A cyber security implementation guide published today gives shipping companies a framework to incorporate cyber security risk management into their existing safety management systems (SMS) ahead of the International Maritime Organization’s (IMO) 1 January 2021 deadline.
The non-profit organisation Digital Container Shipping Association (DCSA) has produced the guide titled, DCSA Implementation Guide for Cyber Security on Vessels to support vessel preparedness in response to the IMO’s resolution MSC.428(98). The resolution imposes the implementation of Maritime Cyber Risk Management in ship’s SMS, which will be required by the first annual verification of the company’s Document of Compliance after 1 January 2021.
The guide aligns with existing BIMCO and US National Institute of Standards and Technology cyber risk management frameworks, providing shipowners with the tools needed to help designated technical crew members mitigate the risk of cyber-attacks, contain the damage, and recover in the event of an attack.
The guide is extremely detailed in setting up the governance and establishing what the roles and responsibilities of crew and those working ashore should be.
Speaking directly to SAS, Thomas Bagge, CEO of DCSA, said that the guide defines the cyber security responsibilities of crew and who should have further cyber knowledge and in-depth cyber security training. Bagge said the guide even proposes that the position of a cyber security officer ashore be created, that would over-see the implementation of the cyber security measures.
“Crews go through all sorts of safety related training on a regular basis and I see cyber security being treated with equal importance and become part of that training,” Bagge told SAS.
When asked why it has taken so long for the shipping industry, compared to others, to come up with and implement a proper cyber security organisational framework, Bagge suggested that one reason could be due to the conservative nature of the shipping industry. He also noted that in spite of increasing interest, there is still a general lack of willingness to take on costly new initiatives, such as cyber, meaning it has taken the back foot, as carriers are more focused on filling their vessels, reducing costs and innovating their vessels and containers. However, since certain high profile attacks, the need for adequate cyber preparations is being realized.
The 2018 IHS Markit Maritime Cyber Security Survey revealed that nearly two thirds of respondents (59%) had budgeted less than USD10,000 for responding to a cyber incident, and less than half (46%) said their annual spend on cyber security was below USD10,000.
“Shipping companies and the industry as a whole need to view cyber security and treat it just like any other safety incident that happens on board, be that fires, engine failures, and man overboard situations,” said Bagge. “The crew over time need to be brought to a level of understanding of how to prevent, detect and react to cyber-attacks.”
This will become increasingly relevant as vessels become more autonomous, Bagge maintained. As autonomous technology becomes more advanced, there will be a heightened degree of connectivity and digitalisation and in turn the cyber security threats will become more developed at sea. Having a crew onboard trained for cyber attacks, and able to identify and respond to a hacking attack or over-ride a blackout, for example, is absolutely essential, stressed Bagge.
The full implementation guide can be found on the company website here.
To take this year’s Safety at Sea Maritime Cyber Security survey, in partnership with BIMCO, click here.