Joint industry cyber security guidelines updated

Guidelines on Cyber Security Onboard Ships tackles cyber risks to a ship’s safety management system

A group of the world’s largest international shipping associations, including BIMCO, Intertanko, Intercargo, OCIMF, and the World Shipping Council, has published an update to their cyber-security guidelines.

The third edition of Guidelines on Cyber Security Onboard Ships has tackled how to add cyber risks to a ship’s safety management system (SMS) – something that will be a requirement for companies by 1 January 2021.

“A new dedicated annex provides measures that all companies should consider implementing to address cyber risk management in an approved SMS,” said Dirk Fry, chair of BIMCO’s cyber security working group and director of Columbia Ship Management.

“This is much easier said than done,” he added, noting that the criminals trying to exploit companies or breach their security are getting more inventive. This is the third year that the guidelines have been updated to stay abreast of the evolving cyber threats the maritime industry is facing. In the latest version, notable updates include guidance on risk assessments for operational technology (OT).

Shipowners’ association BIMCO said this was due to the increase in OT on board vessels that is integrated with information technology (IT) and can be connected to the internet, opening up vessels to greater cyber risk.

“On a ship, the job may be less focused on protecting data while protecting operational systems working in the real world has direct safety implications. If the ECDIS system or software controlling an engine are hit with malware, or if it breaks down due to lack of compatibility after an update of software, it can lead to dangerous situations,” Fry said.

The IHS Markit/BIMCO 2018 Maritime Cyber Security survey, supported by ABS, found that OT risks may be underestimated. Despite more than half of the 350 respondents working in ship operations, the majority (93%) said IT systems are the most affected by cyber incidents, with OT only seen as a risk by 7%.

The third edition of the guidelines also includes guidance and steps on evaluating threats arising from the external supply chain.