A risk-based approach is crucial to sound cyber security
Information and communications technology is increasingly relied upon for ship safety, security, and the protection of the marine environment. Examples of ship-based cybertechnologies include:
- navigation systems, including electronic charts;
- global and dynamic positioning systems;
- radar and automatic identification systems;
- communications systems, including radio and data communications;
- integrated bridge systems; and
- control systems for on-board electro-mechanical systems including engines, generators, ballast tanks, life support, fuel and oil pumps, watertight doors, fire alarms and controls, cargo hold fans and environmental controls.
The significant efficiency gains afforded by cybertechnologies also carry risks to critical systems and processes linked to the operation of systems integral to shipping. Security breaches may compromise ship safety, security, shipboard personnel, cargo, sensitive data and disrupt operations at the ship or fleet level.
Owners and operators may also incur financial losses, legal responsibility and reputational damage.
These potential far-reaching consequences have increased the need for cyber risk management in the shipping industry to guard against current and emerging threats and vulnerabilities to cybertechnologies.
Malicious actions, as well as the unintended consequences of benign actions, may expose vulnerabilities in operational or information technology. Vulnerabilities created by accessing, interconnecting or networking systems can result from inadequacies in design, integration and/or maintenance of systems, as well as lapses in cyberdiscipline.
These vulnerabilities may impact ship safety, security and the protection of the environment as well as the security, confidentiality, integrity and availability of information.
Vulnerable systems include:
- Bridge systems;
- Cargo handling and management systems;
- Propulsion and machinery management and power control systems;
- Access control systems;
- Passenger servicing and management systems;
- Passenger facing public networks;
- Administrative and crew welfare systems; and
- Communication systems.
Cyber risk management is the process of identifying, analysing, assessing and communicating a cyber-related risk, and then accepting, avoiding, transferring or mitigating it to an acceptable level, taking into account the costs and benefits to stakeholders of the actions taken.
The goal of maritime cyber risk management is to support safe and secure shipping, which is operationally resilient to cyber risks.
Effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels of an organization and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.
Effective cyber risk management should address vulnerabilities and consider safety and security impacts resulting from their exposure or exploitation in information technology systems.
Rapidly changing technologies and threats require a risk management approach to cyber risks that is resilient and evolves as a natural extension of existing safety and security management practices. In considering potential sources of threats and vulnerabilities and associated risk mitigation strategies, a number of potential control options for cyber risk management should also be taken into consideration, including amongst others, management, operational or procedural, and technical controls.
A risk-based approach that identifies the gaps between an organization’s current and desired cyber risk management postures, and addresses them through a prioritized cyber risk management plan, can help determine how to apply resources efficiently.
The IMO’s Guidelines on Maritime Cyber Risk Management outline high-level recommendations to safeguard all organizations in the shipping industry from cyberthreats and vulnerabilities. These recommendations can be incorporated within existing risk management processes to support safe and secure shipping which is operationally resilient to cyber risks.
The IMO recommends implementing the following functional elements concurrently on a continuing basis within an organization’s risk management framework:
- Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.
- Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations.
- Detect: Develop and implement activities necessary to detect a cyber-event in a timely manner.
- Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event.
- Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.
Effective cyber risk management should ensure an appropriate level of awareness of cyber risks at all levels of an organization commensurate with the roles and responsibilities in the cyber risk management system.
The 2018 BIMCO Cyber Security Guidelines were developed with input from the Liberian Registry and the United States Coast Guard and endorsed by the International Chamber of Shipping, Intertanko, Intercargo and the Cruise Lines International Association.
The document offers guidance to shipowners and operators on how to assess their operations and put in place the necessary procedures and actions to maintain the security of cyber systems onboard their ships.
Company plans and procedures for cyber risk management should be seen as complementary to the existing security and safety risk management requirements contained in the International Safety Management (ISM) Code and the International Ship and Port Facility Security (ISPS) Code.
The Guidelines focus on six critical aspects of cyber security awareness namely:
- Identifying and understanding cyber security threats to the ship;
- Identifying vulnerabilities within ship cybertechnologies;
- Assessing risk exposure and probability of exploitation by external threats;
- Developing protection and detection measures;
- Establishing contingency plans to reduce the threat’s impacts; and
- Responding appropriately to cyber security incidents.
Cyber security should be considered at all levels of the company, from senior management ashore to crew on board, as an inherent part of the safety and security culture necessary for safe and efficient ship operations.
While the Guidelines provide the most comprehensive framework for the unique issues onboard ships, cyber risk management and the measures implemented to address vulnerabilities must be specific to the company, ship, operation and/or trade.
The IMO’s inclusion of cyber security in the International Safety Management (ISM) Code, effective 2021, will require shipowners and managers to incorporate cyber risk management within their ship safety plans. Promoting organizational awareness of cyber security is essential to managing cyber risks in shipping.
Our computer-based Cyber and Ship Security Training is designed to familiarize users with important cyber security topics, as well as general security, stowaways, and anti-piracy measures, with a view to improving maritime safety and security and mitigating risks to seafarers, vessels, and companies alike.
- MSC-FAL.1/Circ. 3 Guidelines on Maritime Cyber Risk Management
- 2018 BIMCO Cyber Security Guidelines produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI.
- ISO/IEC 27001 standard on Information technology – Security techniques – Information security management systems – Requirements. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
- United States National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework)