A ship owner’s guide to achieving cyber security
The maritime world is increasingly connected, with the majority of newbuilds and in-service vessels being fitted with digital systems. While this represents a technological leap forward, and has numerous benefits for data collection and ship monitoring, it also leaves vessels vulnerable to cyber threats. Ships have already been the target of ransomware and malware attacks that have cost vessel owners time, money and credibility. And as more onboard and onshore networks and systems come online, the threats of hacking and ship takeover are increasing.
In response to these changes, the maritime industry moved to develop a comprehensive solution for improving cyber security and safety for all vessels. In June 2017, the International Maritime Organization (IMO) adopted Resolution MSC.428(98) for Maritime Cyber Risk Management in Safety Management Systems. This resolution aims to protect vessels from cyber attacks by requiring ships to account for cyber risk management in their safety management system, in compliance with the ISM code.
On January 1, 2021, IMO Resolution MSC.428(98) officially came into force. For owners of both newbuilds and in-service vessels, this represents an opportunity to gain a full understanding of their connected systems, and thoroughly protect their ships.
Head of Cyber Safety and Security
Bureau Veritas Marine & Offshore
The IMO’s new regulation is a positive development for the industry, as it ensures that the entire maritime industry will work together to minimize and overcome cyber threats. There is strength in numbers, and by building an end-to-end cyber ecosystem, we marine stakeholders can be more than the sum of our parts.
What ship owners need to know
The impact of the IMO resolution is simple: to keep sailing, ship owners must integrate cyber security into their vessels’ safety management systems. To do this, ship owners and managers can undertake a series of actions, methodically developing, implementing and maintaining a cyber security management program compliant with IMO requirements. These include:
- Map information technology (IT) and operational technology (OT) systems
- Identify areas vulnerable to external and internal cyber security threats
- Undertake a risk assessment including all IT and OT systems
- Establish plans and procedures to respond to cyber incidents
- Incorporate cyber security measures into existing safety risk management systems
A variety of resources are available to help ship owners carry out these steps. IMO has published general guidelines based on the NIST framework that help ship owners identify and detect risks, protect their assets and respond to attacks. Several maritime coalitions and classification societies have also developed more in-depth guidance, offering ship owners step-by-step programs for developing the necessary procedures and documentation. This enables owners to comply with IMO’s regulations, the International Safety Management (ISM) Code, the International Ship and Port Facility Security (ISPS) Code and flag requirements.
Meeting flag administration requirements
Flag authorities worldwide are now scrutinizing vessels for compliance with cyber regulations. While the approach may vary from country to country, certain requirements feature on every nation’s list. These include the creation of a policy detailing the basic measures used to achieve the ship owner’s cyber security objectives. Owners should also have monitoring and reporting systems in place to record both incidents and any corrective and preventive actions implemented. Most flags also require audits and specify the need for a clear division of responsibilities among onboard and onshore personnel.
Among flag administrations taking a particularly rigorous approach to cyber security enforcement are the US Coast Guard and the French administration. The US Coast Guard has published detailed expectations for ships traveling to American ports. The document sets out requirements for “cyber hygiene,” explains how to assess onboard cyber security, and specifies how to deal with safety deficiencies. Meanwhile, the French flag is also putting owners to the test, as demonstrated by a recent audit of a Brittany Ferries ship.
A comprehensive ISM audit for cyber security
In 2020, the French Department for Marine Affairs (Direction des Affaires Maritimes – DAM) issued cyber security guidelines for ships. This detailed document now serves as the basis for checks carried out by the French flag authority, whose rigor and attention to detail were apparent during a recent audit of a Brittany Ferries ship.
During the two-day audit, French DAM inspectors devoted an hour and a half to verifying cyber security measures and policies, asking very specific and in-depth questions. Operators were able to respond satisfactorily, thanks to the detailed cyber policy and procedures verified by Bureau Veritas prior to the delivery of a CYBER MANAGED notation.
Buoyed by a complete cyber security ecosystem
An assortment of maritime stakeholders supports ship owners in their efforts to protect their vessels, each working to develop a complete ecosystem for cyber safety:
- Marine equipment manufacturers provide securely designed equipment to be installed onboard ships (e.g., hardened software components)
- Cyber solutions providers offer proactive services to help operators limit cyber risks (e.g., monitoring solutions, incident response services, training)
- Cyber service providers develop security solutions for connected assets (e.g., cleaning stations, endpoint monitoring, encryption and IT/OT secured infrastructure)
- Shipyards deliver compliant newbuilds and ensure the secure onboard integration of connected equipment
- Marine insurers determine the level of onboard cyber risk for inclusion in cyber security insurance policies
- Classification societies can act on a flag state’s behalf, verifying that cyber security measures have been implemented and are being maintained, and offer voluntary notations to help ships prove compliance with regulations
The entire marine value chain is working in tandem with ship owners to present a united front and ensure the cyber security of both in-service vessels and newbuilds.
How Bureau Veritas supports ship owners
At Bureau Veritas, we draw on our comprehensive knowledge of the cyber security ecosystem to help ship owners overcome cyber threats and comply with flag authority and IMO regulations. Our goal is to enable ship owners to protect their assets and to define clear expectations for shipyards and equipment manufacturers.
To this end, Bureau Veritas has developed two notations for cyber security that cover a wide range of organizational and technical measures.
- CYBER MANAGED confirms that ship owners and contractors have developed a complete map of IT and OT systems, undertaken a risk assessment, implemented mitigation measures, incorporated high-level management principles and developed detailed onboard procedures.
- Our CYBER SECURE notation adds a “secure by design” layer to the vessel, including requirements for the selection and hardening of onboard equipment.
To boost our cyber expertise even further, in January 2021, Bureau Veritas acquired Secura, an independent service company providing security testing, audits, training and certification services. By integrating Secura’s knowledge of cyber security for networks, systems, applications and data with Bureau Veritas classification expertise, we can offer clients value-added cyber services worldwide.