The perception of cyber security in shipping is evolving. What was once an afterthought is now an early-stage influence on projects, from software development through to ship design and system integration. Requirements to consider cyber security under the ISM Code, coming into force this year and known as IMO 2021, will reinforce that shift.
Under IMO Resolution MSC 428(98), shipping companies operating vessels over 5,000 gross tonnes will have to take all cyber risks into consideration as an extension of the International Safety Management (ISM) Code. This non-transferable legal requirement on the holder of the vessel’s Document of Compliance takes effect from the first renewal of the document after 1 January 2021.
The new requirement is not based on specific technical standards, which would need to be updated constantly. Instead, a thorough assessment of the risks and their management is needed. Ship owners will have to understand risks on individual vessels and document them in the ship safety management system, along with a plan for addressing those risks.
For anyone who follows the news or has seen Hollywood movies in the past few years, the risks of cyber attack are all too vivid. There are many assets on a ship that are potentially vulnerable and need to be considered in a risk assessment; navigation, propulsion, satellite, radar and communications systems are just some of the many examples. However, even seemingly minor breaches of digital systems can represent significant risks, says Paul Ward, Director of Cyber Security, Wärtsilä.
“Imagine staying in a hotel and telling the chef that you are allergic to peanuts. That information goes onto a system that is later hacked and your allergy information is deleted. The next night at dinner you are served a meal complete with peanuts in the sauce. In a maritime context that system is a safety risk that will need to be assessed and managed.”
While the direct focus of IMO 2021 is on how ship owners manage risk, the indirect consequence will be to raise the cyber security bar among suppliers and integrators of digital technologies.
Ward explains: “There are no requirements on suppliers from IMO 2021. But recommendations in many of the supporting documents suggest that one of the best ways of managing your cyber security risks is to pass some of those requirements to technology providers.”
It seems the approach is already taking root. As early as 2019 a survey by ship owner association BIMCO found that 83% of respondents would cancel a contract with a supplier if poor cyber security was evident, or if a product or service was found to be the cause of a cyber incident. In 2020, that sentiment began to translate into cyber security clauses in contracts with ship owners for the first time.
We're starting to see contractual requirements where if we have an incident or if we're aware of a vulnerability in a product or service, we should inform the ship owner and have certain policies and procedures in place.
- Paul Ward, Director of Cyber Security, Wärtsilä
One assessment is that this stems from IMO 2021 considerations, Ward adds.
Although the requirements do not demand that ship owners purchase more robust systems and software – they simply need to account for all risks – one way to simplify risk management is by using high-quality, secure products. Wärtsilä Voyage has been conducting a thorough review of cyber security related both to its products and its ways of working with industry partners.
One critical element of product cyber security is building security into software development through secure development lifecycle activities. Päivi Brunou, Head of Cyber Security, Wärtsilä Voyage, explains the concept: “Often the first thought to cyber security is after something bad has happened. But where you should start is when you are designing the product. You move from understanding the potential threats to setting the capabilities and requirements, making the code resilient, testing it and releasing it securely. We bring everybody to the table - test engineers, developers and product managers - to build products more securely. This is one of the key elements of cyber security resilience and we want it to be a backbone for everything we do with the product.”
Wärtsilä Voyage has been strengthening this approach in preparation for IMO 2021, concentrating first on the systems that are critical for vessel operations and those that have remote connections. Beyond the product design arena, the impending change has also been an opportunity to engage closely with the wider shipping ecosystem, says Brunou.
Our strategy is to embed cyber security into everyday activities. Lately we have been working even more closely with internal and external stakeholders like sales, field service, owners, yards, classification societies and many others to make sense of what is needed.
- Päivi Brunou, Head of Cyber Security, Wärtsilä Voyage
“Approaches can vary because companies have different operating environments and risk appetites – for example if you are primarily carrying passengers or cargo you are likely to have very different risk profiles.”
This collaborative element, going beyond the contractual relationship of providing technologies, could turn out to be the biggest gamechanger in the new cyber security regime. One prime example is the gap in overseeing vessel systems across the lifecycle.
“It’s a timing issue,” says Brunou. “The yard and the owner are experienced in collaborating to design and deliver a ship fit for purpose at the time of delivery, and for major asset upgrades in the future. However, we as an industry are increasingly implementing the processes to ensure that similar considerations for cyber security related maintenance and upgrades are also made throughout the ship lifecycle.”
Product level resilience is one thing, but ships are complex. When multiple vendors provide different systems in one vessel, the result is what Brunou calls a ‘system of systems’ that is often entirely unique. As systems become more complex and connected, the capability to identify and manage risks arising from integration will need to mature. There are ongoing initiatives within the market to ensure that the entire ecosystem matures at the pace required to meet the challenges presented by the integration of multiple complex and interdependent systems, says Brunou.
There are a lot of opportunities to improve cyber resilience, but it has to be done together.
- Päivi Brunou, Head of Cyber Security, Wärtsilä Voyage
“It is long accepted best practice that improving cyber security is best achieved by talking with your peers, proactively exchanging information and experiences.”
Cyber security maturity within the maritime sector will certainly improve because of IMO 2021. However, there is no magic switch that immediately delivers these results. As Brunou says poetically, no-one can take the moon from the sky straight away; for ship owners the initial focus will be on what is feasible. As their approach to cyber security matures, they will eventually look to even bigger gains. It will be a similar story with the national authorities charged with enforcing the legislation, Ward explains.
“Lots of governments are starting to realise that the potential weak points in their national infrastructure include those big ships out on the sea and the infrastructure that supports and powers them. Countries with strong maritime authorities and those that consider cyber security risk to be more important will implement IMO 2021 more robustly. But this is just an early step in a long journey.”