Companies need to be identifying and safeguarding against maritime cyber risks now to be ready for the first annual verification of the Company’s Document of Compliance after 1 January 2021.
The guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities and include functional elements that support effective cyber risk management. The recommendations can be incorporated into existing risk management processes and are complementary to the safety and security management practices already established by IMO.
The Maritime Safety Committee adopted Resolution MSC.428(98) - Maritime Cyber Risk Management in Safety Management Systems. The resolution encourages Administrations to ensure that cyber risks are appropriately addressed in existing safety management systems required by the International Safety Management (ISM) Code no later than the first annual verification of the Company's Document of Compliance after 1 January 2021.
Cyber Risks within Maritime Environments
Cyber risks in the maritime environment are intrinsically linked to people, processes and the IT/OT used on ships and offshore installations and in your premises ashore can impact your organisation in many ways. As well as the more traditional confidentiality, integrity and availability (CIA triad) impacts, safety and pollution prevention are the overriding factor on ships operating in the maritime environment.
Figure 1 – Asset values using CIA Triad + Safety
The shipping industry has been managing safety and pollution risks in accordance with the ISM Code since 1998. However, bringing cyber risks into play can often be challenging as they are usually harder to quantify, understand and relate to the physical world around.
Some lessons can be brought across from other industries, and frameworks such as NIST are very helpful in aligning thinking and practice to cyber risk management. But there are unique considerations that need to be factored in when applying a robust risk management process to cyber risks within marine and offshore industries.
- Ships move. The locations they are in change and therefore the risks faced change. In some areas they may have internet connectivity through shore based networks, in others via satellite, in others none at all. The impact from Global Navigation Satellite System spoofing will depend on the routes taken.
- Cargo may change. What a ship is carrying will change the expected impact of any cyber risk being realized.
- Crews may change. A crew taken on-board in one region may present different risks, in part due to differing levels of understanding of cyber risks and different levels of use of IT, including social media.
- Networked environments are built around IT and OT systems. It may seem obvious, but how these systems are linked and operated will change the potential impacts significantly and could act as a threat vector.
- Route choice. Where ships sail can be impacted by political tensions and events.
- Adoption of technology. The potential for automation, integration and cloud/shore based services to enhance the performance of ships and offshore installations brings the potential for “always on” connectivity to on-board systems. The adoption of these technologies will challenge the traditional perception of the attack surface available for cyber threats.
- Legacy systems. Ships are built with a long lifespan. Land based sectors can update, change and install new technology quickly and implement patching and other basic controls on a daily basis. Delivering this on-board a ship that is only in dry dock maintenance at fixed periods can be a real challenge. In addition, ships often have systems which have embedded software that cannot be updated or upgraded. Managing cyber risks means moving away from the idea that a system is on the ship for life, and that it can continue to be used as part of a network even if it is unsupported or outdated.
IMO & Maritime Cyber Risk Management Guidance
The IMO has published guidelines for maritime cyber risk management and recommend that stakeholders need to take the necessary steps to safeguard shipping from current and emerging threats and vulnerabilities relating to the digitisation, integration and automation of processes and systems in shipping.
The IMO sets out the goal of maritime cyber risk management as being:
To support safe and secure shipping, which is operationally resilient to cyber risks.
The key recommendations from the IMO include:
- Effective cyber risk management should start at the senior management level and should embed a culture of cyber risk awareness into all levels of the organisation.
- A risk based approach should be adopted with a comprehensive assessment to compare an organisation's current, and desired, cyber risk management postures. Such a comparison may reveal gaps that can be addressed to achieve risk management objectives through a prioritised cyber risk management plan.
- The 5 NIST Cyber Security Framework domains should be considered as part of the response to the risk management review (Identify, Protect, Detect, Respond and Recover).
- All operational systems should be included and the process and effectiveness reviewed regularly.
- A plan to communicate awareness throughout the organisation should be implemented.
The Guidelines also identify particular systems that should be considered:
- Bridge systems
- Cargo handling and management systems
- Propulsion and machinery management and power control systems
- Access control systems
- Passenger servicing and management systems
- Passenger facing public networks
- Administrative and crew welfare systems
- Communication systems
The IMO is not prescriptive in how these recommendations should be implemented, but refers to best practice from NIST, industry organisations and ISO/IEC 27001 as sources of additional guidance and standards.
The Guidance is not mandatory, but captures an overall approach which Companies should take into account when addressing maritime cyber risks within safety management systems (SMS) required by the International Safety Management (ISM) Code. The Guidance also applies to other stakeholders in the maritime industry that interface with ships and shipping. The purpose of the Guidelines is to promote safe and secure shipping; not just safe and secure ships.
IMO & Maritime Cyber Risk Management Requirements
In order to comply with the requirements of the ISM Code, every Company should develop, implement and maintain a SMS. The SMS should embrace the objectives of the Code to ensure safe ship operations and prevention of pollution.
The adoption by the IMO of resolution MSC. 428(98) in June 2017 means that Companies are required to specifically evaluate their cyber risk exposure when continuously improving their SMS, establishing necessary organization, procedural and technical measures to ensure safe ship operations and prevention of pollution. This resolution:
- AFFIRMS that an approved safety management system should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code.
- ENCOURAGES administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 2021.
- ACKNOWLEDGES the necessary precautions that could be needed to preserve the confidentiality of certain aspects of cyber risk management.
- REQUESTS member states to bring this resolution to the attention of all stakeholders.
To support safe and secure shipping requires all Companies and organisations that interface with the shipping industry to manage their maritime cyber risk exposure, taking into account the particular characteristics of their activities at sea, in ports or ashore providing services and equipment to the industry. For further details on how Nettitude and LR can help in your specific sector, please contact us or visit our website to learn more about how we can help Marine and Offshore organisations protect themselves from cyber risks.