As the world tackles one physically aggressive virus, individuals and businesses are now more vulnerable to virtual viruses than ever before, due to an increasing dependence on technology, remote connectivity and communication. Cyber security threats in the maritime industry have been increasing even before the Coronavirus, due to the fact that more and more stakeholders are embracing digitalised remote connection systems.
However, upcoming requirements by the IMO mean that shipowners and managers have until 1st January 2021 to incorporate cyber risk management into their safety management systems. The IMO Resolution MSC.428(98) recalls the purpose and objectives of the ISM Code, and encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Document of Compliance (after 1 January 2021).
Now less than a year away from this deadline, DNV GL hosted a webinar this week regarding the driving force of the ISM code, which provides a comprehensive framework for addressing cyber risks affecting the safe and environmentally sound operation of ships, and identified the practices they have put in place to ensure vessels can comply with the fast-approaching deadline.
“The IMO Resolution MSC.428(98) states that cyber security should be looked into thoroughly, so when cyber security is specifically mentioned, and all risks are being considered, it means that cyber security is now a requirement for the industry...” - Jarle Blomhoff, Group Leader Cyber Safety & Security - Ship Classification at DNV GL
“The IMO Resolution MSC.428(98) states that cyber security should be looked into thoroughly, so when cyber security is specifically mentioned, and all risks are being considered, it means that cyber security is now a requirement for the industry,” began Jarle Blomhoff, Group Leader Cyber Safety & Security - Ship Classification at DNV GL. “The financial risk of having a cyber security incident can be quite large, and most current insurance deals exclude cyber attacks with a clause 380, so it is important to consider this risk.
“Of interest to charter vessels, there are vetting schemes in place looking at cyber security requirements, so if you are good on your cyber security, you not only have a safe ship, but you are also more likely to get a charter contract,” continued Blomhoff.
The complexity of vessels is increasing, and the industry is seeing a higher demand for more advanced software and information. “This means more connectivity, more remote connection, and more integrated connections between systems on board,” Blomhoff explained. “Therefore, we need to see the upcoming deadline as an opportunity. We believe that cyber security resilience is the key to safely realise the benefits of digital shipping.”
Arguably most companies are now looking into remote operation, for example, how they can reduce cost of operation, how can they optimise performance, use less fuel, improve logistics chains, and reduce maintenance.
According to Georg Smefjell, Head of Section at DNV GL, the IMO deciding to use the ISM code to facilitate cyber risk must be approached according to the specific needs of the vessel’s operational profile. “The certification will be the same, the systematics will be the same, but now you will have to consider cyber risk as part of your safety management systems.
“The ISM code has the intention that you develop a safety management system that fits your needs. You use your existing safety management system; you start from the objectives of the ISM code, and then put cyber security into that aspect,” Smefjell continued.
“For ships with limited cyber related systems, you can refer to the IMO guidelines, but for those with more complex cyber related systems you may require a greater level of care such as DNV GL class, or advisory services...” Georg Smefjell - Head of Section at DNV GL
The IMO has stressed that no two organisations are the same, hence why you need to develop measures that are unique to the vessel in question. “For ships with limited cyber related systems, you can refer to the IMO guidelines, but for those with more complex cyber related systems you may require a greater level of care such as DNV GL class, or advisory services,” Smefjell explained.
The cyber risk management approach, therefore, should be resilient and evolve as a natural extension of existing management system practices. “In 2020 and in 2021, [DNV GL] will have cyber security as a focus area in our audits. We will assess the effectiveness of your safety management systems in handling requirements and meeting objectives.”
The IMO has identified five key elements of the management systematics: identification, protection, detection, response and recovery. This means that each vessel must define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations. Secondly, they must implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations. Thirdly, develop and implement activities necessary to detect a cyber-event in a timely manner. Fourthly, develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event. And lastly, identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.
In order to aid vessels in identifying how to avoid cyber-attacks, the IMO has also identified the ‘vulnerable systems’ which may be prone to attacks. These include: bridge systems, propulsion and machinery management and power control systems, access control systems, passenger servicing and management systems, passenger facing public networks, administrative and crew welfare systems, and communications systems.
“In order to become compliant to these regulations, we must start by identifying our objectives, make a cyber risk assessment, execute proper policy and procedure, and identify roles and responsibilities” - Svante Einarsson, Team Leader Cyber Security at DNV GL
“In order to become compliant to these regulations, we must start by identifying our objectives, make a cyber risk assessment, execute proper policy and procedure, and identify roles and responsibilities,” began Svante Einarsson, Team Leader Cyber Security at DNV GL, stressing that this must be a continuous process of improvement, where managers continuously reflect on ‘are we achieving our objectives?’, ‘are we making reports and improving on this?’, ‘do we fill in the gaps on things we have missed?’.
“We must be protecting our vessels in terms of confidentiality, integrity and availability. This will have a direct impact to the different functions of our vessel, for example, navigation, ballasting and propulsion. These give you a starting point in order to make an inventory to identify the systems related to these functions - what is the hardware providing the backbone of these systems and what is the software that is running them - so that you can execute change management that can work on these systems and proper cyber risk management,” Einarsson explained. This is very similar to any safety risk assessment and other requirements in accordance to the ISM code, where you consider ‘which system can I protect?’, ‘how likely is it that these systems can be compromised?’, and ‘what could be the potential consequence and therefore the risk?’.
However, there are some differences when looking at cyber risk management, as likelihood is not as easy to predict in terms of cyber-attacks. “We have to identify ease of access to the system in terms of how easy this system would be to reach and infiltrate. The consequence scheme is different too, as we also have to ask ourselves ‘what do we do if someone attacks the system and compromises our confidentiality and integrity?’. This is harder to notice and we might not know until an emergency situation,” Einarsson concluded.
DNV GL’s recommended approach to build cyber security resilience holistically requires three key components. Process: update your procedures and policies to reflect cyber security best practices, and implement practices into your organisation. Technology: ensure segregation of your networks and ensure system security and hardening of connections (removable devices, malicious code, backup & recovery etc.). People: train your onboard & shore personnel, perform emergency drills and define roles & responsibilities.
As outlined above, the proper management of cyber risks is expected to be verified by administrations during the first annual review of a company's DoC following 1 January 2021, so now is the time to consider whether these practices are in place.
Effective management of cyber risks by companies, in accordance with the international regulatory requirements, is understood to be demonstrated by having evidence of the continuous improvement of approved safety management systems conforming to the requirements of the ISM Code (to take into account cyber risks); and the implementation of policies and procedures for effective cyber risk management.
During the current global pandemic, there are cyber attackers who are thriving on exploiting our human instinct to click on links, and as reported by DNV GL, according to Check Point Threat Intelligence, Coronavirus-related domains are 50% more likely to be malicious than other domains registered at the same period, so it is imperative that strong cyber security systems are in place.
During the COVID-19 Crisis as a good will gesture, while many people are at home, in port, on board or working remotely, we are allowing our loyal and expert audience, complete and complimentary access to our SuperyachtNews Premium Content and unlimited access to our digital library of The Superyacht Report - issues 175-200. Click here to sign up now.