacted by the insertion of infected USBs by pilots, customs officers and ship agents.

Conclusion and Takeaway

The ICS Guidelines make it clear that the risks of accidental cyber damage or deliberate cyber-attack to OT and IT systems used in the maritime industry, including on board ship, are very real. The consequences have already proven to be costly and the deliberate causes, such as malware and ransomware attacks, are unlikely to disappear and will likely worsen.

MMIA considers it essential that members are fully aware of the IMO’s Resolution MSC.428(98) and MSC-FAL.1/Circ.3, as further explained by The Guidelines on Cyber Security Onboard Ships. Further, if members have not already done so, they should implement compliance with the IMO’s ‘high-level recommendations’ no later than 1 Jan 2021. This will include their appropriate incorporation into each ship manager’s and vessel’s SOLAS, Chapter 9, ISM Code and ISPS Code manuals and procedures, or into the equivalent NCVS standards, as applicable to each entered vessel and trade. Members are respectfully reminded of their obligations under the MMIA Rules of Entry, General Rules, Rule 26, warranties f. and g., relating to flag state regulatory compliance and IMO convention compliance, inclusive of SOLAS. Members are also reminded of their “due diligence” obligations as required by MMIA Rules, General Rules, Rule 3. Compliance with the IMO’s cyber risk management recommendations referred to in this Risk Bulletin will greatly assist members in ensuring that all of their P&I insurance obligations have been met, together with flag state and PSC inspection requirements.
