TT Talk - Cyber lessons: goose & gander

Recent actions in the maritime sector in relation to containing cyber risks offer some useful lessons for the remainder of the intermodal supply chain. Embrace and apply the principles accordingly.

The International Maritime Organization's (IMO) Maritime Safety Committee held its 98th session (MSC98) in June 2017. Amongst many relevant and important matters was the continuation of earlier discussions concerning cyber security, with appropriate focus on the maritime mode and the vital ship/port interface.

As events have subsequently evolved, particularly in relation to the 'NotPetya' cyber event, such debate and the resultant actions are not a moment too soon - indeed, many in the industry may still be behind the pace in considering these risks. Maritime IT security specialist, CyberKeel, recently stated that 'vulnerability to cyber attack is common among the shipping industry, with 44% of carriers displaying low levels of cyber security'. Furthermore, Lars Jensen of SeaIntelligence revealed that one of the top 20 liner carriers allows the use of 'x' as a password on their eCommerce platform and another defines '12345' as a 'medium strength' password.

A general call to the industry is contained in TT Talk - Appreciating supply chain cyber risk to review the state of preparedness following the recent cyber events and implement more robust and resilient processes and systems. There is an inexorable drive throughout international trade towards digitisation, improved internal and stakeholder system integration, and the investigation of possibilities for automation. The opportunities in relation to safety and efficiency are immense; there are plenty of risks involved too

Maritime moves…

All such advances rely on further development of information and communication technologies (ICT) that inevitably increase the number and complexity of interfaces with a broad range of counterparties and stakeholders. The debate at MSC98 recognised such matters, albeit primarily associated with the risks involved to ships' systems and networks. Two relevant outputs from this meeting are significant.

Firstly, the Committee adopted Resolution MSC.428(98) concerning the implementation of cyber risk management. As a result, ship owners and operators will need to take account of such risks in their safety management systems (SMS) and ensure that cyber risks are appropriately addressed no later than the first annual verification after 1 January 2021.

Secondly, MSC98 approved 'Guidelines on maritime cyber risk management' and issued a joint circular (MSC-FAL.1/Circ.3) with the IMO Facilitation Committee (FAL). As the circular states, these guidelines respond to the urgent need to raise awareness on cyber risk threats and vulnerabilities: 'The Guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyberthreats and vulnerabilities. The Guidelines also include functional elements that support effective cyber risk management.'

… others should follow

Subsequently, version 2 of ‘The Guidelines on Cyber Security Onboard Ships’, produced by a collection of maritime stakeholders led by BIMCO. These latter guidelines are more extensive, providing valuable background and expansion on the risk management processes that may be considered. While again the aim of the document is to assist ship stakeholders, TT Club would recommend it as enabling any supply chain stakeholder to assess their operations and put in place appropriate procedures and actions that will maintain security. Inevitably, ports exist at the crucial interface with ships - and some national authorities may seek to apply these guidelines more specifically - but the straightforward approach is widely applicable.

As referenced by Resolution MSC.428(98), there are other information security frameworks, such as ISO 27001, that provide a holistic approach to information security through the effective use of technology, auditing and testing, policy and process and staff awareness. ISO 27001 uses a risk management approach to information security ensuring an organisation can respond to the latest threats and cyber security risks. Dealing with the auditability side, ISO 27001 takes the process a stage further.

The initiatives from the maritime sector are certainly to be welcomed, not least due to the plethora of commentary concerning cyber issues. There is little doubt that exposures to organisations (and their insurers) arising in relation to cyber evidence that technology has a propensity to advance more rapidly than the general structural readiness to assimilate and mitigate these risks effectively. The combination of this and the drivers for change means that all debate that increases awareness, assesses the risks, interrogates and (appropriately) publicises breaches, is to be welcomed.

“technology has a propensity to advance more rapidly than the general structural readiness to assimilate and mitigate these risks effectively”

For those involved throughout the supply chain, but particularly non-maritime stakeholders, attendance at the ICHCA 65th Conference in October could provide a valuable opportunity to strengthen the grasp of this crucial but ethereal topic.

We hope that you have found the above interesting. If you would like further information, or have any comments, please email us, or take this opportunity to forward to any colleagues who you may feel would be interested.

We look forward to hearing from you.

Peregrine Storrs-Fox

Risk Management Director, TT Club

Staff Author

TT Club

Date08/08/2017