The 01 January 2021 deadline for the implementation of maritime cyber risk management in the Safety Management Systems as per IMO Resolution MSC.428(98) is fast approaching.
Members are reminded of the due date for implementation – the first annual verification of the company’s Document of Compliance after 01 January 2021. While this translates to different target deadlines for each Member and their vessels, it should be recognised that significant preparatory work may be anticipated.
It is also important to acknowledge that the vulnerability of a ship’s systems to a cyber incident continues to be a real threat, as has been experienced in a number of recent high-profile shoreside incidents, such as the “NotPetya” ransomware attack. Whilst that incident did not directly affect vessel operations, the potential vulnerability of on-board systems has been demonstrated by ‘ethical hacking’. Such tests have demonstrated that these attacks, which typically exploit weaknesses in human behaviour, are possible and could result in navigational and control systems being compromised.
In July 2019 the US Coast Guard (USCG) issued a Marine Safety Alert about a cyber incident involving a deep draught vessel on an international voyage and bound for US ports. The vessel reported that it was experiencing a significant cyber incident which affected its shipboard network. A team of experts led by the USCG responded and investigated. It was concluded that although malware had significantly degraded the onboard computer system, essential vessel control systems had not been compromised. The investigation also found that the vessel was operating without effective cyber security measures in place, thereby exposing vulnerabilities of critical vessel control systems. Prior to the incident the security risk presented by the shipboard network was apparently well known to the crew, but this had not been addressed. The USCG stated that it was imperative for the maritime community to adapt to changing technologies and the changing threat landscape by recognising the need for, and implementing, basic cyber hygiene measures, thus emphasising the importance of the 2021 cyber security management requirements.
A recently published article on the website of Smart Maritime Network (SMN) explains the vulnerability of, and ease of access to, the communications systems on board vessels where basic cyber hygiene measures such as robust password management were not being implemented.
The Guidelines on CYBER SECURITY ONBOARD SHIPS, produced by BIMCO and supported by a number of maritime stakeholders, is aligned with the MSC resolution and contains recommendations on various processes that should be undertaken for successful implementation of cyber security management.
The NIST (National Institute of Standards and Technology) framework of Identify – Protect – Detect – Respond – Recover sets out the core cyber security activities, while the ISM Code and the ISPS Code provide the necessary framework for integration into the company risk management and security protocols and procedures.
The Club has previously recognised the importance of cyber security management on vessels in the loss prevention DVD “Cyber Security – Smart, Safe Shipping”. The Club encourages Members to ensure that early implementation of cyber security management is considered and that the procedures of cyber risk management are seamlessly integrated within the existing safety management system at the earliest opportunity, even where the deadline for implementation is not imminent.