Cyber Risk Management: IMO Guidelines and SMS Incorporation

Maritime Mutual Risk Bulletin No. 29

Cyber Risk Management for Shipping

Introduction

Inadequate cyber security in the shipping industry continues to pose a significant risk to ship, crew and cargo safety and to shipowner reputation and profitability. IMO Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems, encourages flag states to ensure that procedures for the control of cyber risks are included in existing ISM Code Safety Management Systems (SMS). This should be accomplished no later than the first annual verification of the shipowner company’s Document of Compliance (DOC) after 1 January 2021.

The purpose of this Risk Bulletin is to raise member awareness of the upcoming SOLAS/ISM Code cyber risk management obligations to be met by MMIA entered vessels engaged in international trade as well as similar Non-Convention Vessel Standards (NCVS) which apply to vessels engaged in domestic trades.

Background

Vessel operation includes Operating Technology (OT) systems which control on board physical systems (e.g. ECDIS and ARPA) and Information Technology (IT) systems that manage data processing and communications. Originally, OT and IT systems were separated but they are often now linked through the internet to facilitate OT updating and patching. As a result, the viral or Malware infection of an OT system can occur. In turn, this can generate a significant cyber risk to the safety of a vessel’s crew, cargo and operation as well as damage to the marine environment.

A maritime cyber risk is defined by the IMO as a potential circumstance or event, which could result in shipping-related operational, safety or security failures as a consequence of IT or OT systems being corrupted, lost or compromised.

Cyber risk management means the process of first identifying, assessing and reporting a cyber-related risk and then minimising it to an ‘as low as reasonably practicable’ (ALARP) level. The IMO’s goal is that this process will result in a global shipping industry which is operationally resilient to cyber risks and not an easy target for Malware criminals or terrorists.

IMO Resolution and Guidelines

IMO Resolution MSC.428(98) provides a brief statement of the IMO’s ‘high level recommendations’ in relation to cyber risk. The details are provided by the IMO’s Circular, Guidelines on Maritime Cyber Risk Management, MSC-FAL.1/Circ.3.

The IMO Guidelines consist of six pages which provide detailed recommendations on maritime cyber risk identification and management to safeguard shipping from current and emerging cyber threats and vulnerabilities. The recommendations are designed to be incorporated into existing SMS manuals and procedures and associated ISPS systems so as to update and enhance these processes.

ICS Guidelines

A very useful explanatory publication, sponsored by the ICS, BIMCO and other leading shipowner organisations, is The Guidelines on Cyber Security Onboard Ships, 3rd Ed. The starting point for the 56 page Guidelines is the confirmation of its alignment with the IMO Resolution and Circular referred to above. It then expands on the IMO’s requirements and recommendations to explain and illustrate the entire process for maritime IT and OT control, inclusive of:

  • Identifying threats and vulnerabilities.
  • Assessing risk exposure.
  • Developing protection and detection measures.
  • Establishing contingency plans.
  • Responding to and recovering from cyber security incidents.

The ICS Guidelines also provide some disturbing examples of cyber threats and losses which have already occurred both on board ships and ashore. One OT example is a shipboard ECDIS system which failed and was then discovered to be infected by a virus; the resulting rectification and delays cost hundreds of thousands of dollars. Another OT example was the inadvertent infection of a shipboard control system by a 3rd party technician inserting a USB device which contained a highly destructive virus. Equally troubling are reports of shipboard IT systems impacted by the insertion of infected USBs by pilots, customs officers and ship agents.

Conclusion and Takeaway

The ICS Guidelines make it clear that the risks of accidental cyber damage or deliberate cyber-attack to OT and IT systems used in the maritime industry, including on board ship, are very real. The consequences have already proven to be costly and the deliberate causes, such as Malware and Ransomware attacks, are unlikely to disappear and will likely worsen.

MMIA considers it essential that members are fully aware of the IMO’s Resolution MSC.428(98) and MSC-FAL.1/Circ.3, as further explained by The Guidelines on Cyber Security Onboard Ships. Further, if members have not already done so, they should implement compliance with the IMO’s ‘high-level recommendations’ no later than 1 Jan 2021. This will include their appropriate incorporation into each ship manager’s and vessel’s SOLAS, Chapter 9, ISM Code and ISPS Code manuals and procedures, or into the equivalent NCVS standards, as applicable to each entered vessel and trade. Members are respectfully reminded of their obligations under the MMIA Rules of Entry, General Rules, Rule 26, warranties f. and g., relating to flag state regulatory compliance and IMO convention compliance, inclusive of SOLAS. Members are also reminded of their “due diligence” obligations as required by MMIA Rules, General Rules, Rule 3. Compliance with the IMO’s cyber risk management recommendations referred to in this Risk Bulletin will greatly assist members in ensuring that all of their P&I insurance obligations have been met, together with flag state and PSC inspection requirements.
