More crew cyber training is needed as the International Maritime Organization (IMO) 2021 deadline to incorporate cyber security into companies safety management systems looms, experts agree. How much training is required or whether a designated person aboard shall be assigned as a cyber expert on board is still up for discussion
“As in any kind of traditional industry, everyone is going through some kind of cyber security training,” said Rachael Bardoe, cyber security director, Digital Container Shipping Association, at a SAS hosted webinar, on 11 August. “It is fundamental that people are cyber aware from the board level right down to the crew onboard as you need to embed it into the culture”.
Bardoe maintained that as people become more trained and familiar with good cyber behaviour, it will in turn minimize the risk. Cris DeWitt, senior advisor, Cyber Mariner, agreed and stressed that everybody needs cyber awareness training onboard, including third parties that board the vessel.
Shipping organisations appear to be preparing for the IMO 1 January 2021 deadline, with 63% of respondents to the 2020 SAS cyber security survey saying they have received cyber security training. The majority of respondents (67%) described the quality of the training as good, and 22% high quality.
However, the need to designate a specific person onboard to deal with cyber incidents, should they arise, was discussed by the cyber experts on the SAS webinar. “There’s always somebody onboard, though they may not be an electro-technical officer specifically that will have a grasp of this, and they are always the one the captain calls when the email doesn’t work,” explained DeWitt. He then said it is that person who the company should invest their time in, and an estimated 16 hours of training would be sufficient, as long as it is backed up with trained support staff onshore.
Jarle Blomhoff, group leader cyber safety and security, DNV GL, suggested that the chief engineer should be the one onboard that shipping companies should endow with extra cyber expertise. “If you look at the chief engineer onboard, they have to be a software scientist, mechanical, electrical, and automation engineer. They have to be a jack of all trades, it’s a difficult task but still but if I had ownership of the problem that is where I would invest my money,” said Blomhoff.
Ship staff are usually people on contract who change every few months, and do not necessarily have all the technical knowledge needed to deal with a cyber incident onboard, Tanya Blake, editor SAS, put forward. However, DeWitt spoke of amendments being made to the Standards of Training Certification and Watchkeeping to incorporate cyber security training into normal training programmes for crew. This may resolve certain issues of training and awareness of crew in the future.