A MANAGERIAL PERSPECTIVE vs 2021 IMO CYBER SAFETY REQUIREMENTS.
DON’T WAIT ANOTHER YEAR…
Our suggestion is that there is no reason for the Management of Maritime Shipping Companies
to wait, or to be sceptical about Cyber-Safety compliance.
Is Cyber-Safety for Maritime Shipping Companies a new thing?
Corporate knowledge of Cyber-Safety has existed since ICT systems were first developed, together with their supporting role for industrial/operational technologies. Cyber-Safety is not a new concept at all!
What is relatively new is the enforcement by the IMO, which gives specific guidelines to tackle Cyber-Related risk scenarios that can impact the solvency of the Maritime Shipping Industry (MCS-FAL.1/Circ.3 – clarified as mandatory by TN 24/2017). The ISM Code forces Maritime Shipping Companies to establish, control, balance and maintain proactive and reactive safeguards, with the weight placed on the vessels’ side.
Why did the IMO do that?
The Maritime Shipping Industry, just like any other industry, has reached the point where it displays greater reliance on integrated ICT and OT systems. Thus, the IMO incorporated Cyber-Safety rules into the ISM code.
We understand that Cyber-Safety compliance demands are hard to achieve. If they are met entirely by internal resources, the invested capital and in-house expertise required tend to be high enough to cause a lot of skepticism and, even worse, procrastination.
What is Cyber-Safety and what specifically is Onboard Cyber-Safety?
Onboard Cyber-Incidents include any risk-introducing incidents that disturb the onboard ICT health-state, such as system failures/interruptions, compromised access, malware injected into networks/devices through portable media, and so on.
Cyber-Safety, like any other safety requirement, is about detecting risks, understanding how to mitigate them, and then maintaining the physical/logical systems, labor and processes that serve as ample and adequate proof that the mitigation scenarios are supported, all of it finally documented in an SMS.
Cyber-Safety is definitely not just a matter of an SMS alone, nor a case of fictitious hackers breaking through firewalls and taking over vessels from afar, nor merely a case of asset management. It is a clear case of everlasting labor, engaging ICT systems and human resources in perpetuity.
What is Onboard Cyber-Safety?
Onboard Cyber-Safety is intimately related to how fleet ICT systems are set, deployed and maintained, as the ISM code addresses. All systems and equipment/devices, whether interconnected/integrated or not, must be appropriately blueprinted, tracked, analyzed, and assessed against possible risks and vulnerabilities, managing the overall onboard ICT architecture behavior against Cyber-Risks via specific scientific ICT practices.
The capacity to understand what to expect, defend the integrity of, and seamlessly restore failed or compromised onboard systems from shore, is the foundation of onboard Cyber-Safety. As a result, it is critical to deploy complete, end-to-end, integrated, and responsibly governed onboard ICT architectures.
Necessity is what drives evolution. The problem is that, in comparison to the traditional reflexes of Maritime Shipping Companies regarding change management, the ICT safety field evolves at breakneck speed, and with such instability in the global arena, it is time to move beyond the traditional “this is how things have always been done” mentality.
What are the specifics of MCS-FAL.1/Circ.3 & TN 24/2017?
The guidelines are as comprehensive as they can be, rather than short and vague, as some in the industry have argued. They handle the complexity of maintaining onboard ICT architectures in considerable depth, through three lengthy references listed in MCS-FAL.1/Circ.3 as comprehensive advice, two of which are widely used in the corporate ICT industry:
1. Guidelines on Cyber Security Onboard Ships.
2. ISO/IEC 27001 standard on Information technology.
3. US NIST Framework - Improving Critical Infrastructure Cybersecurity.
The first paper provides an overview of the Cyber-Perils introduced by IT and OT systems, whether they are integrated or not. Each device, network, system, and process must be hardened, analyzed, monitored, and controlled.
The second document supplements the first by specifying ICT industry controls and safeguards via ISO 27001. ISO 27001, as in any other ICT-dependent sector, is used to address, establish, and manage an integrated Cyber-Safe environment. This reference implies unequivocally that every vessel must be viewed as a unified and managed datacenter.
The third complements the first two in terms of Total Quality Management through continuous improvement in onboard Cyber-Safety. As applied to fleets, the NIST five functions (Identify, Protect, Detect, Respond, and Recover) demand the capacity to monitor, remediate, and recover from events on compliant ICT architectures through quick, effective, and efficient actions by expert teams.
However, there is a catch. Vessels cannot be attended in person when at sea, which expands Cyber-Protection beyond the conventional corporate CIA triad.
We are in 2021. Do PSCOs seek ample proof or just an SMS?
Flags, Port State Authorities, and Classification Societies must strictly adhere to the standards outlined above. Flag administrations (for example, Liberia) incorporate the foregoing within their audit procedures. Current Work Instructions for PSCOs (e.g., USCG) give extensive examples of how to seek ample proof that onboard ICT infrastructures are managed to comply with all of the above.
In fact, current PSCO work instructions demonstrate that compliance is related to the behavior and capabilities of onboard ICT systems, as well as the capability of ICT teams to support these architectures. Cyber-Related SMS processes can be created only if the latter are in place. It does not work the other way around, as was thought a year ago.
Such work instructions are detailed enough, and we are only at the beginning of PSCOs’ experience curve in this field. Yes, Work Instructions will get harder in 2022 and 2023.
Flexible organizations, such as Maritime Shipping Companies, are less likely to internally devote the ideal scale of resources to meeting all of the aforementioned needs. However, IQ Solutions SA and Bureau Veritas Marine & Offshore suggest a workaround that is Type Approved for Cyber-Safety.
VCell Cyber, the complete onboard ICT environment by IQ Solutions SA, Type Approved for Cyber-Security by Bureau Veritas Marine & Offshore, is a solid compliance recipe.
The recipe toward full onboard regulatory compliance for Cyber-Safety by Maritime Shipping companies includes three steps:
1. The first step toward full regulatory compliance for a Maritime Shipping Company is to boldly identify current gaps in effort, skill, and resources in comparison to the requirements.
2. The second phase is to establish fleet-wide architectural ICT homogeneity tailored for compliance.
3. The final stage is to collaborate with an experienced, class approved, and competent ICT service provider to manage your Company's ICT fleet environments on a daily basis, supporting your Company’s compliance with pragmatic, reliable processes, acumen, effort and architectures.
As a consequence, gaps are filled, internal ICT fleet managers make the key day-to-day technological decisions, while the heavy workload and consultation are passed to the ICT services provider, and fleets are always kept compliant.
Our above recommended compliance recipe is implemented using VCell Cyber, the only comprehensive end-to-end onboard ICT environment awarded with a Type Approval for Cyber-Security from a major Classification Society. What shipping companies gain is an instantaneous upgrade of their fleets and fleet management departments to compliance with all of the aforementioned mandatory ISM Cyber-Safety criteria.
As a result of fleet-wide VCell Cyber adoption, a robust SMS may be formed, accompanied by pragmatic, sufficient and indisputable ICT proof for PSCOs. VCell Cyber serves as a Maritime Shipping Company’s peace of mind against the aforementioned complicated and mandatory Cyber-Safety requirements.