- Keywords: Technical, Maritime
Cyber security is a complex subject and, sadly, cannot be fixed simply by purchasing a “magic box”. Neither can it be qualified in one single index or grade of security/risk. For illustrational purposes, cyber security can be divided into three categories: People, Technology and Processes. Each category is equally important and needs to be addressed on a continuous basis for your company to be(come) safer. Indeed, trying to solve the problem by working with only one or two of the categories will be much more expensive than working with all three of them for the same level of security/safety improvement. With that said, some attention to one or more of the categories is a lot better than no attention.
People make mistakes, and in many of the cases where hackers have breached company defence mechanisms, employees or colleagues are the point of entry. What we often see when we are asked to help our customers assess and test their cyber security is that the impact from small mistakes made by crew or employees is bigger than our customers are aware of. The everyday actions of employees and not just some remote criminal hackers present one of the greatest risks to your organization and your customers.
The commitment of your people to protect your organization is a critical component of a strong cyber resilience. In other words, focus on the human aspects of your organization – on developing a positive security culture and attitudes, evident in the actions ashore and on board, and which is practiced by walk-the-talk management. Hence, when working with cyber security in your company, raising cyber security awareness among your staff is probably the most effective prevention.
Technology is becoming increasingly complex, also for the maritime industry. Today’s vessels are no longer composed of several stand-alone control systems. Rather, the systems are all connected, dependent on each other and constantly online. Changes to requirements and continuous software upgrades are contributing to making the security of technology more difficult (and expensive). Still, it is of great importance that the technology side of things is also included in your cyber security strategy (keywords: network segregation, hardening, anti-virus, software patching, etc.).
Most companies today have a good overview of their assets, and they have processes in place for maintaining their systems, but how much attention do you pay to your systems’ cyber risks?
The link between people and technology is processes. IMO has given ship owners and managers until 1 January 2021 to incorporate cyber risk management into their Safety Management System (SMS) or else ships risk being detained by port state control.
On a general basis, we observe that processes are not in place, or what is in place is not enough to give proper guidance in the day-to-day operation or, worse, in case of cyber security events.
Developing procedures to cover cyber security in addition to those already in place for operations, maintenance and safety would seem like yet another paper mill, but it is vital for you company’s safety. We advise you to keep the procedures straightforward with uncomplicated language and make people understand why they are necessary. Furthermore, we recommend you integrate cyber security-related policies, processes and procedures into the present SMS and Planned Maintenance System on vessels, rather than creating independent documents and tools.
10 simple steps to become more cyber-resilient
- Think before you click on links and attachments.
- Protect your passwords.
- Make sure external drives and USBs are clean.
- Be aware when third parties enter your location, systems or data.
- Never connect personal items to the ship/company-critical systems.
- Never use external Wi-Fi for company emails or downloads unless protected by VPN.
- Learn how to install and use two-step authentications.
- Plan for the unknown – learn how to back up and restore.
- Always report errors and mistakes.
- Educate yourself on cyber risks and how it affects your workplace, colleagues and you personally.
Our main concern, as seen from a class perspective, is the lack of awareness when it comes to putting these three elements together. For example, you will not have good safety if you focus solely on making the technology bulletproof and your crew then finds the processes hard to follow or even inadequate.
DNV GL has summarized all these best practices in a video which is freely available for you on our website The video has been produced together with the insurance company GARD and is a great means to enhance awareness and build best practices on board and ashore. We recommend all companies to use the video and supporting materials in their efforts to prevent any cyber-related incidents in future.
- Cyber security awareness video: dnvgl.com/csvideo
- Maritime cyber security services and solutions
- Recommended practice: Cyber security resilience management
- Maritime Cyber Security Awareness E-learning
- DNV GL cyber security class notation (from 1 July 2018)
Email us at email@example.com
EU MRV and IMO DCS - some practical recommendations
This technical news contains some recommendations relevant to both EU MRV and IMO DCS.
Prepare for the Global Sulphur Cap 2020 with the IMO Ship Implementation Plan
The IMO has agreed on 1 January 2020 as the date for switching to 0.50% sulphur fuel globally. Now, as ship owners face the daunting task of preparing for the fuel oil switch, proper planning is essential. The IMO Guidance for developing a Ship Implementation Plan (SIP) is a useful tool, and described further in this technical news.
Survey by remote inspection techniques - use of approved service suppliers
The use of remote inspection techniques (RIT) is increasing. Today, drones, climbers, or robot arms, can be used as an alternative to close-up surveys in both the DNV GL rules and IACS Unified Requirements. RIT may significantly reduce the survey time and costs, while improving the safety of surveyors and the owner’s personnel. From 1 January 2019, DNV GL has approved the use of service suppliers for RIT. This technical news explains how RIT can be used and how suppliers can achieve DNV GL approval.
IMO requirements July 2018 to May 2021
This statutory news summarizes the most important IMO requirements entering into force from 1 July 2018 up to and including 31 May 2021.
Outcome of the IMO SSE 6 meeting - from habitable life boat environments to Ro-Ro deck fires
The IMO sub-committee on Ship Systems and Equipment (SSE) met in London on 4–8 March 2019. This statutory news summarizes the main topics discussed, such as, life-saving appliances, fire safety of Ro-Ro passenger ships, and on-board lifting appliances. All agreements made at the meeting are subject to final approval by MSC 101 in June 2019.
Recommissioning of laid-up ships and mobile offshore units - how to avoid surprises
When the market moves back from a downturn, vessels are leaving the lay-up buoys and the focus shifts from preservation to recommissioning. DNV GL has accumulated its best practices into a revised Recommended Practice (RP) containing a new approach for assurance of non-class equipment and systems during recommissioning.
Sulphur limit in ECAs - increased risk of PSC deficiencies and detentions
DNV GL keeps customers and other stakeholders updated on various aspects of the global 2020 sulphur cap and its implications for maritime shipping. While the global cap of 0.5% is just around the corner – entering into force on 1 January 2020 – this PSC news focuses on existing emission control areas (ECAs) with a 0.10% sulphur limit and the role of port state control (PSC) inspections.
2020 sulphur update - outcome of the IMO PPR 6 meeting
The MEPC sub-committee on Pollution Prevention and Response (PPR) met at the IMO in London, 18-22 February 2019. Top of the agenda was the consistent implementation of the 0.50% sulphur limit under MARPOL Annex VI, in force from 1 January 2020. This statutory news contains a summary of topics related to sulphur and the implementation of the 2020 sulphur cap. Items agreed at the meeting are subject to final approval/adoption at MEPC 74 in May 2019.