Cyber risk management is becoming increasingly important

Cyber-attacks are a major threat to safe and smooth shipping. Aside from the dangers they pose to the ship, its crew and the environment, the financial damage is often significant as well. The comprehensively revised IMO guidelines help shipping companies and crews harden the ship's defences against computer attacks aimed at its digital infrastructure through effective cyber risk management.

Effective cyber security depends, for one, on the ship's type, its trading area, how digital it is and which interfaces lead outside. But there are also some fundamental aspects that should be observed – and this is where the IMO guidelines come in, providing valuable advice on how cyber security on board a ship can be approached and what should be considered in any case. Don't forget: the individual cyber risk management on board has to be specified in the ship's safety management system (SMS).

The IMO has revised its guidelines and published them as circular MSC-FAL.1/Circ.3/Rev.3. The guidelines now define key terms for this increasingly important security issue and focus on which systems need to be considered: from integrated bridge systems through cargo handling and general security systems to administration and crew management software.

For effective protection against cyber-attacks of any kind, the guidelines identify 6 functional elements that should be part of the cyber risk management of any ship:

  1. Clearly define who is responsible for the cyber risk management both in the shipping company and on board,
  2. Identify all digital systems – especially those that could be particularly vulnerable to cyber-attacks,
  3. Advice about the available options for cyber protection: from passwords and firewalls to incident response plans,
  4. Detection of attacks,
  5. Short- and long-term response and reaction to an attack,
  6. Transition back to normal operation after an attack.

functional elements. Only if ship management and crew are aware of the threats posed by a cyber-attack and the impact it would have will they take the necessary (personal) cyber hygiene seriously and thereby be able to ward off attacks successfully and react correctly in an emergency.

The IMO guidelines also point to further references on the topic, which have now been supplemented with requirements (procedures and technical standards) of the International Association of Classification Societies (IACS).

We as German Flag offer you additional support with our Guidance "ISM Cyber Security", developed together with the Federal Office for Information Security (BSI), which contains practical tips on planning cyber risk management in the safety management system (SMS) in accordance with MSC.428(98).

More information about the topic can be found in the ISM Circulars 04/2017 and 01/2020 as well as on this website under Cyber Risk Management.