In order to advance ports and shipping, and make it more competitive, states and maritime organisations have relayed greatly on communication technology and digitalization of maritime operations. However, the risk of cyber attacks has been identified by International Maritime Organization (IMO) as the one of the key non traditional threat to the safe and secure maritime domain in contemporary era. According to the IMO, maritime cyber risk refers to “a measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.”
It is believed that maritime transportation is operationally resilient to cyber risks, therefore IMO has issued a series of regulations and guidelines for cyber risk management in maritime domain. The very first guidelines on maritime cyber risk management referred as MSC.1/Circ. 1526 were issues by IMO on 1st June 2016. Maritime Safety Committee of IMO approved, during the 96th session, the “Interim guidelines on maritime cyber risk management” in referred circular. Later, on 2&3 June 2017, during the 98th session of the Maritime Safety Committee, it was emphasised that all organisations should focus on cyber risk management for ships operations in accordance with the objectives and functional requirements of the ISM Code. In this regard, in July 2017, on recommendations of Facilitation Committee and the Maritime Safety Committee, IMO approved non-compulsory “Guidelines on Maritime Cyber Risk Management”, though an official circular MSC-FAL.1/Circ.3. It was particularly referred to ship owners/ shipping companies and superseded the interim guidelines contained in MSC.1/Circ.1526.
Aim of these initiatives is to promote safe and secure shipping and port operations. It is pertinent to highlight that realising the growing trend of digitalization in maritime transportation, some other global maritime agencies have also responded to this emerging challenge through issuing notifications and guidelines. BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO and World Shipping Council have also contributed on cyber security in maritime domain through comprehensive briefs. These guidelines also provide awareness about dealing with cyber risks, including recommendations to safeguard shipping from current and emerging cyber related threats and vulnerabilities.
The Maritime Safety Committee, at its 98th session in June 2017, also adopted resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems. The resolution encourages all shipping companies to assess the cyber risks and devise appropriate measures to address to cyber threats in existing Safety Management Systems (as defined in the ISM Code) by 1st January 2021.
The timeframe between 2020-21 is considered crucial for compliance of these guidelines. In order to prevent the cyber attacks on maritime domain, the experts have devised cyclic practice module that needs to be adapted for cyber risk management. According to which:
- Assess: Organisations must perform cyber security capability assessment for their systems
- Plan: Must develop a cyber incident response plan.
- Train: Capacity building on cyber risks through tabletop exercises.
- Integrate Plans: Organisations must integrate work on Data Loss Prevention (DLP), Disaster Recovery (DR) and Business Continuity Plans (BCP) to avoid intense loses.
Cyber preparedness is needed not only to meet IMO safety requirements, but it has become a crucial requirement due to intense interconnectedness of shipping logistics around the globe. Any disruption can not only cause the financial implications for global shipping but can also be used by any nuisance elements for creating security issues. One very pertinent example in this regard is that of Somali pirates attack on ships of a Greek company in 2010-11. It was surfaced after research that 8 out of 11 attacks on ships of that particular company was an upshot of hacking of company’s data by hired hackers.
One very important factor that hampers the preparedness of shipping community for cyber risks is under reporting of cyber attacks in maritime domain. Usually shipping companies do not consider significant the cyber related issues, or they are often being shadowed with the issues of workers capacity and knowledge about technology. It is therefore that culture of developing an appropriate SMS framework does not exist in maritime sector. Hopefully, IMO les initiatives will be followed in true letter and spirit and by year 2021 the shipping will be made safer against digital and cyber threats.