Maritime Cybersecurity Guidelines: Dissecting the Alphabet Soup


The world of maritime cybersecurity is relatively new, and there’s an increasing amount of information on this topic in the maritime media. In fact, Pacific Maritime Magazine has included a bi-monthly column focused on this topic to help readers better understand why cybersecurity is important to the trade and to offer some references and guidance to readers when they wish to learn more about cybersecurity for their ships and ports.

In the area of international cybersecurity guidelines, there are several entities producing detailed cybersecurity recommendations that ship owners are expected to observe. These organizations include the International Maritime Organization (IMO), International Association of Classification Societies (IACS) and the collective group of 16 shipping organizations that published the Guidelines on Cybersecurity Onboard Ships.

This column offers a route for the reader to better understand these organizations and their purpose in the realm of maritime cybersecurity. This information can help ship operators and owners access some readily usable tools to help build a security program and improve their shipboard cybersecurity posture.

International Maritime Organization

The IMO is a specialized agency of the United Nations responsible for regulating shipping. The IMO was technically established in 1948 and held its first meeting in 1959. IMO is headquartered in London and has about 175 member states.

IMO’s primary purpose is to develop, promulgate and maintain a regulatory framework for global shipping focused on such key issues as maritime safety, environmental and climate change concerns, legal topics, security and the efficiency of shipping.

Historically, computer controls on ships were more analog than digital, but in 2017 IMO and its Maritime Safety Committee recognized that maritime cybersecurity was becoming a seminal issue. The IMO then issued “Guidelines on Maritime Cyber Risk Management” (MSC-FAL.1/Circ.3, 5 July 2017) to provide high-level recommendations on maritime cyber risk management to shipping. The guidelines offered information on topics that support effective cyber risk management.

IMO defines maritime cyber risk as a measure of the extent to which a technology asset (think information and operational technology) is threatened by a potential circumstance or event which may result in operational, safety or security failures because of systems being corrupted, lost, or compromised.

The IMO Guidelines have suggested that the following shipboard systems are vulnerable to cyberattack and/or compromise:

  • Bridge systems
  • Cargo-handling and management systems
  • Propulsion and machinery management and power-control systems
  • Access control systems
  • Passenger servicing and management systems
  • Passenger-facing public networks
  • Administrative and crew welfare systems, and
  • Communication systems.

IMO states that its guidelines are primarily intended for all organizations in the shipping industry and are recommendations. However, IMO Resolution MSC.428(98), adopted in June 2017, specifically “encourages” ship owners and operators to ensure that cyber risks are appropriately addressed in Safety Management Systems (SMS) no later than the first annual verification of the company’s Document of Compliance after Jan. 1, 2021.

The IMO Guidelines (we will cover them further later in this column) are only four pages long and rather shallow in specifics; however, they do recommend:

  • Guidelines on Cyber Security Onboard Ships by the Baltic and International Maritime Council (BIMCO), et al;
  • ISO/IEC 27001 Standard on Information Technology, by the International Organization for Standardization and the International Electrotechnical Commission, and
  • The U.S. National Institute of Standards and Technology (NIST) Cyber Security Framework.

Also, it is important to note that the IMO views it as the ship owner/manager’s responsibility to identify, protect, detect, respond to and recover from cyberattacks through adequate cyber security planning that can be audited as part of the ship’s SMS.

International Association of Classification Societies

IACS is a not-for-profit membership organization establishing minimum technical standards and requirements addressing maritime safety and environmental protection. It offers technical support, compliance verification and research and development. According to IACS, more than 90% of the world’s cargo-carrying tonnage is covered by its 11 member societies. Since 1969, IACS has been recognized as the principal technical adviser to the International Maritime Organization.

Because of the strong demand in the shipping industry for cybersecurity guidance, and because of the 2017 IMO resolution requiring cyber risks be addressed in Safety Management Systems, the IACS Cyber Systems Panel and the Joint Industry Working Group on Cyber Systems (JWG/CS) prepared Recommendation on Cyber Resilience No. 166 in July 2020.

Recommendation No. 166 is 57 pages and includes eight sections and three appendices. Annex A, entitled “Guidance on Operational Aspects Addressed in Recommendations,” is particularly helpful to the ship owner/operator since it lists assumptions and expectations of procedures and operational aspects.

The recommendation applies to onboard OT systems and systems connected to OT in a way that may affect their operation. It also applies to equipment and systems that may have an impact on human safety, the safety of the vessel or safety of the marine environment as identified by SOLAS and the International Convention for the Prevention of Pollution from Ships (MARPOL). The IACS recommendation applies to newbuild ships only, yet can serve as guidance for existing ships.

The recommendation includes the following sections for the ship owner/operator when building their cybersecurity program and SMS documentation:

  • Reference guidelines and standards
  • Terms and definitions
  • Goals for design and construction
  • Functional requirements
  • Technical requirements
  • Verification testing
  • Appendix A: Detailed list of standards
  • Appendix B: Documents referred to in the recommendation, and
  • Appendix C: Mapping of sub goals to technical and verification requirements.

Again, this particular document can be a very useful guide when developing your ship’s—as well as corporate—cybersecurity program, policies and procedures.

Guidelines on Cybersecurity Onboard Ships

This was produced and supported by BIMCO, the Digital Containership Association, INTERCARGO, INTERTANKO, International Chamber of Shipping, the World Shipping Council, Maersk and nine other shipping-related industry organizations. This document is a “textbook” on how to build a cyber risk management program.

It is a fairly easy read and offers a perspective on how cyber risks should be managed in a shipping environment. The reader can learn about the risk assessment process, and it highlights the importance of evaluating threats, vulnerabilities and the likelihood of an event on cyber assets. The document also offers advice on how to respond to and recover from cyber incidents.

The guideline offers useful and important information on the role of senior management in the cyber security program. It is important to recognize that cyber risks can evolve from technical problems into business and reputational challenges requiring senior leadership’s involvement. It also offers some excellent questions on page 6 to be used as a basis for informing and involving senior management about the importance of addressing cyber risks onboard ships.

Summary

You have now been exposed to the maritime security alphabet soup—IMO, IACS, SMS, SOLAS, etc., plus some of the documents you can rely on to set up your cybersecurity program, policies and procedures. Besides being aware of IMO and IACS requirements, you may find your time well spent on studying the Guidelines on Cybersecurity Onboard Ships. However, this is not the complete list, only the “starter.”

Overall, it is in your and your company’s best interest to at least be familiar with these requirements and guidelines and ensure your designated cybersecurity leaders have these “on the shelf” for immediate reference and use.

Your work is just beginning, and as cyberattacks evolve, you can expect more changes to these guidelines.

Ernie Hayden’s background includes management and technical roles focused on cyber and physical security since the tragedy of 9/11. He was previously a U.S. Navy Nuclear and Surface Warfare Officer, and has published a book entitled Critical Infrastructure Risk Assessment—The Definitive Threat Identification and Threat Reduction Handbook, which was awarded the 2021 ASIS Security Book of the Year.