In response to what is a very modern threat, in January 2016 the Baltic and International Maritime Council (BIMCO) issued guidelines on cyber security on-board ships.
The guidelines recognise that information technology (IT) and operational technology (OT) are more frequently being networked together and are usually connected to the internet, attracting a potential threat from both untargeted and targeted attacks.
There is an ever-greater dependence on electronic systems and computers on-board ships, not only on the bridge but also in areas such as cargo management, communication systems, propulsion controls and crew welfare. Corporate bodies are already aware of the risks to their information security, but increasing dependence on modern technology and connectivity creates ever-greater vulnerability to attack at a ship-specific level.
The guidelines are intended to be read in conjunction with existing security and safety risk management requirements in the ISM and ISPS Codes; key threats identified include those from activists or disgruntled employees, criminals, opportunists, states and terrorists who may have disruptive, financial, political or simply opportunistic motivations.
The measures covered in the guidelines to lower cyber security risk include:
- how to raise awareness of the safety, security and commercial risks for shipping companies if no cyber security measures are in place;
- how to protect shipboard IT and OT infrastructure and connected equipment;
- how to manage users, ensuring appropriate access to necessary information;
- how to protect data used on board ships, according to the level of sensitivity;
- how to authorise administrator privileges for users, including during maintenance and support on-board or via remote link; and
- how to protect data being communicated between ship and shore side.
Whilst the guidelines are indeed only guidelines, as cyber-attacks become an increasing threat consideration will need to be given to what provisions need to be included in charterparties and other operational contracts to impose maintenance and protection obligations in relation to digital systems that form part of the ship’s infrastructure.
A link to the full guidelines can be found here.