As the maritime community becomes increasingly connected, vessels more technologically sophisticated and vessel operators increasingly dependent on the optimisation of operations, there is a growing demand to harness and utilise digital solutions, both information technology and operational technology.
With digital advancement and utilisation there are also risks to be handled. Cyber security is key to ensuring the safe operation of vessels and safeguarding people, cargo and the environment as required in the International Safety Management (ISM) Code.
Utilising ISM management systematics (setting goals, implementing measures to reach them, monitoring their effectiveness, and adjusting existing measures or implementing new ones as a result of the monitoring) is effective both for utilising opportunities and for handling the risks.
On 16 June 2017 the International Maritime Organization (IMO) adopted Resolution MSC.428(98) on “MARITIME CYBER RISK MANAGEMENT IN SAFETY MANAGEMENT SYSTEMS”. Under this decision the IMO is:
“AFFIRMING that an approved safety management system should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code.” The IMO is thereby telling the maritime industry that cyber risk shall be handled in accordance with the existing objectives and functional requirements of the ISM Code; there are no amendments to or changes in the Code. This matters because operators, the Document of Compliance (DoC) holders, can and should use their existing systematics to handle cyber risk.
DoC holders, their staff ashore and their crews on board should be well versed in the existing safety management system (SMS) measures, and are therefore also well placed to handle the risk which the IMO identified three years ago. DoC holders must expect that the effectiveness of their measures for handling cyber security will be assessed in audits no later than the first annual verification of their DoC after 1 January 2021.
We encourage DoC holders to assess their safety management systems’ effectiveness for handling cyber security, utilising the existing SMS measures where possible, and to ensure that any development or revision of SMS measures fits their needs.
In doing so it should be noted that the IMO has published “GUIDELINES ON MARITIME CYBER RISK MANAGEMENT” in MSC-FAL.1/Circ.3. In the guidance, the IMO states that:
- Risk management has traditionally been focused on operations in the physical domain, but greater reliance on digitisation, integration, automation and network-based systems has created an increasing need for cyber risk management in the shipping industry.
- A risk management approach to cyber risks [should be] resilient and evolve as a natural extension of existing safety and security management practices.
- Ships with limited cyber-related systems may find a simple application of these Guidelines to be sufficient; however, ships with complex cyber-related systems may require a greater level of care and should seek additional resources through reputable industry and Government partners.
- The distinction between information technology and operational technology systems should be considered. Information technology systems may be thought of as focusing on the use of data as information. Operational technology systems may be thought of as focusing on the use of data to control or monitor physical processes. Furthermore, the protection of information and data exchange within these systems should also be considered.
- Effective cyber risk management should also consider safety and security impacts resulting from the exposure or exploitation of vulnerabilities in information technology systems. This could result from inappropriate connection to operational technology systems or from procedural lapses by operational personnel or third parties, which may compromise these systems (e.g., inappropriate use of removable media such as a memory stick).
- In considering potential sources of threats and vulnerabilities and associated risk mitigation strategies, a number of potential control options for cyber risk management should also be taken into consideration, including amongst others, management, operational or procedural, and technical controls.
It is recommended to read the whole Guideline as part of the work to handle cyber risk. We also recommend DoC holders use their existing and familiar management systems solutions including the Deming Cycle of “Plan, Do, Check and Act” in handling cyber security.
- Plan:
  - Identify cyber security objectives.
  - Make an inventory of systems and software.
  - Execute a cyber risk assessment and identify improvement needs, with prioritisation.
- Do:
  - Integrate cyber security policies and procedures into the SMS.
  - Define and update roles and responsibilities for cyber security.
  - Execute cyber security training (general awareness and role based).
  - Roll out network segregation and hardening of systems.
- Check:
  - Evaluate the effectiveness of measures for reaching objectives.
  - Analyse cyber incident and event reports, data monitoring, etc.
  - Execute internal audits and hold management and master’s reviews with cyber security on the agenda.
- Act:
  - Seek root causes for any challenges, incidents or deficiencies.
  - Execute corrective and preventive actions ashore and across the whole fleet.
  - Ensure ongoing compliance and strive for continuous improvement.