Assessing cyber security risks is doubly imperative
Several flag states have given ship managers and owners until 1 January 2021 to make sure cyber risk is firmly integrated into their safety management systems. The related IMO rules apply to vessels in all segments, including tankers.
Risk management is fundamental to ensuring safe and secure ship operation. The practice was originally introduced to drive improvements in vessel systems and procedures in the physical domain, but a growing reliance on digital, automated and network-based systems in vessel operation means cyber risks must also be assessed.
IMO first addressed the subject in 2016 in the form of high-level guidelines issued as a circular (MSC.1-Circ.1526), which encouraged but stopped short of compelling owners to assess the vulnerability of information and digital control systems to cyber threats.
IMO toughens up on cyber security
Since then a spate of incidents – most notably the NotPetya ransomware attack on Maersk – have driven home the reality and magnitude of the problem and spurred industry associations such as BIMCO and DNV GL as well as a number of flag state authorities to produce best-practice guides and recommendations.
Then in June 2017, in a resolution adopted by the Maritime Safety Committee (MSC98), IMO recommended “that an approved safety management system should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code“. Many flag states have made that resolution mandatory for their vessels, which leaves affected ship owners with no other option than to address cyber risks through their safety management system (SMS).
Dealing with cyber security will be a daunting task for many shipping companies. However, tanker owners should be at an advantage thanks to TMSA3, which inserted cyber risk management into its list of vetting requirements. DNV GL Senior Cyber Security Advisor, Svante Einarsson, remarks: “Many tanker operators have carried out detailed risk analyses and made changes to digital infrastructure and procedures for using it ahead of TMSA3 coming into effect in January 2018. Even if the process is not yet complete, it should be well underway.”
Many tanker operators carried out detailed risk analyses and made changes to their digital infrastructure and procedures before TMSA3 took effect in January 2018.
Identifying and documenting cyber risks
Owners now have to make sure work done for TMSA is carried out across, and fully documented in, their SMS. “Auditors will be looking out for evidence when they come on board for their first ISM inspection in 2021”, says Einarsson.
In comparison to TMSA, ISM is somewhat less prescriptive. It does not, for example, provide a list of requirements – such as crew awareness training, response plan, patch management etc. – that can be ticked off. The onus is on owners to both define requirements and describe actions taken to meet them. It is supposed to encourage self-discovery.
The ISM Code requires: commitment from the top of the organization down; that procedures during normal operation and in emergency situations are documented; a methodology for conducting audits to ensure that these procedures are being adhered to; a designated person ashore to serve as a link between ship and shore staff and to check that the SMS is being implemented; and a process for identifying implementation gaps.
Tanker owners now have a double imperative to identify weaknesses and put safeguards and mitigations in place to minimize their exposure to cyber risk and, from a compliance perspective, to ensure these actions are properly documented.
Image copyright information
- donvictorio – Shutterstock