07 Feb
Cyber Security in SMS

Upcoming Legislation

As we accelerate our path towards digitalization, IMO issued Resolution MSC.428(98) as a response to the several cyber attacks occurred and to address cyber security within shipping. The Resolution sets the legislation frame for cyber security, requiring “cyber risks to be appropriately addressed in Safety Management Systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021”.To assist with its implementation, IMO issued MSC-FAL.1/Circ.3, entitled “Guidelines on Maritime Cyber Risk Management”, to provide the required guidance on how a Company should respond to MSC. 428 (98), with reference to the following:

  1. Guidelines on Cyber Security Onboard Ships issued by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI.
  2. ISO/IEC 27001 standard on Information technology
  3. United States National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework).

Key Items to be addressed

Safety Management System is the key document of every shipping company, explaining how to conduct safe operations, based on the ISM code and the required policies for safe operations, protection of people, ship, cargo and environment. In essence, SMS are dynamic systems, meaning that they need to adapt to new requirements and address current needs and possible risks.Addressing cyber risks in Safety Management System, requires additional focus, a new approach and more interaction between company and vessels. The real focus point of the system is to achieve the protection of Company (office) and onboard installed systems from cyber threats (of any kind). The aim is to have specific procedures in place and a cyber security culture to minimize the possibility of being attacked or affected by an attack. Additionally, operators can create response technics to overcome challenges from a cyber attack, ensuring continuity of operations.The new IMO requirements can either addressed as a stand-alone system (Cyber Security Management Plan as part of existing SMS) or a revised SMS which will incorporate all required steps.

Steps required

  1. Set the policy for cyber security. This is the base of cyber structure. It is a declaration of Company’s setting targets and main actions for cyber security. It may cover additional items (like General Data protection) as all such items are related.
  2. Conduct a thorough assessment both in office and on-board ships, in order to identify related systems that may be subject to cyber threat. Systems are to be identified, listed, prioritized on vulnerability as critical or not. All systems should be approved to be used for specific tasks. The supportive software should be authentic, updated and installed by competent personnel.
  3. Implement procedures for cyber policy. The procedures should include the actions for everyone related to above identified systems, setting the privileges, the authority levels and specific actions (in form Dos and Don’ts) for each position. Procedures should include as minimum:
    1. Privileges and authority, including access level for each system
    2. Password instructions
    3. Removal media instructions
    4. Third party access to systems instructions (eg agents, constructors, system technicians, pilots, terminal personnel and any other individual or organization that requires to be granted access to shore or on board systems)
  4. Set an effective response system. The system should have immediate response actions, backup procedures, rectification procedures and alternative ways of conducting day to day routine in order to retain a flawless operation.
  5. As per shipping industry’s culture, all related incidents should be investigated, and lessons learnt and best practices to be used for avoiding similar issues in the future.
  6. Conduct periodical assessment of systems and procedures through audit / management review in order to check effectiveness.

Office/Ship interaction

It is highly recommended to follow the practice of ship shore drills with cyber scenarios. The Guidelines on Cyber Security Onboard Ships produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI, version 3.0 includes useful real life incidents that can be used as sample scenarios for such drills.Additionally as COVID-19 outbreak has altered operations, more and more Companies now use remote inspections and audits to monitor their managed vessels. These actions require procedures that can affectively produce monitoring results but simultaneously protect the systems used to conduct such operations.

Actions required

Ship Managers should:

  1. Revise existing SMS to include cyber risk management and related procedures
  2. Verify implementation of policies and procedures both ashore and on board
  3. Provide all required resources for equipment (hardware) and/or software upgrades in order to support procedures
  4. Provide ashore and on-board training to personnel for cyber threats/risks and best practices to address them.

Seafarers and Office personnel should:

  1. Follow the procedures and guidance on cyber risk management
  2. Do not use personal equipment on Company’s systems (ashore or onboard)
  3. Be aware of all risks and threats related to cyber
  4. Notify immediately authorized Company’s personnel for any suspicious or identified cyber issue in order to initiate response actions.