Cyber security has been a recurring theme in maritime publications and industry conferences over recent years. At one end of the spectrum are those who have dismissed it as the latest "millennium bug" whilst commentators at the other extreme raise the possibilities of malicious actors taking over vessel operations. Whatever your views on cyber security, the recent ransomware attack shows that the shipping industry is not immune and that issues of cyber security need to be taken seriously.
During the IMO Maritime Safety Committee's recent meeting in June 2017, the Committee adopted the recommendations included in Resolution MSC.428(98) on the implementation of cyber risk management. This means that ship owners and operators will now have to take into account cyber risk management in their safety management systems (SMS). The IMO Committee has also provided a timetable for these changes stating that a company SMS will need to ensure that cyber risks are appropriately addressed no later than the first annual verification of the company's Document of Compliance after 1 January 2021.
Over the last few years BIMCO has played a key role in researching the potential risks posed by the increasing technology onboard ships. This culminated in the first edition of their Guidelines on Cyber Security Onboard Ships (the Guidelines) which were published in January 2016. Yesterday BIMCO published Version 2.0 of the Guidelines which, like the first edition, are supported by the International Chamber of Shipping, Intertanko, Intercargo and the Cruise Lines International Association.
BIMCO represents 60% of the world's merchant fleet. In order to develop the original Guidelines, they worked with the US Coast Guard and the Liberian flag registry including giving maritime researchers access to some BIMCO members' vessels to investigate potential attacks. As with many other studies, the findings have shown significant potential for cyber disruption. The Guidelines are intended to provide assistance to shipowners and operators on how to risk assess their operations, identify the vulnerabilities in their systems and take steps to protect themselves. Rather than being a stand-alone document, they are complementary to existing regulations under the International Safety Management Code (ISM Code) and the International Ship and Port Facilities Security Code (ISPS Code).
BIMCO, quite rightly, stress that approaches to security will be company- and ship-specific, but should be guided by appropriate standards. The Guidelines focussed on six critical aspects of cyber security awareness namely:
- Identifying threats and understanding the cyber security threats to the ship
- Identifying vulnerabilities within the ship’s cyber security system
- Assessing risk exposure and the likelihood of being exploited by external threats
- Developing protection and detection measures in order to minimize impact
- Establishing contingency plans to reduce the threat’s impacts
- Responding to cyber security incidents
Version 2.0 builds on the existing Guidelines, seeking to align them with the IMO Guidelines, rather than attempting to re-write the original version. The updated sections include guidance on:
- How cyber safety (i.e. the loss of availability or integrity of safety critical data and operational technology) is as significant an issue as cyber security
- The need to control and monitor the ship to shore path of internet connections and an increased focus on the ship to shore interface
- Segregating networks onboard and preventing communication between controlled and uncontrolled networks
- Taking a 'defence in depth' approach by using multiple layers of protection measures to protect critical systems and data
- Considering the risk posed by visitors to vessels including authorities, technicians, agents and port officials
- How to ensure an 'Effective Response' including having a team of personnel and / or external experts in place to take the appropriate action
- The losses arising from a cyber incident and the need to ensure appropriate insurances are in place
Version 2.0 of the BIMCO Guidelines can now be considered the most comprehensive guidance for the shipping industry building on the knowledge and experience developed by BIMCO over the last eighteen months.
A word of caution however to the shipowners and operators who choose to ignore the ever increasing industry guidance. If a shipowners' systems are breached, and they cannot show that they acted with reasonable care in managing cyber risks and protecting their ships, then there is a risk that a vessel may be considered unseaworthy in breach of the contract of carriage. That may also have implications on any insurances in place. As the Secretary General of BIMCO, Angus Frew, recently stated "Ignorance is no longer an option as we are all rapidly realising."