The link between people and technology is processes. IMO has given ship owners and managers until 1 January 2021 to incorporate cyber risk management into their Safety Management System (SMS) or else ships risk being detained by port state control. This includes all commercially operated vessels over 500GT. It may also include other vessels depending upon Flag State requirements, for example yachts operating mini-ISM systems. However, Flag States are still to issue detailed guidance on their interpretations of the resolution.
Companies operating approved safety management systems are “required to take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code”. In practice this means that the company has to risk-assess its IT systems – including systems used to operate the vessel – and issue procedures to manage all cyber security risks.
All risk assessments, procedures and training need to be completed by the company no later than the first annual verification of the company’s Document of Compliance after 1st January 2021.
This requirement applies to all vessels operated by the Company and the Company infrastructure ashore. Due to cyber threats from external sources, this will include interactions with company suppliers, customers, port operators, agents, regulators etc.
There have been a number of high-profile hacks of large shipping companies over the last few years. The well-publicized NotPetya ransomware attack on Maersk in late June 2017 cost the company up to US$300 million. There has also been speculation in the global press regarding the vulnerability of ships to cyber attack and the potential catastrophic consequences.
Companies are required to comply with industry best practice and assess potentially vulnerable systems. These include, but are not limited to:
- Bridge Systems
- Cargo handling and management systems
- Propulsion and machinery management and power control systems
- Access control systems
- Passenger servicing and management systems
- Passenger facing public networks
- Administrative and crew welfare systems
- Communication systems
Changes to a mixture of operational systems and IT hardware may be required to ensure that the company is compliant.
Flag State auditors will be concentrating on cyber security systems at the company DOC audit in 2021. It is also expected that Port State Control will ask for evidence of compliance with cyber security best practice during inspections after 1st January 2021.