'Cyber Security Workbook for On Board Ship Use' is referenced in ISGOTT Sixth Edition as a source of practical guidance for Masters and ship’s crew (ref: ISGOTT 6, section 6.4, para.3).

In recent years, the shipping industry has undergone a digital revolution: internet connectivity on board has become common and ship’s systems are increasingly digitised and integrated. With this growing level of connection, comes greater risk. Ships are now a common target for hackers and it has become crucial that the entire crew has an understanding of how and when cyber attacks can occur.

Using detailed, step by step checklists, Cyber Security Workbook for On Board Ship Use provides a ship’s Security Officer with the practical skills to identify cyber risks and to protect vulnerable onboard systems. It also gives guidance on how best to detect, respond and recover in the event of a cyber attack.

This workbook will help to ensure that cyber risks are appropriately addressed in the onboard SMS (as required by IMO Resolution MSC.428(98)). It will also benefit shipowners, ship managers, ports and their IT departments.

Cyber Security Risk Management – IMO Requirements and Guidelines

In 2017, the International Maritime Organization (IMO) adopted Resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems (SMS). This Resolution states that an approved SMS should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code. It encourages administrations to ensure that cyber risks are appropriately addressed in the SMS no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.

Resolution MSC.428(98) identifies cyber risk as specific threats that companies should address in the same way as any other risk that may affect the safe operation of a ship, its crew and the protection of the environment.

Cyber risk management should be an inherent part of safety and security and should be considered at all levels of the company, including senior management ashore and onboard personnel. In the context of a ship’s operation, cyber incidents should be considered as having the potential to result in physical effects and potential safety and/or pollution incidents. Company plans and procedures for cyber risk management should, therefore, be incorporated into existing security and safety risk management requirements contained in the ISM Code and ISPS Code.

Supporting Regulatory Guidelines

Version 4 of 'The Guidelines on Cyber Security Onboard Ships', which was produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, IUMI, OCIMF and the WSC, provides guidance on maritime cyber risk management. While primarily aimed at addressing the safety consequences of cyber incidents on board ship, the principles and protection measures in the Guidelines are equally applicable to all organisations in the maritime industry.

The Guidelines are aligned with IMO Resolution MSC.428(98) and the IMO’s guidelines. They provide practical recommendations on maritime cyber risk management and should be read in conjunction with this workbook.

Cyber Outlook for Shipping

While shore based advances in internet connectivity have been substantial over the last 20 years, shipboard access to the internet has not developed at the same rate. However, due to the increased availability of affordable VSAT communications this is improving and the world fleet is increasingly better connected. In the Futurenautics Crew Connectivity Survey in 2015, it was estimated that the average availability of internet access across all fleet sectors stood at 43%. According to a survey by ICS, by 2019, this figure had almost doubled to 82% and it continues to rise.

However, with the comparatively rapid increase in internet connected ships comes an increased risk of cyber incidents. Existing PCs on board are often dated and are networked with no added security protocols. On board, dedicated cyber security procedures and adequate crew training are often lacking.

The split of ship’s systems into IT (business computers, personal devices, etc) and OT systems (ECDIS, cargo control systems, etc) may mean a divide in how cyber security for these systems is approached: staff responsible for IT security may prioritise data protection and preventing network vulnerabilities, whereas OT staff may view safety and continued reliability of operations as paramount. However, this workbook highlights the interconnectedness of these systems on board and the holistic approach to cyber security that must be taken. It offers practical advice on security measures that can be used to protect the ship as a whole.

Purpose of this Workbook

This workbook has been designed as a practical, straightforward and easy to understand guide to support the Master and officers on board ship. It is designed to facilitate understanding and good collaboration between individual ships, onshore IT departments and equipment manufacturers. The workbook may also be useful to the wider maritime industry.

Checklists

Checklists have been provided to assist in day to day cyber risk management on board.

The checklists throughout this workbook are intended to be used on board ships by any officer. However, it is recommended that the role of inspecting cyber security, completing and verifying the appropriate checklists and identifying and reporting cyber security issues ashore is clearly defined in the SMS.

Along with the Master, the Ship Security Officer (SSO) has a responsibility to ensure adequate cyber security under the broad requirements of the ISPS Code. However, in practice, the responsibility for cyber security may also be delegated to an appropriately qualified officer. The officer should ensure they have a knowledge of the various cyber systems on board, including the satcom, all networks and all critical items of equipment.