IMO has given shipowners and managers until 2021 to incorporate cyber risk management into ship safety, giving the industry another issue to deal with. Owners risk having ships detained if they have not included cyber security in the ISM Code safety management on ships by 1 January 2021.
IMO makes cyber risk management onboard ships mandatory as of 1 January 2021
The Maritime Safety Committee (MSC) adopted Resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems in June 2017.
The resolution states that an approved safety management system should take cyber risk management into account in accordance with the objectives and requirements of the ISM Code.
Based on the recommendations in MSC-FAL.1/Circ.3, Guidelines on maritime cyber risk management, the resolution confirms that existing risk management practices should be used to address the operational risks arising from the increased dependence on cyber-enabled systems.
The guidelines set out the following actions that can be taken to support effective cyber risk management:
1 Identify: Define the roles responsible for cyber risk management and identify the systems, assets, data and capabilities that, if disrupted, pose risks to ship operations.
2 Protect: Implement risk control processes and measures, together with contingency planning to protect against a cyber incident and to ensure continuity of shipping operations.
3 Detect: Develop and implement processes and defences necessary to detect a cyber incident in a timely manner.
4 Respond: Develop and implement activities and plans to provide resilience and to restore the systems necessary for shipping operations or services which have been halted due to a cyber incident.
5 Recover: Identify how to back up and restore the cyber systems necessary for shipping operations which have been affected by a cyber incident.
GUIDELINES ON MARITIME CYBER RISK MANAGEMENT
These are high-level recommendations for maritime cyber risk management by the IMO.
Maritime cyber risk refers to a measure of the extent to which a technology asset is threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.
Stakeholders should take the necessary steps to safeguard shipping from current and emerging threats and vulnerabilities related to digitisation, integration and automation of processes and systems in shipping.
Risk management is fundamental to safe and secure shipping operations. Risk management has traditionally been focused on operations in the physical domain, but greater reliance on digitisation, integration, automation and network-based systems has created an increasing need for cyber risk management in the shipping industry.
Cyber technologies have become essential to the operation and management of numerous systems critical to the safety and security of shipping and protection of the marine environment. Vulnerable systems could include, but are not limited to:
1 Bridge systems;
2 Cargo handling and management systems;
3 Propulsion and machinery management and power control systems;
4 Access control systems;
5 Passenger servicing and management systems;
6 Passenger facing public networks;
7 Administrative and crew welfare systems; and
8 Communication systems.
Threats are presented by malicious actions (e.g. hacking or introduction of malware) or the unintended consequences of benign actions (e.g. software maintenance or user permissions).
In general, these actions expose vulnerabilities (e.g. outdated software or ineffective firewalls) or exploit a vulnerability in operational or information technology. Effective cyber risk management should consider both kinds of threat.
Effective cyber risk management should also consider safety and security impacts resulting from the exposure or exploitation of vulnerabilities in information technology systems.
This could result from inappropriate connection to operational technology systems or from procedural lapses by operational personnel or third parties, which may compromise these systems (e.g. inappropriate use of removable media such as a memory stick).
The goal of maritime cyber risk management is to support safe and secure shipping, which is operationally resilient to cyber risks.
How to start
Effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels of an organisation and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.
One accepted approach to achieve the above is to comprehensively assess and compare an organisation’s current, and desired, cyber risk management postures. Such a comparison may reveal gaps that can be addressed to achieve risk management objectives through a prioritised cyber risk management plan.
This risk-based approach will enable an organisation to best apply its resources in the most effective manner.
The Guidelines present the functional elements that support effective cyber risk management.
These functional elements are not sequential – all should be concurrent and continuous in practice and should be incorporated appropriately in a risk management framework:
1 Identify
2 Protect
3 Detect
4 Respond
5 Recover
Cyber risk management
Cyber risk management should:
- Identify the roles and responsibilities of users, key personnel, and management both ashore and on board
- Identify the systems, assets, data and capabilities which, if disrupted, could pose risks to the ship's operations and safety
- Implement technical measures to protect against a cyber incident and ensure continuity of operations. This may include configuration of networks, access control to networks and systems, communication and boundary defence, and the use of protection and detection software
- Implement activities and plans (procedural protection measures) to provide resilience against cyber incidents. This may include training and awareness, software maintenance, remote and local access, access privileges, use of removable media and equipment disposal
- Implement activities to prepare for and respond to cyber incidents.
In recognising that some aspects of work to include cyber risk management in safety management systems may include commercially sensitive or confidential information, companies should consider protecting this information appropriately.
As mentioned above, the risk assessment process starts by assessing the systems on board, in order to map their robustness to handle the current level of cyber threats.
Elements of a ship security assessment can be used when performing the risk assessment, which should physically test and assess the IT and OT systems on board, including:
- Identification of existing technical and procedural controls to protect the onboard IT and OT systems (more information can be found in the Critical Security Controls)
- Identification of IT and OT systems that are vulnerable, the specific vulnerabilities identified, including human factors, and the policies and procedures governing the use of these systems (the identification should include searches for known vulnerabilities relevant to the equipment, the current level of patching and firmware updates)
- Identification and evaluation of key shipboard operations that are vulnerable to cyber incidents
- Identification of possible cyber incidents and their impact on key shipboard operations, and the likelihood of their occurrence, to establish and prioritise protection measures.
Furthermore, any identified cyber vulnerability in the factory standard configuration of a critical system or component should be disclosed to facilitate better protection of the equipment in the future.
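The gap analysis described under "How to start" (comparing the current and desired posture) and the assessment steps just listed (systems, vulnerabilities, patch level, likelihood and impact, then prioritised protection measures) are usually carried out as a scored risk register. The following is an added illustration, not code from the guidelines or any vendor: it scores a constructed inventory of onboard IT/OT systems by likelihood times impact and lists the baseline controls each system lacks. The exposure factors, their weights, the `REQUIRED_CONTROLS` baseline and the sample inventory are all assumptions chosen for the example; the factors themselves (unpatched vulnerabilities, stale firmware, inappropriate IT/OT connection, removable media) mirror the vulnerabilities and threats the text names.

```python
"""Constructed onboard cyber risk assessment: likelihood x impact scoring
plus a current-vs-desired control gap list for a prioritised plan."""
from dataclasses import dataclass, field

# Assumed baseline controls every onboard system should have (loosely after
# the Critical Security Controls; not a list from the guidelines).
REQUIRED_CONTROLS = frozenset({
    "inventory", "access_control", "network_segmentation",
    "patching", "backup", "logging",
})


@dataclass
class OnboardSystem:
    name: str
    domain: str               # "IT" or "OT"
    criticality: int          # impact on ship operations if disrupted, 1 (low) .. 5 (critical)
    known_vulns: int          # known vulnerabilities not yet patched
    months_since_patch: int   # age of the last software/firmware update
    connected_to_it: bool     # OT system bridged to the business/crew network
    removable_media: bool     # updated or loaded via USB in normal operation
    controls: frozenset = field(default_factory=frozenset)  # controls in place


def likelihood(s: OnboardSystem) -> int:
    """Likelihood of a cyber incident, 1..5, from exposure factors.
    The weights are assumptions for illustration, not values from the guidelines."""
    score = 1
    score += min(s.known_vulns, 2)             # known, unpatched weaknesses
    if s.months_since_patch > 12:
        score += 1                             # stale patching/firmware
    if s.domain == "OT" and s.connected_to_it:
        score += 1                             # inappropriate IT/OT connection
    if s.removable_media:
        score += 1                             # memory-stick exposure
    return min(score, 5)


def risk(s: OnboardSystem) -> int:
    """Likelihood x impact, 1..25."""
    return likelihood(s) * s.criticality


def control_gaps(s: OnboardSystem) -> list:
    """Baseline controls the system lacks: the current-vs-desired gap."""
    return sorted(REQUIRED_CONTROLS - s.controls)


def prioritised_plan(systems) -> list:
    """Systems ordered highest risk first, each with its score and gaps."""
    ranked = sorted(systems, key=risk, reverse=True)
    return [(s.name, risk(s), control_gaps(s)) for s in ranked]


# Constructed sample inventory (not a real ship).
INVENTORY = [
    OnboardSystem("ECDIS", "OT", 5, 2, 18, True, True,
                  frozenset({"inventory"})),
    OnboardSystem("Engine control", "OT", 5, 0, 6, False, False,
                  frozenset({"inventory", "network_segmentation", "backup"})),
    OnboardSystem("Cargo management", "IT", 4, 1, 14, False, True,
                  frozenset({"inventory", "access_control", "logging"})),
    OnboardSystem("Crew Wi-Fi", "IT", 1, 3, 3, False, False,
                  REQUIRED_CONTROLS),
]

if __name__ == "__main__":
    for name, score, gaps in prioritised_plan(INVENTORY):
        print(f"{name:18} risk={score:2}  gaps={', '.join(gaps) or 'none'}")
```

Running it puts the USB-updated, IT-connected ECDIS at the top of the plan (risk 25, five missing controls) and the fully controlled crew Wi-Fi at the bottom (risk 3, no gaps), even though the Wi-Fi has the most known vulnerabilities: the ordering is driven by impact on ship operations, which is the point of assessing likelihood and impact together rather than counting vulnerabilities.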