A third edition of industry cyber risk management guidelines has addressed the requirement to incorporate cyber risks in the ship’s safety management system (SMS). The new edition also reflected deeper experience with risk assessments of operational technology (OT) such as navigational systems and engine controls, and provided more guidance for dealing with the cyber risks to the ship arising from parties in the supply chain.
Dirk Fry, chair of BIMCO’s cyber security working group and Director of Columbia Ship Management Ltd, said that “the industry will soon be under the obligation to incorporate measures to deal with cyber risks in the ship’s safety management system. This had not been tackled in the previous versions”, adding that “the third edition provides additional information which should help shipping companies carry out proper risk assessments and include measures in their safety management systems to protect ships from cyber-incidents. A new dedicated annex provides measures that all companies should consider implementing to address cyber risk management in an approved SMS”.
He noted that this was “much easier said than done”, adding that criminals trying to exploit companies or breach their security were getting more inventive by the minute.
Fry noted that the new guidelines were the third edition in as many years, which reflected “the constantly evolving nature of the risks and challenges”.
In 2017 the International Maritime Organization (IMO) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management System (SMS). The Resolution stated that an approved SMS should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code. It further encouraged administrations to ensure that cyber risks were appropriately addressed in SMS no later than the first annual verification of the company’s Document of Compliance after January 1st 2021.
The same year, IMO developed guidelines that provided high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. As also highlighted in the IMO guidelines, effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels and departments of an organization and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms. The commitment of senior management to cyber risk management was a central assumption on which the Guidelines on Cyber Security Onboard Ships had been developed.
The Guidelines had been aligned with IMO resolution MSC.428(98) and IMO’s guidelines and provided practical recommendations on maritime cyber risk management covering both cyber security and cyber safety.
A typical incident was recounted, where an unrecognized virus in an ECDIS delayed the sailing of a new-build dry bulk ship for several days. The ship was designed for paperless navigation and was not carrying paper charts. The failure of the ECDIS appeared to be a technical disruption and was not recognized as a cyber issue by the ship’s master and officers. A producer technician had to visit the ship and, after spending significant time troubleshooting, discovered that both ECDIS networks were infected with a virus. The virus was quarantined and the ECDIS computers were restored. The source and means of infection in this case were unknown, but the delay in sailing and the cost of repairs came to hundreds of thousands of dollars.
BIMCO, InterManager, International Association of Dry Cargo Shipowners (INTERCARGO), International Association of Independent Tanker Owners (INTERTANKO), International Chamber of Shipping (ICS), International Union of Marine Insurance (IUMI), Oil Companies International Marine Forum (OCIMF) and World Shipping Council (WSC) produced the third edition.
The work was supported by Anglo Eastern, Columbia Ship Management, Maersk Line and Moran Shipping Agencies, as well as the cyber security experts NCC, SOFTimpact, Templar Executives and Cyber Keel.
SOURCE: BIMCO, INSURANCE MARINE NEWS