Tanker management self-assessment (TMSA) may be voluntary in principle but for tanker operators seeking regular charters from oil majors meeting its requirements is a fundamental commercial imperative.

Whereas traditional class requirements give a snapshot of a vessel’s quality at a given moment in time, TMSA was devised to gauge quality of a company’s operations over time. The second edition of the programme, which was introduced in 2008, comprised twelve elements covering a range of safety and performance metrics. In April last year, OCIMF, the industry body that devised and maintains the assessment programme, released a highly anticipated update, that took effect from 1 January 2018.

The update from TMSA2 to TMSA3 was a radical overhaul. The biggest change was the introduction of a completely new element on maritime security that zeroed in on cyber risk management. “While there was a growing awareness of cyber risk in the shipping industry, until that point it was nearly always framed in the future tense. It was raised as a hypothetical issue, one that would have to be addressed in the years to come,” observes Jason Stefanatos, Senior Research Engineer in DNV GL’s Maritime R&D and Advisory team. “Offering operators less than a year to prepare or risk losing business, TMSA3 brought it solidly into the present.”

Holistic approach

Effective cyber security is built on three pillars: people, processes and technology. “There’s still a common misconception that it’s a matter for the company IT department and that as long as I remember my password, it doesn’t affect me. But that’s no longer today’s reality,” Stefanatos stresses.

IT departments do play an important role in implementing technical mitigations such as firewalls and intrusion detection systems and so forth, and it is true these defences successfully prevent many attempted attacks. However, processes are also essential. “End-users – both crews at sea and staff ashore – need to know how to react to the attack or system failure that wasn’t prevented or anticipated by technical safeguards,” he warns. More importantly, he adds: “You need people to be aware of the risks and to take them seriously.”

TMSA3’s new maritime security section – Element 13 – is intended to instil these behaviours and encourage operators to adopt such a holistic approach. To attain the lowest score (Level 1), procedures for identifying threats applicable to the vessel and shore sites must be demonstrated. Reaching Level 2 requires guidance and mitigation measures in all procedures, as well as the promotion of cyber security good-practice among vessel personnel. Satisfying Level 3 calls for security procedures to be regularly updated. The highest grade, Level 4, demands that novel or innovative methods for minimizing cyber risk are evidenced.

Leadership and change

Although cyberrisk management is addressed in greatest depth in Element 13, it exerts a gravitational pull on other elements covered by TMSA. Providing an effective response to cyberrisk, for instance, will require good leadership (Element 1). Meanwhile, management of change (MoC, Element 7) will have to incorporate software and system configuration management. The latter aspect is particularly important.

Satisfying Level 1 of MoC requires that documented procedures are in place for implementing change and for assessing its impact, as well as specifying the framework for granting approval. Level 2 demands that all documentation and records affected by the change are identified and amended or annotated.

Reaching Level 3 calls for a comprehensive software management procedure covering both shipboard and shore systems. Crucially this goes beyond items typically associated with standard business IT infrastructure and should include operational technology (OT), such as the PLCs (Programmable Logic Controllers) and related interfaces for controlling onboard machinery.

Threat evolution

The threat landscape is evolving faster than ever, says Stefanatos. Hackers have grown up and become professional. They are more organized and have more resources at their disposal. Consequently, techniques and tactics have grown in sophistication.

In the 2000s, office IT systems were the predominant target. In other words, the PC on your desk. But these days, attacks directed at OT – the embedded systems and PLCs – are growing increasingly frequent. “It’s a worrying trend. Whereas before it was mostly a company’s finances and reputation at risk, now that has escalated to safety of life, property and the environment. The stakes are much higher,” Stefanatos observes.

One of the first obstacles facing any operator implementing the new TMSA requirements is to decipher and establish a common interpretation of what they mean, a task which, according to Stefanatos, isn’t as straightforward as it sounds: “Some are open to interpretation depending on what perspective you’re approaching them from. Senior managers, for example, may arrive at different conclusions to those working in the IT department or working as an ETO on a ship. It is essential everyone agrees before getting started.”

Demanding work

Another challenge is the sheer amount of work involved in performing the necessary risk assessments for all IT and OT systems. “Because the procedures and documentation are new, they must be created from scratch. Tanker owners are familiar with how TMSA works, but few quite anticipated the scale of the task facing them,” explains Stefanatos recalling conversations with clients.

Operators can purchase pro forma procedures off the shelf, but he emphatically cautions against taking such shortcuts: “A cookie-cutter approach defeats the object. Unless you properly investigate and drill down into the potential security gaps particular to your company, you won’t be able to find the vulnerabilities specific to your operations. In turn, you won’t be able to devise effective remedial actions or countermeasures.”

GET THE SAFETY4SEA IN YOUR INBOX!

While the workload might be daunting, ultimately managing cyber risk is no different to managing any other risk. The equipment and terminology may be unfamiliar but the approach is fundamentally the same as, say, managing any hot work that modifies a vessel’s structure. Software changes, for example, should not be done ad hoc. They should be planned, approved, and recorded. They should be categorized as minor or major to ensure personnel with appropriate authority can approve. This is very similar to the process for gaining approval prior to carrying out welding.

Close collaboration

In 2016, DNV GL compiled and published a set of recommended practice (RP), which details the principles and processes that underpin effective cyber risk management. It provides an authoritative resource for operators of tankers – or any ship type – intending to build a cyber risk management system under their own steam.

However, feedback from and conversations with tanker operators using the RP highlighted a clear need for a more collaborative approach. “Operators understood the guidance as it was written down on paper but translating that into action was proving harder than expected,” notes Stefanatos. This realization prompted DNV GL to start providing dedicated advisory services to assist operators meet TMSA3 requirements.

DNV GL experts work alongside the operator to familiarize themselves with the existing management system and then carry out a gap analysis. This reveals what safeguards are already in place, what requires attention and what’s missing. These outcomes facilitate a highly methodical approach to developing procedures that are effective at reducing risk and that mesh neatly with the specific nuances of an operator’s structure and working practices.

The final stage is for the procedures to be tested to ensure that all the identified gaps have been addressed and that they would stand up under the scrutiny of a TMSA vetting inspection. Depending on the level of customer engagement, the whole process can take between six and eight weeks to complete.

Positive feedback

With only a short window of opportunity between TMSA3 being announced and it taking effect, DNV GL has experienced strong uptake for its advisory services from across the tanker segment, including a number of reputed Greek operators.

Frantzeskos Kontos, Technical Manager at Prime Marine Management, says cyber security is no longer a paperwork exercise. “In recent times, we’ve identified many minor threats – and a handful of more serious ones – on our vessels, so it was urgent we took action to prevent further escalation. The inclusion of cyber security in TMSA gave us an additional commercial impetus.”

Collaborating with DNV GL enabled the Greek operator to detect gaps existing in its management system and address them swiftly and systematically. Procedures were enhanced and new control measures were introduced as a direct result of DNV GL’s proposals and recommendations. “There were some challenging discussions along the way, but, on reflection, they produced tangible results,” reports Kontos.

Initially educating and bringing employees on board was challenging, Kontos admits. “DNV GL’s training resources proved effective in communicating the criticality of cyber security to staff at all levels and across company operations, on shore and at sea.”

Minerva Marine also turned to DNV GL to help it develop a cyber resilience strategy that both complies with TMSA3 and aligns with forthcoming IMO requirements. Part of the project was to carry out a vulnerability assessment on board a Minerva vessel. Company IT manager Eftihia Benaki says: “In addition to the potential financial and reputational damage, cyber risk now carries significant safety and environmental implications. The assessment was invaluable in revealing the technical gaps we faced and identifying the areas we needed to focus on.” She adds: “DNV GL provided a depth of resource and level of specialism that we didn’t have internally.”

The Massachusetts Institute of Technology (MIT) calls cyber security a negative target: it is impossible to ever be 100 per cent secure. This is for two reasons. Firstly, it’s highly dynamic with new threats and risks emerging on a daily basis and, secondly, there is a large attack surface for hackers to exploit. This latter aspect is especially true in a complex supply chain environment, such as shipping, characterized by interactions with and between numerous and diverse stakeholders. However, as we have seen, it is possible to take steps and minimize exposure to these risks and plan a response for when the unexpected happens. This is what TMSA3 essentially seeks to achieve by incentivizing preparedness.

While TMSA3 has made cyber risk management a priority for tanker operators, it is only a matter of time before similar requirements arrive in other market segments. The advisory services developed by DNV GL for TMSA3 sit alongside with associated cyber security offerings including gap analysis for various global standards; a growing range of practical services including penetration testing and incident response drills; and training courses for raising awareness and tackling phishing and social engineering. These can be deployed in various configurations to manage risk on bulk carriers – should RightShip evolve in this direction – and across the global fleet when IMO requirements to incorporate cyber risk within ISM take effect in 2020.

Reflecting on the maritime industry’s response to cyber risk has evolved, Stefanatos observes: “Misha Glenny, a British computer journalist specializing in cyber security, famously quipped that there are two types of companies in the world: those that know they’ve been hacked and those that don’t. Maybe the day has come to add a third type: those that have prepared and are confident they can respond.”

Source: safety4sea

The OCIMF Tanker Management and Self Assessment programme was originally introduced in 2004 as a tool to help companies assess, measure and improve their management systems. It is an essential complement to IMO Conventions, Codes and Circulars and is intended to encourage self-regulation and promote continuous improvement to enhance the safety of merchant shipping and achieve incident free operations.

This fully updated and revised third edition reflects current legislation, expectations and emerging issues, and incorporates feedback from companies and users of previous editions of TMSA. Key new features to the text include:

• Updated industry legislative requirements, including the Manila Amendments to the Maritime Labour Convention 2006, the Polar Code and the Ballast Water Management Convention

• A new element 13 covering Maritime Security

• Expanded best practice guidance to complement key performance indicators and remove ambiguity and duplication

• Streamlining and merging of elements to improve consistency and make conducting the self assessment easier

• Revised Environmental and Energy Management Element, which now incorporates the OCIMF Energy Efficiency and Fuel Management paper that was a supplement to TMSA2

As well as this printed guide, the TMSA programme includes a useful online tool for recording self assessment as well as a database for sharing reports, providing ship operators with an interactive and constantly evolving platform to monitor and improve their performance and attain high standards of safety.

Source: witherbyseamanship

The 10th Element, which focuses on environment and energy management is the critical practice of identifying and assessing pollution generated from maritime operations as well as the safe reduction and disposal residual waste. TMSA 3 encourages reporting procedures & contingency planning to be implemented to cover hazardous incidents. It is a requirement that a maritime organization monitor its performance quarterly and provide benchmarks across the fleet to ensure environmental action plans meet standards such as ISO 14001 & MARPOL Annexes.

How can ShipNet help with the 10th Element of TMSA 3?

Setup Procedures:

Setup and monitor environment management plans along with the identification of sources of emissions and measures to increase energy efficiency.

Monitor:

Record and monitor sources emissions, fuel consumptions to consistently take steps to achieve objectives outlined in the company policies.

11th Element – Emergency preparedness and contingency planning

The 11th Element of TMSA 3 looks at the requirements of implementing an effective response in dealing with onboard emergencies where a vessels crew is required to undertake training exercises-based merchant shipping legislation. Maritime organizations are required to develop safety procedure drills along with shore-based response teams to partake in training. TMSA 3 identifies the need for maritime organizations to undertake media training and to arrange security management.

How can ShipNet help with the 11th Element of TMSA 3?

Through the ShipNet One application you can plan and execute drills and emergency exercises while preparing the company and vessel emergency response plans both for office as well as site-specific. Within the application, define the scope and frequency of the planned exercise for automated scheduling. Gain access to all records automatically through history. Prepare KPI targets as per company policies and monitor the frequency of exercises carried out throughout the fleet for continual improvement.

12th Element – Measurement, analysis, and improvement

The 12th Element is considered one of the most vital aspects of a successful safety management system. A maritime business must ensure system manuals are utilized as a part of daily operations and that they are analyzed for their effectiveness and to ensure they have not become outdated. By giving regular audits indicates how well the safety management system is adhering to industry best practice guidelines and how well the system is performing overall, along with the connected vessels and shore support offices.

How can ShipNet help with the 12th Element of TMSA 3?

Inspections:

Through the ShipNet One application, onboard Safety Officers or Junior Officers can implement ship safety inspections and asses the safety culture. The application also provides the ability to plan and prepare for inspections and audits based on set schedules.

Through the ShipNet One application you can also:

• Review previous inspection details across the fleet and data, enabling improved preparation.
• Identify problem areas, individuals, and inspectors.
• Perform inspections based on standard or custom checklists and create findings automatically from checklist questions.
• Identify observations and non-conformities and determine their corrective actions.
• Make use of KPI / RCA / Measurement lists to analyze observations and findings.
• Assign tasks to individuals in the organization and perform actions to close each finding.
• Measure the performance of vessels, observations, and non-conformities, areas of most concern through interactive dashboards and reports.

Sharing:

Share best practices and critical information across the fleet using the document system to promulgate safety alerts or fleet circulars. Share information circulars across the fleet. Generate custom reports using our report designer to share among customers.

13th Element – Maritime Security

The 13th and newest Element of TMSA 3 focuses on Maritime Security, which mainly consists of the use of Risk Assessment solutions to identify and mitigate risks. It is a requirement to adhere to BMP 4 guidelines, so it is necessary to define and maintain a stock of equipment for vessel hardening. It is also a requirement to define an Operational Security Area to monitor the number of transits of vessels. Best practice requires travel advisory and threat level circulated data sharing across a fleet as well as the verification of armed guard’s qualification criteria before employing them onboard vessels.

How can ShipNet help with the 13th Element of TMSA 3?

Operational:

Monitor and track operational security events using the occurrence system and ensure that vessels are secure from threats

• Use of Risk Assessment solution to identify and mitigate risks
• Define and maintain stock of equipment for vessel hardening as per BMP 4 guidelines
• Define Operational Security Area and monitor the number of transits of vessels as per Operation Security Reports made in the solution
• Circulate travel advisory and threat level data sharing to vessels using the document system
• Verify armed guard’s qualification criteria before employing them onboard vessels using our standard measurement lists

So there we have it. Our ShipNet One integrated platform has been built around industry regulations to assist with maritime organizations in implementing their safety management systems efficiently and proactively. Through years of development in line with the world’s major shipping companies, the platform not only meets the requirements but encourages continuous and effective improvement and compliance with TMSA 3.

Digitalisation and decarbonisation are driving a period of unprecedented change in the maritime industry, underpinned by the regulatory agenda.
As the implementation date of IMO 2021 draws near, it is clear that we must rethink our attitudes to technology. In Part 1 of this blog, we explored the key challenges facing shipping companies and their readiness to facilitate the move to digitalisation.

Here in part 2, we look at decarbonisation and cyber security. What might shipping companies do to prepare for, and comply with, the regulatory requirements on the horizon?

Digitalisation will ultimately create a two-tier shipping market, divided into those owners and operators who have the best access to the latest information and those who do not.

The difference between this relatively recent position and the days of employing simple but effective means of checking vessel arrivals or departures or bidding for cargoes is that almost anyone who wants to, can pay to access the data on vessel positions, port traffic, weather or other information.

This matters too because in the space of a little over a decade, new targets on environmental efficiency will force the industry to adopt new working practices. Most critically this includes new fuels as the means of complying with IMO targets on the reduction of carbon intensity on a vessel by vessel basis.

Collection, analysis and interpretation of every bit of data from ship systems at that point becomes critical – potentially the difference between success or failure to comply. The data that ships produce on their emissions will be reported automatically and this data will inform not just regulations but market measures, including the cost at which lenders make capital available to shipping companies.

Cyber Critical Systems

New technology and the need for sustainability are two fundamental forces acting on the maritime industry; the other is security of the IT networks on which both rely. The IMO has adopted cyber-security related amendments to the International Safety Management Code (ISM Code) while the tanker sector has already made similar requirements part of Tanker Management Safety Assessment (TMSA) version 3.

While the first represents mandatory regulation, the second is a ‘licence to operate’ for owners carrying hazardous cargoes. The ISM Code will require demonstration that action has been taken to address cyber security, TMSA will require shipowners to demonstrate that they have the latest available IT operating system and other software updates as well as specific security patches either as part of a Port State Control inspection or in pre-qualifying a vessel to carry cargo.

The industry’s largest, long term players are likely to already meet these requirements but for an operator with limited IT outfit, they present an unwelcome burden. For one with a sophisticated network encompassing IT and OT, it presents an additional series of tasks for crew unless it can be managed with a minimum of additional administration.

Compliance with voluntary cyber security guidelines until now have tended to succeed or fail on the basis of the human element, relying on an intention to do the right thing. It is precisely this lack of transparency over how the tasks are performed and the updates recorded that the regulation seeks to change.

Marlink estimates that at least 50% of software updates are still performed by the collection of physical media such as a CD for manual update with the balance performed ‘over the air’ and automatically applied.

Supporting the change

Marlink realised some years ago that as maritime connectivity continued to improve, so shipowner needs would shift towards deeper relationships with partners who could support their digitalisation and decarbonisation strategies and provide them with integrated compliance solutions.

At the heart of our digital enablement strategy is ITLink, which allows shipping companies to develop, test and deploy IT solutions fleetwide. This can extend from operating system patches or upgrades to applications and even complete ERP systems. Marlink is enabling owners to transfer these tasks away from crew towards specialists onshore who can develop and implement the programs they need, test them for robustness and share them across a fleet with a single click.

When it comes to IMO2021 compliance, that means crew no longer have to worry about proving their systems have the latest updates; ITLink’s intuitive dashboard provides inspectors with single view of system status. In addition, Marlink’s CyberGuard portfolio provides a range of solutions to further protect vessels from cyber threats and ensure compliance.

Unlike some asset management application providers, Marlink believes the data from these shipboard systems is the property of the shipowner and the enhanced visibility of asset condition is something that they should be able to act on knowing the data is secure and confidential.

Finally, our use of advanced cloud technology enables the transfer of data with far higher compression and greater efficiency, offering an intriguing glimpse into where the industry is going in terms of access to data and navigation content for ships.

This means a greater number of maritime information vendors can digitalise their products and improve access by mariners to high quality data and applications. This enables services like ITLink to provide ‘over the air’ security and other updates and offers the potential to provide further applications and digital content for safety, operations and route optimisation.

The future is here

Regardless of short term shocks and disruptions, the course ahead for the shipping industry is set.

In the medium term, as owners engage with more complex IT network requirements, they will be able to enjoy expanded access to cloud-based applications and storage, increasing asset connectivity and bringing ‘virtual’ systems and applications onboard.

The ability of shoreside personnel to maintain and troubleshoot IT networks and to provide crew with the tools they need to demonstrate cyber resilience and compliance means that seafarers can concentrate on safe operations rather than be distracted by technology.

As the long term trend sees the cost of IT capex, opex and compliance fall over time, the resulting gains; in terms of improved voyage performance and vessel efficiency, will combine to improve shipping’s environmental profile, moving the industry towards its goal of digitalised, decarbonised and cyber-secure operations.

Read part 1 of this blog here

In August, the Tahlequah Main Street Association began accepting submissions for the Big Idea, which will provide a grant up to $5,000 for the best project idea to enhance Tahlequah.

The Big Idea is a microgrant funded by TMSA’s reinvestment funds. The Big Idea consists of three phases: gathering Big Idea submissions, selecting a winner from chosen finalists, and implementing the winning idea.

“It’s to aid in the revitalization and beautify our downtown area,” said TMSA director Jamie Hale. “Submissions have begun, but anyone with an idea for our downtown can enter it by the Sept. 4 deadline with our online tool on our website.”

According to TMSA, to complete the application, one needs a detailed description of the Big Idea; an estimated cost with supporting documentation; and an estimated timeline to complete the project. If a Big Idea is chosen, the applicant must see that the project is completed.

Finalists will be narrowed to three to five individuals, who will be notified in September that they’ve been selected. Upon selection, finalists will meet with a TMSA representative to review the work plan for their Big Idea and TMSA will assist each submission in creating a video showcasing the project.

“We are very excited to announce that this year’s event will be held virtually. Attendees will watch each finalist’s video and vote online for their most favorite idea for downtown Tahlequah,” said Hale. “Once all the votes are cast, we will determine the 2020 Big Idea winner.”

Eligible projects must align with the TMSA mission to revitalize downtown Tahlequah and strengthen it as the heart of the city. Projects must be able to be completed by June 2021.

Past Big Idea winners have included building facade rehabilitation and the addition of murals throughout the corridor.

“We applied for the Big Idea 2020 because we thought we could help make a difference with the beautification of downtown. Murals can help to bring people in,” said ALL Designs owner and 2020 Big Idea winner Amanda Lamberson. “Maybe they will visit a new store for the first time after taking a picture. Maybe a picture they post will entice a friend to come visit a new store, or maybe it’s simply grandparents in another state will have a new picture of their grandkid to see.”

The three murals were placed on the buildings of Lift Coffee Bar, the Phoenix Professional Building, and Sand Tech.

“We participated in the event as a new business to help promote our brand. We also presented our idea to add to the growing street art scene in Tahlequah,” said Lift co-owner Justin Guile. “Our investment in the building and the art has transformed the corner of Muskogee and Downing. We appreciate all those who voted for us to win the Big Idea and voted us Best Coffee Shop in our first year in business.”

Grant Lloyd, local attorney and owner of Phoenix Professional building, said the murals added a “unique vibrancy to downtown Tahlequah.”

“We wanted to offer a snapshot of the heart of our town on one of our buildings,” said Lloyd.

Addie Wyont with Sand Tech said interactive art helps to draw people into the community to take pictures, shop, and help all downtown businesses with foot traffic.

“We love our mural, and so many people from in town and outside of Tahlequah have come to take pictures,” Wyont said. “The Big Idea is so helpful to our small businesses that would like to upgrade their facade, ideas or more. The $5,000 grant can go a very long way.”

Applications can be submitted by community organizations, business owners, building owners, or individual community members.

For more information on this event and others provided to Tahlequah by TMSA, visit www.tahlequahmainstreet.com. To submit an idea, go to https://form.jotform.com/202086696340053.

As announced on 24 June 2020 key elements of the European Barge Inspection Scheme (EBIS) will transition to OCIMF’s SIRE programme from 1 January 2021. This will create a single barge inspection scheme within Europe.

To oversee the smooth transfer of EBIS into SIRE, the OCIMF/EBIS Transition Taskforce has been established, which includes members of the EBIS Board of Directors, OCIMF Members and secretariat. The first meeting of the taskforce was hosted remotely on 13 August 2020. Representatives of the wider European inland barge industry will be invited to future meetings.

OCIMF/EBIS Transition Taskforce will coordinate all activity relating to the transition of key elements of EBIS, including the EBIS vessel questionnaire templates – technical information templates currently in development by EBIS, Version 9. The Taskforce will also provide oversight on all work relating to:

• Integrating EBIS member applications to become SIRE programme recipients.
• Supporting accredited EBIS Inspectors looking to attain SIRE Cat 3 accreditation for the European region following application and completion of a training course.
• Assisting vessel Owners and Operators in transferring their fleet’s EBIS technical information into the SIRE database.

Over the course of the transition period, training courses and webinars will be hosted by the OCIMF/EBIS Transition Taskforce to support OCIMF member companies, existing EBIS member companies, accredited EBIS and SIRE Inspectors as well as vessel Owners and Operators. Details of the training courses and webinars will follow in due course.

Should you have any queries or require support, please contact Matthew Graham, Barge Advisor, matthew.graham@ocimf.org