The Future Of Maritime Cyber Security
Today's global maritime sector depends more and more on digitalization, integration of operations, and automation.
The widespread and rapid implementation of IT systems and internet communication for ships at sea in every part of the world brings a new and urgent requirement: maintaining the operational safety of those critical systems.
Cybersecurity is today a priority in the international maritime sector. In what follows we look closely at new requirements which all of us in this industry must now meet. Also, we provide guidance on how to implement cybersecurity in maritime operations.
Neither the International Maritime Organization, IMO, nor national authorities have developed cybersecurity regulations specific to the maritime sector. This will change in the very near future. As of January 1st 2021, cybersecurity requirements will be formalised in Chapter IX of the International Convention for the Safety of Life at Sea, SOLAS, Regulations 1-6, Management for Safe Operation of Ships.
This is not an isolated development. Significant moves towards cybersecurity regulations for shipping have already been taken by other organizations or are in the pipeline. The urgent need to develop cybersecurity regulations for the maritime industry has, in fact, been an area of concern for some time.
In June 2017 the IMO's Maritime Safety Committee, MSC, agreed guidelines for cyber risk management. These, in turn, became the basis of high-level recommendations for the entire maritime sector.
The guidelines place an obligation on shipowners, operators, and stakeholders to adopt a risk management approach with three overriding objectives: minimizing the danger to crew, the danger to environmental safety, and the financial consequences of a full or partial loss of availability, integrity and confidentiality of sensitive data.
THE NEW MANDATORY CYBERSECURITY REQUIREMENTS FOR ALL SHIP OWNERS
In the face of emerging cybersecurity threats to the industry and with the MSC resolution in mind, IMO has taken the decision to incorporate mandatory cybersecurity requirements into the International Safety Management Code, ISM.
As of January 1, 2021, cybersecurity must be addressed by all players in the shipping industry and incorporated into their Safety Management Systems, SMS.
One organisation which was quick to respond to these new circumstances was the Oil Companies International Marine Forum, OCIMF. Beginning in January 2018 the OCIMF updated Tanker Management and Self Assessment, TMSA, version 3, with a 13th Performance Element. This new element deals specifically with cybersecurity.
What do developments like these mean for the worldwide maritime sector? More specifically, what do the ISM Code, a SOLAS requirement, and TMSA version 3, best industry practice, require when it comes to preventing cyber crime at sea?
WHAT DOES THE ISM CODE SAY ABOUT INFORMATION SECURITY REQUIREMENTS?
The ISM Code requires modification to a company's SMS, which should now include the following.
- Cybersecurity measures to be adopted in the company's Health, Safety & Environment, Security & Equality / HSES&Q Policy Statement.
- Risk assessments of all OT and IT systems onboard and ashore.
- Policy in place for the uses of removable storage.
- Policy and procedure in place regarding network communications and WiFi for vessel crews.
- Policy and procedure in place for monitoring and updating navigation and communication systems.
- Policy in place regarding authorization criteria for remote connections.
- Inventory of all OT systems.
- Internet access policy in place outlining restrictions relating to operations currently being performed onboard.
- Contingency Plans for Emergency Response developed and in place.
- Items identified by TMSA and listed below.
WHAT ARE THE TMSA CYBERSECURITY REQUIREMENTS?
- Procedures in place regarding patch management for software.
- Processes and guidance in place for the identification and mitigation of cyber threats.
- Availability of guidelines for cybersecurity set by industry and classification authorities.
- Password management procedures developed.
- A Cyber Awareness Plan to promote security awareness among all personnel, developed and implemented.
DOES THE ISM CODE IMPACT YOU?
Mandatory requirements set out in the ISM Code will cover the following vessels on international operations:
- Passenger ships including high-speed passenger craft.
- Oil tankers, chemical tankers, gas carriers, bulk carriers and cargo high-speed craft of 500 GRT and above.
- Other cargo ships (offshore vessels) and mobile offshore drilling units (not bottom founded) of 500 GRT and above.
TMSA version 3 also relates to business operations under the Ship Inspection Reporting Program / SIRE.
HOW CAN YOU COMPLY WITH THE NEW CYBERSECURITY REQUIREMENTS?
TMSA 3 is now in effect. Any business operating under the jurisdiction of the new ISM Code should therefore start planning to update their SMS accordingly. The deadline is no later than the first annual verification of the company's Document of Compliance following January 1st 2021.
For all organizations concerned the message is clear. In order to be prepared and to develop the required business cybersecurity posture, including provisions relating to third-party ecosystems, start planning now for the implementation of best practice. In support of this action IMO has updated its guidelines on cybersecurity.