Cyber Risk Management: IMO Guidelines and SMS Incorporation

Maritime Mutual Risk Bulletin No. 29

Cyberrisk Management for Shipping

Introduction

Inadequate cyber security in the shipping industry continues to pose a significant risk to ship, crew and cargo safety and shipowner reputation and profitability. IMO Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems encourages flag states to ensure that procedures for the control of cyber risks are included in existing ISM Code Safety Management Systems (SMS).This should be accomplished no later than the first annual verification of the shipowner company’s Document of Compliance (DOC) after 1 January 2021.

The purpose of this Risk Bulletin is to raise member awareness of the upcoming SOLAS/ISM Code cyber risk management obligations to be met by MMIA entered vessels engaged in international trade as well as similar Non-Convention Vessel Standards (NCVS) which apply to vessels engaged in domestic trades.

Background

Vessel operation includes Operating Technology (OT) systems which control on board physical systems (e.g. ECDIS and ARPA) and Information Technology (IT) systems that manage data processing and communications. Originally, OT and IT systems were separated but they are often now linked through the internet to facilitate OT updating and patching. As a result, the viral or Malware infection of an OT system can occur. In turn, this can generate a significant cyber risk to the safety of a vessel’s crew, cargo and operation as well as damage to the marine environment.

A maritime cyber risk is defined by the IMO as a potential circumstance or event, which could result in shipping-related operational, safety or security failures as a consequence of IT or OT systems being corrupted, lost or compromised.

Cyber risk management means the process of first identifying, assessing and reporting a cyber-related risk and then minimising it to an ‘as low as reasonably practicable’ (ALARP) level. The IMO’s goal is that this process will result in a global shipping industry which is operationally resilient to cyber risks and not an easy target for Malware criminals or terrorists.

IMO Resolution and Guidelines

 IMO Resolution MSC.428(98), provides a brief statement of the IMO’s ‘high level recommendations’ in relation to cyber risk. The details are provided by the IMO’s Circular, Guidelines on Maritime Cyber Risk Management,  MSC-FAL.1/Circ.3 .

The IMO Guidelines consist of six pages which provide detailed recommendations on maritime cyber risk identification and management to safeguard shipping from current and emerging cyber threats and vulnerabilities. The recommendations are designed to be incorporated into existing SMS manuals and procedures and associated ISPS systems so as to update and enhance these processes.

ICS Guidelines

A very useful explanatory publication, sponsored by the ICS, BIMCO and other leading shipowner organisations, is The Guidelines on Cyber Security Onboard Ships, 3rd Ed. The starting point for the 56 page Guidelines is the confirmation of its alignment with the IMO Resolution and Circular as referred to above. It then expands on the IMO’s requirements and recommendations to explain and illustate the entire process for maritime IT and OT control, inclusive of:

  • Identifying threats and vulnerabilities.
  • Assessing risk exposure.
  • Developing protection and detection measure.
  • Establishing contingency plans.
  • Responding to and recovering from cyber security incidents.

The ICS Guidelines also provide some disturbing examples of cyber threats and losses which have already occurred both on board ships and ashore. One OT example being a shipboard ECDIS system which failed and was then discovered to be infected by a virus. The resulting rectification and delays costing hundreds of thousands of dollars. Another OT example was the inadvertent infection of a shipboard control system by a 3rd party technician inserting a USB device which contained a highly destructive virus. Equally troubling are reports of shipboard IT systems impacted by the insertion of infected USBs by pilots, customs officers and ship agents.

Conclusion and Takeaway

The ICS Guidelines make it clear that the risks of accidental cyber damage

or deliberate cyber-attack to OT and IT systems used in the maritime industry, including on board ship, are very real. The consequences have already proven to be costly and the deliberate causes, such as Malware and Ransomware attacks, are unlikely to disappear and will likely worsen.

MMIA considers it essential that members are fully aware of the IMO’s Resolution MSC.428(98) and MSC-FAL.1/Circ.3 , as further explained by The Guidelines on Cyber Security Onboard Ships.  Further, if members have not already done so, they should implement compliance with the IMO’s ‘high-level recommendations’ no later than 1 Jan 2021. This will include their appropriate incorporation into each ship manager’s and vessel’s SOLAS, Chapter 9, ISM Code and ISPS Code manuals and procedures, or to the equivalent NCVS standards, as applicable to each entered vessel and trade Members are respectfully reminded of their obligations under the MMIA Rules of Entry, General Rules, Rule 26, warranties f. and g., relating to flag state regulatory compliance and IMO convention compliance, inclusive of SOLAS. Members are also reminded of their “due diligence” obligations as required by MMIA Rules, General Rules, Rule 3. Compliance with the IMO’s cyber risk management recommendations referred to in this Risk Bulletin will greatly assist members in ensuring that all of their P&I insurance obligations have been met together with flag state and PSC inspection requirements.

Previous Risk Bulletins

Tug and barge units provide a relatively simple and low-cost method of transporting dry bulk, liquid and container cargoes, typically over domestic trade routes. However, these benefits need to be considered against a number of associated stability and safety risks. This Risk Bulletin is intended to raise awareness of tug stability regulations and hazards and recommend practical loss prevention measures.
Ship capsize incidents are often due to inadequate ship stability caused by a sudden and unplanned rise in the ship’s Centre of Gravity (CoG). Tragic consequences include injury, death, pollution and total loss of ship and cargo. All ships are exposed to this potential danger but some ship types and trades are much more exposed than others.
In today’s highly regulated shipping environment, members sometimes voice their concerns about the amount of time and effort spent on facilitating shipboard inspections by flag state, class, port state control, charterers and their insurers . Why are all of these separate and apparently similar surveys necessary?
Voyage planning is an essential ship, crew and cargo safety process which has long been mandated through IMO Conventions. This Risk Bulletin aims to raise awareness of shipowners, their ship managers and masters of the serious losses, inclusive of groundings and pollution, which may result from failures of Voyage Planning.
Asbestos is a material classified by The World Health Organisation (WHO) as a Group 1 carcinogenic agent. As such, the existence of asbestos onboard a ship constitutes a serious hazard to ship crews, shipboard equipment installers, repairers and other visitors. This Risk Bulletin is aimed at raising awareness of the SOLAS amendments that now prohibit asbestos onboard all ships built after 1 July 2002 and control its use on ships built before this date.