Established safety methodologies key to implementing IMO cyber requirements onboard

BW Group stepped up cyber-security measures after a hacking attack in July. Credit: Shutterstock
BW Group stepped up cyber-security measures after a hacking attack in July. Credit: Shutterstock

Incorporating cyber security management into ship’s safety management systems (SMS) is not as complicated as the industry fears, using established safety methodologies are key to its implementation, discussed cyber security experts.

The deadline imposed by the International Maritime Organization (IMO), incorporating cyber security management into ships’ SMS by 1 January 2021, is fast approaching.

Jakob Larson, head of security BIMCO, speaking at a SAS webinar, supported by BIMCO, on 11 August, explained that for shipping companies to prepare for this deadline, they will need to develop proper cyber risk assessments (RA).

“We recommend companies use the same methodology as they would normally use in any other safety RA onboard or onshore. This is because the language, terminology, and methodology are clearly understood by senior management,” said Larson.

As such, it will make it easier for those responsible for implementing cyber risk management to be understood company-wide, and communicate in a “well-known language”, in a clear fashion to be granted the necessary resources to mitigate cyber risks.

Jarle Blomhoff, group leader cyber safety and security, DNV GL agreed, and said that cyber security needs to be put into the mindset of crew onboard or the “human firewall” (a network security system that monitor and controls incoming and outgoing digital traffic).

“Ships carry out emergency drills for grounding exercises, why not do similar for a cyber security incident? It will give great insight into the vulnerabilities,” said Blomhoff. “Get procedures up and running, it is required by the IMO but a document nobody reads makes no sense, give crew something to work with and on”.

Following a high-profile explosion on an offshore platform Piper Alfa, on 6 July 1988, which resulted in the deaths of 167 crew, Cris DeWitt, senior advisor, Cyber Mariner, stated that risk assessments and the building of safety cases are now part of the onboard safety culture. De Witt advised that these areas are key to incorporating cyber security awareness and assess cyber risk. “Job safety analysis is an easy place to incorporate awareness, for example during a shift change, there can be a safety and a cyber security moment”.

“Cyber security goes hand in hand with safety and we need to integrate that culture onboard. The IMO guidance does just that as a minimum set of requirements, and there are also a lot of cultural points that can be implemented to increase the cyber security of a vessel,” concluded  DeWitt.

To listen to the full webinar on demand click here.

Safety at Sea will be publishing a full report on the SAS and BIMCO 2020 Maritime Cyber Security survey this autumn. For updates sign up to the SAS newsletter.