You’ve probably heard of a vessel, management company or large maritime organization that has been the victim of a cyber security attack. It happens within this industry on almost a daily basis. Many cyber experts believe the maritime industry has seen an increase of over 900% when it comes to attacks against critical infrastructure within the past year. During the past few weeks, major shipping companies along with the IMO have suffered some type of attack. These attacks are going to continue to increase against maritime assets including vessels, management companies, and shore side facilities. Will the proposed cyber security regulations actually help you secure your networks and infrastructure? Most likely not.
IMO Cyber Regulations
What are the International Maritime Organization and the respective world governments planning to push forward when it comes to cybersecurity laws and regulations for the maritime industry? Very little. Industry organizations seem to be taking the lead when it comes to guidance and industry-specific best practices. Unfortunately, regulatory compliance does not always align with industry-best practices. Those best practices sometimes vary by industry and location. What is good for a large cruise ship might not always work well within the large yacht industry or the international cargo industry. Protection schemes need to reflect the vessel, their operations and infrastructure. There is no one solution that covers the entire industry.
Currently the IMO has issued Guidelines on Cyber Risk Management (MSC-FAL.1/Circ.3), and the Maritime Safety Committee, in their 98th session last year (June 2017), adopted Maritime Cyber Risk Management in Safety Management Systems (Resolution MSC.428(98)). This resolution encourages flag administrations to ensure that cyber risks are “appropriately addressed” as part of existing safety management systems (ISM code). This is set to take place by the first annual verification of the company’s Document of Compliance after Jan. 1, 2020.
I attended a conference with IMO officials. Several participants asked about changes to the ISPS codes to incorporate cybersecurity. The IMO said there are no such plans. They felt the existing code, in broad terms, provides the framework to address several threats, including cybersecurity.
Flag State Cyber Regulations
Flag states and some class societies have put forward some guidance documents regarding cybersecurity. The U.S. Coast Guard published cybersecurity guidelines in 2017 for MTSA-regulated facilities as part of an overall critical infrastructure cybersecurity plan. Nothing within this strategy mentions vessels. The MCA published “Cyber Security for Ships, Code of Practice,” a 73-page document with some good guidelines. However, there are no major regulations proposed regarding cybersecurity specifically for the maritime industry. Both the U.S. Coast Guard and MCA will need to develop guidelines based on the IMO 2021 mandate. Governments have been slow to develop cyber security guidelines, because they typically don’t have the expertise to understand cyber security requirements and there isn’t a single solution or regulation that can be put in place to provide for protect for all types of vessels.
Governments have put forward laws and regulations regarding cyber security, but they are more specific to handling data, not cybersecurity in general. I believe maritime industry regulations are not being proposed because of potential problems with enforcement of those regulations, along with several potential jurisdictional issues.
Industry Cyber Recommendations
There are several maritime industry-related organizations (within the cargo and cruise industry) that have provided guidance to their respective industries on cybersecurity. These documents mirror a document on cybersecurity put together in the U.S. by the National Institute of Standards and Technology. Published initially in February 2014 and revised in April, this 55-page document is not specific to any industry or organization, but critical infrastructure in general. Many of the principles, in theory, can be adapted to the maritime industry.
Insurance companies aren’t moving at lighting speed in producing cybersecurity coverage for the maritime industry and, specifically, vessel operations. There are several cyber-related products for companies and critical infrastructure, but at this point, most large insurers haven’t worked through the risk model for cyber attacks against large yachts, cargo vessels or cruise lines. Cyber-risk insurance for ships will start in the cargo industry, then move to cruise lines and large yachts. Insurance companies still need to collect data to determine how to best price that risk.
Cyber Security for your Vessel
Cyber security solutions don’t need to be expensive or highly complicated to be effective. Hackers won’t spend much time trying to penetrate your vessel or shore side networks if you have some effective measures in place. It is like burglars looking for the right house. If they see the burglar alarm sign in your front yard they will go to the next target. Hackers are very similar. Unless they are specifically targeting your vessel or company, they will move on to another target if they perceive any types of problems gaining access to you networks. I always recommend you work with a reputable maritime based cyber security company as there are a number of constraints in the maritime industry that are not present within land based organization. If your cyber security company doesn’t understand the maritime industry, they could put solutions in place that will cost you more, reduce your network throughput or cause additional problems. I haven’t seen many vessels – whether large yachts, cargo lines or cruise lines – with cybersecurity standards even close to that of the healthcare and financial industries. As an industry, we have a long way to go.