A MANAGERIAL PERSPECTIVE vs 2021 IMO CYBER SAFETY REQUIREMENTS.
DON’T WAIT ANOTHER YEAR…
There is no reason for the Management of Maritime Shipping Companies to be sceptical about Cyber-Safety compliance.
Is Cyber-Safety for Maritime Shipping Companies a new thing to consider?
Corporate knowledge regarding Cyber-Safety has existed since the development of ICT systems, along with their supporting role for industrial/operational technologies. Cyber-Safety is not a new concept at all!
What is relatively new is the enforcement by the IMO, which gives specific guidelines to tackle cyber-related risk scenarios that can impact the solvency of the Maritime Shipping Industry (MSC-FAL.1/Circ.3, clarified by TN 24/2017 and TN 30/2020). The ISM Code requires Maritime Shipping Companies to establish, control, balance and maintain proactive and reactive safeguards, with the emphasis on the vessels’ side.
Why did the IMO do that?
The Maritime Shipping Industry, just like any other industry, has reached the point where it displays greater reliance on integrated ICT and OT systems. Thus, the IMO incorporated Cyber-Safety rules into the ISM code.
We understand that Cyber-Safety compliance demands are hard to achieve. If met entirely with internal resources, the capital investment and in-house expertise required tend to be high enough to cause a lot of skepticism and, even worse, procrastination.
What is Cyber-Safety and what does it specifically mean for vessels?
Onboard Cyber-Incidents include any risk-introducing events that disturb the health state of the onboard ICT environment, such as system failures/interruptions, compromised access, malware introduced into networks/devices through portable media, and so on.
Cyber-Safety, like any other safety requirement, is about detecting risks, understanding how to mitigate them, and then maintaining the physical/logical systems, labor and processes that serve as ample and adequate proof that the mitigation measures are in place, all of which is finally documented through an SMS.
Cyber-Safety is definitely not just about an SMS on its own, nor a case of fictitious hackers breaking through firewalls to seize vessels from afar, nor solely a case of asset management. It is a clear case of everlasting labor, engaging ICT systems and human resources in perpetuity.
What is Onboard Cyber-Safety?
Onboard Cyber-Safety is intimately related to how fleet ICT systems are set up, deployed and maintained, as the ISM Code addresses. All systems and equipment/devices, whether interconnected/integrated or not, must be appropriately blueprinted, tracked, analyzed, and assessed against possible risks and vulnerabilities, managing the behavior of the overall onboard ICT architecture against Cyber-Risks through specific, scientific ICT practices.
The capacity to understand what to expect, defend the integrity of, and seamlessly restore failed or compromised onboard systems from shore, is the foundation of onboard Cyber-Safety. As a result, it is critical to deploy complete, end-to-end, integrated, and responsibly governed onboard ICT architectures.
Necessity is what drives evolution. The problem is that, in comparison to the traditional reflexes of Maritime Shipping Companies regarding change management, the ICT safety field evolves at breakneck speed, and with such instability in the global arena, it is time to move beyond the traditional “this is how things have always been done” mentality.
What are the specifics of MSC-FAL.1/Circ.3, TN 24/2017 & TN 30/2020?
On the 1st of June 2016 the IMO gave interim guidelines on maritime cyber risk management through MSC.1/Circ.1526, addressing the urgent need to raise awareness of cyber risk threats and vulnerabilities in the Maritime Shipping Industry. These were subsequently approved by the Facilitation Committee at its 41st session (FAL 41, 4 to 7 April 2017) and the Maritime Safety Committee at its 98th session (MSC 98, 7 to 16 June 2017), through MSC-FAL.1/Circ.3 “Guidelines on Maritime cyber risk management”, which supersedes the interim guidelines contained in MSC.1/Circ.1526.
By “cyber risk management” the IMO defines “the process of identifying, analyzing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring or mitigating it to an acceptable level, considering costs and benefits of actions taken to stakeholders”.
Following the above, IMO issued Technical Note 24-2017 “CYBER RISK MANAGEMENT INTO THE ISM CODE”, making their intentions even clearer and clarifying that cyber safety is a mandatory requirement. It specifically states that “for detailed guidance on cyber risk management, users of these Guidelines should also refer to Member Governments' and Flag Administrations' requirements, as well as relevant international and industry standards and best practices”. For this reason, the IMO gave specific guidelines in a threefold manner:
The Guidelines on Cyber Security Onboard Ships, produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI.
ISO/IEC 27001 standard on Information technology – Security techniques – Information security management systems – Requirements. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
United States National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework).
Moreover, as per Technical Note 30-2020 “ISM CYBER SECURITY: BE PREPARED” operators should proceed with the following:
First, ship owners must define the high-level structure of their cyber security policy by developing a complete inventory of at-risk systems. This should include onboard and offshore systems, Operational Technology (OT) and Information Technology (IT), and equipment. This allows owners to gain a comprehensive understanding of all systems, in order to assess their risk criticality.
Ships should then undergo a cyber risk analysis that assesses threats and vulnerabilities, as well as the impact of exploitation of IT and OT systems on cyber security. Experts can then determine the relevant risk, evaluate the attack surface of the equipment and consider mitigation measures that have been or should be applied onboard.
Once this is done, owners can develop a set of policies and procedures for cyber risk management that is tailored to their vessel and its equipment. This policy should address onboard cyber safety management rules, define the roles and responsibilities of personnel, include crew training activities and provide crisis management strategies.
The IMO, the European Union (EU), along with Oil Majors and more stakeholders within the industry, have acknowledged the severity of the threats and proposed the above frameworks and specific guidelines to address and mitigate onboard cyber risk.
We are in 2022. Do PSCOs seek ample proof or just an SMS?
Flags, Port State Authorities, and Classification Societies must strictly adhere to the standards outlined above. Flag administrations (for example, Liberia) incorporate the foregoing within their audit procedures. Current Work Instructions for PSCOs (e.g., USCG) give extensive examples of how to seek ample proof that onboard ICT infrastructures are managed in compliance with all of the above.
In fact, current PSCO work instructions demonstrate that compliance is related to the behavior and capabilities of onboard ICT systems, as well as the capability of ICT teams to support these architectures. Cyber-related SMS processes can be created only if the latter are in place. It does not work the other way around, as was thought a year ago.
Such work instructions are detailed enough, and we are only at the beginning of the PSCOs’ experience curve in this field. Yes, Work Instructions do get harder in 2022 and will seek more ample proof by 2023.
Flexible organizations, such as Maritime Shipping Companies, are less likely to devote internally the ideal scale of resources to meeting all of the aforementioned needs. However, IQ Solutions SA and Bureau Veritas Marine & Offshore suggest a workaround that is Type Approved for Cyber-Safety.
VCell Cyber, the complete onboard ICT environment by IQ Solutions SA, Type Approved for Cyber-Security by Bureau Veritas Marine & Offshore, is a solid compliance recipe.
The recipe toward full onboard regulatory compliance for Cyber-Safety by Maritime Shipping companies includes three steps:
The first step toward full regulatory compliance for a Maritime Shipping Company is to boldly identify current gaps in effort, skill, and resources in comparison to requirements.
The following phase will be to establish fleet-wide architectural ICT homogeneity tailored for compliance.
The final stage is to collaborate with an experienced, class-approved, and competent ICT service provider to manage your Company's fleet ICT environments on a daily basis, supporting your Company’s compliance with pragmatic, reliable processes, acumen, effort and architectures.
“VCell Cyber Class Approved Edition” is a complete, end-to-end, managed ICT environment for vessels designed in compliance with Bureau Veritas NR659 “Rules on cyber security for the classification of marine units” and has been granted the following certifications:
BV Mode II Recognition - Production Quality.
ISO 27001 - Information Security.
Type Approval - Cyber Security.
As a consequence, gaps are filled, internal ICT fleet managers make key day-to-day technological decisions, while the heavy workload and consultation is passed to the ICT services provider, and fleets are always kept compliant. More specifically, the ISM code requires that the cyber security risks of each vessel be identified, evaluated and managed appropriately so that a sufficient cyber security level is ensured for the ship. In addition, protection and detection measures must be developed and response plans should be established to support the vessel’s smooth operation.
Following the above, IQ Solutions delivers for every VCell-ship two documents tailored to the VCell infrastructure and the vessel’s ICT systems, namely the VCell Cyber Risk Assessment & Treatment Report and the VCell Cyber Security Manual, thus offering integrated, 360° cyber risk management services covering both the technical and the procedural aspects of cyber security.
Our above recommended compliance recipe is implemented using VCell Cyber, the only comprehensive end-to-end onboard ICT environment awarded with a Type Approval for Cyber-Security from a major Classification Society. What shipping companies gain is an instantaneous upgrade of their fleets and fleet management departments to compliance with all of the aforementioned mandatory ISM Cyber-Safety criteria.
As a result of fleet-wide VCell Cyber adoption, a robust SMS may be formed, accompanied by pragmatic, sufficient and indisputable ICT proof for PSCOs. VCell Cyber serves as a Maritime Shipping Company’s peace of mind against the aforementioned complicated and mandatory Cyber-Safety requirements.