Tanker management self-assessment (TMSA) may be voluntary in principle but for tanker operators seeking regular charters from oil majors meeting its requirements is a fundamental commercial imperative.

Whereas traditional class requirements give a snapshot of a vessel’s quality at a given moment in time, TMSA was devised to gauge quality of a company’s operations over time. The second edition of the programme, which was introduced in 2008, comprised twelve elements covering a range of safety and performance metrics. In April last year, OCIMF, the industry body that devised and maintains the assessment programme, released a highly anticipated update, that took effect from 1 January 2018.

The update from TMSA2 to TMSA3 was a radical overhaul. The biggest change was the introduction of a completely new element on maritime security that zeroed in on cyber risk management. “While there was a growing awareness of cyber risk in the shipping industry, until that point it was nearly always framed in the future tense. It was raised as a hypothetical issue, one that would have to be addressed in the years to come,” observes Jason Stefanatos, Senior Research Engineer in DNV GL’s Maritime R&D and Advisory team. “Offering operators less than a year to prepare or risk losing business, TMSA3 brought it solidly into the present.”

Holistic approach

Effective cyber security is built on three pillars: people, processes and technology. “There’s still a common misconception that it’s a matter for the company IT department and that as long as I remember my password, it doesn’t affect me. But that’s no longer today’s reality,” Stefanatos stresses.

IT departments do play an important role in implementing technical mitigations such as firewalls and intrusion detection systems and so forth, and it is true these defences successfully prevent many attempted attacks. However, processes are also essential. “End-users – both crews at sea and staff ashore – need to know how to react to the attack or system failure that wasn’t prevented or anticipated by technical safeguards,” he warns. More importantly, he adds: “You need people to be aware of the risks and to take them seriously.”

TMSA3’s new maritime security section – Element 13 – is intended to instil these behaviours and encourage operators to adopt such a holistic approach. To attain the lowest score (Level 1), procedures for identifying threats applicable to the vessel and shore sites must be demonstrated. Reaching Level 2 requires guidance and mitigation measures in all procedures, as well as the promotion of cyber security good-practice among vessel personnel. Satisfying Level 3 calls for security procedures to be regularly updated. The highest grade, Level 4, demands that novel or innovative methods for minimizing cyber risk are evidenced.

Leadership and change

Although cyberrisk management is addressed in greatest depth in Element 13, it exerts a gravitational pull on other elements covered by TMSA. Providing an effective response to cyberrisk, for instance, will require good leadership (Element 1). Meanwhile, management of change (MoC, Element 7) will have to incorporate software and system configuration management. The latter aspect is particularly important.

Satisfying Level 1 of MoC requires that documented procedures are in place for implementing change and for assessing its impact, as well as specifying the framework for granting approval. Level 2 demands that all documentation and records affected by the change are identified and amended or annotated.

Reaching Level 3 calls for a comprehensive software management procedure covering both shipboard and shore systems. Crucially this goes beyond items typically associated with standard business IT infrastructure and should include operational technology (OT), such as the PLCs (Programmable Logic Controllers) and related interfaces for controlling onboard machinery.

Threat evolution

The threat landscape is evolving faster than ever, says Stefanatos. Hackers have grown up and become professional. They are more organized and have more resources at their disposal. Consequently, techniques and tactics have grown in sophistication.

In the 2000s, office IT systems were the predominant target. In other words, the PC on your desk. But these days, attacks directed at OT – the embedded systems and PLCs – are growing increasingly frequent. “It’s a worrying trend. Whereas before it was mostly a company’s finances and reputation at risk, now that has escalated to safety of life, property and the environment. The stakes are much higher,” Stefanatos observes.

One of the first obstacles facing any operator implementing the new TMSA requirements is to decipher and establish a common interpretation of what they mean, a task which, according to Stefanatos, isn’t as straightforward as it sounds: “Some are open to interpretation depending on what perspective you’re approaching them from. Senior managers, for example, may arrive at different conclusions to those working in the IT department or working as an ETO on a ship. It is essential everyone agrees before getting started.”

Credit: DNV GL

Demanding work

Another challenge is the sheer amount of work involved in performing the necessary risk assessments for all IT and OT systems. “Because the procedures and documentation are new, they must be created from scratch. Tanker owners are familiar with how TMSA works, but few quite anticipated the scale of the task facing them,” explains Stefanatos recalling conversations with clients.

Operators can purchase pro forma procedures off the shelf, but he emphatically cautions against taking such shortcuts: “A cookie-cutter approach defeats the object. Unless you properly investigate and drill down into the potential security gaps particular to your company, you won’t be able to find the vulnerabilities specific to your operations. In turn, you won’t be able to devise effective remedial actions or countermeasures.”

GET THE SAFETY4SEA IN YOUR INBOX!

While the workload might be daunting, ultimately managing cyber risk is no different to managing any other risk. The equipment and terminology may be unfamiliar but the approach is fundamentally the same as, say, managing any hot work that modifies a vessel’s structure. Software changes, for example, should not be done ad hoc. They should be planned, approved, and recorded. They should be categorized as minor or major to ensure personnel with appropriate authority can approve. This is very similar to the process for gaining approval prior to carrying out welding.

Close collaboration

In 2016, DNV GL compiled and published a set of recommended practice (RP), which details the principles and processes that underpin effective cyber risk management. It provides an authoritative resource for operators of tankers – or any ship type – intending to build a cyber risk management system under their own steam.

However, feedback from and conversations with tanker operators using the RP highlighted a clear need for a more collaborative approach. “Operators understood the guidance as it was written down on paper but translating that into action was proving harder than expected,” notes Stefanatos. This realization prompted DNV GL to start providing dedicated advisory services to assist operators meet TMSA3 requirements.

DNV GL experts work alongside the operator to familiarize themselves with the existing management system and then carry out a gap analysis. This reveals what safeguards are already in place, what requires attention and what’s missing. These outcomes facilitate a highly methodical approach to developing procedures that are effective at reducing risk and that mesh neatly with the specific nuances of an operator’s structure and working practices.

The final stage is for the procedures to be tested to ensure that all the identified gaps have been addressed and that they would stand up under the scrutiny of a TMSA vetting inspection. Depending on the level of customer engagement, the whole process can take between six and eight weeks to complete.

Positive feedback

With only a short window of opportunity between TMSA3 being announced and it taking effect, DNV GL has experienced strong uptake for its advisory services from across the tanker segment, including a number of reputed Greek operators.

Frantzeskos Kontos, Technical Manager at Prime Marine Management, says cyber security is no longer a paperwork exercise. “In recent times, we’ve identified many minor threats – and a handful of more serious ones – on our vessels, so it was urgent we took action to prevent further escalation. The inclusion of cyber security in TMSA gave us an additional commercial impetus.”

Collaborating with DNV GL enabled the Greek operator to detect gaps existing in its management system and address them swiftly and systematically. Procedures were enhanced and new control measures were introduced as a direct result of DNV GL’s proposals and recommendations. “There were some challenging discussions along the way, but, on reflection, they produced tangible results,” reports Kontos.

Initially educating and bringing employees on board was challenging, Kontos admits. “DNV GL’s training resources proved effective in communicating the criticality of cyber security to staff at all levels and across company operations, on shore and at sea.”

Minerva Marine also turned to DNV GL to help it develop a cyber resilience strategy that both complies with TMSA3 and aligns with forthcoming IMO requirements. Part of the project was to carry out a vulnerability assessment on board a Minerva vessel. Company IT manager Eftihia Benaki says: “In addition to the potential financial and reputational damage, cyber risk now carries significant safety and environmental implications. The assessment was invaluable in revealing the technical gaps we faced and identifying the areas we needed to focus on.” She adds: “DNV GL provided a depth of resource and level of specialism that we didn’t have internally.”

The Massachusetts Institute of Technology (MIT) calls cyber security a negative target: it is impossible to ever be 100 per cent secure. This is for two reasons. Firstly, it’s highly dynamic with new threats and risks emerging on a daily basis and, secondly, there is a large attack surface for hackers to exploit. This latter aspect is especially true in a complex supply chain environment, such as shipping, characterized by interactions with and between numerous and diverse stakeholders. However, as we have seen, it is possible to take steps and minimize exposure to these risks and plan a response for when the unexpected happens. This is what TMSA3 essentially seeks to achieve by incentivizing preparedness.

While TMSA3 has made cyber risk management a priority for tanker operators, it is only a matter of time before similar requirements arrive in other market segments. The advisory services developed by DNV GL for TMSA3 sit alongside with associated cyber security offerings including gap analysis for various global standards; a growing range of practical services including penetration testing and incident response drills; and training courses for raising awareness and tackling phishing and social engineering. These can be deployed in various configurations to manage risk on bulk carriers – should RightShip evolve in this direction – and across the global fleet when IMO requirements to incorporate cyber risk within ISM take effect in 2020.

Reflecting on the maritime industry’s response to cyber risk has evolved, Stefanatos observes: “Misha Glenny, a British computer journalist specializing in cyber security, famously quipped that there are two types of companies in the world: those that know they’ve been hacked and those that don’t. Maybe the day has come to add a third type: those that have prepared and are confident they can respond.”

Source: safety4sea


The OCIMF Tanker Management and Self Assessment programme was originally introduced in 2004 as a tool to help companies assess, measure and improve their management systems. It is an essential complement to IMO Conventions, Codes and Circulars and is intended to encourage self-regulation and promote continuous improvement to enhance the safety of merchant shipping and achieve incident free operations.

This fully updated and revised third edition reflects current legislation, expectations and emerging issues, and incorporates feedback from companies and users of previous editions of TMSA. Key new features to the text include:

  • Updated industry legislative requirements, including the Manila Amendments to the Maritime Labour Convention 2006, the Polar Code and the Ballast Water Management Convention

  • A new element 13 covering Maritime Security

  • Expanded best practice guidance to complement key performance indicators and remove ambiguity and duplication

  • Streamlining and merging of elements to improve consistency and make conducting the self assessment easier

  • Revised Environmental and Energy Management Element, which now incorporates the OCIMF Energy Efficiency and Fuel Management paper that was a supplement to TMSA2

As well as this printed guide, the TMSA programme includes a useful online tool for recording self assessment as well as a database for sharing reports, providing ship operators with an interactive and constantly evolving platform to monitor and improve their performance and attain high standards of safety.

Source: witherbyseamanship


The 10th Element, which focuses on environment and energy management is the critical practice of identifying and assessing pollution generated from maritime operations as well as the safe reduction and disposal residual waste. TMSA 3 encourages reporting procedures & contingency planning to be implemented to cover hazardous incidents. It is a requirement that a maritime organization monitor its performance quarterly and provide benchmarks across the fleet to ensure environmental action plans meet standards such as ISO 14001 & MARPOL Annexes.

How can ShipNet help with the 10th Element of TMSA 3?

Setup Procedures:

Setup and monitor environment management plans along with the identification of sources of emissions and measures to increase energy efficiency.

Monitor:

Record and monitor sources emissions, fuel consumptions to consistently take steps to achieve objectives outlined in the company policies.

11th Element – Emergency preparedness and contingency planning

The 11th Element of TMSA 3 looks at the requirements of implementing an effective response in dealing with onboard emergencies where a vessels crew is required to undertake training exercises-based merchant shipping legislation. Maritime organizations are required to develop safety procedure drills along with shore-based response teams to partake in training. TMSA 3 identifies the need for maritime organizations to undertake media training and to arrange security management.

How can ShipNet help with the 11th Element of TMSA 3?

Through the ShipNet One application you can plan and execute drills and emergency exercises while preparing the company and vessel emergency response plans both for office as well as site-specific. Within the application, define the scope and frequency of the planned exercise for automated scheduling. Gain access to all records automatically through history. Prepare KPI targets as per company policies and monitor the frequency of exercises carried out throughout the fleet for continual improvement.

12th Element – Measurement, analysis, and improvement

The 12th Element is considered one of the most vital aspects of a successful safety management system. A maritime business must ensure system manuals are utilized as a part of daily operations and that they are analyzed for their effectiveness and to ensure they have not become outdated. By giving regular audits indicates how well the safety management system is adhering to industry best practice guidelines and how well the system is performing overall, along with the connected vessels and shore support offices.

TMSA3 Diagram
How can ShipNet help with the 12th Element of TMSA 3?

Inspections:

Through the ShipNet One application, onboard Safety Officers or Junior Officers can implement ship safety inspections and asses the safety culture. The application also provides the ability to plan and prepare for inspections and audits based on set schedules.

Through the ShipNet One application you can also:

  • Review previous inspection details across the fleet and data, enabling improved preparation.
  • Identify problem areas, individuals, and inspectors.
  • Perform inspections based on standard or custom checklists and create findings automatically from checklist questions.
  • Identify observations and non-conformities and determine their corrective actions.
  • Make use of KPI / RCA / Measurement lists to analyze observations and findings.
  • Assign tasks to individuals in the organization and perform actions to close each finding.
  • Measure the performance of vessels, observations, and non-conformities, areas of most concern through interactive dashboards and reports.

Sharing:

Share best practices and critical information across the fleet using the document system to promulgate safety alerts or fleet circulars. Share information circulars across the fleet. Generate custom reports using our report designer to share among customers.

13th Element – Maritime Security

Maritime Security

The 13th and newest Element of TMSA 3 focuses on Maritime Security, which mainly consists of the use of Risk Assessment solutions to identify and mitigate risks. It is a requirement to adhere to BMP 4 guidelines, so it is necessary to define and maintain a stock of equipment for vessel hardening. It is also a requirement to define an Operational Security Area to monitor the number of transits of vessels. Best practice requires travel advisory and threat level circulated data sharing across a fleet as well as the verification of armed guard’s qualification criteria before employing them onboard vessels.

How can ShipNet help with the 13th Element of TMSA 3?

Operational:

Monitor and track operational security events using the occurrence system and ensure that vessels are secure from threats

  • Use of Risk Assessment solution to identify and mitigate risks
  • Define and maintain stock of equipment for vessel hardening as per BMP 4 guidelines
  • Define Operational Security Area and monitor the number of transits of vessels as per Operation Security Reports made in the solution
  • Circulate travel advisory and threat level data sharing to vessels using the document system
  • Verify armed guard’s qualification criteria before employing them onboard vessels using our standard measurement lists

So there we have it. Our ShipNet One integrated platform has been built around industry regulations to assist with maritime organizations in implementing their safety management systems efficiently and proactively. Through years of development in line with the world’s major shipping companies, the platform not only meets the requirements but encourages continuous and effective improvement and compliance with TMSA 3.


Digitalisation and decarbonisation are driving a period of unprecedented change in the maritime industry, underpinned by the regulatory agenda.
As the implementation date of IMO 2021 draws near, it is clear that we must rethink our attitudes to technology. In Part 1 of this blog, we explored the key challenges facing shipping companies and their readiness to facilitate the move to digitalisation.

 

Here in part 2, we look at decarbonisation and cyber security. What might shipping companies do to prepare for, and comply with, the regulatory requirements on the horizon?

Digitalisation will ultimately create a two-tier shipping market, divided into those owners and operators who have the best access to the latest information and those who do not.

The difference between this relatively recent position and the days of employing simple but effective means of checking vessel arrivals or departures or bidding for cargoes is that almost anyone who wants to, can pay to access the data on vessel positions, port traffic, weather or other information.

This matters too because in the space of a little over a decade, new targets on environmental efficiency will force the industry to adopt new working practices. Most critically this includes new fuels as the means of complying with IMO targets on the reduction of carbon intensity on a vessel by vessel basis.

Collection, analysis and interpretation of every bit of data from ship systems at that point becomes critical – potentially the difference between success or failure to comply. The data that ships produce on their emissions will be reported automatically and this data will inform not just regulations but market measures, including the cost at which lenders make capital available to shipping companies.

Cyber Critical Systems

New technology and the need for sustainability are two fundamental forces acting on the maritime industry; the other is security of the IT networks on which both rely. The IMO has adopted cyber-security related amendments to the International Safety Management Code (ISM Code) while the tanker sector has already made similar requirements part of Tanker Management Safety Assessment (TMSA) version 3.

While the first represents mandatory regulation, the second is a ‘licence to operate’ for owners carrying hazardous cargoes. The ISM Code will require demonstration that action has been taken to address cyber security, TMSA will require shipowners to demonstrate that they have the latest available IT operating system and other software updates as well as specific security patches either as part of a Port State Control inspection or in pre-qualifying a vessel to carry cargo.

The industry’s largest, long term players are likely to already meet these requirements but for an operator with limited IT outfit, they present an unwelcome burden. For one with a sophisticated network encompassing IT and OT, it presents an additional series of tasks for crew unless it can be managed with a minimum of additional administration.

Compliance with voluntary cyber security guidelines until now have tended to succeed or fail on the basis of the human element, relying on an intention to do the right thing. It is precisely this lack of transparency over how the tasks are performed and the updates recorded that the regulation seeks to change.

Marlink estimates that at least 50% of software updates are still performed by the collection of physical media such as a CD for manual update with the balance performed ‘over the air’ and automatically applied.

Supporting the change

Marlink realised some years ago that as maritime connectivity continued to improve, so shipowner needs would shift towards deeper relationships with partners who could support their digitalisation and decarbonisation strategies and provide them with integrated compliance solutions.

At the heart of our digital enablement strategy is ITLink, which allows shipping companies to develop, test and deploy IT solutions fleetwide. This can extend from operating system patches or upgrades to applications and even complete ERP systems. Marlink is enabling owners to transfer these tasks away from crew towards specialists onshore who can develop and implement the programs they need, test them for robustness and share them across a fleet with a single click.

When it comes to IMO2021 compliance, that means crew no longer have to worry about proving their systems have the latest updates; ITLink’s intuitive dashboard provides inspectors with single view of system status. In addition, Marlink’s CyberGuard portfolio provides a range of solutions to further protect vessels from cyber threats and ensure compliance.

Unlike some asset management application providers, Marlink believes the data from these shipboard systems is the property of the shipowner and the enhanced visibility of asset condition is something that they should be able to act on knowing the data is secure and confidential.

Finally, our use of advanced cloud technology enables the transfer of data with far higher compression and greater efficiency, offering an intriguing glimpse into where the industry is going in terms of access to data and navigation content for ships.

This means a greater number of maritime information vendors can digitalise their products and improve access by mariners to high quality data and applications. This enables services like ITLink to provide ‘over the air’ security and other updates and offers the potential to provide further applications and digital content for safety, operations and route optimisation.

The future is here

Regardless of short term shocks and disruptions, the course ahead for the shipping industry is set.

In the medium term, as owners engage with more complex IT network requirements, they will be able to enjoy expanded access to cloud-based applications and storage, increasing asset connectivity and bringing ‘virtual’ systems and applications onboard.

The ability of shoreside personnel to maintain and troubleshoot IT networks and to provide crew with the tools they need to demonstrate cyber resilience and compliance means that seafarers can concentrate on safe operations rather than be distracted by technology.

As the long term trend sees the cost of IT capex, opex and compliance fall over time, the resulting gains; in terms of improved voyage performance and vessel efficiency, will combine to improve shipping’s environmental profile, moving the industry towards its goal of digitalised, decarbonised and cyber-secure operations.

Read part 1 of this blog here


In August, the Tahlequah Main Street Association began accepting submissions for the Big Idea, which will provide a grant up to $5,000 for the best project idea to enhance Tahlequah.

The Big Idea is a microgrant funded by TMSA’s reinvestment funds. The Big Idea consists of three phases: gathering Big Idea submissions, selecting a winner from chosen finalists, and implementing the winning idea.

“It’s to aid in the revitalization and beautify our downtown area,” said TMSA director Jamie Hale. “Submissions have begun, but anyone with an idea for our downtown can enter it by the Sept. 4 deadline with our online tool on our website.”

According to TMSA, to complete the application, one needs a detailed description of the Big Idea; an estimated cost with supporting documentation; and an estimated timeline to complete the project. If a Big Idea is chosen, the applicant must see that the project is completed.

Finalists will be narrowed to three to five individuals, who will be notified in September that they’ve been selected. Upon selection, finalists will meet with a TMSA representative to review the work plan for their Big Idea and TMSA will assist each submission in creating a video showcasing the project.

“We are very excited to announce that this year’s event will be held virtually. Attendees will watch each finalist’s video and vote online for their most favorite idea for downtown Tahlequah,” said Hale. “Once all the votes are cast, we will determine the 2020 Big Idea winner.”

Eligible projects must align with the TMSA mission to revitalize downtown Tahlequah and strengthen it as the heart of the city. Projects must be able to be completed by June 2021.

Past Big Idea winners have included building facade rehabilitation and the addition of murals throughout the corridor.

“We applied for the Big Idea 2020 because we thought we could help make a difference with the beautification of downtown. Murals can help to bring people in,” said ALL Designs owner and 2020 Big Idea winner Amanda Lamberson. “Maybe they will visit a new store for the first time after taking a picture. Maybe a picture they post will entice a friend to come visit a new store, or maybe it’s simply grandparents in another state will have a new picture of their grandkid to see.”

The three murals were placed on the buildings of Lift Coffee Bar, the Phoenix Professional Building, and Sand Tech.

“We participated in the event as a new business to help promote our brand. We also presented our idea to add to the growing street art scene in Tahlequah,” said Lift co-owner Justin Guile. “Our investment in the building and the art has transformed the corner of Muskogee and Downing. We appreciate all those who voted for us to win the Big Idea and voted us Best Coffee Shop in our first year in business.”

Grant Lloyd, local attorney and owner of Phoenix Professional building, said the murals added a “unique vibrancy to downtown Tahlequah.”

“We wanted to offer a snapshot of the heart of our town on one of our buildings,” said Lloyd.

Addie Wyont with Sand Tech said interactive art helps to draw people into the community to take pictures, shop, and help all downtown businesses with foot traffic.

“We love our mural, and so many people from in town and outside of Tahlequah have come to take pictures,” Wyont said. “The Big Idea is so helpful to our small businesses that would like to upgrade their facade, ideas or more. The $5,000 grant can go a very long way.”

Applications can be submitted by community organizations, business owners, building owners, or individual community members.

For more information on this event and others provided to Tahlequah by TMSA, visit www.tahlequahmainstreet.com. To submit an idea, go to https://form.jotform.com/202086696340053.


As announced on 24 June 2020 key elements of the European Barge Inspection Scheme (EBIS) will transition to OCIMF’s SIRE programme from 1 January 2021. This will create a single barge inspection scheme within Europe.

To oversee the smooth transfer of EBIS into SIRE, the OCIMF/EBIS Transition Taskforce has been established, which includes members of the EBIS Board of Directors, OCIMF Members and secretariat. The first meeting of the taskforce was hosted remotely on 13 August 2020. Representatives of the wider European inland barge industry will be invited to future meetings.

OCIMF/EBIS Transition Taskforce will coordinate all activity relating to the transition of key elements of EBIS, including the EBIS vessel questionnaire templates – technical information templates currently in development by EBIS, Version 9. The Taskforce will also provide oversight on all work relating to:

  • Integrating EBIS member applications to become SIRE programme recipients.
  • Supporting accredited EBIS Inspectors looking to attain SIRE Cat 3 accreditation for the European region following application and completion of a training course.
  • Assisting vessel Owners and Operators in transferring their fleet’s EBIS technical information into the SIRE database.

Over the course of the transition period, training courses and webinars will be hosted by the OCIMF/EBIS Transition Taskforce to support OCIMF member companies, existing EBIS member companies, accredited EBIS and SIRE Inspectors as well as vessel Owners and Operators. Details of the training courses and webinars will follow in due course.

Should you have any queries or require support, please contact Matthew Graham, Barge Advisor, matthew.graham@ocimf.org


What are the key elements of TMSA 3 (Tanker Management Self Assessment)?

 

On the 10th of April 2017, OCIMF (The Oil Companies International Marine Forum) released TMSA 3, the latest edition of the Tanker Management and Self-Assessment (TMSA) programme providing Tanker companies with a means to improve and measure their safety management systems.

TMSA 3 revised and updated all twelve of the existing elements from the previous two editions and introduced a thirteenth – ‘Maritime Security.’

What are the 13 key elements of TMSA 3?

The 13 key elements of TMSA 3 are as follows:

Leadership and the safety management system

Recruitment and management of shore-based personnel

Recruitment, management, and wellbeing of vessel personnel

Vessel reliability and maintenance including critical equipment

Navigational safety

Cargo, ballast, tank cleaning, bunkering, mooring and anchoring operations

Management of change

Incident reporting, investigation, and analysis

Safety management

Environmental and energy management

Emergency preparedness and contingency planning

Measurement, analysis, and improvement

Maritime security

the newest element ‘Maritime Security‘ mainly consists of:

  • Use of Risk Assessment solution to identify and mitigate risks
  • Define and maintain a stock of equipment for vessel hardening as per BMP 4 guidelines.
  • Define Operational Security Area and monitor the number of transits of vessels as per Operation Security Reports made in the solution.
  • Circulate travel advisory and threat level data sharing to vessels using the document system.
  • Verify armed guards qualification criteria before employing them onboard vessels using our standard measurement list

SOURCE


TMSA 3, From January 2018, tanker operators are required to use TMSA3 to monitor and improve performance. In comparison with TMSA2, the new edition of TMSA is more extended in length and presents new challenges to ship operators with the introduction of new requirements.

It is noticeable that for the first time, this self-assessment tool for oil tankers introduces maritime security as Element 13 referring also to cyber security.

Cyber security is currently one of the most discussed topics on the industry and many considerable efforts have been made so far to mitigate threats. Thus, TMSA 3 aims to establish procedures in order to respond to industry’s needs.

‘’For the first time, TMSA introduces maritime security as Element 13 including cyber security’’

Also it features an expanded best practice guidance to complement the KPIs and enhanced guidelines for risk assessment, auditing and review ashore and onboard along with guidance for all related tools to be employed.

Other major changes introduced are the expansion of Element 6 on Cargo, Ballast, Tank Cleaning, Bunkering, Mooring & Anchoring Operations, and an updated Element 10 combining Environmental and Energy Management.

In the latest edition, special focus has been given on the continuous improvement cycle by taking into consideration additional KPIs towards effective performance management. Specifically, TMSA3 introduces 85 new KPIs in total. In this context, 25 KPIs have moved to a lower level and there are indexes concerning customer focus, leadership and engagement of people.

On the whole, the TMSA3 addresses issues regarding performance management. The method that a shipping company uses to measure performance is a prominent topic for discussion within the maritime industry. The new edition makes an effort to overhaul the process, not only with the streamline of KPIs but also with the introduction of non-financial measurements and the assessment of soft skills.

Furthermore, TMSA3 introduces a different approach by focusing on the human element and behavioral safety suggesting that crew competence is the tool for crew retention and development.

TMSA 3 at a glance

Expanded best practice guidance to complement the KPIs.
Revised and enhanced best practice guidance to remove ambiguity and duplication.
Additional requirements for HSSE strategic planning, KPI setting and performance monitoring, review and improvement.
Streamlining and merging of elements to improve consistency and make self-assessment easier.
Enhanced guidelines for risk assessment, auditing and review ashore and onboard along with guidance for all related tools to be employed.
Extensively Revised Element 6 and 6A – Cargo, Ballast, Tank Cleaning, Bunkering, Mooring and Anchoring Operations, with additional KPIs and guidance.
Extensively Revised Element 10 – Environmental and Energy Management (previously Environmental Management) incorporates the OCIMF Energy Efficiency and Fuel Management paper that was a supplement to the TMSA 2.
A New element: Element 13 – Maritime Security.

SOURCE READ FULL ARTICLE


Maritime Cyber Attack

Cyber attacks like the NotPetya malware that struck Maersk are raising concerns about cyber risk and its effects on resilience, according to specialty insurer XL Catlin

Shipping industry firms and port operators are worried about linkage between cyber-attacks and supply chain risk, insurer XL Catlin has warned.

Big interdependencies between systems mean maritime firms face major business continuity risks from online threats.

“The problem is that nobody knows, other than the computer systems, where your goods are,” said Pascal Matthey, head of global lines for marine risk engineering at XL Catlin.

“You might never find your container again. Refrigerated containers might lose power, which would mean huge damage,” said Matthey.

Maersk was among those organisations worst hit by the NotPetya contagious malware attack last year.

The global shipping and logistics firm had to reinstall some 4,000 servers, 45,000 PCs, and 2,500 applications; the process took 10 days and cost the company around $450m.

The company was forced to temporarily switch to manual systems – pen and paper, and lots of overtime – resulting in a temporary 20% drop in volumes.

Another cyber-attack, revealed in 2013, struck two shipping companies operating in the Belgian port of Antwerp, and had reportedly gone undetected for about two years before that.

An organised crime group allegedly used hackers to infiltrate computer networks, allowing cocaine and heroin, hidden in containers shipped from South America, to be intercepted by criminals.

“The idea was not to harm the port but to get things out by hacking the system,” said Matthey, based in the specialty insurer’s Zurich office.

He warned about the potentially catastrophic consequences of a cyber-attack by terrorists, such as targeting a ship and interfering with its steering or navigation to cause a collision in congested waters, such as a port or major trade artery such as the Panama Canal.

Maritime Cyber Attack

“What happened on 9/11, you could perhaps now do with a ship, by steering a large vessel into an oil or gas terminal, which could have disastrous consequences,” said Matthey.

XL Catlin is among those re/insurance firms involved in developing blockchain applications – distributed ledger technology for smart contracts, sharing data instantaneously between the relevant counterparties.

A new blockchain platform for marine insurance contracts at XL Catlin and MS Amlin is expected to go live this year.

Maritime Cyber Attack

SOURCE STRATEGIC RISK READ FULL ARTICLE 


MARITIME CYBER RISK !

The insurance losses and liabilities arising from cyber risks is an increasing area of focus for both shipowners and their insurers, argues Mr. Adrian Durkin, Director (Claims) and Mr. Colin Gillespie, Deputy

Potentially owners may be exposed to gaps in cover arising from cyber incidents – an unsatisfactory situation in today’s connected world. For example, an owner’s hull and machinery insurance may contain a cyber risk exclusion which mirrors, or is derived from, institute clause 380.

There are also cyber exclusions in war risk policies that relate to computer viruses. The war risks clause is derived from market clause 3039. Many other market insurance policies specifically exclude losses or liabilities arising as a result of cyber risks.

Why is Cyber Excluded?

Cyber risks present a range of issues for insurers. Cyber risks are relatively new – claims data relating to these risks is quite limited. Another difficulty is that cyber security is not yet well established in the maritime industry. The sheer complexity of the information technology, operational technology and internet available across the industry also presents a challenge, as does the potential for cyber problems to spread quickly across the globe. As a result the likelihood, extent and costs associated with claims involving cyber risks are difficult to calculate and potentially significant, hence the reluctance to offer cover.

It is in an owner’s interests to scrutinise their various policies in order to identify potential gaps in their insurance cover. It is possible to close the gaps by working with insurers and brokers. This may require owners to demonstrate that they have robust cyber risk management practices in place both ashore and afloat. An additional premium may be payable. The market is responding to these risks – albeit slowly.

P&I Cover for Cyber Risks

The International Group of P&I Clubs’ poolable cover does not exclude claims arising from cyber risks.

This means that club members benefit from the same level of P&I cover should a claim arise due to a cyber risk, as they would from such a claim arising from a traditional risk. As always cover is subject to the club rules.

While there are currently no internationally agreed regulations in force as to what constitutes a prudent level of cyber risk management or protection, this does not mean that owners, charterers, managers or operators of ships can ignore the need to take proper steps to protect themselves in the belief that their club cover will always respond.

If a claim with a cyber element arises, an owner may need to demonstrate that they took all obvious steps to prevent foreseeable loss or liability. As more and more potential cyber risks are being identified, clubs will expect to see the operation of sensible and properly managed cyber risk policies and systems both ashore and on vessels.

MARITIME CYBER RISK

Don’t delay – act now

Barely a month goes by without news of a major cyber-attack affecting a large or high profile commercial or government entity. Cybercrime is a rapidly growing global threat in all industries and the maritime supply chain is vulnerable as the problems experienced by Maersk in 2017 have demonstrated. In that incident problems ashore had a knock on effect on vessels, highlighting the fact that as marine transport operations become more connected, the more chance there is of problems impacting across the system both ashore and afloat.

The authorities and large charterers are concerned about the risk to operations ashore and afloat and are taking steps to drive change in the industry. Actively managing cyber risks is now both a commercial and compliance priority.

Cyber Risks & ISM Code

The IMO’s Maritime Safety Committee (MSC) has confirmed that cyber risks should be managed under the ISM Code.

Resolution MSC.428(98) affirms that an approved safety management system should take into account cyber risk management and encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.

TMSA 3

Cyber risk management has been included in TMSA 3 under elements 7 and 13. KPI 7.3.3 includes cyber security as an assigned responsibility for software management in the best practice guidelines. Under element 13 cyber security is specifically identified as a security threat to be managed. It seems clear that the oil industry has recognised the need for action from tanker owners and is encouraging action through commercial pressure via TMSA 3. For tanker operators the time to act is already here.

Rightship Inspections

Cyber risk management now forms part of Rightship inspections and a company’s cyber security maturity may be one aspect dry bulk charterers will take into account.

A Daunting Task?

The prospect of dealing with cyber security will be daunting for many shipping companies. It’s new, involves things that may not be fully understood, and most of us are not likely to have received any formal training in such risks.

What is a definite plus is that shipping companies will be very familiar with the risk management framework suggested by the IMO Guidelines on Cyber Risk Management and industry Guidelines on Cyber Security Onboard Ships. We can also use the experience gained in other sectors of industry that have already put cyber security systems in place.

2021 is not far away, but the potential for cyber risks to result in losses or liabilities is clearly already upon us.

Cyber risks can affect almost every part of a shipping company. There will be lots to do to identify risks and vulnerabilities and to take steps to prepare for, and respond to, cyber threats. It’s time for us all to act.

By Adrian Durkin, Director (Claims) & Colin Gillespie, Deputy Director (Loss Prevention), North P&I Club


Company DETAILS

SHIP IP LTD
VAT:BG 202572176
Rakovski STR.145
Sofia,
Bulgaria
Phone ( +359) 24929284
E-mail: sales(at)shipip.com

ISO 9001:2015 CERTIFIED