Cybersecurity is currently hot-topic in the Maritime industry due to the upcoming enforcement of the IMO cybersecurity risk resolution from the beginning of 2021. The IMO resolution Resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems comes into effect from the 1 January 2021. After January 1 2021, Maritime operators have to demonstrate proper cyber risk management in their DOC-audit.
I recently sat down with Johanna Kull, Loss Prevention Executive at Alandia Marine Insurance company to discuss the state of cybersecurity in the maritime sector and what maritime operators need to be do in order to comply with the upcoming IMO resolution.
Listen to the Alandia Loss Prevention Podcast and check out their related blog post on the links below:
The maritime industry is becoming increasingly digitalised on many fronts: at sea, at port and on land. Vessels are undergoing digitalisation, with IT and OT equipment being installed to support new business demands. Bridges are being equipped with digitalised ECDIS systems, sensors are being deployed onboard to measure different aspects of vessel performance, and connectivity is enabled and boosted in order to support real-time monitoring and optimisation for the whole fleet. IT and OT systems are being connected to bridge the gap between the business and maritime operations in order to optimise operations, increase efficiency and create new opportunities and products.
With increased digitalisation comes new challenges. Cybersecurity is one of the new areas where shipping is facing new challenges. The maritime industry has been slow to adopt cybersecurity in their IT and maritime operations.
Some reasons for not prioritising cybersecurity are:
- Lack of understanding of cybersecurity in the whole organisation, from top management to crew
- Lack of regulatory requirements regarding cybersecurity
- Lack of support and budget for cybersecurity from management
- Lack of human resources in IT, OT and specifically cybersecurity
- Complex IT and OT environments on board vessels
Considering the reasons listed above, we recommend that the maritime industry and operators need to do the following:
- Get top management support for cybersecurity.
Top management support is essential for implementing an organisation-wide cybersecurity programme. Without the support and budget from top management, the chances of success are low.
- Identify and assess the cybersecurity risks in your environment
In order to know what needs to be done, the risks in the environment need to be identified and assessed so that a comprehensive action plan can be created.
- Based on the identified cybersecurity risks, create an action plan to mitigate those risks
The action plan, which is based on the identified risks, will be the top management-approved strategy for how the organisation will address and mitigate the identified risks.
- Create a cybersecurity management system to manage the governance of all cybersecurity efforts. Use familiar standards like ISO27001
Cybersecurity is a complex field, from top-level policies and processes down to technical details and the configuration of devices in the environment. There are existing frameworks and standards that can be used to build the cybersecurity programme so that you don’t have to do everything from scratch yourself. Use standards like ISO27001, NIST Cybersecurity Framework and ISO/IEC 62443 as a baseline for your cybersecurity programme so that you can rest assured that you have an industry-based standard to establish your work on that is also recognised by third parties, customers and regulators and is auditable.
- Train all employees in cybersecurity
Employee support and understanding are key to any successful project. Ensure that your employees, from top management to crew, know what cybersecurity means and what they can do to ensure that your environment is kept secure. This can be done by cybersecurity awareness efforts, training, courses and webinars, as well as internal communications from those responsible for cybersecurity in your organisation.
- Get external help from a knowledgeable partner in cybersecurity that can help with cybersecurity risk management and implementing cybersecurity in your environment
Cybersecurity is a complex endeavour that requires specialised knowledge that is hard to find. Your IT and OT teams are most likely already working hard with their regular tasks and projects, and it can be easier and cheaper to get help from knowledgeable third parties specialising in maritime cybersecurity instead of hiring hard-to-find experts in your organisation.
By taking these actions, cybersecurity will be better managed and aligned with the upcoming cybersecurity regulations that have been published by the IMO.
If you need advice and help with taking the necessary steps to comply with the IMO resolution then don’t hesitate to contact us so we can help you!