Train crew and management in their roles before, during and after a cyber incident as part of a company’s safety management system
Shipowners and managers have just four months before a key deadline in cyber risk management is passed and ship security comes under greater scrutiny.
From 1 January 2021, shipowners must include cyber security in ship safety management systems under amendments in IMO’s International Ship Management (ISM) Code.
Preparations should already be underway to include cyber risks as part of ship’s safety, said Norton Rose Fulbright partner Philip Roche, who said this should include training and security-breach drills.
“There are many threats out there,” said Mr Roche during Riviera Maritime Media’s ‘Minimising cost and disruption after a cyber event’ webinar on 6 August, which was the concluding event of Riviera’s Maritime Cyber Security Webinar Week.
Therefore shipowners “need to consider risk management and cyber attack recovery” he said. “Good safety management requires a plan to be in place now if the ship is to be seaworthy.”
Mr Roche said cyber security is another risk, albeit a novel one, to be managed as part of the safety management of the ship.
“Safety management is a key component of ensuring and demonstrating an owner or operator is exercising due diligence to make his ship seaworthy and cargo worthy.”
This could be policed in the future by port state control, whose inspectors may request information on cyber risk management for a vessel as part of its seaworthiness.
According to Mr Roche in a test for seaworthiness, the ship “must have a degree of fitness, which a prudent shipowner would require the vessel to have at the commencement of its voyage”.
This degree of fitness extends beyond the physical condition of the ship and includes having properly trained crew able to deal with contingencies arising at sea.
Such tests are to be considered against the current state of knowledge of the risks and regulations in the industry.
“This means port state control would take an interest in cyber training and consider cyber risk management and attack recovery,” said Mr Roche.
Therefore, to ensure a ship is seaworthy today, the ship needs to have reasonable measures to protect against a cyber attack, including trained crews who have good cyber hygiene practices and are aware of risks, and a plan to detect, deal with and recover from a cyber attack.
Following ISM Code
To deal with and recover from a cyber attack, there is plenty of shipping industry guidance from IMO, BIMCO, classification societies and other organisations.
Key to this preparation is following the ISM Code, which requires that the safety-management objectives of the company provide for safe practices in ship operations and a safe working environment.
To follow the ISM Code, owners assess all identified risks to ships, personnel and the environment, establish appropriate safeguards, and continuously improve the safety-management skills of personnel ashore and aboard ships, including preparing for emergencies related both to safety and environmental protection.
Owners can look at IMO guidance on cyber security which covers developing and implementing activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber event.
Ship operators need to identify measures to back-up and restore the cyber systems necessary for shipping operations impacted by a cyber event.
They must also distinguish between an attack affecting IT and an attack on operational technology (OT) which includes cyber threats to ship propulsion control, steering, navigation and communications systems.
“It is important to have resilience, respond to activities and to have back-up and restore systems,” said Mr Roche. “Key is controlling the situation, detecting the problem and preventing recurrence.”
Cyber event response
In an initial assessment of a cyber breach, a response team must find out how the incident occurred, which IT and/or OT systems were affected, then how that happened.
The extent to which the commercial and/or operational data is affected needs to be established, and to what extent any threat remains.
Following this initial assessment, a ship’s data, IT and OT systems need to be cleaned, recovered and restored as far as possible to an operational condition by removing threats from the system and restoring software.
A thorough investigation is then needed to understand the causes and consequences of a cyber incident, with support from an external expert, if appropriate.
To prevent a re-occurrence, implement actions from the outcome of the investigation, addressing any inadequacies in technical and/or procedural protection measures.
Change on board procedures and work culture to prevent another occurrence of a cyber breach. “There needs to be constant reminders of cyber hygiene and someone needs to keep an eye on board, perhaps as a cyber security officer,” said Mr Roche.
Continuously improve the safety-management skills of personnel ashore and aboard ships to prepare for emergencies related both to safety and environmental protection.
Crew can “act as a buffer to reduce the effects of a successful attack” if they are trained and regularly practice, said Mr Roche. “Owners need to run drills” on board ships and involving management, he said. “Everyone – all members of crew and management – need to know their role in the planned response,” he added.
Guidance: what to address in onboard contingency plans
The following is a non-exhaustive list of cyber incidents for contingency plans to consider:
Watch the ‘Minimising cost and disruption after a cyber event’ webinar in full in our webinar library