
Gard: Recommendations on how to manage cyber risk

The third edition of the industry cyber risk management guidelines, 'Guidelines on Cyber Security Onboard Ships', highlights the requirement to incorporate cyber risks into the ship's safety management system (SMS). This edition also provides guidance on dealing with cyber risks to the ship that arise from parties in the maritime supply chain.

IMO has set a deadline for shipowners and managers to incorporate cyber risk management into the vessel's SMS: no later than the first annual verification of the company's Document of Compliance after 1 January 2021. According to Gard P&I Club, cyber risk remains a major challenge for the maritime industry. Although some steps have been taken, there is still room for improvement.

Shipowners are responsible for managing cyber risks, and this must be a continuous process rather than a one-off exercise. Training and awareness of company policies and procedures, alongside other measures, provide an effective response to cyber incidents.

On the release of the 'Guidelines on Cyber Security Onboard Ships', published in early December 2018, Jarle Fosen highlighted the key recommendations on how to respond to cyber risks:

#1 Focus on policies, procedures and risk assessments

Companies should consider the risks arising not only from the use of IT equipment but also from OT equipment onboard ships, and establish appropriate safeguards against cyber incidents involving either.

The company's cyber risk management plans should align with the existing security and safety plans required by the ISPS and ISM Codes. Requirements for the training, operation and maintenance of critical cyber systems should also be included in the ship's own documentation.

According to IMO's MSC resolution on Maritime Cyber Risk Management, an approved safety management system ought to include cyber risk management in accordance with the objectives and requirements of the ISM Code, no later than the first annual verification of the company's Document of Compliance after 1 January 2021.

All parties involved in managing a vessel must be aware of their responsibilities, align on realistic expectations and agree on the specific instructions the manager requires. Such an agreement should also take into account other applicable legislation, such as the EU General Data Protection Regulation (GDPR) or cyber regulations specific to particular coastal states.

Any agreement on these responsibilities should be formalised in writing.

Companies should also cover service providers' physical security and cyber risk management processes in supplier agreements and contracts. Coordinating cyber security with the ports a vessel calls at is a difficult task, both globally and locally.

#2 Ensure that system design and configuration are safe and fully understood and followed

Anyone performing cyber security tasks should recognise that the aim of the procedures is to prevent unauthorised access, not simply to satisfy regulators.

Experiences from the shipping industry have shown that successful cyber attacks can result in a significant loss of services.

The growth of technology brings challenges and vulnerabilities to the maritime industry, especially where networks are unsecured and internet access is unrestricted. Gard recommends that companies thoroughly understand the ship's IT and OT systems and how these systems connect to and integrate with the shore side, including public authorities, marine terminals and stevedores. This requires an understanding of all computer-based systems onboard and of how safety, operations and business could be compromised by a cyber incident.

Several IT and OT systems can also be accessed remotely. These are often referred to as 'third-party systems': a contractor controls them from a remote location, and the connection may carry two-way data flow or be upload-only.

As Jarle Fosen stated, systems and workstations with remote control, access or configuration functions could include:

  • bridge and engine room computers and work stations on the ship’s administrative network;
  • cargo such as containers with reefer temperature control systems or specialised cargo that are tracked remotely;
  • stability decision support systems;
  • hull stress monitoring systems;
  • navigational systems, including Electronic Navigation Chart (ENC), Voyage Data Recorder (VDR) and dynamic positioning (DP) systems;
  • cargo handling and stowage, engine, and cargo management and load planning systems;
  • safety and security networks, such as CCTV (closed circuit television);
  • specialised systems such as drilling operations, blow out preventers, subsea installation systems;
  • Emergency Shut Down (ESD) for gas tankers, submarine cable installation and repair.

Common cyber vulnerabilities include:

  • obsolete and unsupported operating systems;
  • expired or missing antivirus software and protection from malware;
  • inadequate security configurations and best practices, including ineffective network management and the use of default administrator accounts and passwords;
  • shipboard computer networks lacking boundary protection measures and segmentation of networks;
  • safety critical equipment or systems always connected to the shore side;
  • inadequate access controls for third parties including contractors and service providers.

#3 Provide proper onboard awareness and training

The human remains the weakest link in cyber security. It is therefore essential that seafarers are properly trained so that they can identify and report cyber incidents.

Onboard personnel play a crucial role in protecting IT and OT systems, but can also be careless. Training and awareness should be tailored to the seniority of onboard personnel, including the master, officers and crew.

Source: safety4sea
