Taking charge of cyber security for connected assets
May 31, 2023
The vast majority of today’s ships and offshore units are connected, with digitally integrated and remotely accessible onboard and onshore systems. While increased digitalization offers ship owners and operators key benefits for business operations, management and monitoring, it increases the surface of attack for cybercrime.
If not correctly protected and configured, connected assets can become targets for hacking, ransomware and malware attacks, phishing and denial-of-service. Critical navigation, positioning and maintenance systems, such as GPS, AIS, ECDIS, DP and PMS, can be hijacked, disrupting vessel activity, damaging assets and endangering personnel. Attackers can also access and expose sensitive data, or exploit system and software flaws to compromise asset safety and functionality.
Beyond operational disruptions, recovery from cyber-attacks can cost owners and operators dearly, both financially and in terms of lost trust from charterers and clients. As the maritime industry has seen on several occasions, the need to protect onboard and onshore systems for all types of assets is increasingly non-negotiable.
Moving toward industry-wide regulation
In response to this threat, the maritime industry moved to develop a comprehensive solution for improving cyber security and safety for all vessels. In June 2017, the International Maritime Organization (IMO) adopted Resolution MSC.428(98) for Maritime Cyber Risk Management in Safety Management Systems. This resolution aims to protect vessels from cyber-attacks by requiring ships to account for cyber risk management in their safety management systems, in compliance with the ISM code.
IMO Resolution MSC.428(98) applies from the first annual verification of a company's Document of Compliance after January 1, 2021. Owners now have to implement an effective and robust cyber security risk management system on board their vessels. This must be reflected in their safety management systems, and will be audited by Flag administrations and Port State Control.
The International Association of Classification Societies (IACS) is also changing the way the shipping industry addresses cyber security, with two new Unified Requirements (UR) entering into force on 1 January 2024 for new ships contracted for construction on or after that date.
The first, UR E26, concerns cyber resilience for ships. It contains a list of requirements that ensure the next generation of vessels will be cyber secure by design. Because Unified Requirements are adopted by all IACS member societies, a vessel in scope that is not UR E26 compliant cannot be classed by any of them. The documentation produced by the yard to demonstrate UR E26 compliance must be kept up to date by owners throughout the whole lifecycle of the vessel.
The second, UR E27, deals with cyber resilience for on-board systems and equipment. It contains a list of requirements to ensure that equipment installed on these cyber secure by design vessels meets recognized cyber security standards (largely derived from IEC 62443-3-3). This means equipment will be hardened and protected from the design stage as well.
The rise of smart shipping and increased connectivity presents asset owners with both distinct advantages and challenges. Combating cyber risk will involve the entire industry, from regulatory bodies and classification societies, to asset owners and operators, to equipment manufacturers and cyber-solution providers.
Head of Cyber Security Section
Bureau Veritas Marine & Offshore
What compliance means for asset owners
Many asset owners still have a long way to go to meet the IMO and IACS cyber security requirements, and the path to compliance is uncertain. Several major questions are on owners' minds as they begin to address their vessels' cyber security.
1. How to identify the right level of cyber protection?
A common misconception is that because IMO regulations apply to all assets, all ships and offshore units require the same level of cyber protection. This seems like a daunting and expensive task, particularly for owners with multiple assets or asset types.
While IMO regulations do apply to all connected assets, there is no one-size-fits-all approach to cyber protection. Determining an asset-specific cyber management strategy is key to limiting costs and defining the right safety measures for each vessel or offshore unit.
With the help of a class society's experts, owners can define the high-level structure of their cyber security policy and develop a complete inventory of at-risk systems before undergoing a critical risk assessment. Experts can then determine relevant risk mitigation measures on a per-vessel basis, developing comprehensive, asset-specific procedures covering OT and IT systems, operational concerns, and personnel training and awareness.
2. How to achieve compliance without specific cyber or IT teams?
Cyber security is still a new subject for many owners, who may not have dedicated in-house cyber or IT resources. Many asset managers are unsure of how to train personnel, and who should be trained, retrained or hired.
By working with class societies to define a cyber management strategy, owners can develop a comprehensive risk overview and guidelines for achieving cyber protection. In-house personnel can use this information to learn the risks to assets’ connected systems, then undergo training for managing mitigation measures and onboard procedures.
3. How to ensure a common understanding of cyber security among all marine stakeholders?
Beyond the traditional maritime actors, cyber security introduces a new set of stakeholders into the ship management ecosystem. Cyber solutions providers, IT consultants, equipment providers and others may have access to connected systems and data, which must be secured in accordance with IMO and IACS regulations.
As part of their cyber management strategy, owners should carefully define the responsibilities of all actors, ensuring that each stakeholder understands its role. Third-party verification can then be used to hold stakeholders accountable, improving the security of data, connected equipment and systems.
The future of cyber safety and security
Cyber resilience concerns stakeholders throughout the maritime industry: asset owners, operators, managers, shipyards, charterers, insurers, classification societies, consultants and more. From design and construction to operation, stakeholders at every phase of the asset lifecycle are implicated in cyber security and safety.
Protecting connected assets to the greatest possible extent will require the development of a complete ecosystem of maritime actors. Moving forward, our ability to limit cyber risk will depend on the clear division of responsibilities, adherence to consistently applied guidelines and strong cooperation among maritime actors.