Maritime cyber attacks increase by 900% in three years

August 6, 2020 MARITIME CYBER SECURITY

CYBER-attacks on the maritime industry’s operational technology (OT) systems have increased by 900% over the last three years with the number of reported incidents set to reach record volumes by year end. ADVERTISING Addressing port and terminal operators during an online forum last week, Robert Rizika, Naval Dome’s Boston-based Head of North American Operations, explained that in 2017 there were 50 significant OT hacks reported, increasing to 120 in 2018 and more than 310 last year. He said this year is looking like it will end with more than 500 major cyber security breaches, with substantially more going unreported. Speaking during the 2020 Port Security Seminar & Expo, a week-long virtual conference organised by the American Association of Port Authorities, Rizika said that since NotPetya – the virus that resulted in a US$300 million loss for Maersk – “attacks are increasing at an alarming rate”. READ ALSO:Westerhof sues Bonfrere over allegations of match-fixing Recalling recent attacks, he told delegates that in 2018 the first ports were affected, with Barcelona, then San Diego falling under attack. Australian shipbuilder Austal was hit and the attack on COSCO took down half of the shipowner’s US network. He said this year a US-based gas pipeline operator and shipping company MSC have been hit by malware, of which the latter incident shut down the shipowner’s Geneva HQ for five days. A US-based cargo facility’s operating systems were infected with the Ryuk ransomware, and last month the OT systems at Iran’s Shahid Rajee port were hacked, restricting all infrastructure movements, creating a massive back log. Reports of this attack have gone some way in raising public awareness of the potential wider impact of cyber threats on ports around the world. Intelligence from Iran, along with digital satellite imagery, showed the Iranian port in a state of flux for several days. Dozens of cargo ships and oil tankers waiting to offload, while long queues of trucks formed at the entrance to the port stretching for miles, according to Naval Dome. Emphasising the economic impact and ripple effect of a cyber-attack on port infrastructures, Rizika revealed that a report published by Lloyd’s of London indicated that if 15 Asian ports were hacked financial losses would be more than US$110 billion, a significant amount of which would not be recovered through insurance policies, as OT system hacks are not covered. Going on to explain which parts of the OT system – the network connecting RTGs, STS cranes, traffic control and vessel berthing systems, cargo handling and safety and security systems, etc., – are under threat, Rizika said all of them. “Unlike the IT infrastructure, there is no “dashboard” for the OT network allowing operators to see the health of all connected systems. Operators rarely know if an attack has taken place, invariably writing up any anomaly as a system error, system failure, or requiring restart. “They don’t know how to describe something unfamiliar to them. Systems are being attacked but they are not logged as such and, subsequently, the IT network gets infected,” Rizika explained. “What is interesting is that many operators believe they have this protected with traditional cyber security, but the fire walls and software protecting the IT side, do not protect individual systems on the OT network,” he said. An example would be the installation of an antivirus system on a vessel bridge navigation system (ECDIS) or, alternatively, a positioning system in a floating rig DP (Dynamic Positioning), or on one of the dock cranes on the pier side of the port. “The antivirus system would very quickly turn out to be non-essential, impairing and inhibiting system performance. Antivirus systems are simply irrelevant in places where the attacker is anonymous and discreet,” he said. “Operational networks, in contrast to information networks, are measured by their performance level. Their operation cannot be disconnected and stopped. An emergency state in these systems can usually only be identified following a strike and they will be irreparable and irreversible.” Where OT networks are thought to be protected, Rizika said they are often inadequate and based on industrial computerised system, operating in a permanent state of disconnection from the network or, alternatively, connected to port systems and the equipment manufacturer’s offices overseas via RF radio communication (wi-fi) or a cellular network (via SIM). “Hackers can access the cranes, they can access the storage systems, they can penetrate the core operational systems either through cellular connections, wi-fi, and USB sticks. They can penetrate these systems directly.” Rizika said that as the maritime industry moves towards greater digitalisation and increases the use of networked, autonomous systems, moving more equipment and technologies online, more vulnerabilities, more loopholes, will be created. “There will be a whole series of new cyber security openings through which people can attack if systems are not properly protected. “If just one piece of this meticulously-managed operation goes down it will create unprecedented backlog and impact global trade, disrupting operations and infrastructure for weeks if not months, costing tens of millions of dollars in lost revenues.” Naval Dome also predicts that cyber criminals, terrorists and rogue states will at some point begin holding the environment to ransom. “One area we see becoming a major issue is cyber-induced environmental pollution. Think about it: you have all these ships in ports, hackers can easily over-ride systems and valves to initiate leaks and dump hazardous materials, ballast water, fuel oil, etc.,” Rizika warned. Offering advice on the first steps port operators need to take to protect their OT systems, he said a deep understanding of the differences between the two spaces is vital. “There is a disconnect between IT and OT security. There is no real segregation between the networks. People can come in on the OT side and penetrate the IT side. We are actually seeing this now. Successful IT network hacks have their origins in initial penetration of the OT system.” In a pre-recorded message broadcast during Naval Dome’s presentation, Rear Admiral (Retd) Shiko Zana, the CEO of Ashdod Port, said: “We have become more aware of the growing cyber threat to OT systems. Naval Dome has a unique cyber defence solution capable of protecting against both internal and external cyber attack vectors. The solution provides protection for OT systems.” Vanguard

Read more at: https://www.vanguardngr.com/2020/07/maritime-cyber-attacks-increase-by-900-in-three-years/

Cyber security

August 6, 2020 MARITIME CYBER SECURITY

While the IMO has given shipowners and operators until 2021 to incorporate cyber risk into ships’ safety management systems, cyber criminals are already at work. Crises like the COVID-19 pandemic often lead malicious cyber actors to take advantage through various malicious methods.

Also available in Japanese.

To cope with operational issues such as denied physical access, quarantined vessels and travel restrictions, shipowners are now actively opening for remote access and implementing remote digital survey tools towards vessels and encouraging shore staff to work remotely from home.

There is also increased use of mobile devices to access operational systems onboard vessels and core business systems in the company. Unprotected devices could lead to the loss of data, privacy breaches, and systems being held at ransom. Data is an asset and protecting it requires a good balance between confidentiality, integrity and availability.

In an era of cyber everywhere, with more technological transformation, use of cloud, and broader networking capabilities towards vessels, the threat landscape continues to increase. Cyber-criminals will look to attack operational systems and backup capabilities simultaneously in highly sophisticated ways leading to destructive cyber attacks. Cyber security depends not only on how company and shipboard systems and processes are designed but also on how they are used – the human factor.

Cyber risks may not be easy to identify

Criminals trying to exploit the maritime industry, the vessels and their crew are well organised and continuously evolve in the way they operate. This reflects the constantly evolving nature of cyber risk in general. Approaches to cyber risk management need to be company- and vessel specific but must also be guided by requirements contained in relevant national, international and flag state regulations.

Shipowners and operators who have not already done so, should undertake risk assessments and incorporate measures to deal with cyber risks in their ship’s safety management systems (SMS) and crew awareness training. Shipowners and operators should also embed a culture of cyber risk awareness into all levels and departments in the office and on board the vessels. The result should be a flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.

Most Classification societies (Class) and several marine consulting companies have issued guidelines and recommendations on cyber security onboard vessels. Class, as a Recognized Organization on behalf of Flag State authorities, may now also deliver ISM audits which include cyber risk.

Class is also offering a voluntary cyber secure class notation for verifying secure vessel design and operation and cyber secure type approval to support manufacturers with cyber-secure systems and components. As an advisor, Class may also offer cyber security risk assessment, improvement, penetration testing and training support both on board and in the office.

At Gard we strive to protect the interests of our Members and clients in the best possible way. Our recommendation is to take a holistic approach to the cyber risks to protect the confidentiality, integrity and accessibility of both IT and OT systems through measures covering processes, technology and most importantly people. The easiest and most common way for cyber criminals to gain access, is through negligent or poorly trained individuals.

Recommendation No.1: Focus on policies, procedures and risk assessments

The latest Guidelines on Cyber Security Onboard Ships anticipates that cyber incidents will result in physical effects and potential safety and/or pollution incidents. Therefore, companies need to assess the risks arising not only from the use of IT equipment but also from OT equipment onboard ships and establish appropriate safeguards against cyber incidents involving either of these.

Company plans and procedures for cyber risk management must be aligned with existing security and safety risk management requirements contained in the ISPS and ISM Codes as included in company policies. Requirements related to training, operations and maintenance of critical cyber systems should also be included in relevant documentation on-board.

The IMO Maritime Safety Committee (MSC) adopted Resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems in June 2017. The resolution states that an approved safety management system should include cyber risk management in accordance with the objectives and requirements of the ISM Code, no later than the first annual verification of a company’s Document of Compliance after 1 January 2021.

Based on the recommendations in MSC-FAL.1/Circ.3Guidelines on maritime cyber risk management, the resolution confirms that existing risk management practices should be used to address the operational risks arising from the increased dependence on cyber enabled systems. The guidelines set out the following actions that can be taken to support effective cyber risk management:

  1. Identify: Define the roles responsible for cyber risk management and identify the systems, assets, data and capabilities that, if disrupted, pose a risk to ship operations.
  2. Protect: Implement risk control processes and measures, together with contingency planning to protect against a cyber incident and to ensure continuity of shipping operations.
  3. Detect: Develop and implement processes and defenses necessary to detect a cyber incident in a timely manner.
  4. Respond: Develop and implement activities and plans to provide resilience and to restore the systems necessary for shipping operations or services which have been halted due to a cyber incident.
  5. Recover: Identify how to back-up and restore the cyber systems necessary for shipping operations which have been affected by a cyber incident.

The Document of Compliance holder is ultimately responsible for ensuring the management of cyber risks on board. Where the ship is under third party management, the ship manager is advised to reach an agreement with the shipowner as to who is responsible for this matter. Emphasis should be placed by both parties on the split of responsibilities, alignment of pragmatic expectations, agreement on specific instructions to the manager and possible participation in purchasing decisions as well as budgetary requirements.

Apart from the ISM requirements, such an agreement should take into consideration additional applicable legislation such as the EU General Data Protection Regulation (GDPR) or specific cyber regulations in other coastal states. Managers and owners should consider using these guidelines as a base for an open discussion on how best to implement an efficient cyber risk management regime onboard. Any agreements on responsibility for cyber risk management should be formal and in writing.

Companies should also evaluate and cover service providers’ physical security and cyber risk management processes in supplier agreements and contracts. Similarly, coordination of the ship’s port calls is a highly complex task being both global and local in nature. It includes updates from agents, coordinating information with all port vendors, port state control, handling ship and crew requirements, and electronic communication between the ship, port and authorities ashore.

Agents’ quality standards are important because like all other businesses, agents are also targeted by cyber criminals. Cyber enabled crime, such as electronic wire fraud and false ship appointments, and cyber threats such as ransomware and hacking, call for mutual cyber strategies and cyber enhanced relationships between owners and agents to mitigate these risks.

Recommendation No.2: Ensure that system design and configuration are safe and fully understood and followed

The problem with procedures is that good intentions can become paper pushing exercises. It is therefore important to ensure that those performing tasks involving cyber security understand that the purpose of the procedures is to prevent unauthorised access and not simply to satisfy the regulators or their immediate superiors.

Unlike other areas of safety and security, where historic evidence is available, cyber risk management is made more challenging due to the lack of facts about incidents and their impact. Until we have such evidence, the scale and frequency of attacks will continue to be unknown.

Experience from the shipping industry and other business sectors such as financial institutions, public administrations and air transport have shown that successful cyber attacks can result in a significant loss of services.

Modern technologies may add vulnerabilities to ships especially if there are placed on unsecured networks and given free access to the internet onboard. Additionally, shoreside and onboard personnel may be unaware that some equipment manufacturers maintain remote access to shipboard equipment and its network system. Unknown, and uncoordinated remote access to an operating ship should be an important part of the risk assessment.

Gard recommends that companies fully understand the ship’s IT and OT systems and how these systems connect and integrate with the shore side, including public authorities, marine terminals and stevedores. This requires an understanding of all computer-based systems onboard and how safety, operations, and business can be compromised by a cyber incident.

Some IT and OT systems can be accessed remotely and may have a continuous internet connection for remote monitoring, data collection, maintenance, safety and security. These can be “third-party systems”, whereby the contractor monitors and maintains the systems from a remote location and can be both two-way data flow or upload-only.

Systems and workstations with remote control, access or configuration functions could, for example, be:

  • bridge and engine room computers and workstations on the ship’s administrative network,
  • cargo such as containers with reefer temperature control systems or specialised cargo that is tracked remotely,
  • stability decision support systems,
  • hull stress monitoring systems,
  • navigational systems including Electronic Navigation Chart (ENC) Voyage Data Recorder (VDR),
  • dynamic positioning systems (DP),
  • cargo handling and stowage, engine, and cargo management and load planning systems,
  • safety and security networks, such as CCTV (closed circuit television),
  • specialised systems such as drilling operations, blow out preventers, subsea installation systems,
  • Emergency Shut Down (ESD) for gas tankers, submarine cable installation and repair.

Below are some common cyber vulnerabilities, which may be found onboard existing ships, and on some newbuild ships:

  • obsolete and unsupported operating systems,
  • outdated or missing antivirus software and protection from malware,
  • inadequate security configurations and best practices, including ineffective network management and the use of default administrator accounts and passwords,
  • shipboard computer networks lacking boundary protection measures and segmentation of networks,
  • safety critical equipment or systems always connected to the shore side,
  • inadequate access controls for third parties including contractors and service providers.

Recommendation No.3: Provide proper onboard awareness and training

Today, the weakest link when it comes to cyber security is still the human factor. It is therefore important that seafarers are given proper training to help them identify and report cyber incidents.

The latest cyber security surveys show that the industry is more aware of the issue and has increased cyber risk management training, but there is still room for improvement. This has also been confirmed by the 2018 Crew Connectivity Survey by Futurenautics Maritime group with partners, where only 15% of seafarers acknowledge having received cyber security training, and only 33% said the company they last worked for had a policy of regularly changing passwords on board.

When assessing cyber risks, both external and internal cyber threats should be considered. Onboard personnel have a key role in protecting IT and OT systems but can also be careless, for example by using removable media to transfer data between systems without taking precautions against the transfer of malware. Training and awareness should be tailored to the appropriate seniority of onboard personnel including the master, officers and crew.

Gard have previously, together with DNV-GL, published a free to download and share cyber security awareness campaign to build competence towards crew and others – focusing on daily tasks and routines, with the aim to de-mystify the cyber issues for “normal people”. The material is not intended to suggest any industry changes or rule changes, but rather changes in the way people behave and act.

Lastly, we recommend everyone to stay cyber alert and avoid all “COVID-19 phishing” expeditions by:

  • Exercise caution in handling any email with a COVID-19 related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.
  • Use trusted sources—such as legitimate, government websites for up-to-date, fact-based information about cyber security and COVID-19.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
  • Remember to disconnect or close temporary remote access given to any external party after finishing the job.

Source: gard.no

The Biggest Challenges and Best Practices to Mitigate Risks in Maritime Cybersecurity

August 6, 2020 MARITIME CYBER SECURITY

Ships are increasingly using systems that rely on digitalization, integration, and automation, which call for cyber risk management on board. As technology continues to develop, the convergence of information technology (IT) and operational technology (OT) onboard ships and their connection to the Internet creates an increased attack surface that needs to be addressed.

Challenges in Maritime Cybersecurity

While the IT world includes systems in offices, ports, and oil rigs, OT is used for a multitude of purposes such as controlling engines and associated systems, cargo management, navigational systems, administration, etc. Until recent years, these systems were commonly isolated from each other and from any external shore-based systems. However, the evolution of digital and communications technology has allowed the integration of these two worlds, IT and OT.

The maritime OT world includes systems like:

  • Vessel Integrated Navigation System (VINS)
  • Global Positioning System (GPS)
  • Satellite Communications
  • Automatic Identification System (AIS)
  • Radar systems and electronic charts
Ship Bridge
Ship Bridge. Images courtesy of Isidoros Monogioudis and Hellenic American University

While these technologies and systems provide significant efficiency gains for the maritime industry, they also present risks to critical systems and processes linked to the operation of systems integral to shipping. These risks may result from vulnerabilities arising from inadequate operation, integration, maintenance, and design of cyber-related systems as well as from intentional and unintentional cyberthreats.

When addressing these cyberthreats, it is important to consider the uniqueness of OT systems, as these assets control the physical world. As such, there are certain challenges to consider, such as:

  • OT systems are responsible for real-time performance, and response to any incidents is time-critical to ensure the high reliability and availability of the systems.
  • Access to OT systems should be strictly controlled without disrupting the required human-machine interaction.
  • Safety of these systems is paramount, and fault tolerance is essential. Even the slightest downtime may not be acceptable.
  • OT systems present extended diversity with proprietary protocols and operating systems, often without embedded security capabilities.
  • They have long lifecycles, and any updates or patches to these systems must be carefully designed and implemented (usually by the vendor) to avoid disrupting reliability and availability.
  • The OT systems are designed to support the intended operational process and may not have enough memory and computing resources to support the addition of security capabilities.

Disruption of the operation of OT systems may impose significant risk to the safety of onboard personnel and cargo, cause damage to the marine environment, and impede the ship’s operation.

In addition to the ongoing integration of IT and OT, the future will bring MAS – Maritime Autonomous Systems. Based on artificial intelligence and Internet of Ships and Sea Services, the new generation of ships will be remotely controlled from the shore. MAS has a “disruptive” potential with implications in terms of technical, economic, environmental, legislative and social impacts in the years to come. This development may also provide opportunities and new concepts which could improve logistics and, therefore, also improve the overall environmental impact of transport.

Maritime Cyber Threat Landscape

Completely digitalized shipping means greater reliance on digital, interconnected control and communication systems, says Isidoros Monogioudis, Adjunct Professor at the Hellenic American University.

Maritime digitalization is planned to increase performance, efficacy, and better collaboration within the industry. However, at the same time it means a significant increase of the digital/cyber “attack” surface. Maritime industry, especially through vessels digitalization and with the numerous different Operational Technology devices deployed, creates a digital landscape previously unknown to a big extent due to the specific hardware and software being used. New security risks will be evolved with the impact being very significant mainly due to the direct connection with the physical world and the consequent operational damage.

In fact, it was only last July that the U.S. Coast Guard issued a safety alert warning all shipping companies of maritime cyber-attacks. The incident that led to this warning happened in February 2019 when a large ship on an international voyage bound for the Port of New York and New Jersey reported “a significant cyber incident impacting their shipboard network.”

The Coast Guard led an incident-response team to investigate the issue and found that “although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted.”

This was not the first time the U.S. Coast Guard had released a cyber safety warning. In May 2019, they published a bulletin to raise the awareness of maritime stakeholders of “email phishing and malware intrusion attempts that targeted commercial vessels.”

A cyber incident in ships might have severe consequences for the crew, the passengers, and the cargo on board. Considering that many ships carry harmful substances, a cyber incident might have severe environmental consequences or might lead to hijacking the ship to steal the cargo.

The Baltic and International Maritime Council (BIMCO) has defined a cyber safety incident any incident that leads to “the loss of availability or integrity of safety critical data and OT.”

Cyber safety incidents can be the result of:

  • a cyber security incident, which affects the availability and integrity of OT (for example, corruption of chart data held in an Electronic Chart Display and Information System (ECDIS))
  • a failure occurring during software maintenance and patching
  • loss or manipulation of external sensor data that’s critical to the operation of a ship including but  not limited to Global Navigation Satellite Systems (GNSS)

With more than 90% of the world’s trade being carried by shipping, according to the United Nations’ International Maritime Organization, the maritime industry is an attractive target for cyber attackers. The European Union has recognized the importance of the maritime sector to the European and global economy and has included shipping in the Network and Information Systems (NIS) Directive, which deals with the protection from cyber threats of national critical infrastructure.

Best Practices for Mitigating Maritime Cyber Threats

In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management System (SMS). The Resolution stated that an approved SMS should consider cyber risk management and encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems.

The same year, IMO developed guidelines that provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. As also highlighted in the IMO guidelines, effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels and departments of an organization and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.

In addition, BIMCO has developed the Guidelines on Cyber Security Onboard Ships, which are aligned with the NIST Cybersecurity Framework. The overall goal of these guidelines is the building of a strong operational resilience to cyber-attacks. To achieve this goal, maritime companies should follow these best practices:

  • Identify the threat environment to understand external and internal cyber threats to the ship
  • Identify vulnerabilities by developing complete and full inventories of onboard systems and understanding the consequences of cyber threats to these systems
  • Assess risk exposure by determining the likelihood and impact of a vulnerability exploitation by any external or internal actor
  • Develop protection and detection measures to reduce the likelihood and the impact of a potential exploitation of a vulnerability
  • Establish prioritized contingency plans to mitigate any potential identified cyber risk
  • Respond and recover from cyber incidents using the contingency plan to ensure operational continuity

“Maritime industry and its digital exposure have many similarities with industrial systems and the broader OT,” says Isidoros Monogioudis. “In this context, these companies must move very fast to the direction of protecting their systems, providing a reliable operating environment not only from performance perspective but also from security perspective. Both proactive and reactive measures must be developed and applied with the real-time security awareness and visibility being possibly the most critical solution, since OT environment remains extremely sensitive in providing timely and accurate services.”

“Maintaining effective cybersecurity is not just an IT issue but is rather a fundamental operational imperative in the 21st century maritime environment,” said the U.S. Coast Guard in their July 2019 security warning.

Source: tripwire

OFSI Releases Sanctions Guidance for Entities Operating in the Maritime Shipping Sector

August 6, 2020 POST STATE CONTROL

With the UK playing a major role in the global maritime industry and relying on containerised shipping to move 95% of its imports and exports, the importance of sanctions compliance for UK institutions cannot be understated. 

In recent months, we have seen OFAC release a long-awaited advisory for the maritime industry, comprehensively expanding the regulatory focus and placing all maritime industry stakeholders under the microscope. Following in its footsteps, this month the UK’s Office of Financial Sanctions Implementation (OFSI) released a guidance document focussing on financial sanctions guidance for those operating within the maritime shipping sector.

As global law firm Clyde & Co. have said, “It is no coincidence that two of the world’s leading sanctions enforcement bodies have both issued guidance notes to the maritime industry within months of each other.  Industry participants have been warned: there are now very clear expectations of what good sanctions compliance looks like –a failure to meet those expectations could prove costly.

So, what does the OFSI guidance cover?

The guidance looks at methods commonly used to breach sanctions, including ship-to-ship (STS) transfers and switching off or manipulating AIS transmissions. OFSI also provides guidance on specific sanctions regimes relating to DPRK, Iran, Libya, and Syria, in terms of due diligence obligations, policy enforcement, and penalties.

Illicit & suspicious shipping practices

  • STS transfers: A ship-to-ship transfer is the movement of cargo from one ship to another while at sea, rather than in port. While the majority of STS transfers are perfectly legal, they can also be used to conceal the origin or destination of the transferred cargo.
  • AIS transmissions: Vessels conducting illicit ship-to-ship transfers will typically disable AIS to evade detection. Alternatively, vessels manipulate the data transmitted via AIS to conceal a vessel’s next port of call or other information regarding its voyage.
  • False documentation: Complete and accurate shipping documentation is necessary to ensure that all those associated with a transaction understand the parties, goods, and vessels involved in a given shipment. Documents such as bills of lading and invoices can be falsified to conceal what is being shipped and shipment origin
  • Financial system abuse: Bank accounts are often established with the primary purpose of engaging in and concealing illicit activities. These can be used as fronts to conduct transactions in violation of sanctions and facilitating illicit shipping practices. Bad actors also often set up complex corporate ownership and management structures to hide the ultimate beneficiary.
  • Concealment: Those seeking to evade sanctions will often employ tactics that physically conceal illicit cargo onboard a vessel.

While the above practices do not automatically indicate a sanctions violation, OFSI specifies that they should be viewed as red flags that require further investigation, particularly around where these activities took place. Specific regions may present a high risk with respect to financial sanctions compliance, as such due diligence should be carried out as part of a risk-based approach. When dealing with such regions, or when passing through or near waters where non-compliant actors are known to operate, enhanced due diligence should be considered.

Due Diligence

Much like the recent OFAC advisory, OFSI’s guidance stresses the fact that no company is too big to fail, and how it is no longer just financial institutions that need to be concerned with sanctions. All entities across the maritime sector and related supply chains must significantly improve their due diligence and compliance programmes to avoid breaching global sanctions. In the guidance, certain industry players are highlighted:

  • Maritime insurance companies
  • Charterers
  • Unions
  • Classification societies
  • Petroleum companies and refineries
  • Customs and port state controls
  • Flag registries
  • Shipping industry associations

Compliance risk, however, is not only confined to the above industries, so global operators need to take a risk-based approach when deciding whether to conduct business.

What should you be doing? 

With the OFSI advisory coming so soon after the OFAC advisory, there is no longer an excuse for corporates who do not have appropriate systems in place to ensure proper risk-mitigation.

Yet again, the same weaknesses, such as AIS transmissions, have been highlighted as prime avenues for those seeking to flout sanctions programs.

Here at Pole Star, we have a suite of solutions to assist you in ensuring sanctions compliance across all aspects of the maritime supply chain.

PurpleTRAC is our award-winning revolutionary regulatory technology system for institutions with sanctions and risk management exposures in maritime trade, enabling users to screen and track vessels and their associated ownership and management in seconds, by entering only the vessel’s name or IMO number. Within 30 seconds, PurpleTRAC screens for the following:

  • Ship Global Sanctions List: Screens a vessel’s IMO number against our comprehensive sanctions database
  • Company Global Sanctions List: Screens a vessel’s ownership and management against our comprehensive list of sanctions, denied parties, and enforcement actions lists
  • Country Sanctions List: Screens a vessel’s flag, its ownership and management, and countries of registration, domicile, and control
  • Ship Movement History Check: Screens a vessel’s historic movements and trading patterns
  • Port State Control Check: Screens a vessel’s entire port state control inspection history

Further in line with this advisory, PurpleTRAC now has a new extension:  Bill of Lading Verification (BLV), which will allow customers to significantly extend their sanctions risk and compliance investigations by verifying bills of lading in real time.

AMSA inspection campaign to focus on stowage and securing of containers

August 6, 2020 POST STATE CONTROL

In response to several incidents of containers being lost into the sea, the Australian Maritime Safety Authority (AMSA) has initiated a focused inspection campaign on container stowage and securing arrangements, both fixed and portable, that will run from 1 August 2020 to 31 October 2020.

Introduction

Containers lost at sea present a serious safety and an environmental hazard. The World Shipping Council estimates that over the last 12 years (2008-2019), 1,382 containers have been lost at sea on an average each year due to both catastrophic and non-catastrophic incidents. A series of such incidents off Australian coast in recent years has prompted AMSA to launch its focused inspection campaign (FIC) “to demonstrate that inadequate cargo securing arrangements and the loss of cargo in Australian waters is not acceptable”. The purpose of this FIC is two-fold:

Draw shipowners’ and operators’ attention to their obligations under reg. 2 and 5, Chapter VI of SOLAS; and
Specifically focus on the use of cargo information as well as stowage and securing of containers.

Inspection process

This FIC is specific to Australia and will only target foreign vessels in Australian waters that have, or are required to have, cargo securing arrangements approved under regulation 5 of Chapter VI of SOLAS. Inspections can take place either in conjunction with normal port state control (PSC) inspections, or as a standalone inspection where a vessel is not eligible for PSC inspection. Where a deficiency is found, the inspector will discuss it with the Master with a view to ensure that the non-compliance is corrected.

Any data derived from these inspections will not be shared with regional port State control regime databases, such as the Tokyo MoU and Indian Ocean MoU, unless the vessel is deemed non-compliant and the PSC inspector believes clear grounds exist to conduct a full PSC inspection.

Scope of inspection

AMSA has provided a checklist which inspectors will follow when conducting the inspections. The inspectors will typically be focusing on the following areas during inspections:

Cargo Securing Manual
Is there an approved cargo securing manual (CSM) which adequately covers the cargo being carried;
Are crew aware of its contents, particularly stack weight limitations.

Container stowage
Permissible stack weights are not exceeded in current and previous voyages;
Vertical weight distribution has been complied with in current and previous voyages;
The forces on containers and securing systems should not exceed the allowable force limits specified in the CSM;
The vessel has been provided with a verified gross mass (VGM) of containers;
Relevant officers are well familiar with any computer programs used onboard for stowage, stability calculations, lashing forces etc.

Container securing
Securing is in accordance with the CSM;
Lashing equipment is sufficient, in good order, and compatible with the vessel;
Twistlocks, base locks and stacking cones are positioned correctly;
Cargo securing points are not rusty or poorly maintained;
Lashing checks are done during the voyage.

Heavy weather navigation
Safety management system requirements for heavy weather navigation;
Crew’s familiarity with the above.

Recommendations

Gard recommends that members and clients:

Make their crew familiar with the contents of the checklist which will be used by AMSA inspectors; reference can also be made to AMSA’s marine notice 03/2018 ‘Proper stowage of cargo containers’.
Provide training to relevant officers and crew on ensuring compliance with CSM; and
Identify areas of shortcomings and rectify them well before calling Australia.
Source: GARD

U.K. Sanctions Guidance Adds to Warnings for Maritime Sector

August 6, 2020 POST STATE CONTROL

A U.K. enforcement agency is urging the maritime industry to be on the lookout for illicit practices that could be used to evade sanctions, the latest regulator to warn about compliance risks facing the industry.

Guidance by the U.K.’s Office of Financial Sanctions Implementation, which is part of the country’s Treasury department, indicates companies are susceptible to suspicious shipping practices such as the intentional disabling of vessel-tracking systems to conduct illegal trade and the falsifying of documentation for maritime transactions.

Maritime insurance companies, charterers, customs and port state controls, and flag registries are among the sectors exposed to the risks, the agency said.

The guidance, which was issued last week and amplified in a government blog post Monday, adds to a evolving list of guidelines aimed at the maritime industry and underscores compliance complexities facing those operating in the U.S., the U.K. and the European Union, sanctions experts say.

Three U.S. agencies issued guidance for the maritime sector in May, saying the industry may need to develop procedures to avoid being exploited by terrorists and other illicit actors seeking to trade with countries subject to U.S. sanctions.

The U.K. operates the largest share of the global maritime insurance market, and 13 of the major international protection and indemnity associations of marine insurance providers operate from management offices in the U.K., the OFSI said.

Entities and individuals in the maritime sector need to assess their own risks and conduct sufficient due diligence to ensure compliance with sanctions, according to the agency, which emphasized the importance of understanding sanctions regulations in high-risk jurisdictions and using vessel-tracking systems and subscription-based resources to verify ownership structures of customers and business partners.

The guidance highlights the additional compliance obligations for companies operating in the maritime industry as they navigate the similar but different sanctions systems between the U.S. and the U.K., said Eric Lorber, a vice president at advisory firm K2 Intelligence/Financial Integrity Network.

The U.K. is in the process of transitioning to its own set of sanctions compliance guidelines as part of its departure from the European Union.

During the transition period, which ends Dec. 31, individuals and companies in the U.K. are still required to comply with the EU’s sanctions policies, in addition to United Nations sanctions and the U.K.’s own sanctions programs. The U.S. has its own sanctions programs and follows UN sanctions as well.

A shipping company based in the U.K. that conducts U.S. dollar transactions would need to comply with more than one sanctions system.

“It’s the first time you’re beginning to see this balancing act by a number of institutions in the maritime industry between two different regulatory jurisdictions that require similar actions but don’t line up one to one,” he said. “It’s really challenging for an industry that doesn’t have the sanctions expertise.”

Source: wsj

PSC inspection data analysis tool launched by V.Group

August 6, 2020 POST STATE CONTROL

V.Group has launched a new risk analysis tool to improve performance in Port State Control (PSC) inspections, leveraging data collected from the more than 1,000 PSC inspections carried out across the company’s fleet each year.

The PSC Performance Analyser highlights all the risks facing a vessel when preparing for a survey, to allow staff to take proactive action. Using the new tool, V.Group says that it has been able to achieve 83% flawless Port State Control inspections up to the end of quarter two.

The system can monitor trends by country and individual ports, and breaks the data down by office / fleet / customer, with performance analysed by Class Society and by Flag State. Data is displayed within an interactive dashboard.

“With a constantly evolving environment, the need to drive vessel safety and environmentally compliant operations has never been greater. Our new platform uses technology as well as our own in-depth knowledge to provide data to help make the decisions that matter, maximising operational efficiency on behalf of our customers,” said Mike Bradshaw, Global Head of HSEQ at V.Group.

“Our PSC Performance Analyser tool not only looks back over past performance but also looks ahead, highlighting any potential risks ahead of arrival to ensure all management processes are prepared and ready in the selected country. This tool will prove key in continually striving for PSC excellence.”

The launch of the PSC platform follows the recent announcement of V.Group’s new risk-based SIRE Performance analysis platform.

Source: smartmaritimenetwork

Electronic chart display and information system

August 6, 2020 Maritime Safety News

The safety benefits of electronic chart display and information systems (ECDIS) mean ECDIS is now mandatory on your vessel.

The International Maritime Organization (IMO) changed chart carriage requirements for certain kinds of ships on international voyages on 1 July 2012. These changes mean that ships can now carry ECDIS and electronic navigational charts (ENCs) to meet the chart carriage requirement of the International Convention on the Safety of Life at Sea (SOLAS).

By 1 July 2018, almost all vessels on international voyages will be required to carry an approved ECDIS.

Ships calling at Australian ports

Marine Notice 7/2017 offers guidance on ECDIS for ships calling at Australian ports and draws attention to the latest IMO Guidance on the use of ECDIS. More detail can be found in the IMO ECDIS—guidance for good practice.

Flow charts

These flow charts help port state control inspectors to assess the carriage and use of ECDIS on board ships. The flow charts outline potential implementation and operational issues with ECDIS.

ECDIS data presentation and performance check for mariners

Edition 4.0 of the International Hydrographic Organization (IHO) ECDIS presentation library became mandatory for all ships carrying ECDIS on 1 September 2017.

Changes introduced in Edition 4.0 of the IHO ECDIS presentation library invalidate the older tests contained in the ECDIS data presentation and performance checks published in 2011. The IHO provides instructions on how to check that your ECDIS is operating on edition 4.0 of the IHO ECDIS presentation library.

Source: amsa

IMO 2020: Are we ready?

August 6, 2020 IMO

The maritime industry is bracing itself for the rapid approach of January 1, 2020 – the day on which the sulphur limit imposed under IMO 2020 comes into effect. But who is ready for IMO 2020; and who is not?There is a somewhat inconsistent approach to the implementation of IMO 2020 and varying degrees of readiness among port and flag states. If this is not adequately, and urgently addressed, this will result in confusion and delays when IMO 2020 comes into force.

The effect of IMO 2020

IMO 2020 is a term used to describe the implementation of the Regulations to Annex VI of the International Convention for the Prevention of Pollution from Ships (MARPOL). MARPOL is one of the most important international marine environmental conventions and IMO 2020 aims to improve air quality and to protect the environment by reducing sulphur oxide produced by ships.

With effect from January 1, 2020, ships will be required to use:

  1. fuel oils with a sulphur content of 0.5 percent m/m or lower;
  2. an approved equivalent means of compliance such as exhaust gas cleaning systems (EGCS) commonly referred to as “scrubbers”; or
  3. Non-fuel oil alternatives such as switching to liquefied natural gas (LNG) as fuel.

It is anticipated that, at least initially, most ships will utilize new blends of fuel oil which meet the 0.5 percent limit on sulphur in fuel oil or compliant marine gas or diesel oil.

It is important to note that IMO 2020 will not affect designated emission control areas (ECAS) where there is already a stricter sulphur limit of 0.1 percent m/m in place, such as in the Baltic Sea, the North Sea, the North American ECA and the US Caribbean ECA as well as the 0.1 percent sulphur cap already in place in European Union ports.

Who will enforce IMO 2020?

Following the 74th session of the IMO’s Marine Environment Protection Committee (MPEC), the IMO released the 2019 Guidelines for Consistent Implementation of the 0.5 percent Sulphur Limit under MARPOL Annex VI (the 2019 Guidelines) which aim at ensuring a consistent implementation of IMO 2020 across port and flag states. The 2019 Guidelines provide helpful guidance to state parties on interpreting their obligations under, and implementing, IMO 2020.

Enforcement, compliance and monitoring of the IMO 2020 sulphur limit is the responsibility of the state parties that have ratified MARPOL and acceded to Annex VI and are therefore obliged to give effect to, and enforce, its provisions. This includes both flag states (in whose registries ships are flagged) and port states who are obliged to enforce IMO 2020 within their territorial waters.

Port states must enforce the provisions of MARPOL by monitoring vessels within their territorial waters, reporting non-compliance to the relevant flag state, ensuring that there is adequate low sulphur compliant fuel available within their jurisdiction and providing shore-based facilities for the receipt and removal of scrubber waste.

How will ships be monitored for compliance?

Under Annex VI and the 2019 Guidelines, port states should take appropriate measures to ensure compliance. Specifically, port states should conduct initial inspections based on documents including Bunker Delivery Notes (BDN), as well as the use of remote sensing and portable devices. If there are “clear grounds” to conduct a more detailed inspection, the port state may conduct sample analyses and other detailed inspections to verify compliance with the Regulations. What exactly constitutes “clear grounds” is not defined in Annex VI or the 2019 Guidelines.

Regarding the use of remote sensing and portable devices, the 2019 Guidelines indicate that the former can trigger inspections and the latter may be used during initial inspections but the results of both should be considered indicative only. They should not be regarded as evidence of non-compliance although they may be considered clear grounds for expanding the inspection to check for non-compliance.

The 2019 Guidelines expressly provide that all possible efforts should be made to avoid a ship being unduly delayed or detained as a result of the steps taken to implement IMO 2020. In particular, the analysis of fuel oil samples should not unduly delay the operation, movement or departure of a ship. However, delays may be inevitable in ports where there are limited or less efficient mechanisms for testing of fuel oil and particularly where ships are only in port for several hours in order to stem bunkers rather than working cargo.

Non-compliance by ships

When a port state identifies clear grounds of suspected non-compliance of a ship based on its initial inspections, then the port state may require samples of fuel oils to be analyzed. Where a sample is taken from a ship, a receipt should be provided to the ship and the ship should be advised of the outcome of such analysis.

If non-compliance with IMO 2020 is established by a port state, the port state may prevent the ship from sailing until the ship takes suitable measures to achieve compliance, which may include debunkering all non-compliant fuel oil. However, ship’s tanks are designed to receive fuel oil and not to pump it out, which renders debunkering very difficult and time-consuming.

In addition, the port state should report any non-compliance to the flag state. The port state should also advise the state in whose jurisdiction the bunker delivery note was issued in respect of non-compliant fuel oil.

When determining what sanction to impose on a non-compliant ship, a state party must take into account all relevant circumstances and the evidence presented, which may include not taking any steps against the non-compliant vessel. Flag and port state control authorities may take into account the ship’s implementation plan when determining compliance with the 0.5 percent sulphur limit requirement.

What if there is no compliant fuel oil available at a port?

Concerns have been raised that the shift to low sulphur fuel may result in a shortage of compliant fuel on or after January 1, 2020. For ships that have not been fitted with scrubbers, or are not equipped to use alternative fuel such as LNG, this may result in sudden non-compliance when calling at port states after the deadline.

The Regulations and the 2019 Guidelines require that where a ship, despite its best efforts, is unable to obtain compliant fuel, the Master or shipowner must present a record and evidence of actions taken to obtain compliant fuel oil and show that, despite best efforts to obtain compliant fuel oil, no such fuel oil was available. Best efforts to procure compliant fuel oil include, but are not limited to, investigating alternative sources of fuel oil prior to commencing the voyage. If, despite best efforts, it was not possible to procure compliant fuel oil, the Master or shipowner must immediately notify the port and flag state. This notification by the ship is commonly referred to as a Fuel Oil Non-Availability Report (FONAR).

The 2019 Guidelines have a standard reporting format for a FONAR but state parties may develop more detailed guidance for the consistent use and acceptance of these reports, including specifying what evidence should accompany a FONAR. In order to minimise disruption and to avoid delay, the Master or shipowner should submit a FONAR as soon as it is determined, or becomes aware, that it will not be able to procure and use compliant fuel oil. The submission of a FONAR does not render a ship compliant with the Regulations but rather is a factor that shall be taken into account by a port or flag state when determining what steps to take against a ship for non-compliance.

The IMO and the International Chamber of Shipping have confirmed that whilst safety or operational concerns regarding the quality of low sulphur fuels is a sufficient reason for shipowners to issue a FONAR, this does not give ships or shipowners blanket permission to use or carry non-compliant fuel after the deadline. The increased price of low sulphur fuel oil is also not a valid basis for non-compliance. Master and shipowners should retain bunker samples for use in the event that they may use sulphur quality as a basis for alleging the non-availability of compliant fuel oil.

State parties are obliged to take all reasonable steps to promote the availability of compliant fuel oil, to investigate reports of non-availability and to report non-availability of compliant fuel oils in its ports and terminals to the IMO. This process is important to ensure a consistent supply of compliant fuel as well as preventing incentives for ships to use ports where it is known that compliant fuel is not available on an ongoing basis. Critical to this process will be the sharing of information between states parties on reported compliant fuel oil supply issues.

The use of scrubbers

An alternative to the use of low sulphur fuel oil is the fitting of scrubbers to a ship. Scrubbers remove particulate matter, sulphur oxides and nitrogen oxides from the exhaust gases produced by a ship’s engines. Open-loop scrubbers use seawater to remove chemicals and particulates and the waste is then treated before being discharged into the sea. In closed-loop systems, the water is recycled back into the scrubber. Hybrid scrubbers are a combination of open and closed-loop systems.

The Regulations do not prescribe the type of scrubbers that may be used but some jurisdictions have rejected the use of scrubbers or specifically the use of open-loop scrubbers within their territorial waters. Where a ship is fitted with open-loop scrubbers and enters a port in a state where these are not permitted, the ship will be obliged to use compliant fuel oil. Where the ship is fitted with a hybrid loop system, the ship will need to switch over to a closed-loop system.

Jurisdictional approaches to IMO 2020

A number of countries have not ratified MARPOL Annex VI including Argentina, Bahrain, Colombia, Ecuador, Egypt, Hungary, Israel, Mexico, Oman, Pakistan, Qatar, Thailand and Venezuela.

Other countries that have ratified Annex VI have not yet adopted appropriate legislation to give effect to their obligations. South Africa has yet to pass legislation indicating how it intends to enforce IMO 2020. Whilst the South African Maritime Safety Authority previously issued a marine notice authorising the use of all types of scrubbers within South African territorial waters, it subsequently indicated that it would make the decision on whether to allow any types of scrubbers during September 2019. However, at the time of publication no such decision has been taken.

The Maritime and Port Authority of Singapore (MPA) has indicated that Singaporean and foreign-registered ships calling at Singapore will be selected for inspection based on a risk matrix that takes into account the compliance option of the ship and whether a FONAR has been submitted. Inspectors will be equipped with portable sulphur kits for onsite testing of in-use fuel and the MPA may send fuel oil samples to a laboratory for detailed fuel oil analysis. Singapore has banned the use of open-loop scrubbers and ships fitted with hybrid scrubbers will be required to switch to closed-loop mode whilst in Singaporean waters.

As a signatory to MARPOL and Annex VI, Indonesia originally undertook to enforce the Regulations in respect of all ships operating within Indonesian waters. It subsequently backtracked and indicated it would not enforce IMO 2020 sulphur limits in respect of domestic shipping and would only do so in respect of international shipping. As of August 2019, the Indonesian Ministry of Transportation has said that it will enforce IMO 2020 limits in respect of both Indonesian and foreign-flagged ships.

With effect from January 1, 2018, China has already implemented a 0.5 percent sulphur cap within its designated emission control areas, which have subsequently been expanded. Ships may use scrubbers or other alternative means to meet the emission control requirements. From January 1, 2020, oceangoing ships will be required to use low sulphur content fuel not exceeding 0.1 percent m/m when entering China’s inland water ECA and stricter sulphur limits will also be imposed on ships entering other Chinese ECAS over the next few years.

The United States has already implemented a 0.1 percent sulphur cap within its ECA and accordingly ships calling at US ports ought already to be familiar and accustomed to a significantly stricter sulphur limit than that imposed by IMO 2020.

Information regarding the implementation of IMO 2020 in other member states is not always readily available and will need to be clarified and publicised well before January 1, 2020 to ensure that ships calling at those ports can comply with the particular requirements imposed by each jurisdiction.

What still needs to be done?

State parties that have not yet adopted legislation to give effect to their IMO 2020 obligations need to do so as a matter of urgency. Flag and port states must ensure adequate publication of their specific requirements so that ships can ensure timely compliance. MARPOL Annex VI does not specify what penalties are to be imposed for non-compliance, but MARPOL does require that penalties must be sufficiently severe to discourage contravention. Accordingly, member states must determine what civil and possibly criminal penalties will be imposed on non-compliant ships.

Ships that have been fitted with open-loop scrubbers need to be aware of the risk that they may not be permitted to operate these within the territorial waters of certain port states. They will need to ensure that they will be able to procure compliant bunkers in those jurisdictions.

Crew members need to be properly trained and made aware of the importance of accurately recording information in the ship’s logs such as the date, time, and position of the ship when a fuel oil changeover occurs as well as the volume of low sulphur fuel oil in each tank.

Port states need to ensure that they have adequate compliant fuel oil or alternative fuels available from January 1, 2020. They need to ensure that they have adequate inspection and testing protocols in place and port facilities to receive scrubber waste residue.

Conclusion

Much work remains to be done to ensure a consistent approach to compliance with IMO 2020. Given that January 1, 2020 is only a few months away, all relevant parties, including port and flag states, bunker suppliers, shipowners, Masters, charterers and ship builders, need to prepare themselves urgently.

Source: nortonrosefulbright

Port State Control to Target Sulfur Compliance

August 6, 2020 POST STATE CONTROL

The two major port State control regimes, Paris MoU and Tokyo MoU, will increase focus on the sulfur limit regulations after reaching an agreement to carry out a Concentrated Inspection Campaign (CIC) in 2018 focusing on air pollution from ships.

Port State control authorities across 45 countries and five continents – South America, North America, Europe, Asia and Australia – will take part.

Cooperation on efficient enforcement has become even more important after United Nations’ IMO agreed last week that a global sulfur limit of 0.5 percent will enter into force in 2020, said the Danish Maritime Authority.

The decision was made on the basis of a Danish/Dutch proposal, and the 2018 campaign is the result of efforts made by Denmark to ensure enhanced international focus on enforcement. However, as early as in 2015 especially low limits were introduced in the so-called SECAs (Sulfur Emission Control Areas), and thus the Danish authorities are constantly engaged in work on both the political and the technological side of efficient enforcement.

Peter Krog-Meyer, Senior Adviser of the Danish Maritime Authority: “We have achieved two important results. Firstly, all over the world there will be even more focus on whether ships meet the sulfur limits. Secondly, it is a strong signal that so many important port states now clearly show that we have joined forces in our efforts to enhance the enforcement of the sulfur provisions across the borders.”

Krog-Meyer says: “In Denmark, we have been striving to ensure stronger enforcement for years, and the 2018 inspection campaign is merely one element of much greater efforts that are already being made. And this process will be speeded up in 2017 after the IMO decision on a global sulfur limit in 2020.”

A Concentrated Inspection Campaign means that all 45 countries covered by the Port State Control schemes carry out an especially thorough examination of a chosen area, such as sulfur, when their Port State Control Officers embark foreign ships. The efforts made will increase compliance with regulations and contribute to ship crews’ awareness of the new regulations and the consequences of any violations.

Source: maritime-executive

Newer Posts

Older Posts

News

Quick Menu

Company DETAILS

SHIP IP LTD
VAT:BG 202572176
Rakovski STR.145
Sofia,
Bulgaria
Phone ( +359) 24929284
E-mail: sales(at)shipip.com

ISO 9001:2015 CERTIFIED