Cyber Security and the ISM Code. How to determine credible cyber security threats.
September 28, 2020 MARITIME CYBER SECURITY
This overview continues the Eazi Security series on practical considerations for Designated Persons Ashore (DPAs) to ensure full compliance with Resolution MSC 428(98) on maritime cyber security. The requirement to implement effective cyber security measures across a fleet of vessels and in Company offices ashore can be daunting for DPAs, particularly as the cyber threat may fall outside the direct knowledge and experience of the safety team. Most DPAs are experienced mariners with a very well developed sense of what is (and is not) safe in ship-board operations; cyber security may be outside their technical comfort zone.
However, the important thing for DPAs to remember is that cyber threats can be assessed using the same methodology as any other maritime risk. The key is to go back to the first principles of safety management.
In particular the ISM Code (Section 1.2 Objectives) requires the following:
- Ensure safety at sea (i.e. ensure that control systems on board cannot be compromised by malware in a way that prevents the safe operation of the vessel, particularly navigation and propulsion systems).
- Prevention of human injury or loss of life (i.e. IT systems, especially operational systems, are sufficiently protected when used in critical operations involving enhanced risk to people).
- Avoidance of damage to the marine environment and property (i.e. bunkering, ballasting and the use of oily water separators).
It is important to note that the ISM Code does not specifically require the prevention of commercial risk. This is an interesting point, as most cyber crime is committed for commercial gain. Whilst protecting the vessel’s systems to make them safe is a requirement, and will undoubtedly assist against hackers seeking commercial gain, it is not an explicit requirement of the ISM Code to establish systems solely to prevent commercial wrongdoing. Therefore, when implementing enhanced IT security measures, the DPA should ask the fundamental question: is this for safety or for commercial benefit? If it is only the latter, it may be worth considering whether it should be included in the ISM framework at all (and who should be responsible for the management of that commercial risk).
Moreover, the ISM Code requires the Company to identify risks to its ships, personnel and the environment and thereafter establish appropriate safeguards (ISM Code Section 1.2.2.2). This requirement is usually understood as defining credible risks and putting in place measures to manage the risk to a level that is As Low As Reasonably Practicable (ALARP). DPAs and Company IT managers should be asking whether a cyber threat is credible in their specific operating environment. The level of protection then needs to be commensurate with the identified cyber threat. It does not need to be bank-level security in response to a threat that is not credible (the equivalent in ship operations terms would be attempting to quantify and manage the risk of a jumbo jet landing on the vessel whilst alongside during cargo operations).
Good cyber security providers have software which will audit the Company’s existing IT systems remotely (usually for a period of a couple of weeks) and report on the actual level of threat the Company is experiencing. This forms the basis of a risk register of known and credible threats, which can then be used to identify a pragmatic and cost-effective solution wherever resources are needed to reduce those known and credible threats to ALARP.