Taking charge of cyber security for connected assets

The vast majority of today’s ships and offshore units are connected, with digitally integrated and remotely accessible onboard and onshore systems. While increased digitalization offers ship owners and operators key benefits for asset operations, management and monitoring, interconnected systems are also attractive targets for cybercrime.

Data theft and operations sabotage are the primary risks for connected and interconnected assets. Common attacks include hacking, ransomware and malware attacks, phishing and denial-of-service.

Critical navigation and maintenance systems, such as GPS, AIS, EDCIS, DP and PMS, can be hijacked, disrupting vessel activity, damaging assets and endangering personnel. Hackers can also access and expose sensitive data, and exploit system and software flaws to compromise asset safety and functionality.

Beyond operational disruptions, recovery from cyber attacks can cost owners and operators dearly, both financially and in terms of lost trust from charterers and clients. As the maritime industry has seen on several occasions, the need to protect onboard and onshore systems for all types of assets is increasingly non-negotiable.
 

Moving toward industry-wide regulation

In June 2017, IMO adopted Resolution MSC.428 to ensure asset owners are properly addressing cyber risks. The resolution states that safety management systems (SMS) must include cyber risk management in accordance with the ISM Code. Ship owners and managers have until January 1, 2021 to integrate cyber risk into their SMS, developing key onboard procedures and providing relevant crew training.

To achieve compliance, owners need to identify at-risk cyber systems, implement comprehensive and asset-specific security procedures, detect and respond to non-compliance, and recover from irregularities. However, while IMO offers high-level recommendations for maritime cyber risk management, it does not provide a detailed methodology or practical template for owners to follow.

What compliance means for asset owners

Many asset owners still have a long way to go to meet IMO’s cyber security standards, and the path to compliance is uncertain. Several major questions are on owners’ minds as they begin preparing their assets for the 2021 deadline.
 

1. How to identify the right level of cyber protection?
   
   A common misconception is that because IMO regulations apply to all assets, all ships and offshore units require the same level of cyber protection. This seems like a daunting and expensive task, particularly for owners with multiple assets or asset types.
   
   While IMO regulations do apply to all connected assets, there is no one-size-fits-all approach to cyber protection. Determining an asset-specific cyber management strategy is key to limiting costs and defining the right safety measures for each vessel or offshore unit.
   
   With the help of a class society’s experts, owners can define the high-level structure of their cyber security policy and develop a complete inventory of at-risk systems before undergoing a critical risk assessment. Experts can then determine relevant risk mitigation measures on a per-vessel basis, developing comprehensive, asset-specific procedures for OT and IT systems, operational concerns and personnel training.
    
2. How to achieve compliance without specific cyber or IT teams?
   
   Cyber security is still a new subject for many owners, who may not have dedicated in-house cyber or IT resources. With just over half a year to prepare for IMO’s deadline, many asset managers are unsure of how to train personnel, and who should be trained, retrained or hired.
   
   By working with class societies to define a cyber management strategy, owners can develop a comprehensive risk overview and guidelines for achieving cyber protection. In-house personnel can use this information to learn the risks to assets’ connected systems, then undergo training for managing mitigation measures and onboard procedures.
    
3. How to ensure a common understanding of cyber security among all marine stakeholders?
   
   Beyond the traditional maritime actors, cyber security introduces a new set of stakeholders into the ship management ecosystem. Cyber solutions providers, IT consultants, equipment providers and others may have access to connected systems and data, which must be secured in accordance with IMO regulations.
   
   As part of their cyber management strategy, owners should carefully define the responsibilities of all actors, ensuring that individual stakeholders understand their role. Third party verification can then be used to keep stakeholders accountable, improving the safety of data, connected equipment and systems.

The future of cyber safety and security

Cyber resilience concerns stakeholders throughout the maritime industry: asset owners, operators, managers, shipyards, charterers, insurers, classification societies, consultants and more. From design and construction to operation, stakeholders at every phase of the asset lifecycle are implicated in cyber security and safety.

Protecting connected assets to the greatest possible extent will require the development of a complete ecosystem of maritime actors. Moving forward, our ability to limit cyber risk will depend on the clear division of responsibilities, adherence to consistently applied guidelines and strong cooperation among maritime actors.