Vessel operators have until 2021 to incorporate cyber risk management into their safety management systems. Assessing IT and OT infrastructure in a systematic fashion will break a seemingly mammoth undertaking into a series of smaller, more manageable tasks
Ship managers and owners have until 1 January 2021 to make sure cyber risk is firmly integrated into their safety management systems. IMO affirmed the inclusion of cyber risk in the ISM Code in a resolution adopted at the 98th meeting of its Maritime Safety Committee in June 2017, sending out the strongest signal yet that inaction is not an option.
Indeed, for several flag states the global regulator’s recommendation for vessel owners and operators to assess the vulnerability of digital systems “in accordance with the objectives and functional requirements of ISM” amounts to making it a mandatory requirement.
Shipping companies are now as reliant on digital, automated and network-based systems in their day-to-day activities as they are in any other kind of business. Furthermore, the scope of these systems has expanded from basic information management to actually controlling machinery and other onboard equipment.
The deepening integration of operational and information systems adds complexity. In addition to a loss of availability resulting from a system breaking down, whether due to a programming error, a component malfunction or the actions of a virtual intruder, the integrity and confidentiality of business processes are also at risk. Intrusions affecting this latter category are potentially more serious as they are harder to detect: they generally won’t trigger alarms and the immediate impact will be less obvious.
Framework for cyber risk management
The ISM Code is an established framework for driving continuous improvement in safe fleet operation. Rather than attempting to tackle each safety issue individually, it provides a structure that can flexibly accommodate almost any possible need (see box). This focus on process allows it to manage the risks from IT and OT systems in a similar way to minimising physical risks such as fire.
Key requirements of the ISM Code
Incorporating cyber risk into a ship management system (SMS) will typically entail several months’ preparation, depending on the complexity of technological systems on the vessels involved, but in all cases must be completed ahead of the first inspection by ISM auditors after 1 January 2021. DNV GL senior cyber security advisor Svante Einarsson says “Carrying out a rigorous assessment – particularly for the first time – is a taxing and sometimes overwhelming exercise. The whole purpose is to reveal previously unnoticed weaknesses and unconsidered vulnerabilities.”
For some items, the solutions are relatively straightforward, maybe altering a system’s configuration or introducing new rules on usage, but others may require more work, necessitating software upgrades or hardware replacements. To meet the 2021 deadline, employing a combination of technical mitigations, revised (or new) procedures and staff/crew training offer a more practical and cost-effective route than attempting to find and implement technical solutions to every risk.
Because of the inherent unpredictability in the scale of the task that lies ahead, Mr Einarsson urges shipping companies to give themselves plenty of time. “It is better to start early with a limited scope and then gradually expand and add more detail over time as further requirements become apparent.”
Cyber security task management
Assessing the dangers and pinpointing where remedial action is needed in a systematic fashion will split a singular daunting undertaking into a series of smaller tasks that are easier to manage and carry out. Although ISM concentrates on the safety implications of cyber risk, Mr Einarsson suggests preparing for 2021 provides an opportunity to consider the commercial and ethical reasons for losing the control of a vessel’s IT and OT infrastructure.
Risk is a product of the repercussions of a particular event occurring and the likelihood that it will happen. This means a frequent but low impact problem is comparable to a major incident that may only happen once in the lifetime of a vessel. Having defined criteria to measure total risk avoids the vagueness that surrounds arbitrary high, medium and low labels.
In some cases, insurance may prove a more sensible choice than attempting to implement a complicated technical fix. This route would be appropriate for scenarios that are deemed highly improbable and require counter measures that would be excessively costly and introduce additional complexity into a system or working practices.
By the end of the process, the vessel owner should have a catalogue of safeguards aligned with each vulnerability identified during the assessment, together with notes explaining any residual risk. It is critical that safeguards are described in sufficient detail in the supporting documentation – both for compliance purposes and for facilitating changes at a later date. New cyber threats to industrial systems of the sort used on commercial ships are coming to light at an increasing rate. ISM does not prescribe a calendar schedule for assessing new risks but says that they should be accommodated as soon as possible. Or as Mr Einarsson puts it “The SMS should be a living document – it should be regularly updated and improved in response to a continually evolving risk environment.”
Cyber awareness and behavioural change
Risk assessment and technical solutions are just one part of ISM. Like physical safety, cyber security hinges on the actions and behaviour of everyone involved in vessel operation – both at sea and on shore. A vessel’s master, second officer, chief engineer and superintendent are among those that need a robust understanding of cyber risk and the possible consequences on vessel safety, as do its owner and senior managers, who, in addition to directing operations at fleet level, also have the final say on what systems are used on board.
It is just as important, however, that all crew – regardless of rank – and shore-based staff are taught about cyber awareness and are incentivised to abide by rules regarding cyber hygiene, such as respecting the difference between onboard networks for operational use and recreational use and to apply due diligence when interacting with systems, for example, questioning the providence of suspect emails.
Pooling knowledge on cyber risks
Although cyber security is today clearly a much broader issue than putting in defences against viruses and protecting users from spam emails, there is a tendency still for the responsibility to fall on managers of internal IT departments. According to Mr Einarsson, that’s not necessarily bad or wrong. But, he says, their exposure to marine control systems is less than colleagues who have to use and interact with them on a routine basis. In other words, they may lack that deep – almost instinctive – understanding that accumulates from months, or possibly years, of hands-on experience.
Of course, the reverse is also true. Superintendents generally don’t possess detailed knowledge of network architecture, configuration management, database design and so forth. The situation is compounded as the maintenance of software or embedded systems that manage more sophisticated equipment is commonly entrusted to vendors – either through a contractual relationship or a less formal arrangement based on good faith.
The technologies are complex but, as Mr Einarsson points out, so are the chains of responsibility and ownership, which is why a structured and systematic approach to risk assessment involving all stakeholders is essential. “So far, the shipping industry has only just begun to explore the possibilities of digitalisation. In the future, as digital solutions take the place of traditional analogue electrical–mechanical control systems, the relationships between different systems and different stakeholders will become more complicated.”
One strategy for overcoming these divisions is to establish an internal cyber security task force that brings together senior managers from different departments and with different expertise to work as a team. Mr Einarsson remarks “In my experience, collaboration has proven more effective than delegation at overcoming the barriers that traditionally arise in corporate environments.”
Assisting owners in upgrading cyber security
Recognising that many shipping companies are new to cyber risk management, in 2016, DNV GL issued recommended practice documents (DNVGL-RP-0496) intended to translate high-level conceptual requirements into practical language. This freely available guidance offers owners advice and pointers that will set them on the right path as they begin to assess their vessels and corporate practices.
For owners wanting to go further, DNV GL has developed a voluntary cyber security class notation that specifically takes into account operational technology. Formally launched in 2018, it is now working in partnership with the first ship operators including a major European navy, a UK-based ferry operator and a leading cruise line seeking this special recognition.
In assessing vessels, DNV GL’s experts look for evidence of processes adopted to raise awareness of cyber risks and to change unsafe behaviour – not only among the shipping company’s own staff but also in dealing with third parties including vendors. Network architecture is inspected, and penetration tests are conducted to check whether the documented version matches the reality on board. The inspection also covers safeguards for safety critical systems as well as mitigations implemented for older equipment connected to the network that was built before cyber security was the serious concern it is today.
Whether physical or cyber, risks are fact of life. They can never be entirely eliminated. However, by taking a methodical approach to assessing potential scenarios that might arise, we can take steps to prevent the more obvious dangers and be ready to act to minimise the fallout from unexpected ones. This is as true for the virtual world as it is the real one.