BIMCO launches new Cyber Security Guidelines
On 5 January 2016, BIMCO, in association with CLIA, ICS, INTERCARGO and INTERTANKO, launched its first ever set of guidelines aimed at preventing cyber security breaches on board ships that could have major commercial and safety repercussions for operators within the global shipping industry.
The aim of the Guidelines is to raise awareness within the industry of cyber security risks so that operators can put measures in place to guard against such attacks.
The operation of ships is growing increasingly reliant on connectivity to shore-side networks for the provision of necessary services. Cargo management systems, digital navigation systems, propulsion and machinery management systems and communication systems are just a few of the essential on-board systems that operate via an internet connection with a shore-side provider. Such systems are coming under increasing risk of disruption, not just as a result of technical failure but from cyber-attacks by those looking to profit, or to gain satisfaction, from the severe consequences such an attack may have for a company’s operations. Operators should ensure they are fully aware of exactly how shipboard systems are connected to exposed networks and what the operational effect would be should those networks be disrupted.
The Guidelines come after the European Parliament and the Luxembourg Presidency of the EU Council of Ministers reached agreement in December 2015 on the text of the first ever EU Directive on cyber security, the Network and Information Security Directive (“the Directive”). The Directive is aimed at improving national cyber security capabilities to prevent incidents of cyber disruption and, where that is not possible, at improving co-operation amongst states and businesses in order to minimise the consequences of a technology breach. The Directive places an obligation on all operators of “essential services” (i.e. those businesses deemed to play an important role for society and the economy) to take appropriate security measures to minimise the risk of network and information security (“NIS”) disruptions and, when they do occur, to report incidents to the national authorities. The transport sector (air, rail, water and road) falls within the Directive’s definition of “essential services”.
The Guidelines focus on the unique issues facing the shipping industry on board ships. As a first step, they detail the cyber threats currently faced by the industry and the potential consequences for companies and the ships operated. It is only once these threats are understood that companies can take the necessary steps to assess their vulnerability to a potential attack and to minimise their exposure accordingly.
Assessing the risk
The Guidelines make clear that responsibility for cyber security should rest with the senior management of the company and not be delegated to the Ship Security Officer or IT Department. The level of exposure to cyber risks will depend on the operations of an individual company: where and how it operates, the IT systems used and the means by which data is stored. Any assessment of the risks posed by cyber threats is integral to the standard business practices of a company, and so a senior-level, strategic review is required to weigh the risks against their potential implications for business operations. Once the risks are identified, the company should then perform an audit of the current systems and procedures on board the ship in order to assess their ability to respond to the level of threat identified. If necessary, a third-party risk assessment may be appropriate to identify potential risks not identified during the self-assessment phase. Recommendations on how to conduct the assessment and document the findings are set out in the Guidelines.
In addition to assessing the risk to on-board systems, ship-owners would be well advised also to assess the cyber security defences of third-party service suppliers, to ensure that they do not introduce a weak link into the ship’s on-board systems.
A further area to consider is whether insurance coverage is sufficient. Many policies expressly exclude cover for physical damage or harm caused by malicious cyber events, and, as data is intangible, it may not be covered by certain definitions of property.
Reducing the risk
Reducing the identified cyber risk should be the main aim of a company’s cyber security review, and the strategy for doing so should be determined by senior management. The Guidelines advocate that systems be put in place to manage cyber security on board, and that responsibility for ensuring on-going security be delegated to the master, IT officers and the security officers. Technical cyber defences may be required, with the focus on designing on-board systems to be resilient to attack. Procedural defences may also be required in the form of company policies, safety management and security procedures. Whether technical or procedural, all defences should be compatible with the company’s obligations regarding data protection, and the Guidelines detail best practice in relation to both. The Guidelines recognise that implementing technical defences may be more straightforward for newly built ships. For existing ships, consideration need only be given to implementing technical controls that are practical and cost-effective.
Developing contingency plans
Each company should develop effective plans for responding to a cyber incident. All ships and personnel should have access to these plans in hard copy. In complex and severe incidents, such plans should provide for obtaining external expertise to mitigate the consequences. Contingency plans should be routinely tested and all relevant personnel trained in their application. An effective response plan will determine the chain of command in the event of an incident and set out the procedures for handling cyber incidents and for the recovery of the affected systems, data and connectivity.
The Guidelines detail the minimum requirements that any contingency plan should include in order to respond effectively to a cyber incident, including consideration of whether any shore-side assistance will be required and, if so, how this should be obtained. The Guidelines also advocate that a full investigation be undertaken following a cyber incident, in order to better understand the risks faced and how to reduce the company’s vulnerability to such attacks in the future.
Those operating in the shipping sector should take careful note of the increasing risk of disruption from cyber-attacks. Where comprehensive policies are not already in place, steps should be taken to ensure that compliance with the rules and Guidelines is swiftly achieved. Cyber threats are changing all the time. It is BIMCO’s intention to update the Guidelines regularly to ensure shipping companies have the most up-to-date information to assist them in protecting against risk.
Cyber disruption and hostile attacks are immediate, unforeseen and, given the nature of the internet and the shipping industry, have potentially global consequences. Trying to stem a technological breach once it has occurred may prove to be a herculean task and will leave a company exposed, not only to the risk of operational downtime but also to scrutiny by the authorities as to the adequacy of its compliance procedures. This is particularly the case where the breach results in the loss or misuse of data subject to data protection laws, as such a breach could lead to fines or even imprisonment.
Article authors: Ted Graham, Su Yin Anand