TMSA 3 Archives - Page 2 of 3 - SHIP IP LTD


The 10th Element, which focuses on environment and energy management, is the critical practice of identifying and assessing pollution generated from maritime operations as well as the safe reduction and disposal of residual waste. TMSA 3 encourages reporting procedures and contingency planning to be implemented to cover hazardous incidents. It is a requirement that a maritime organization monitor its performance quarterly and provide benchmarks across the fleet to ensure environmental action plans meet standards such as ISO 14001 and the MARPOL Annexes.

How can ShipNet help with the 10th Element of TMSA 3?

Setup Procedures:

Setup and monitor environment management plans along with the identification of sources of emissions and measures to increase energy efficiency.


Record and monitor sources of emissions and fuel consumption to consistently take steps to achieve objectives outlined in the company policies.

11th Element – Emergency preparedness and contingency planning

The 11th Element of TMSA 3 looks at the requirements of implementing an effective response in dealing with onboard emergencies, where a vessel’s crew is required to undertake training exercises based on merchant shipping legislation. Maritime organizations are required to develop safety procedure drills along with shore-based response teams to partake in training. TMSA 3 identifies the need for maritime organizations to undertake media training and to arrange security management.

How can ShipNet help with the 11th Element of TMSA 3?

Through the ShipNet One application you can plan and execute drills and emergency exercises while preparing the company and vessel emergency response plans, both for the office and site-specific. Within the application, define the scope and frequency of the planned exercise for automated scheduling. Gain access to all records automatically through history. Prepare KPI targets as per company policies and monitor the frequency of exercises carried out throughout the fleet for continual improvement.

12th Element – Measurement, analysis, and improvement

The 12th Element is considered one of the most vital aspects of a successful safety management system. A maritime business must ensure system manuals are utilized as a part of daily operations and that they are analyzed for their effectiveness and to ensure they have not become outdated. Regular audits indicate how well the safety management system is adhering to industry best practice guidelines and how well the system is performing overall, along with the connected vessels and shore support offices.

How can ShipNet help with the 12th Element of TMSA 3?


Through the ShipNet One application, onboard Safety Officers or Junior Officers can implement ship safety inspections and assess the safety culture. The application also provides the ability to plan and prepare for inspections and audits based on set schedules.

Through the ShipNet One application you can also:

  • Review previous inspection details across the fleet and data, enabling improved preparation.
  • Identify problem areas, individuals, and inspectors.
  • Perform inspections based on standard or custom checklists and create findings automatically from checklist questions.
  • Identify observations and non-conformities and determine their corrective actions.
  • Make use of KPI / RCA / Measurement lists to analyze observations and findings.
  • Assign tasks to individuals in the organization and perform actions to close each finding.
  • Measure the performance of vessels, observations, and non-conformities, areas of most concern through interactive dashboards and reports.


Share best practices and critical information across the fleet using the document system to promulgate safety alerts or fleet circulars. Share information circulars across the fleet. Generate custom reports using our report designer to share among customers.

13th Element – Maritime Security


The 13th and newest Element of TMSA 3 focuses on Maritime Security, which mainly consists of the use of Risk Assessment solutions to identify and mitigate risks. It is a requirement to adhere to BMP 4 guidelines, so it is necessary to define and maintain a stock of equipment for vessel hardening. It is also a requirement to define an Operational Security Area to monitor the number of transits of vessels. Best practice requires travel advisories and threat level data to be circulated across a fleet, as well as verification of armed guards’ qualification criteria before employing them onboard vessels.

How can ShipNet help with the 13th Element of TMSA 3?


Monitor and track operational security events using the occurrence system and ensure that vessels are secure from threats

  • Use of Risk Assessment solution to identify and mitigate risks
  • Define and maintain stock of equipment for vessel hardening as per BMP 4 guidelines
  • Define Operational Security Area and monitor the number of transits of vessels as per Operation Security Reports made in the solution
  • Circulate travel advisory and threat level data sharing to vessels using the document system
  • Verify armed guards’ qualification criteria before employing them onboard vessels using our standard measurement lists

So there we have it. Our ShipNet One integrated platform has been built around industry regulations to assist maritime organizations in implementing their safety management systems efficiently and proactively. Through years of development in line with the world’s major shipping companies, the platform not only meets the requirements but encourages continuous and effective improvement and compliance with TMSA 3.


Digitalisation and decarbonisation are driving a period of unprecedented change in the maritime industry, underpinned by the regulatory agenda.
As the implementation date of IMO 2021 draws near, it is clear that we must rethink our attitudes to technology. In Part 1 of this blog, we explored the key challenges facing shipping companies and their readiness to facilitate the move to digitalisation.


Here in part 2, we look at decarbonisation and cyber security. What might shipping companies do to prepare for, and comply with, the regulatory requirements on the horizon?

Digitalisation will ultimately create a two-tier shipping market, divided into those owners and operators who have the best access to the latest information and those who do not.

The difference between this relatively recent position and the days of employing simple but effective means of checking vessel arrivals or departures or bidding for cargoes is that almost anyone who wants to, can pay to access the data on vessel positions, port traffic, weather or other information.

This matters too because in the space of a little over a decade, new targets on environmental efficiency will force the industry to adopt new working practices. Most critically this includes new fuels as the means of complying with IMO targets on the reduction of carbon intensity on a vessel by vessel basis.

Collection, analysis and interpretation of every bit of data from ship systems at that point becomes critical – potentially the difference between success or failure to comply. The data that ships produce on their emissions will be reported automatically and this data will inform not just regulations but market measures, including the cost at which lenders make capital available to shipping companies.

Cyber Critical Systems

New technology and the need for sustainability are two fundamental forces acting on the maritime industry; the other is security of the IT networks on which both rely. The IMO has adopted cyber-security related amendments to the International Safety Management Code (ISM Code) while the tanker sector has already made similar requirements part of Tanker Management Safety Assessment (TMSA) version 3.

While the first represents mandatory regulation, the second is a ‘licence to operate’ for owners carrying hazardous cargoes. The ISM Code will require demonstration that action has been taken to address cyber security; TMSA will require shipowners to demonstrate that they have the latest available IT operating system and other software updates, as well as specific security patches, either as part of a Port State Control inspection or in pre-qualifying a vessel to carry cargo.

The industry’s largest, long term players are likely to already meet these requirements but for an operator with limited IT outfit, they present an unwelcome burden. For one with a sophisticated network encompassing IT and OT, it presents an additional series of tasks for crew unless it can be managed with a minimum of additional administration.

Compliance with voluntary cyber security guidelines has until now tended to succeed or fail on the basis of the human element, relying on an intention to do the right thing. It is precisely this lack of transparency over how the tasks are performed and the updates recorded that the regulation seeks to change.

Marlink estimates that at least 50% of software updates are still performed by the collection of physical media such as a CD for manual update with the balance performed ‘over the air’ and automatically applied.

Supporting the change

Marlink realised some years ago that as maritime connectivity continued to improve, so shipowner needs would shift towards deeper relationships with partners who could support their digitalisation and decarbonisation strategies and provide them with integrated compliance solutions.

At the heart of our digital enablement strategy is ITLink, which allows shipping companies to develop, test and deploy IT solutions fleetwide. This can extend from operating system patches or upgrades to applications and even complete ERP systems. Marlink is enabling owners to transfer these tasks away from crew towards specialists onshore who can develop and implement the programs they need, test them for robustness and share them across a fleet with a single click.

When it comes to IMO2021 compliance, that means crew no longer have to worry about proving their systems have the latest updates; ITLink’s intuitive dashboard provides inspectors with a single view of system status. In addition, Marlink’s CyberGuard portfolio provides a range of solutions to further protect vessels from cyber threats and ensure compliance.

Unlike some asset management application providers, Marlink believes the data from these shipboard systems is the property of the shipowner and the enhanced visibility of asset condition is something that they should be able to act on knowing the data is secure and confidential.

Finally, our use of advanced cloud technology enables the transfer of data with far higher compression and greater efficiency, offering an intriguing glimpse into where the industry is going in terms of access to data and navigation content for ships.

This means a greater number of maritime information vendors can digitalise their products and improve access by mariners to high quality data and applications. This enables services like ITLink to provide ‘over the air’ security and other updates and offers the potential to provide further applications and digital content for safety, operations and route optimisation.

The future is here

Regardless of short term shocks and disruptions, the course ahead for the shipping industry is set.

In the medium term, as owners engage with more complex IT network requirements, they will be able to enjoy expanded access to cloud-based applications and storage, increasing asset connectivity and bringing ‘virtual’ systems and applications onboard.

The ability of shoreside personnel to maintain and troubleshoot IT networks and to provide crew with the tools they need to demonstrate cyber resilience and compliance means that seafarers can concentrate on safe operations rather than be distracted by technology.

As the long term trend sees the cost of IT capex, opex and compliance fall over time, the resulting gains, in terms of improved voyage performance and vessel efficiency, will combine to improve shipping’s environmental profile, moving the industry towards its goal of digitalised, decarbonised and cyber-secure operations.



In August, the Tahlequah Main Street Association began accepting submissions for the Big Idea, which will provide a grant up to $5,000 for the best project idea to enhance Tahlequah.

The Big Idea is a microgrant funded by TMSA’s reinvestment funds. The Big Idea consists of three phases: gathering Big Idea submissions, selecting a winner from chosen finalists, and implementing the winning idea.

“It’s to aid in the revitalization and beautify our downtown area,” said TMSA director Jamie Hale. “Submissions have begun, but anyone with an idea for our downtown can enter it by the Sept. 4 deadline with our online tool on our website.”

According to TMSA, to complete the application, one needs a detailed description of the Big Idea; an estimated cost with supporting documentation; and an estimated timeline to complete the project. If a Big Idea is chosen, the applicant must see that the project is completed.

Finalists will be narrowed to three to five individuals, who will be notified in September that they’ve been selected. Upon selection, finalists will meet with a TMSA representative to review the work plan for their Big Idea and TMSA will assist each submission in creating a video showcasing the project.

“We are very excited to announce that this year’s event will be held virtually. Attendees will watch each finalist’s video and vote online for their most favorite idea for downtown Tahlequah,” said Hale. “Once all the votes are cast, we will determine the 2020 Big Idea winner.”

Eligible projects must align with the TMSA mission to revitalize downtown Tahlequah and strengthen it as the heart of the city. Projects must be able to be completed by June 2021.

Past Big Idea winners have included building facade rehabilitation and the addition of murals throughout the corridor.

“We applied for the Big Idea 2020 because we thought we could help make a difference with the beautification of downtown. Murals can help to bring people in,” said ALL Designs owner and 2020 Big Idea winner Amanda Lamberson. “Maybe they will visit a new store for the first time after taking a picture. Maybe a picture they post will entice a friend to come visit a new store, or maybe it’s simply grandparents in another state will have a new picture of their grandkid to see.”

The three murals were placed on the buildings of Lift Coffee Bar, the Phoenix Professional Building, and Sand Tech.

“We participated in the event as a new business to help promote our brand. We also presented our idea to add to the growing street art scene in Tahlequah,” said Lift co-owner Justin Guile. “Our investment in the building and the art has transformed the corner of Muskogee and Downing. We appreciate all those who voted for us to win the Big Idea and voted us Best Coffee Shop in our first year in business.”

Grant Lloyd, local attorney and owner of Phoenix Professional building, said the murals added a “unique vibrancy to downtown Tahlequah.”

“We wanted to offer a snapshot of the heart of our town on one of our buildings,” said Lloyd.

Addie Wyont with Sand Tech said interactive art helps to draw people into the community to take pictures, shop, and help all downtown businesses with foot traffic.

“We love our mural, and so many people from in town and outside of Tahlequah have come to take pictures,” Wyont said. “The Big Idea is so helpful to our small businesses that would like to upgrade their facade, ideas or more. The $5,000 grant can go a very long way.”

Applications can be submitted by community organizations, business owners, building owners, or individual community members.

For more information on this event and others provided to Tahlequah by TMSA, visit To submit an idea, go to


As announced on 24 June 2020, key elements of the European Barge Inspection Scheme (EBIS) will transition to OCIMF’s SIRE programme from 1 January 2021. This will create a single barge inspection scheme within Europe.

To oversee the smooth transfer of EBIS into SIRE, the OCIMF/EBIS Transition Taskforce has been established, which includes members of the EBIS Board of Directors, OCIMF Members and secretariat. The first meeting of the taskforce was hosted remotely on 13 August 2020. Representatives of the wider European inland barge industry will be invited to future meetings.

The OCIMF/EBIS Transition Taskforce will coordinate all activity relating to the transition of key elements of EBIS, including the EBIS vessel questionnaire templates – technical information templates currently in development by EBIS, Version 9. The Taskforce will also provide oversight on all work relating to:

  • Integrating EBIS member applications to become SIRE programme recipients.
  • Supporting accredited EBIS Inspectors looking to attain SIRE Cat 3 accreditation for the European region following application and completion of a training course.
  • Assisting vessel Owners and Operators in transferring their fleet’s EBIS technical information into the SIRE database.

Over the course of the transition period, training courses and webinars will be hosted by the OCIMF/EBIS Transition Taskforce to support OCIMF member companies, existing EBIS member companies, accredited EBIS and SIRE Inspectors as well as vessel Owners and Operators. Details of the training courses and webinars will follow in due course.

Should you have any queries or require support, please contact Matthew Graham, Barge Advisor,


What are the key elements of TMSA 3 (Tanker Management Self Assessment)?


On the 10th of April 2017, OCIMF (The Oil Companies International Marine Forum) released TMSA 3, the latest edition of the Tanker Management and Self-Assessment (TMSA) programme, providing tanker companies with a means to improve and measure their safety management systems.

TMSA 3 revised and updated all twelve of the existing elements from the previous two editions and introduced a thirteenth – ‘Maritime Security.’

What are the 13 key elements of TMSA 3?

The 13 key elements of TMSA 3 are as follows:

  1. Leadership and the safety management system
  2. Recruitment and management of shore-based personnel
  3. Recruitment, management, and wellbeing of vessel personnel
  4. Vessel reliability and maintenance including critical equipment
  5. Navigational safety
  6. Cargo, ballast, tank cleaning, bunkering, mooring and anchoring operations
  7. Management of change
  8. Incident reporting, investigation, and analysis
  9. Safety management
  10. Environmental and energy management
  11. Emergency preparedness and contingency planning
  12. Measurement, analysis, and improvement
  13. Maritime security

The newest element, ‘Maritime Security’, mainly consists of:

  • Use of Risk Assessment solution to identify and mitigate risks
  • Define and maintain a stock of equipment for vessel hardening as per BMP 4 guidelines.
  • Define Operational Security Area and monitor the number of transits of vessels as per Operation Security Reports made in the solution.
  • Circulate travel advisory and threat level data sharing to vessels using the document system.
  • Verify armed guards’ qualification criteria before employing them onboard vessels using our standard measurement list



The International Association of Classification Societies (IACS) has published nine of its 12 recommendations on cyber safety for ships.

IACS initially addressed the subject of software quality with the publication of UR E22 in 2006. Recognizing the huge increase in the use of onboard cyber-systems since that time, IACS has developed this new series of recommendations with a view to reflecting the resilience requirements of a ship with many more interdependencies. They address the need for:

  • A more complete understanding of the interplay between ship’s systems
  • Protection from events beyond software errors
  • An appropriate response, and ultimately recovery, in the event that protection fails
  • A means of detection, so that the appropriate response can be put in place

Noting the challenge of bringing traditional technical assurance processes to bear against new and unfamiliar technologies, IACS has launched the recommendations in the expectation that they will rapidly evolve as a result of the experience gained from their practical implementation. So, as an interim solution, they will be subject to amalgamation and consolidation.

More than 90 percent of the world’s cargo carrying tonnage is covered by the classification design, construction and through-life compliance rules and standards set by the 12 member societies of IACS.

The 12 Recommendations are:

Recommended procedures for software maintenance of shipboard equipment and systems (published)

Shipboard equipment and associated integrated systems to which these procedures apply can include:
– Bridge systems;
– Cargo handling and management systems;
– Propulsion and machinery management and power control systems;
– Access control systems;
– Ballast water control system;
– Communication systems; and
– Safety system.

Recommendation concerning manual / local control capabilities for software dependent machinery systems (published)

IMO requires through SOLAS that local control of essential machinery shall be available in case of failure in the remote (and for unattended machinery spaces, also automatic) control systems. For traditional mechanical propulsion machinery, this design principle is well established. The same design requirement applies to computerized propulsion machinery, i.e. complex computer based systems with unclear boundaries and with functions maintained in the different components.

Contingency plan for onboard computer based systems (published)

Computer based systems are vulnerable to a variety of failures such as software malfunction, hardware failure and other cyber incidents. It is not possible for all failure risks to be eliminated, so residual risks always remain. In addition, a limited understanding of the operation of complex computer based systems, together with fewer opportunities for manual operation, can lead to crews being ill-prepared to use their initiative to respond effectively during a failure.

IMO and Classification Society rules contain many context specific examples of requirements for independent or local control in order to provide the crew with the means to operate the vessel in emergencies or following equipment failures. These requirements have generally been introduced when automation or remote control is introduced to individual pieces of equipment or functions, and address concerns regarding possible failure of the new features. The introduction of technologies which integrate different vessel functions creates the opportunity for two or more systems to be impacted by a single failure simultaneously.

Where, due to high computer dependence, manual operation is no longer practical, or where the number of systems simultaneously affected is too high for manual operation to be practical with existing crew levels, the value of local control as a form of reassurance is limited. However, the crew will still need to be provided with practical options to try to manage threats to human safety, safety of the vessel and/or threat to the environment.

If the practical options are not considered during the design and installed during construction of the vessel then the vessel and its crew could be, due to the introduction of new technologies, exposed to risks which they cannot manage.

Practical options could include limiting the extent of potential damage so that manual control is still achievable or providing backup systems which could be used in a worst case systems failure. Whatever form of contingency is provided to address failures it is important that it is well documented, tested and that the crew is aware and trained.

Requirements related to preventive means, independent mitigation means, engineered backups, redundancy, reinstatement etc. are dealt with in the other relevant recommendations.

Network Architecture (published)

Ship control networks have evolved from simple stand-alone systems to integrated systems over the years, and the demand for ship to shore remote connectivity for maintenance and remote monitoring is increasing.

Incorporation of Ethernet technology has resulted in a growing similarity between the once disconnected fieldbus and Internet technologies. This has given rise to new terms such as industrial control networking, which encompasses not only the functions and requirements of conventional fieldbus, but also the additional functions and requirements that Ethernet-based systems present.

The objective of the present recommendation is to develop broad guidelines on shipboard network architecture. The recommendation broadly covers various aspects from design to installation phases which should be addressed by the supplier, system integrator and yard.

Data Assurance (published)

Regulation strongly focuses on system hardware and software development; however, data related aspects are poorly covered by comparison. Data available on ships has become very complex and very large in volume, meaning a user is unlikely to spot an error and it would be unreasonable to expect them to do so. Cyber systems depend not only on hardware and software, but also on the data they generate, process, store and transmit. These systems are also becoming more data intensive and data centric, often used as decision support and advisory systems and for remote digital communication.

Data Assurance may be understood as the activity, or set of activities, aimed at enforcing the security of data generated, processed, transferred and stored in the operation of computer based systems on board ships. Security of data includes confidentiality, integrity and availability; the scope of application of Data Assurance covers data whose lifecycle is entirely within onboard computer based systems, as well as data exchanged with shore systems connected to the onboard networks.

Physical Security of onboard computer based systems (to be published Q4, 2018)

Network Security of onboard computer based systems (published)

Network security of onboard computer-based systems consists in taking physical, organizational, procedural and technical measures to make the network infrastructure connecting Information Technology and/or Operational Technology systems resilient to unauthorized access, misuse, malfunction, modification, destruction or improper disclosure, thereby ensuring that such systems perform their intended functions within a secure environment.

Vessel System Design (to be published Q4, 2018)

Inventory List of computer based systems (published)

For effective assessment and control of the cyber systems on board, an inventory of all of the vessel’s equipment and computer based systems should be created during the vessel’s design and construction and updated during the life of the ship. Tracking the software and hardware modifications inside ship computer based systems makes it possible to check that new vulnerabilities and dependencies have not occurred or have been treated appropriately to mitigate the risk related to their possible exploitation.

Integration (published)

Integration refers to an organized combination of computer-based systems, which are interconnected in order to allow communication and cooperation between computer subsystems e.g. monitoring, control, Vessel management, etc.

Integration of otherwise independent systems increases the possibility that the systems responsible for safety functions can be subject to cyber events including external cyberattacks and failures caused by unintentionally introduced malware. Systems which are not directly responsible for safety, if not properly separated from essential systems or not properly secured and monitored in an integrated system, can introduce routes for intrusion or cause unintended damage of important systems. It is necessary to have a record and an understanding of the extent of integration of vessels’ systems and for them to be arranged with sufficient redundancy and segregation as part of an overall strategy aimed at preventing the complete loss of ship’s essential functions.

Remote Update / Access (published)

Information and communications technology (ICT) is revolutionizing shipping, bringing with it a new era – the ‘cyber-enabled’ ship. Many ICT systems on-board ships connect to remote services and systems on shore for monitoring of systems, diagnosis and remote maintenance, creating an extra level of complexity and risk. ICT systems have the potential to enhance safety, reliability and business performance, but there are numerous risks that need to be identified, understood and mitigated to make sure that technologies are safely integrated into ship design and operations.

Communication and Interfaces (to be published Q4, 2018)


OCIMF is pleased to announce the release of the seventh edition of the SIRE Vessel Inspection Questionnaire (VIQ7).

This edition has undergone an extensive revision process which has brought the VIQ up-to-date with respect to changes in legislation and best practices. The SIRE Focus Group, which has led the work on the revision of this document, has examined the questions to determine whether these continue to remain relevant and has reduced the overall set of questions by up to 90 questions.

The section on Structural Condition in the existing VIQ6 (Chapter 7) has been reduced and merged with Chapter 2. A new chapter (Chapter 7) has been developed to cover Maritime Security which has 21 new questions covering Policies and Procedures, Equipment and Cyber Security.

The section on Mooring (Chapter 9) has been significantly reviewed to incorporate the revisions and best practices that will be introduced in the Mooring Equipment Guidelines, Fourth Edition (MEG4). Operators will be encouraged to align their procedures and equipment with the guidance provided in MEG4 as soon as possible.

The existing chapter on Communications (Chapter 10) has been reduced and merged with Chapter 4, which is now a section on Navigation and Communications.

A set of 10 questions on LNG Bunkering has been added to the section on Engine and Safety Compartments (Chapter 10). These questions have been developed in conjunction with advice and guidance from SIGTTO and SGMF.

The following templates within the seventh edition of the SIRE Vessel Inspection Questionnaires (VIQ7) are now available to integrators on the OCIMF Staging environment and will be released to the Production environment on 17 September 2018.

  • Template 4401 – VIQ7 (Petroleum)
  • Template 4402 – VIQ7 (Chemical)
  • Template 4403 – VIQ7 (LPG)
  • Template 4404 – VIQ7 (LNG)



GDPR TMSA Cyber Security


Tanker owners should be prepared for new EU and IMO cyber security regulations as they must already comply with maritime security requirements under OCIMF’s TMSA 3, writes Martyn Wingrove.

There are increasing amounts of cyber security-related regulations that shipping companies will have to comply with, but tanker owners are already ahead of the game. Ship operators will need to include cyber in ship safety and security management under the ISM Code from 1 January 2021.

Before that, they need to be aware of cyber and data security regulations, including the EU general data protection regulation (GDPR) and the EU directive on the security of networks and information systems (NIS).

Many of the requirements under these forthcoming or new regulations are already within the third edition of the Oil Companies International Marine Forum (OCIMF)’s Tanker Management and Self Assessment (TMSA) best practice guidelines. This came into force on 1 January this year, with a new element on maritime security and additional requirements of key performance indicators and risk assessments.

Regulation changes were outlined at Riviera Maritime Media’s European Maritime Cyber Risk Management Summit, which was held in London on 15 June. The event was held in association with Norton Rose Fulbright, whose head of operations and cyber security Steven Hadwin explained that “data protection and cyber security needs to be taken seriously from a legal point of view.”

Data, such as information on cargo and charterers, could “become a considerable liability”. If data is lost “then GDPR could be in play” said Mr Hadwin. Regulators “could impose a fine of up to 4% of that organisation’s global annual turnover.”

PwC UK cyber security director Niko Kalfigkopoulos explained the legislation and reasoning behind the NIS Directive, which went into full effect in May this year. “These regulations have teeth” he said because of the potential size of fines and damage to a company’s reputation from being a victim of a cyber attack. This is one of the reasons why boardroom executives should be aware of and understand what is required for compliance.

Class support

During the summit, class societies provided cyber security guidance as they collectively attempted to define cyber secure ship notations. Lloyd’s Register cyber security product manager Elisa Cassi said shipping companies should have a third party monitor their IT network and the operational technology (OT) and employ staff to “stop people sharing data or compromising procedures”.

Tanker owners “need to identify any compromise before an attacker tries to penetrate”, Ms Cassi explained, noting that shipping companies need to “investigate the vulnerabilities through analytics and machine learning”, understand the behaviour of potential threats and use predictive analysis.

ABS advanced solutions business development manager Pantelis Skinitis said shipowners need to change passwords on operational technology, such as ECDIS and radar, as some remain unchanged since they were originally commissioned on the ship. He also advised owners to verify vendors and service engineers and that their USB sticks are clean of malware.

ABS has created cyber safety guidance for ship OT, particularly for ships coming into US ports and terminals. In its development, ABS identified the risks, vulnerabilities and threats to OT. “Managing connection points and human resource deals with the biggest threat to OT systems on board,” said Mr Skinitis.

DNV GL has developed new class notations covering cyber security of newbuildings. It has also produced an online video for instructing shipping companies to become more aware of cyber threats. During the summit, DNV GL maritime cyber security service manager Patrick Rossi said ship operators should set up multiple barriers to prevent hackers.

These should include firewalls, updated antivirus, patch management, threat intelligence, intrusion detection, emergency recovery and awareness testing. OT should be segregated from open networks; only official ENC-provider USBs and update disks should be used, and they should be cleaned of malware before being inserted into ECDIS; and these systems should be segregated from the internet.

Cyber regulations and guidance for shipping

EU General Data Protection regulation (GDPR) came into effect from 25 May 2018

IMO – Resolution MSC.428(98) – from January 2021 cyber security will be included in the ISM Code

TMSA 3 – cyber security was added to tanker management and assessment in January 2018

EU directive on the security of networks and information systems (NIS Directive) from May 2018

EU privacy rule (PECR) on individuals’ traffic and location data

Rightship added cyber security to inspection checklist

BIMCO – guidelines based on International Association of Classification Societies




From January 2018, tanker operators are required to use TMSA3 to monitor and improve performance. In comparison with TMSA2, the new edition of TMSA is longer and presents new challenges to ship operators with the introduction of new requirements.

It is noticeable that for the first time, this self-assessment tool for oil tankers introduces maritime security as Element 13 referring also to cyber security.

Cyber security is currently one of the most discussed topics in the industry, and considerable efforts have been made so far to mitigate threats. Thus, TMSA 3 aims to establish procedures in order to respond to the industry’s needs.

“For the first time, TMSA introduces maritime security as Element 13 including cyber security”

It also features expanded best practice guidance to complement the KPIs and enhanced guidelines for risk assessment, auditing and review ashore and onboard, along with guidance for all related tools to be employed.

Other major changes introduced are the expansion of Element 6 on Cargo, Ballast, Tank Cleaning, Bunkering, Mooring & Anchoring Operations, and an updated Element 10 combining Environmental and Energy Management.

In the latest edition, special focus has been given to the continuous improvement cycle by taking into consideration additional KPIs towards effective performance management. Specifically, TMSA3 introduces 85 new KPIs in total. In this context, 25 KPIs have moved to a lower level and there are indexes concerning customer focus, leadership and engagement of people.

On the whole, TMSA3 addresses issues regarding performance management. The method that a shipping company uses to measure performance is a prominent topic for discussion within the maritime industry. The new edition makes an effort to overhaul the process, not only with the streamlining of KPIs but also with the introduction of non-financial measurements and the assessment of soft skills.

Furthermore, TMSA3 introduces a different approach by focusing on the human element and behavioral safety, suggesting that crew competence is the tool for crew retention and development.

TMSA 3 at a glance

Expanded best practice guidance to complement the KPIs.
Revised and enhanced best practice guidance to remove ambiguity and duplication.
Additional requirements for HSSE strategic planning, KPI setting and performance monitoring, review and improvement.
Streamlining and merging of elements to improve consistency and make self-assessment easier.
Enhanced guidelines for risk assessment, auditing and review ashore and onboard along with guidance for all related tools to be employed.
Extensively revised Element 6 and 6A – Cargo, Ballast, Tank Cleaning, Bunkering, Mooring and Anchoring Operations, with additional KPIs and guidance.
Extensively revised Element 10 – Environmental and Energy Management (previously Environmental Management) incorporates the OCIMF Energy Efficiency and Fuel Management paper that was a supplement to the TMSA 2.
A new element: Element 13 – Maritime Security.




Changes in the cyber security industry

A recent set of attacks against critical infrastructure entities, such as oil and gas pipeline operators, utilities and even some city and state governments, reveals new motives and methods. The attackers were not out to steal data but were looking to disrupt services. The attackers used a new attack vector that has not been seen before. Instead of attacking their primary targets directly, they attacked less secure vendors that those targets use. We will be looking at how they did this and then how it can be prevented.

Step one – Reconnaissance

Before launching an attack, hackers first identify a vulnerable target and explore the best ways to exploit it. The initial target can be anyone in an organization. The attackers simply need a single point of entrance to get started. Targeted phishing emails are common in this step, as an effective method of distributing malware.

The whole point of this phase is getting to know the target.
The questions that hackers are answering at this stage are:

  1. Who are the important people in the company? This can be answered by looking at the company web site or LinkedIn.
  2. Who do they do business with? For this they may be able to use social engineering, by making a few “sales calls” to the company. The other way is good old-fashioned dumpster diving.
  3. What public data is available about the company? Hackers collect IP address information and run scans to determine what hardware and software they are using. They check the ICANN web registry database.

The more time hackers spend gaining information about the people and systems at the company, the more successful the hacking attempt will be.

Step two – Weaponization

In this phase, the hacker uses the information that they gathered in the previous phase to create the things they will need to get into the network. This could be creating believable Spear Phishing e-mails. These would look like e-mails that they could potentially receive from a known vendor or other business contact. The next is creating Watering Holes, or fake web pages. These web pages will look identical to a vendor’s web page or even a bank’s web page. But the sole purpose is to capture your user name and password, or to offer you a free download of a document or something else of interest. The final thing the attacker will do in this stage is to collect the tools that they plan to use once they gain access to the network so that they can successfully exploit any vulnerabilities that they find.

Step three – Delivery

Now the attack starts. Phishing e-mails are sent, Watering Hole web pages are posted to the Internet and the attacker waits for all the data they need to start rolling in. If the Phishing e-mail contains a weaponized attachment, then the attacker waits for someone to open the attachment and for the malware to call home.

Step four – Exploitation

Now the ‘fun’ begins for the hacker. As user names and passwords arrive, the hacker tries them against web-based e-mail systems or VPN connections to the company network. If malware-laced attachments were sent, then the attacker remotely accesses the infected computers. The attacker explores the network and gains a better idea of the traffic flow on the network, what systems are connected to the network and how they can be exploited.

Step five – Installation

In this phase the attacker makes sure that they continue to have access to the network. They will install a persistent backdoor, create Admin accounts on the network, disable firewall rules and perhaps even activate remote desktop access on servers and other systems on the network. The intent at this point is to make sure that the attacker can stay in the system as long as they need to.

Step six – Command and control

Now they have access to the network and administrator accounts, and all the needed tools are in place. They now have unfettered access to the entire network. They can look at anything, impersonate any user on the network, and even send e-mails from the CEO to all employees. At this point they are in control. They can lock you out of your entire network if they want to.


Step seven – Action on objective

Now that they have total control, they can achieve their objectives. This could be stealing information on employees, customers, product designs, etc. or they can start messing with the operations of the company. Remember, not all hackers are after monetizable data, some are out to just mess things up. If you take online orders, they could shut down your order-taking system or delete orders from the system. They could even create orders and have them shipped to your customers. If you have an Industrial Control System and they gain access to it, they could shut down equipment, enter new set points, and disable alarms. Not all hackers want to steal your money, sell your information or post your incriminating e-mails on WikiLeaks, some hackers just want to cause you pain.
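The Step five behaviours (a new account, admin rights granted, firewall rules weakened, remote desktop switched on) are individually routine but rarely land on one host within minutes, which makes them a useful correlation for defenders. The Python below is an added example, not part of the original article: the event field names, hosts and sample events are constructed, while the event IDs are the standard Windows Security log and Sysmon IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Standard event IDs: Security 4720/4728/4732/4947/4948/4950/5025, Sysmon 13 (registry value set).
ADMIN_GROUPS = {"Administrators", "Domain Admins"}
FIREWALL_IDS = {4947, 4948, 4950, 5025}  # rule modified/deleted, setting changed, service stopped
RDP_VALUE = r"control\terminal server\fdenytsconnections"  # 0 means RDP is allowed

# Constructed sample events (not from a real incident); field names are assumptions.
EVENTS = [
    {"ts": "2018-06-15T02:10:04", "host": "SRV-OPS1", "log": "Security", "id": 4720},
    {"ts": "2018-06-15T02:10:09", "host": "SRV-OPS1", "log": "Security", "id": 4732, "group": "Administrators"},
    {"ts": "2018-06-15T02:14:31", "host": "SRV-OPS1", "log": "Security", "id": 4948},
    {"ts": "2018-06-15T02:15:02", "host": "SRV-OPS1", "log": "Sysmon", "id": 13, "value": "DWORD (0x00000000)",
     "key": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    {"ts": "2018-06-15T09:00:00", "host": "WS-CREW7", "log": "Security", "id": 4720},
    {"ts": "2018-06-16T11:30:00", "host": "WS-CREW7", "log": "Security", "id": 4948},
]

def classify(ev):
    """Map one event to the Step five indicator it represents, or None."""
    log, eid = ev["log"], ev["id"]
    if log == "Security" and eid == 4720:
        return "account_created"
    if log == "Security" and eid in (4728, 4732) and ev.get("group") in ADMIN_GROUPS:
        return "admin_granted"
    if log == "Security" and eid in FIREWALL_IDS:
        return "firewall_weakened"
    if log == "Sysmon" and eid == 13 and ev["key"].lower().endswith(RDP_VALUE):
        return "rdp_enabled" if ev["value"].endswith("0x00000000)") else None
    return None

def find_footholds(events, window=timedelta(minutes=30), min_kinds=3):
    """Flag hosts showing at least min_kinds distinct indicators inside one window."""
    per_host = defaultdict(list)
    for ev in events:
        kind = classify(ev)
        if kind:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), kind))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            kinds = {k for t, k in hits[i:] if t - start <= window}
            if len(kinds) >= min_kinds:
                alerts[host] = sorted(kinds)
                break
    return alerts
```

On the sample data only SRV-OPS1 is flagged; WS-CREW7 shows an account creation and a firewall change a day apart, which stays below the threshold.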




