Written by Geir Inge | 25 April 2019
In an industry that is increasingly reliant on automation and remote monitoring, the need for robust cyber risk management of critical systems and assets on ships has never been more acute.
The International Maritime Organization (IMO) has issued MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management, in which it lays down the law: ship owners and managers are given until 1 January 2021 to include cybersecurity as part of their ISM Code safety management.
As the global maritime community is faced with the somber prospect of having ships detained if they fail to comply with the new IMO rules, cybersecurity is a hot topic dominating the industry headlines.
IMO states that ships have to be cybersecure. What, exactly, does “cybersecure” look like in practical operation? A growing number of lengthy guidelines are being published, designed to assist companies in formulating their own approaches to cyber risk management onboard ships.
But few of these guidelines offer guidance in plain English, potentially losing both senior management and crew members.
Besides, the cybersecurity guidelines say nothing about how you can determine when your onboard cyber systems are actually secure, or how you can prove it to industry stakeholders. In BIMCO’s own words: “The advice and information given in [the guidelines] is intended purely as guidance to be used at the user’s own risk”.
So where should you start to address cybersecurity and make your fleet IMO compliant?
Implementing robust cybersecurity measures onboard ships requires a ‘total systems’ approach. Cybersecurity needs to be multi-layered, where malware and unwanted data traffic are blocked starting at the DNS level.
Cybersecurity is not just about technical aspects, though. You need to take into account all the different systems on board. How are they designed and installed, how do they connect, and how will they be managed?
What critical shipboard systems might be connected to uncontrolled networks or directly to the internet?
BIMCO’s Guidelines on Cyber Security Onboard Ships states that shipping companies need to have a cybersecurity management plan in place on their ships. Performing a risk assessment on all onboard systems and procedures – to map their robustness – is a crucial part of any effective risk management plan.
You need to know what devices you have onboard, and their vulnerabilities. Then you need to understand the impact on operations, assets, etc. if those vulnerabilities are exploited and you suffer unauthorised access, loss of integrity, or loss of availability.
And crucially, how do you respond to and recover from cybersecurity incidents? This means you need to establish incident response plans that can be deployed quickly and effectively.
When all this is thoroughly documented, it’s time to implement practical and robust technical protection measures to safeguard your vessel IT environment.
How do you best protect against cyber events and ensure continuity of your operations?
With an easy-to-implement system that protects your vessels and their onboard IT systems even before an attack occurs, your entire fleet stays connected – without compromising security and safety.
Geir Inge Jensen is the IT Operations Manager at Dualog. Adding over 20 years of experience in network design and cyber security, Geir Inge is passionate about developing solutions and services that help shipping companies create a more cyber-resilient environment onboard their vessels. When he is not fighting maritime cybercrime, you can find him in the mountains enjoying the great outdoors with his camera in hand.