Across the global maritime community, ports, vessels and facilities are increasingly connected to and dependent on cyber systems. Failure to anticipate and prepare for a cyber incident may have significant consequences.
Maritime industry operations and management rely on cyber systems. Global Positioning Systems (GPS), automated equipment, physical security sensors, electronic certificates, cargo tracking, electronic navigation, Automatic Identification Systems (AIS), record-keeping and pre-arrival processing are just some of the equipment and activities that depend on reliable and secure cyber systems. This reliance on computers and computer networks, particularly those connected to the internet, creates a potential vulnerability to cyber attacks as a result of poor cyber security practices.
There are many examples of cyber security incidents related to the maritime industry:
The consequences of a cyber-attack could be wide-ranging. For example, ship collisions could result from hacking of e-navigation and other systems that could lead to:
Cyber risks are therefore of increasing concern and should be considered a part of the overall operational risk picture and addressed in a systematic way.
IMO makes cyber risk management onboard ships mandatory as of 1 January 2021
The Maritime Safety Committee (MSC) adopted Resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems in June 2017. The resolution states that an approved safety management system should take cyber risk management into account in accordance with the objectives and requirements of the ISM Code. Based on the recommendations in MSC-FAL.1/Circ.3, Guidelines on maritime cyber risk management, the resolution confirms that existing risk management practices should be used to address the operational risks arising from the increased dependence on cyber-enabled systems.
The guidelines set out the following actions that can be taken to support effective cyber risk management:
IMO Resolution MSC.428(98) encourages IMO member states to ensure cyber risks are addressed in safety management systems no later than the first annual verification of a company’s Document of Compliance after 1 January 2021.
Some Gard Members and clients have been victims of cyber crime where hackers have accessed the e-mail accounts of their service providers and sent emails purporting to be from our Members requesting that fees and payments be sent to different bank accounts than usual. This diversion of funds led to one ship being detained because the agents had not received funds for port clearance. This type of phishing scam has been going on since 2013 (read more in chinalawblog.com).
Viewing cyber security as simply an Information Technology (IT) issue is similar to considering the safe operation of a vessel as simply a main engine issue. Addressing cyber security should start with the senior management of a company rather than being delegated to the Vessel Security Officer or head of the IT department.
Any company can be vulnerable to cyber risks. At Gard we strive to protect the interests of our Members and clients in the best possible way. We are developing an internal Information Security Management System to protect the confidentiality, integrity and accessibility of our organisation's information through measures relating to people, processes and IT systems.
Where should you start to improve your cyber security?
Take a holistic approach involving:
1. People – focus on knowledge, behaviour and mind-set
2. Processes – focus on policies, procedures and risk assessments
3. IT systems – focus on firewalls, antivirus and encryption
Cyber security, also known as computer security or IT security, is the protection of information systems from theft of or damage to:
Information security, also known as InfoSec, is the practice of protecting information from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Reference is also made to the IMO Multilingual Glossary on Cyberterms published in May 2016.
BIMCO, together with other leading shipping organisations, launched a set of guidelines in January 2016 to help the global shipping industry prevent major safety, environmental and commercial issues that could result from a cyber incident on-board a ship. The second version of the guidelines was released in July 2017 and includes new information on how to segregate networks, manage ship-to-shore interfaces and handle cyber security during port calls. The 2017 version also has a chapter on the insurance cover. The guidelines have been aligned with the recommendations given in the IMO Guidelines on Cyber Risk Management. See also this useful poster which can help prevent the most common cyber incidents.
US Coast Guard
The US Coast Guard published its Cyber Strategy in July 2015 in response to what it perceives as one of the greatest threats to US economic and national security interests. The Coast Guard’s cyber security website provides access to the strategy document and other cyber-related information, e.g. their Cyber Maritime Bulletins, and can be viewed by using this link: http://homeport.uscg.mil and the following path: Missions > Cybersecurity.
The US Coast Guard published a draft copy of its planned Navigation and Vessel Inspection Circular (NVIC) entitled Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities on 12 July 2017. The draft NVIC provides guidance, which shipowners and operators may find useful, on how to develop and implement measures and activities for effective self-governance of cyber vulnerabilities.
The UK Department of Transport (DfT) published its Code of Practice: Cyber Security for Ships on 13 September 2017, providing a management framework that can be used to reduce the risk of cyber incidents that could affect the safety or security of a ship, its crew, passengers or cargo.
The Code of Practice is intended to be used as an integral part of a company's or ship's overall risk management system and subsequent business planning and provides actionable advice on:
Although the Code of Practice refers to Maritime Security Regulations in the UK, its provisions are complementary to those of the SOLAS Convention, the ISM Code and the ISPS Code and it is therefore considered as a useful guidance document for all nationalities of ships.
A copy of the UK’s Cyber Security Code of Practice for Ships can be downloaded via GOV.UK at: https://www.gov.uk/government/publications/ship-security-cyber-security-code-of-practice.
An article published by Reed Smith (available here) provides a breakdown of the Code and sheds some light on the cyber security vulnerabilities unique to the shipping industry.