The International Maritime Organisation (IMO) has set out new requirements for cyber security systems. From 1 January 2021, cyber security will come under the ISM Code, which aims to provide an International Standard for the Safe Management and Operation of Ships.
The incorporation of cyber security into the International Safety Management Code makes it an essential aspect of risk management that ship owners and managers must take into account. A key aspect of the management of cyber risk is raising awareness of cybersecurity through specialist training.
There are various ways in that ships are vulnerable to cyberattack, from taking control of on-board satellite communications to exploiting vulnerabilities in access control networks. A vessel’s Information Technology (IT) and its Operational Technology (OT) can both be at risk, and the threat that cyberattack poses can impact on passengers, crew, shoreside facilities, as well as on owners.
And the implications of cybercrime can be long-reaching. There can be an immediate loss of revenue, for example, if hackers find their way into private information, but there are also issues such as reputational damage to consider too. There are also risks to personal safety, and even the potential for loss of life as a result of cyberattack enabling acts of Maritime Piracy.
From 1st January 2021, owners and managers will have to comply with industry best practice in assessing the vulnerabilities of their systems. In practical terms, this means risk assessing their IT, which includes both operating and communications systems.
But because cyberthreats can come from external sources, this also will cover all interactions with customers, suppliers, port operators and others. The new regulations apply to all commercially-operated vessels over 500 gross tonnage (GT). Potentially vulnerable systems on board vessels include:
Protecting vessels against cyberattacks is not simply a matter of compliance. While the 1st January is clearly a landmark date, what really matters is how individuals approach the threat. And nor is it only a technological issue. Although technology can offer degrees of protection against cybercrime, what makes the real difference is the human factor.
Seafarers, operational staff, and others involved in the port and maritime sector need to be up to speed on cyber risk, so that they can work proactively to protect their industry against it. Compliance generally deals with risks that are already known, but cyber criminals keep evolving their methods, just as digital technology itself keeps evolving.
On the other hand, a clear, risk-based strategy should equip crew and others with the skills they need to proactively identify potential risks, going beyond minimum requirements.
Robust cyber risk management requires dedicated training of all personnel involved. Fundamentally, this needs to focus on awareness, including a general knowledge of cyber threats, best practice for reducing risk and how to identify cyberattacks when they happen.
Then there is the whole management of cyber security, including how to develop a Cyber Security Assessment and Plan, and understanding what the most appropriate measures are for tackling these types of threat. It is also vital that the right roles and responsibilities are in place, along with clear processes.
Managing cyber security and cyber risk is an ongoing commitment, requiring that all those involved stay up to date with technological and regulatory developments.
Training can be an issue for the port and maritime sector. Typically, it is a challenge to co-ordinate face-to-face training sessions for seafarers, and, during the Covid-19 pandemic, classroom-based training is even more complex. The ideal solution is e-learning, through dedicated online courses. These overcome any access issues for individuals and enable them to learn and absorb skills highly effectively at their own pace.
For more details about our specialist e-learning courses, please telephone +44 (0) 161 763 4427, or fill in our contact form, and we’ll be back in touch as soon as possible.