How cyber risk fits into the ISM Code

15/08/2019

Vessel operators have until 2021 to incorporate cyber risk management into their safety management systems. Assessing IT and OT infrastructure in a systematic fashion will break a seemingly mammoth undertaking into a series of smaller, more manageable tasks. 

Ship managers and owners have until 1 January 2021 to make sure cyber risk is firmly integrated into their safety management systems. IMO affirmed the inclusion of cyber risk in the ISM Code in a resolution adopted at the 98th meeting of its Maritime Safety Committee (MSC) in June 2017, sending out the strongest signal yet that inaction is not an option.

Indeed, for several flag states the global regulator's recommendation for vessel owners and operators to assess the vulnerability of digital systems "in accordance with the objectives and functional requirements of ISM" amounts to making it a mandatory requirement.

Shipping companies are now as reliant on digital, automated and network-based systems in their day-to-day activities as any other kind of business. Furthermore, the scope of these systems has expanded from basic information management to actually controlling machinery and other on-board equipment.

The deepening integration of operational and information systems adds complexity. In addition to a loss of availability resulting from a system breaking down, whether due to a programming error, a component malfunction or the actions of a virtual intruder, the integrity and confidentiality of business processes are also at risk. Intrusions affecting this latter category are potentially more serious as they are harder to detect: they generally won't trigger alarms and the immediate impact will be less obvious.

Framework for cyber risk management

The ISM Code is an established framework for driving continuous improvement in safe fleet operation. Rather than attempting to tackle each and every safety issue individually, it provides a structure that can flexibly accommodate almost any possible need (see box). This focus on process allows it to manage the risks from IT and OT systems in an almost identical way to minimizing physical risks such as fire.

Incorporating cyber risk into a ship management system (SMS) will typically entail several months' preparation, depending on the complexity of technological systems on the vessels involved, but in all cases must be completed ahead of the first inspection by ISM auditors after 1 January 2021. Svante Einarsson, Senior Cyber Security Advisor at DNV GL, says: "Carrying out a rigorous assessment - particularly for the first time - is a taxing and sometimes overwhelming exercise. The whole purpose is to reveal previously unnoticed weaknesses and unconsidered vulnerabilities."

For some items, the solutions are relatively straightforward, such as altering a system's configuration or introducing new rules on usage, but others may require more work, necessitating software upgrades or hardware replacements. To meet the 2021 deadline, employing a combination of technical mitigations, revised (or new) procedures and staff/crew training offers a more practical and cost-effective route than attempting to find and implement wholly technical solutions to every risk.

Because of the inherent unpredictability in the scale of the task that lies ahead, Einarsson urges shipping companies to give themselves plenty of time: "It is better to start early with a limited scope and then gradually expand and add more detail over time as further requirements become apparent."

Cyber security task management

Assessing the dangers and pinpointing where remedial action is needed in a systematic fashion will split a single daunting undertaking into a series of smaller tasks that are easier to manage and carry out. Although ISM concentrates, of course, on the safety implications of cyber risk, Einarsson suggests preparing for 2021 provides an opportunity to consider the commercial and ethical implications of losing control of a vessel's IT and OT infrastructure.

Risk is a product of the repercussions of a particular event occurring and the likelihood that it will happen. This means a frequent but low-impact problem is comparable to a major incident that may only happen once in the lifetime of a vessel. Having defined criteria to measure total risk avoids the vagueness that surrounds arbitrary high, medium and low labels.

In some cases, insurance may prove a more sensible choice than attempting to implement a complicated technical fix. This route would be appropriate for scenarios that are deemed highly improbable and require countermeasures that would be excessively costly and introduce additional complexity into a system or working practices.

By the end of the process, the vessel owner should have a catalogue of safeguards aligned with each vulnerability identified during the assessment, together with notes explaining any residual risk. It is critical that safeguards are described in sufficient detail in the supporting documentation - both for compliance purposes and for facilitating changes at a later date. New cyber threats to industrial systems of the sort used on commercial ships are coming to light at an increasing rate. ISM does not prescribe a calendar schedule for assessing new risks but says that they should be accommodated as soon as possible. Or as Einarsson puts it: "The SMS should be a living document - it should be regularly updated and improved in response to a continually evolving risk environment."

Cyber awareness and behavioural change

Risk assessment and technical solutions are just one part of ISM. Like physical safety, cyber security hinges on the actions and behaviour of everyone involved in vessel operation - both at sea and onshore. A vessel's master, second officer, chief engineer and superintendent are among those who need a robust understanding of cyber risk and the possible consequences for vessel safety, as do its owner and senior managers, who, in addition to directing operations at fleet level, also have the final say on what systems are used on board.

It is just as important, however, that all crew - regardless of rank - and shore-based staff are taught about cyber awareness and are incentivized to abide by rules regarding cyber hygiene, such as respecting the difference between on-board networks for operational use and recreational use, and applying due diligence when interacting with systems, for example, questioning the provenance of suspect emails.

Read the full article: https://www.dnvgl.com