A ship owner’s guide to achieving cyber security
The maritime world is increasingly connected, with the majority of newbuilds and in-service vessels being fitted with digital systems. While this represents a technological leap forward, and has numerous benefits for data collection and ship monitoring, it also dramatically increases the attack surface available to cyber criminals. Ship owners have already been the targets of cyber-attacks that have cost them time, money and credibility.
In response to these changes, the maritime industry moved to develop a comprehensive solution for improving cyber security and safety for all vessels. In June 2017, the International Maritime Organization (IMO) adopted Resolution MSC.428(98) for Maritime Cyber Risk Management in Safety Management Systems. This resolution aims to protect vessels from cyber-attacks by requiring ships to account for cyber risk management in their safety management system, in compliance with the ISM code.
On January 1, 2021, IMO Resolution MSC.428(98) officially came into force. Owners must now implement effective and robust cybersecurity risk management onboard their vessels. This must be reflected in their Safety Management Systems, which are audited by flag administrations and Port State Control.
What ship owners need to know
Ship owners and technicians can undertake several actions to assess and mitigate cybersecurity risks, methodically developing, applying and maintaining IMO-compliant cybersecurity risk management. These include:
- Mapping information technology (IT) and operational technology (OT) systems, to build a comprehensive inventory of digital assets, including systems, equipment, networks, interconnections and security mechanisms
- Undertaking a risk assessment including all IT and OT systems to identify critical assets vulnerable to external and internal cybersecurity threats
- Establishing management plans, policies and procedures to respond to cyber incidents
- Incorporating cybersecurity measures into existing safety risk management systems
- Ensuring crew members are aware and trained accordingly
A variety of resources are available to help ship owners undertake these steps. The IMO has published general guidelines that help ship owners identify and detect risks, protect their assets and respond to attacks. Several maritime coalitions and classification societies have also developed more in-depth guidance, offering ship owners step-by-step methods for developing the necessary procedures and documentation. This enables owners to address cybersecurity in compliance with the International Safety Management (ISM) Code, the International Ship and Port Facility Security (ISPS) Code and flag requirements.
"IMO's regulation and IACS UR E26 and E27 represent a positive development for the shipping industry. They ensure that owners, yards and suppliers will work together to minimize and face cyber threats. There is strength in numbers, and by building an end-to-end cyber ecosystem, we marine stakeholders can be more than the sum of our parts."
Head of Cyber Security, Bureau Veritas Marine & Offshore
Meeting Flag Administration requirements
Flag authorities worldwide are now scrutinizing vessels for compliance with cyber regulations. While the approach may vary from country to country, certain requirements feature on every nation's list. These include the creation of a policy (or management plan) detailing the basic measures used to achieve the ship owner's cybersecurity objectives. Owners must be able to demonstrate a clear cybersecurity organization. Owners should also have monitoring and reporting procedures in place to record both incidents and any corrective and preventive actions implemented. Most flags specify the need for a clear division of responsibilities among onboard and onshore personnel.
Among the flag administrations taking a particularly rigorous approach to cyber security enforcement are the US Coast Guard and the French Direction Générale des affaires maritimes, de la pêche et de l'aquaculture (DGAMPA).
New requirements from the International Association of Classification Societies (IACS)
In 2024, two IACS Unified Requirements (UR) will become mandatory:
- UR E26 cyber resilience for ships
- UR E27 cyber resilience for equipment
For all contracts signed after 1 January 2024, shipyards and equipment suppliers will have to meet UR E26 and UR E27 requirements for a newbuild to be accepted by a class society. They will also have to provide documentation attesting to the vessel’s compliance, which ship owners will have to update during a vessel’s whole lifecycle.
Buoyed by a complete cyber security ecosystem
An assortment of maritime stakeholders supports ship owners in their efforts to protect their vessels, each working to develop a complete ecosystem for cyber safety:
- Marine equipment manufacturers can provide hardened equipment to be installed onboard ships (e.g., hardened software components)
- Cyber solutions providers offer proactive services to help operators limit cyber risks (e.g., monitoring solutions, incident response services, training)
- Cyber service providers develop security solutions for connected assets (e.g., cleaning stations, endpoint monitoring, encryption and IT/OT secured infrastructure)
- For all contracts signed after 1 January 2024, shipyards will deliver UR E26-compliant newbuilds and ensure the secure onboard integration of hardened connected equipment
- Marine insurers determine the level of onboard cyber risk for inclusion in cyber security insurance policies
- Classification societies can act on a flag state’s behalf, verifying that cyber security measures have been implemented and are being maintained, and offer voluntary notations to help ships prove compliance with regulations
The entire marine value chain is working together, in tandem with ship owners, to present a united front and ensure the cyber security of both in-service vessels and newbuilds.
How Bureau Veritas supports ship owners
At Bureau Veritas, we draw on our comprehensive knowledge of the cyber security ecosystem to help ship owners address cyber threats and comply with flag authority and IMO regulations. Our goal is to enable ship owners to protect their assets, and to define and certify digital designs for shipyards and equipment manufacturers.
To this end, Bureau Veritas has developed three notations for cyber security that cover a wide range of organizational and technical measures.
- CYBER MANAGED confirms that ship owners have developed a complete map of IT and OT systems, undertaken a risk assessment, implemented mitigation measures, incorporated high-level management principles and developed detailed on-board procedures.
- CYBER RESILIENT guarantees compliance with the UR E26 requirements that enter into force for all contracts signed after 1 January 2024.
- CYBER SECURE adds further, more stringent requirements to those already present in UR E26, making it the notation of choice for hyper-connected, autonomous or military vessels, or for demanding owners.
To boost our cyber expertise even further, in January 2021 Bureau Veritas acquired Secura, an independent service company providing security testing, audits, training and certification services. By integrating Secura's knowledge of cyber security for networks, systems, applications and data with Bureau Veritas' classification expertise, we can offer clients value-added cyber services such as penetration tests worldwide.