Maritime operations increasingly depend on interconnected computer and electronic systems, often connected to the internet. Satellite communications, navigation, cargo control, Global Positioning Systems (GPS) and Electronic Chart Display and Information Systems (ECDIS) are some of the operations and equipment that rely on this technology. Big data, the Internet of Things and the latest technological developments are already affecting the maritime industry.
Alongside the advantages of this technology, such as faster communication and automated operations, come the cybersecurity threats that accompany interconnected systems, leading to increased cybersecurity risks for ships and shipping companies. And even though until now most reported cyber-attacks have aimed at access to, loss of or leakage of corporate data, research and penetration tests have shown that cyber-attacks can result in the manipulation of a ship’s navigation or cargo control systems, with a major impact on crew safety and normal ship operations.
Recognizing the need to protect the maritime industry and address cyber-risks, the IMO, in line with the recommendations in MSC-FAL.1/Circ.3 “Guidelines on maritime cyber risk management”, makes cyber-risk management onboard ships mandatory as of 1 January 2021. During the past year, the OCIMF’s TMSA Version 3 cybersecurity vetting requirements and the EU General Data Protection Regulation (GDPR) “forced” shipping companies to address cybersecurity issues. However, the maritime industry still has a long way to go in order to achieve compliance by 2021.
2020 is expected to be the “cybersecurity year” for the maritime industry, as shipping companies will need to take action to address all compliance requirements. A holistic risk-based approach is proposed, which should include the following steps:
- Raise awareness by providing cybersecurity training to both seafarers and office personnel. Research has shown that 80% of threats stem from user ignorance, unintentional errors and careless behavior. Recognizing that users are the first line of defense and at the same time the weakest link, shipping companies need to invest in and focus on user training.
- Conduct an assessment and technical review of IT and OT systems against the best practices described in the BIMCO “Guidelines on Cyber Security Onboard Ships”, ISO 27001:2013 standard on Information Security and the NIST Framework. This way shipping companies can establish a Cybersecurity Compliance Plan, which will cover all required organizational and technical controls. Organizational controls set the framework ensuring the continuous improvement of the company’s cybersecurity level, while technical controls include firewalls, antivirus, network segmentation, patch management and systems hardening.
- Conduct a Cybersecurity Risk Assessment, based on international methodologies such as ISO 27005:2011, ISO 31000:2009 and NIST SP 800-30, in order to identify threats to and vulnerabilities of assets, establish a cyber-risk register, quantify risks and prepare a treatment plan.
- Define strategic Cybersecurity objectives, aligned with business objectives.
- Develop a Cybersecurity Management System in order to detect in a timely manner, and effectively treat, cyber-risks related to the operation of the company and its ships as well as the safety of the crew. The Cybersecurity Management System should be aligned with the existing security and safety management requirements contained in the ISPS and ISM codes.
This roadmap can lead to the company’s certification according to ISO 27001:2013, ensuring the confidentiality, integrity and availability of the company’s information and data streams. This certification is explicitly stated in MSC-FAL.1/Circ.3 as a means of demonstrating top management’s commitment to the implementation of cybersecurity best practices.
*For more information on the roadmap to compliance please call 210-2509900, Mrs Lilly Mylona