Cybersecurity requirements under IMO 2021 are now coming into force. These requirements affect vessels along with the marine businesses that service them. Over the past few weeks, I have read several news articles and columns from experts stating that cyber attacks against the global maritime industry have risen by more than 900% over the past three years (this figure covers both shoreside businesses and vessels). A day does not go by without news of some type of cyber attack against a vessel or a marine business.
The primary driving force for the updated cybersecurity requirements is the IMO (International Maritime Organization). The IMO adopted Resolution MSC.428(98), "Maritime Cyber Risk Management in Safety Management Systems," in June 2017. It requires that cyber risks be addressed in a company's safety management system no later than the first annual verification of its Document of Compliance after January 1, 2021. This guidance is now being put into regulatory form by the IMO member states. The regulations require vessels to assess their cyber risk exposure and put a plan in place to deal with cybersecurity-related issues as part of their ISM Code (International Safety Management Code) documentation. The regulations are similar across countries, but there are some country-specific nuances. They also affect the maritime businesses that provide hardware and software to vessels, along with shoreside facilities that provide vessels with internet access.
The Safety Management System (SMS) is required by the ISM Code, which is mandatory under SOLAS (Safety of Life at Sea). The SMS is an organized system and plan to ensure the safety of the ship and the protection of the marine environment. The shipboard SMS documents how the vessel and its management deal with various risks, now including cybersecurity. Several aspects of the SMS also depend on compliance by the suppliers of equipment carried onboard. For example, a company supplying ECDIS (Electronic Chart Display and Information System) hardware and software to a vessel must meet the applicable IMO performance standards and type-approval requirements. Vessels and their owners/managers should likewise require cybersecurity compliance statements and mitigation plans from the businesses that supply them with critical IT/OT hardware and software, and from those that provide internet access, whether by satellite, cellular or a marina/port facility.
Maritime businesses that provide connected IT/OT hardware and software, or internet access, should have at minimum a vulnerability assessment of their networks and systems, along with a plan to deal with cybersecurity incidents that could affect their own operations and the clients they serve. Attacks both inside and outside the maritime sector have come through unprotected third-party vendors. Many of the largest recent compromises have originated with a vendor, the SolarWinds supply-chain attack being the most prominent example.
A simple, widely used framework is the NIST Cybersecurity Framework, published by NIST (National Institute of Standards and Technology) in the United States. It is a sound basis for putting together a plan to mitigate cyber risk for a vessel, and it should also be followed by the third-party vendors that provide vessels with connected IT/OT services. The framework is organized around five core functions that map readily onto a cybersecurity plan: identify, protect, detect, respond and recover.
There is always a lot to consider when it comes to cybersecurity and protecting vessels that move all over the world. If a potential attacker perceives any difficulty in attacking your systems, they will most likely move on to another target (unless they are specifically targeting your vessel or its owner). The maritime industry faces a number of vulnerabilities and threats, along with some very unique challenges; whatever else you do, don't let an unprepared or unprotected vendor become the attack vector used against your vessel.