As technology continues to develop, information technology (IT) and operational technology (OT) onboard ships are being networked together, and more frequently connected to the Internet. This increases the risk of unauthorized access to, or malicious attacks on, ships’ systems and networks. Risks may also stem from personnel accessing systems onboard, for example by introducing malware via removable media. Consequently, the need for onboard cyber risk management is growing quickly.

A joint maritime industry group—comprised of numerous industry bodies and led by international shipping association BIMCO—has issued the second edition of “The Guidelines on Cyber Security Onboard Ships,” which includes practical advice on how to guard against cyber attacks. It includes information on insurance issues and how to effectively segregate networks, as well as practical advice on managing the ship-to-shore interface, and how to handle cyber security during port calls and when communicating with the shore side. The chapters on “contingency planning” and “responding to and recovering from cyber incidents” have been rewritten specifically for ships and the conditions they would face if a ship’s defenses were breached.

The joint industry working group members are: BIMCO, Cruise Lines International Association (CLIA), International Chamber of Shipping (ICS), International Association of Dry Cargo Shipowners (INTERCARGO), International Association of Independent Tanker Owners (INTERTANKO), International Union of Maritime Insurance (IUMI) and Oil Companies International Marine Forum (OCIMF).

“Cyber security is certainly a hot topic for all of us now, and this latest guidance includes valuable information, applying a risk-based approach to all of the areas of concern, highlighting how an individual’s unwitting actions might expose their organization,” Angus Frew, BIMCO Secretary General and CEO, says. “In light of recent events we urge everyone across the industry to download it … and to consider the risk cyber crime may pose to their ships and operations. Ignorance is no longer an option, as we are all rapidly realizing.”

I was particularly interested to read a section noting that cyber safety is as significant as cyber security. Both have equal potential to affect the safety of onboard personnel, ships and cargo. The guide explains that cyber security is concerned with the protection of IT, OT and data from unauthorized access, manipulation and disruption, while cyber safety covers the risks from the loss of availability or integrity of safety-critical data and OT. The guide adds that while the causes of a cyber safety incident may be different from those of a cyber security incident, an effective response to both is based on training and awareness of appropriate company policies and procedures.

Cyber safety incidents can, the guide notes, stem from:

  • A cyber security incident, which affects the availability and integrity of OT. For example, corruption of chart data held in an Electronic Chart Display and Information System (ECDIS),
  • A failure occurring during software maintenance and patching,
  • Loss of or manipulation of external sensor data, critical for the operation of a ship. This includes, but is not limited to, Global Navigation Satellite Systems (GNSS).

Finally, the guide explains that when incorporating cyber risk management, a company should consider whether, in addition to a generic risk assessment of the ships it operates, a particular ship needs a specific risk assessment. The company should consider the need for a specific risk assessment if a particular ship is unique within its fleet. This evaluation should consider factors such as the extent to which IT and OT are used onboard, the complexity of system integration and the nature of operations.

What are your thoughts on cyber risk management for ships and fleets?