Cyber security, a continuous “catching-up” task

10th June 2017

Cyber risk management is one of the shipping industry’s main challenges, as technology (IT) and Operating Technology (OT) systems onboard ships are used for a multitude of purposes, such as controlling engines and associated systems, cargo management, electronic sea charts, navigational equipment, administration, etc. Not only does it ensure the security and the safety of vessels, but it also protects the marine environment. Their use has traditionally been assumed safe and secure whilst not interconnected on board and also not linked digitally to ashore. Digitalisation of communication, integration and networking of shipboard equipment has, however, exposed ships to cyber risks and cyber attacks.

That’s why the vulnerabilities arising from the connectivity of such systems create cyber risks which need to be addressed.  Not only the risk of malicious attacks to ships but also risks occurring from seafarers having access to the systems on board ship, for example by introducing malware via removable media. With the evolution to unmanned vessels the importance of suitable protection is bound to increase. Indeed, the ecological, commercial and security consequences of a cyber incident would be incalculable.

To help shipping industry players develop resilient approaches to cyber security, IMO approved guidelines on maritime cyber risk management. These ‘high level’ recommendations do not enumerate all possible cyber risks, but they do state that proper cyber risk management takes into account all risks, with the awareness that such risks are forever changing. In short, to achieve an effective cyber risk management, corporate culture should include an awareness of cyber risks at all levels. Cyber policy and risk management procedures are organisation-specific and they need permanent evaluation and evolution. Cyber security threats are dynamic in nature and protection against threats is a continuous “catching-up” task. Regulations tend to be static and the nature of a regulatory process renders the result somewhat outdated when adopted. That is the reason why there is no value in developing specific regulations to address this issue. However, international legislation at IMO level is to be preferred over local legislation.