Cyber Risk Management: IMO Guidelines and SMS Incorporation

Maritime Mutual Risk Bulletin No. 29

Cyber Risk Management for Shipping

Introduction

Inadequate cyber security in the shipping industry continues to pose a significant risk to the safety of ship, crew and cargo and to shipowner reputation and profitability. IMO Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems, encourages flag states to ensure that procedures for the control of cyber risks are included in existing ISM Code Safety Management Systems (SMS). This should be accomplished no later than the first annual verification of the shipowner company's Document of Compliance (DOC) after 1 January 2021.

The purpose of this Risk Bulletin is to raise member awareness of the upcoming SOLAS/ISM Code cyber risk management obligations to be met by MMIA entered vessels engaged in international trade, as well as the similar Non-Convention Vessel Standards (NCVS) which apply to vessels engaged in domestic trades.

Background

Vessel operation involves Operational Technology (OT) systems, which control or directly support on board physical systems (e.g. ECDIS and ARPA), and Information Technology (IT) systems, which manage data processing and communications. Originally, OT and IT systems were physically separated, but they are now often linked to each other and to the internet to facilitate OT updating and patching. As a result, malware that would once have been confined to the IT side can now reach and infect an OT system. In turn, this can create a significant cyber risk to the safety of a vessel's crew, cargo and operation, as well as a risk of damage to the marine environment.

A maritime cyber risk is defined by the IMO as a potential circumstance or event which could result in shipping-related operational, safety or security failures as a consequence of IT or OT systems being corrupted, lost or compromised.

Cyber risk management means the process of first identifying, assessing and reporting a cyber-related risk and then reducing it to an 'as low as reasonably practicable' (ALARP) level. The IMO's goal is that this process will result in a global shipping industry which is operationally resilient to cyber risks and is not an easy target for criminals or terrorists deploying malware.

IMO Resolution and Guidelines

IMO Resolution MSC.428(98) provides a brief statement of the IMO's 'high level recommendations' in relation to cyber risk. The details are provided by the IMO's Circular, Guidelines on Maritime Cyber Risk Management, MSC-FAL.1/Circ.3.

The IMO Guidelines consist of six pages which provide detailed recommendations on maritime cyber risk identification and management to safeguard shipping from current and emerging cyber threats and vulnerabilities. The recommendations are designed to be incorporated into existing SMS manuals and procedures and the associated ISPS Code ship security procedures, so as to update and enhance these processes.

ICS Guidelines

A very useful explanatory publication, sponsored by the ICS, BIMCO and other leading shipowner organisations, is The Guidelines on Cyber Security Onboard Ships, 3rd Ed. The starting point for the 56-page Guidelines is confirmation of their alignment with the IMO Resolution and Circular referred to above. They then expand on the IMO's requirements and recommendations to explain and illustrate the entire process for maritime IT and OT control, inclusive of:

  • Identifying threats and vulnerabilities.
  • Assessing risk exposure.
  • Developing protection and detection measures.
  • Establishing contingency plans.
  • Responding to and recovering from cyber security incidents.

The ICS Guidelines also provide some disturbing examples of cyber threats and losses which have already occurred both on board ships and ashore. One OT example is a shipboard ECDIS system which failed and was then discovered to be infected by a virus; the resulting rectification and delays cost hundreds of thousands of dollars. Another OT example was the inadvertent infection of a shipboard control system by a third-party technician inserting a USB device which contained a highly destructive virus. Equally troubling are reports of shipboard IT systems compromised by infected USB devices inserted by pilots, customs officers and ship agents.

Conclusion and Takeaway

The ICS Guidelines make it clear that the risks of accidental cyber damage or deliberate cyber-attack to OT and IT systems used in the maritime industry, including on board ship, are very real. The consequences have already proven to be costly, and the deliberate causes, such as malware and ransomware attacks, are unlikely to disappear and will likely worsen.

MMIA considers it essential that members are fully aware of the IMO's Resolution MSC.428(98) and MSC-FAL.1/Circ.3, as further explained by The Guidelines on Cyber Security Onboard Ships. Further, if members have not already done so, they should implement compliance with the IMO's 'high-level recommendations' no later than 1 January 2021. This will include their appropriate incorporation into each ship manager's and vessel's SOLAS Chapter IX, ISM Code and ISPS Code manuals and procedures, or into the equivalent NCVS standards, as applicable to each entered vessel and trade. Members are respectfully reminded of their obligations under the MMIA Rules of Entry, General Rules, Rule 26, warranties f. and g., relating to flag state regulatory compliance and IMO convention compliance, inclusive of SOLAS. Members are also reminded of their "due diligence" obligations as required by MMIA Rules, General Rules, Rule 3. Compliance with the IMO's cyber risk management recommendations referred to in this Risk Bulletin will greatly assist members in ensuring that all of their P&I insurance obligations have been met, together with flag state and PSC inspection requirements.
