Inadequate cyber security in the shipping industry continues to pose a significant risk to ship, crew and cargo safety and shipowner reputation and profitability. IMO Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems encourages flag states to ensure that procedures for the control of cyber risks are included in existing ISM Code Safety Management Systems (SMS).This should be accomplished no later than the first annual verification of the shipowner company’s Document of Compliance (DOC) after 1 January 2021.
The purpose of this Risk Bulletin is to raise member awareness of the upcoming SOLAS/ISM Code cyber risk management obligations to be met by MMIA entered vessels engaged in international trade as well as similar Non-Convention Vessel Standards (NCVS) which apply to vessels engaged in domestic trades.
Vessel operation includes Operating Technology (OT) systems which control on board physical systems (e.g. ECDIS and ARPA) and Information Technology (IT) systems that manage data processing and communications. Originally, OT and IT systems were separated but they are often now linked through the internet to facilitate OT updating and patching. As a result, the viral or Malware infection of an OT system can occur. In turn, this can generate a significant cyber risk to the safety of a vessel’s crew, cargo and operation as well as damage to the marine environment.
A maritime cyber risk is defined by the IMO as a potential circumstance or event, which could result in shipping-related operational, safety or security failures as a consequence of IT or OT systems being corrupted, lost or compromised.
Cyber risk management means the process of first identifying, assessing and reporting a cyber-related risk and then minimising it to an ‘as low as reasonably practicable’ (ALARP) level. The IMO’s goal is that this process will result in a global shipping industry which is operationally resilient to cyber risks and not an easy target for Malware criminals or terrorists.
IMO Resolution and Guidelines
IMO Resolution MSC.428(98), provides a brief statement of the IMO’s ‘high level recommendations’ in relation to cyber risk. The details are provided by the IMO’s Circular, Guidelines on Maritime Cyber Risk Management, MSC-FAL.1/Circ.3 .
The IMO Guidelines consist of six pages which provide detailed recommendations on maritime cyber risk identification and management to safeguard shipping from current and emerging cyber threats and vulnerabilities. The recommendations are designed to be incorporated into existing SMS manuals and procedures and associated ISPS systems so as to update and enhance these processes.
A very useful explanatory publication, sponsored by the ICS, BIMCO and other leading shipowner organisations, is The Guidelines on Cyber Security Onboard Ships, 3rd Ed. The starting point for the 56 page Guidelines is the confirmation of its alignment with the IMO Resolution and Circular as referred to above. It then expands on the IMO’s requirements and recommendations to explain and illustate the entire process for maritime IT and OT control, inclusive of:
- Identifying threats and vulnerabilities.
- Assessing risk exposure.
- Developing protection and detection measure.
- Establishing contingency plans.
- Responding to and recovering from cyber security incidents.
The ICS Guidelines also provide some disturbing examples of cyber threats and losses which have already occurred both on board ships and ashore. One OT example being a shipboard ECDIS system which failed and was then discovered to be infected by a virus. The resulting rectification and delays costing hundreds of thousands of dollars. Another OT example was the inadvertent infection of a shipboard control system by a 3rd party technician inserting a USB device which contained a highly destructive virus. Equally troubling are reports of shipboard IT systems impacted by the insertion of infected USBs by pilots, customs officers and ship agents.
Conclusion and Takeaway
The ICS Guidelines make it clear that the risks of accidental cyber damage
or deliberate cyber-attack to OT and IT systems used in the maritime industry, including on board ship, are very real. The consequences have already proven to be costly and the deliberate causes, such as Malware and Ransomware attacks, are unlikely to disappear and will likely worsen.
MMIA considers it essential that members are fully aware of the IMO’s Resolution MSC.428(98) and MSC-FAL.1/Circ.3 , as further explained by The Guidelines on Cyber Security Onboard Ships. Further, if members have not already done so, they should implement compliance with the IMO’s ‘high-level recommendations’ no later than 1 Jan 2021. This will include their appropriate incorporation into each ship manager’s and vessel’s SOLAS, Chapter 9, ISM Code and ISPS Code manuals and procedures, or to the equivalent NCVS standards, as applicable to each entered vessel and trade Members are respectfully reminded of their obligations under the MMIA Rules of Entry, General Rules, Rule 26, warranties f. and g., relating to flag state regulatory compliance and IMO convention compliance, inclusive of SOLAS. Members are also reminded of their “due diligence” obligations as required by MMIA Rules, General Rules, Rule 3. Compliance with the IMO’s cyber risk management recommendations referred to in this Risk Bulletin will greatly assist members in ensuring that all of their P&I insurance obligations have been met together with flag state and PSC inspection requirements.