Can cyber threats be regulated?
There’s another digital deadline looming, but this is no millennium bug, promising to unleash chaos but delivering little by way of real impact. The IMO’s amendments to the International Safety Management Code come into force from January 1, 2021 and the industry may not be quite as prepared as it should be.
2020 has demonstrated once again the vulnerability of an already strained maritime supply chain to cyber-attack: from some of the biggest lines to the industry’s own regulator, cyber threats continue to disrupt shipping operations.
IMO member states – in particular the US Coast Guard – pushed for the adoption of a resolution that encourages ship operators to implement stricter IT security policies and practices.
As is generally accepted, the maritime industry is not a first-mover when it comes to technology, and this ranges from a laggardly approach to updating shipboard IT systems to an unwillingness to embrace newer technology. Given the possible negative impact of cyber-attacks, IMO has acknowledged that this is a risk that needs to be more closely regulated and monitored.
On the face of it, the changes are simple. From January 1, 2020 the IMO requires that cyber security precautions be referenced in the Document of Compliance of the ISM Code.
The main challenge for owners is how to interpret a resolution written in very broad terms and open to multiple interpretations. Which actions must they take, and what is the minimum required for compliance? In very simplified terms, implementing the measures suggested by IMO2021 means taking action across three categories: awareness, procedures and technology.
IMO2021 suggests that companies must establish awareness of cyber risk across the organisation, from top to bottom. It should not be treated as an ‘IT department’ issue to solve alone, as the risk lies within the entire organisation. Most in the industry should already have seen the best practice guidelines issued by BIMCO, INTERTANKO and CLIA, which can be used as a starting point.
The regulation further suggests that procedures should be implemented both onboard ship and ashore to prevent and detect cyber-attacks. Crew need onboard procedures covering simple dos and don’ts for hardware, software updates and websites, plus information on phishing and other risks. These procedures may also extend to what to do when a risk is identified – the ship may need to inform the shore and be provided with notes or actions on corrective action.
The issues of awareness and procedures mainly address behaviour, knowledge and understanding of what to do to keep risk at a minimum. The technology vertical represents the tools available to mitigate the cyber risk.
The traditional means of protection typically include anti-virus protection, firewalls, content filters and separated networks. In addition, more sophisticated tools are available, such as system monitoring, which can include remote and automatic scripting and updating of PC operating systems and ERP programs.
Cyber detection services are also available for deeper inspection of, and penetration testing against, the IT network, identifying risks not picked up by firewalls or anti-virus routines. Important too is an understanding that a growing number of threats come not via IT but from Operational Technology (OT): shipboard navigation, propulsion, cargo and other systems that are internet-connected but not necessarily secure.
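The "separated networks" control and the IT/OT distinction above can be checked rather than merely documented. The script below is an added example, not code from the article or from Voyager Worldwide: it assumes a constructed shipboard address plan (an IT range and an OT range), a constructed key=value firewall log format, and a single assumed exception (an IT host allowed to reach one OT host on TCP 443, e.g. a chart-update service). Every flow bound for the OT zone that is not from OT itself and not on the explicit allowlist is reported as a segregation violation, which is the kind of evidence an auditor or SMS review can act on.

```python
"""IT/OT segregation audit over firewall log lines.

Added example (not part of the original article). The address plan, the
allowlist entry and the log lines are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed shipboard address plan (constructed for this example).
ZONES = {
    "OT": [ipaddress.ip_network("10.20.0.0/16")],  # navigation, propulsion, cargo
    "IT": [ipaddress.ip_network("10.10.0.0/16")],  # office PCs, crew LAN, ERP clients
}

# Explicit exceptions as (source zone, destination host, destination port).
# The single entry is an assumption: e.g. a chart-update service on one host.
# Any other flow into the OT zone is treated as a segregation violation.
ALLOWED_TO_OT = {
    ("IT", "10.20.0.5", 443),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to IT, OT or EXTERNAL (anything outside the plan)."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "EXTERNAL"


def parse_flow(line: str) -> Optional[Flow]:
    """Parse a key=value firewall log line (constructed format).

    Returns None for lines that lack src/dst/dport so the audit can skip
    malformed input instead of crashing half-way through a log file.
    """
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    try:
        return Flow(fields["src"], fields["dst"], int(fields["dport"]),
                    fields.get("proto", "tcp"))
    except (KeyError, ValueError):
        return None


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "violation", reason) for one flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if dst_zone != "OT":
        return "allow", f"{src_zone}->{dst_zone} is not OT-bound"
    if src_zone == "OT":
        return "allow", "traffic internal to the OT zone"
    if (src_zone, flow.dst, flow.dport) in ALLOWED_TO_OT:
        return "allow", f"explicit exception {flow.dst}:{flow.dport}"
    return "violation", (f"{src_zone} host {flow.src} reached OT host "
                         f"{flow.dst}:{flow.dport}/{flow.proto}")


def audit(log_lines: List[str]) -> List[Tuple[Flow, str]]:
    """Collect every flow that violates the IT/OT segregation policy."""
    findings = []
    for line in log_lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict, reason = evaluate(flow)
        if verdict == "violation":
            findings.append((flow, reason))
    return findings


# Constructed sample log: TEST-NET addresses stand in for the internet.
SAMPLE_LOG = [
    "2021-01-04T08:12:01Z fw action=accept src=10.10.3.14 dst=10.20.0.5 dport=443 proto=tcp",
    "2021-01-04T08:12:07Z fw action=accept src=10.10.3.14 dst=10.20.1.9 dport=502 proto=tcp",
    "2021-01-04T08:12:09Z fw action=accept src=203.0.113.8 dst=10.20.0.5 dport=22 proto=tcp",
    "2021-01-04T08:12:15Z fw action=accept src=10.10.3.14 dst=198.51.100.20 dport=443 proto=tcp",
    "2021-01-04T08:12:20Z fw action=accept src=10.20.1.9 dst=10.20.1.10 dport=502 proto=tcp",
    "malformed line without the expected fields",
]

if __name__ == "__main__":
    for _flow, reason in audit(SAMPLE_LOG):
        print("VIOLATION:", reason)
```

On the sample log the audit reports two violations: an office PC reaching an OT host on port 502 (the Modbus port, a realistic sign of an unsegregated network) and an external address reaching an OT host over SSH. The permitted chart-update flow, ordinary IT-to-internet browsing and traffic that stays inside the OT zone are not reported. Extending ZONES and ALLOWED_TO_OT to the real address plan is the whole configuration effort; the point is that the exceptions are written down, so the segregation claim in the SMS can be verified against actual traffic rather than trusted.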
Cyber matters too because security is widely expected to assume greater importance as digitalisation and connectivity in shipping increase. The issue for owners and operators is how far they can remove the burden of compliance from seafarers and instead use a systems-based approach that identifies threats and manages risks, enabling technology to play a positive role.
The industry’s largest, long-term players are likely to meet the IMO2021 requirements already, but for a small operator with a limited IT outfit they present an important, if unwelcome, additional burden. For one with a sophisticated network encompassing IT and OT systems, they present an additional series of tasks for crew unless they can be managed with a minimum of additional administration.
Compliance with voluntary cyber security guidelines has until now tended to succeed or fail on the basis of the human element, relying on an intention to do the right thing. It is precisely this lack of transparency over how the tasks are performed and how the updates are recorded that the regulation seeks to change.
At the very least, companies should implement risk control processes, measures and contingency planning, and in particular develop and implement the activities necessary to detect a cyber-event. They should also develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired by a cyber-event.
Whether cyber threats can truly be ‘regulated’ in the sense that risks will decrease is doubtful. What the IMO is establishing is a minimum baseline requirement that all operators should look to meet and surpass. Industry vetting systems such as SIRE and TMSA already exceed its requirements and scrutiny of cyber is likely to continue increasing.
An active strategy to protect IT and OT systems from cyber threats represents an ongoing investment of time and resources, but inaction is not an option. Owners and operators will have to take cyber seriously; to not do so means taking even greater risks.
More about new Cyber Security Regulations
Individual companies will clearly vary in terms of systems, personnel, procedures and preparedness. The risks to a specific ship will also be unique and dependent upon the specific integration of cyber systems aboard.
It is nonetheless up to ship owners and operators to assess their cyber risks and to implement appropriate mitigating measures. Each ‘Document of Compliance’ holder must consider their own cyber risks and implement necessary measures in their SMS.
For this reason, Voyager Worldwide has implemented a number of security measures. We have also prepared instructions that may help mitigate security risks. You can read more about these provisions here in our Voyager Cyber Security Procedures.