The coming of a new year often holds promise for the future. With the coronavirus pandemic dominating center-stage last year, many have their eyes keenly focused on new beginnings with the start of 2021. For some in the maritime industry, especially owners and operators of commercial vessels involved in international trade, 2021 brings a new set of guidelines for protecting vessels—the International Maritime Organization’s (IMO) guidelines on maritime cyber risk management.

These new guidelines, a milestone for maritime safety and security, are the product of collaboration and hard work among shipping industry leaders and IMO Member States. Some in the shipping industry consider this development to be game changing. Whether game changing or not, implementation of this new model is a vital step toward forging a uniform approach for combating cyber threats against vessels.

Notably, however, the 2021 guidelines leave an equally vital, and maybe just as vulnerable, part of the shipping industry—port facilities—without a similar set of principles. Now that the IMO’s vessel guidelines are in the implementation phase, Member States and maritime industry leaders should again prioritize cybersecurity and collaborate at the IMO to develop uniform cybersecurity standards for port facilities.

The IMO and International Maritime Regulation

Before exploring the need for port facility cybersecurity standards, it may be useful to review the IMO’s role in developing international regulations. In 1948, the Member States of the United Nations created the IMCO, which changed its name to IMO in 1982, to facilitate global cooperation with regulation and practices of shipping engaged in international trade. The IMO’s goal is to ensure safe, secure, and sustainable shipping, facilitating trade and friendly relations among all states. Because shipping is historically and inherently an international endeavor, the IMO depends on and promotes cooperation among its 174 Member States to build uniform regulations that support this essential goal. The IMO construct has remained durable and inclusive since its inception.

Few maritime regulatory regimes exemplify the IMO’s impactful work across the globe more than the International Convention for the Safety of Life at Sea (SOLAS). SOLAS is a treaty from the early 1900s drafted in response to, among other things, the infamous sinking of the RMS Titanic. After its initial adoption in 1914, SOLAS further evolved via multiple conventions over many years with the last convention adopted in 1974. Consequently, the treaty is commonly referred to as SOLAS 1974.

In general terms, SOLAS establishes minimum safety standards related to ship construction, equipment, and operation. Countries party to the treaty ensure vessels under their flags comply with SOLAS’s terms by way of nationally administered certification programs. At the time of this writing, 166 countries, representing about 99 percent of the world’s shipping tonnage, were contracting parties to SOLAS 1974.

Although the last SOLAS convention was adopted in 1974, the treaty has been amended various times since then via the IMO’s “tacit acceptance” procedures. And like SOLAS itself, these amendments often followed tragedy, such as when the International Safety Management (ISM) Code was added as a chapter of SOLAS after a 1987 ferry accident in Belgium killed nearly 200 people. Because casualty investigators found the company’s poor safety culture contributed to the accident, IMO Member States developed the ISM Code, a global safety management standard, to combat what one investigator called the “disease of sloppiness” on ships and ashore. Entering into force in 1998, the ISM Code has made “shipping safer and cleaner” for more than two decades.

The IMO’s 2021 Cyber Guidelines

The ISM Code serves as the foundation upon which IMO Member States have built the 2021 guidelines for cyber risk management. The guidelines were consigned in 2017 via three key declarations. First, in Resolution MSC.429(98), Maritime Cyber Risk Management in Safety Management Systems, the IMO affirmed a view that the ISM Code already requires mitigation of cyber risks. Per this view, cyber risk management is already encompassed in the code’s existing general requirement that companies establish safeguards against all risks to ships, personnel, and the environment.

Resolution MSC.429(98) also contains a second important declaration. In it, the IMO encouraged countries to “appropriately address” this preexisting requirement no later than January 1, 2021. Put in more practical terms, now that the anticipated deadline for IMO’s cyber guidelines has arrived with the start of this new year, the IMO encourages Flag States not to issue compliance documents to vessels if cyber risks are not appropriately addressed in the respective safety management system.

The third important IMO declaration is in a July 2017 circular, in which the IMO announced that its Maritime Safety Committee (MSC) and its Facilitation Committee jointly approved specific cyber risk management guidelines. Member States developed these non-mandatory guidelines in partnership with shipping industry leaders to promote compliance with the aforementioned preexisting ISM Code requirement to mitigate cyber risks. In the July 2017 circular, the IMO recommends vessels and Flag States utilize the guidelines during compliance checks to assess whether cyber risks have been appropriately addressed.

As a risk management regime, the ISM Code is expected to adapt well to the management and mitigation of cyber risks. Government officials and maritime industry leaders, experienced from roughly 18 years of ISM Code practice, are expected to rise to the challenge of applying the code in the emerging cyber arena. Moreover, by identifying in the ISM Code a preexisting, albeit seemingly dormant, cyber requirement and then complementing that requirement with non-binding industry guidelines, Member States avoided the lengthy process of amending SOLAS 1974 and the ISM Code.

This is all to say, harnessing the ISM Code’s risk management framework to mitigate cyber threats was an efficient approach. In 2021, Flag States will begin to utilize this approach and work toward global uniformity.

The Work that Remains to Secure Ports

SOLAS 1974 has been amended numerous times, often to implement subsidiary regulations such as the ISM Code. Another subsidiary regulation within SOLAS is the International Ship and Port Facility Security (ISPS) Code, the IMO’s comprehensive mandatory security regime developed after a different tragedy—the 9/11 attacks. Interestingly, as the IMO’s new model for addressing cyber threats was being considered, the MSC reported, via MSC 97/22, that some Member States felt ISPS might be more suitable for addressing cyber threats. Nonetheless, seemingly moved by the United States’ 2017 assertion that the ISM Code’s “application is sufficiently wide to include emerging risks associated with cyber-enabled systems,” the IMO chose to harness the ISM Code, not ISPS, to promote global maritime cyber standardization.

While tapping into the ISM Code’s wide framework was efficient, such resourcefulness also came with a major limitation. Unlike the ISPS Code that covers certain ships and the port facilities that serve them, the ISM Code, even with its broad risk management concepts, applies only to vessels. This limitation means owners and operators of port facilities around the world will not reap the protective benefits realized with 2021’s implementation of IMO’s new cyber guidelines.

Port facilities play a vital role in global trade and rely heavily on technology to operate. As the May 2020 incident at Iran’s Shahid Rajaee port terminal demonstrates, a cyberattack at a port facility can be crippling. Since 2017, each of the four biggest maritime shipping companies in the world have been the victim of a cyberattack, with a recent attack taking place only a few months ago in September 2020. Considering these events, one should have no doubt that port facilities across the globe are presently vulnerable to cyber threats and the potential that these vulnerabilities will be exploited is undeniably real.

With the reality of cyber threats in mind, Member States and maritime industry leaders should collaborate at IMO to develop uniform cybersecurity standards for port facilities, just as they did to protect vessels. Coincidentally, in 2016 the Islamic Republic of Iran offered this exact proposal to the MSC. In MSC 97/4, Iran stressed the critical need for cyber risk management guidelines specific to ports. This proposal, somewhat prophetically considering the 2020 events at the Port of Shahid Rajaee, underscored the serious consequences a cyberattack could have on a port and on critical infrastructure.

While the MSC did not act on Iran’s proposal, in December 2016 the MSC expressly thanked Iran for its recommendation and “invited interested Member States to submit a proposal” for consideration at a future MSC session. No record has been found that any Member State has submitted such a proposal. Now is the time for Member States to accept the invitation.

Conclusion

The IMO’s guidelines for managing cyber risks on vessels are a key development for the shipping industry. Flag States and shipping companies worldwide now have an industry-sponsored framework from which to recurringly assess cyber safeguards on ships. There is more work to be done, however, to appropriately protect the rest of the maritime transportation system. Like Flag States and their vessels, Port States and their ports require guidelines to ensure cyber risks are uniformly addressed at maritime facilities. With 2021 finally ushering in cyber standards for vessels, now is the time for Member States, in partnership with the maritime industry, to assemble at the IMO and develop similar standards to secure ports across the globe.

Commander Michael C. Petta, USCG, serves as Associate Director for Maritime Operations and professor of international law in the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the policy or position of the U.S. Coast Guard, the Department of Homeland Security, the U.S. Navy, the Naval War College, or the Department of Defense.

This article appears courtesy of CIMSEC and may be found in its original form here. 

Life itself arose from the oceans. The ocean is vast and covers 140 million square miles, some 72 per cent of the Earth’s surface. The ocean has always been an important source of food for the life it helped generate, and from earliest recorded history it has also served trade and commerce, adventure and discovery. It has separated and brought people together.

Even now, when the continents have been mapped and their interiors made accessible by road, river and air, most of the world’s people live no more than 200 miles from the sea and relate closely to it.

Freedom of the Seas

The oceans had long been subject to the freedom of-the-seas doctrine – a principle put forth in the 17th century, essentially limiting national rights and jurisdiction over the oceans to a narrow sea belt surrounding a nation’s coastline. The rest of the seas were declared free for all and belonged to none. While this situation lasted into the twentieth century, by mid-century there was an impetus to extend national claims over offshore resources.

There was a growing concern over the toll taken on coastal fish stocks by long-distance fishing fleets and over the threat of pollution and wastes from transport vessels and oil tankers carrying noxious cargoes that plied sea routes across the globe. The threat of pollution was always present for coastal resorts and all forms of ocean life. The navies of the maritime powers were competing for a worldwide presence in surface waters and even under the sea.

United Nations Law of the Sea Convention (UNCLOS)

The United Nations is working to ensure the peaceful, cooperative, legally defined uses of the seas and oceans for the individual and common benefit of humankind. Urgent calls for an effective international regime over the seabed and the ocean floor beyond a clearly defined national jurisdiction set in motion a process that spanned 15 years and saw the creation of the United Nations Seabed Committee, the signing of a treaty banning nuclear weapons on the seabed, the adoption of the General Assembly’s declaration that all seabed resources beyond the limits of national jurisdiction are the common heritage of mankind, and the convening of the Stockholm Conference on the Human Environment.

The UN’s groundbreaking work in adopting the 1982 Law of the Sea Convention stands as a defining moment in the extension of international law to the vast, shared water resources of our planet. The convention has resolved several important issues related to ocean usage and sovereignty, such as:

• Established freedom-of-navigation rights
• Set territorial sea boundaries 12 miles offshore
• Set exclusive economic zones up to 200 miles offshore
• Set rules for extending continental shelf rights up to 350 miles offshore
• Created the International Seabed Authority
• Created other conflict-resolution mechanisms (e.g., the UN Commission on the Limits of the Continental Shelf)

Protection of marine environment and biodiversity

The UN Environment Programme (UNEP), particularly through its Regional Seas Programme, acts to protect oceans and seas and promote the sustainable use of marine resources. The Regional Seas Conventions and Action Plans is the world’s only legal framework for protecting the oceans and seas at the regional level. UNEP also created The Global Programme of Action for the Protection of the Marine Environment from Land-based Activities. It is the only global intergovernmental mechanism directly addressing the link between terrestrial, freshwater, coastal and marine ecosystems.

The United Nations Educational, Scientific and Cultural Organization (UNESCO), through its Intergovernmental Oceanographic Commission, coordinates programmes in marine research, observation systems, hazard mitigation and better managing ocean and coastal areas.

The International Maritime Organization (IMO) is the key United Nations institution for the development of international maritime law. Its main task is to create a fair and effective, generally accepted and implemented legal framework for the shipping industry.

Marine shipping and pollution

To ensure that shipping is cleaner and greener, IMO has adopted regulations to address the emission of air pollutants from ships and has adopted binding energy-efficiency measures to reduce greenhouse gas emissions from international shipping. These include the landmark International Convention for the Prevention of Pollution from Ships of 1973, as modified by a 1978 Protocol (MARPOL), and the 1954 International Convention for the Prevention of Pollution of the Sea by Oil.

Polar Code

In 2017, the International Code for Ships Operating in Polar Waters (Polar Code) entered into force. The Polar Code covers the full range of design, construction, equipment, operational, training, search and rescue and environmental protection matters relevant to ships operating in the inhospitable waters surrounding the two poles. It was an important regulatory development in the field of transport and trade facilitation, alongside a range of regulatory developments relating to maritime and supply chain security and environmental issues.

Piracy

In recent years there has been a surge in piracy off the coast of Somalia and in the Gulf of Guinea. Pirate attacks are a danger to the welfare of seafarers and the security of navigation and commerce. These criminal acts may result in the loss of life, physical harm or hostage-taking of seafarers, significant disruptions to commerce and navigation, financial losses to shipowners, increased insurance premiums and security costs, increased costs to consumers and producers, and damage to the marine environment.

Pirate attacks can have widespread ramifications, including preventing humanitarian assistance and increasing the costs of future shipments to the affected areas. The IMO and UN have adopted additional resolutions to complement the rules in the Law of the Sea Convention for dealing with piracy.

The United Nations Office on Drugs and Crime (UNODC), through its Global Maritime Crime Programme (GMCP) combats transnational organized crime in Africa focusing on countering piracy of the Horn of Africa and Gulf of Guinea. The programme has delivered support to states in the region by carrying out trials and imprisonment of piracy suspects as well as developing maritime law enforcement capabilities through the facilitation of training programmes. From the piracy prosecution model, prisoner transfers and training of members in the judicial system of the Atlantic and Indian Ocean, to full-time mentoring to coast guards and police units in Somalia, Kenya and Ghana, the UNODC GMCP has accomplished many successes in a challenging environment. This has been achieved through a variety of programmes aimed at promoting maritime safety and bolstering the countries’ rule of law and justice systems.

Resources:

• Related stories from the UN system
• United Nations Convention on the Law of the Sea (IMO)
• Oceans and Law of the Sea
• Oceans and Seas (UNEP)
• Review of Maritime Transport (UNCTAD)