“Cyber attacks in shipping have been steadily on the rise of late, and safety in shipping today depends heavily on cyber systems with potential consequences towards both finance and safety,” Wu Shengwei, head of section for shipping and technical advisory, maritime advisory SEAOI Region, for DNV GL told delegates of the Inmex SMM Virtual Expo, last Friday.
“There are threats in the field of information technology, like IT networks, e-mail, electronic manuals and certificates, planned maintenance, permits to work, spares management and requisitioning, administration, accounts, crew lists, etc, where mainly finance and reputation are at risk.
“Much worse are threats to operation technology like ECDIS and GPS, dynamic positioning, engine and cargo, etc, where there is danger to life, property and the environment, plus all the risks that are associated with IT.”
Wu said that IMO Resolution MSC.428(98) affirmed that the safety management system should take into account cyber risk management in accordance with the ISM Code. The verification deadline is the first annual document audit after 1 January 2021.
“The MSC-FAL.1/Circ.3 promotes a defence-in-depth concept,” he said. “The steps to be taken are: identify, protect, detect, respond and recover. It is essential to define personnel roles and responsibilities for cyber risk management, and identify the systems, assets, data and capabilities that, when disrupted, pose risk to ship operations.
“You must then implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations. You then need to develop and implement activities necessary to detect a cyber-event in a timely manner.”
At the ‘respond’ stage, it is essential to develop and implement activities and plans to provide resilience, and to restore systems necessary for shipping operations or services impaired due to a cyber-event. And finally, identify measures to back up and restore cyber systems necessary for shipping operations impacted by a cyber-event.
“There are certain steps that need to be taken systematically in case of a cyber attack,” said Wu. “First and foremost, it must be determined whether an event was actually a cybersecurity incident or a false alarm. If it is established that it was a cybersecurity incident, then escalation to the Incident Response Team is required.
“One needs to find out which information, network or system has been impacted. Also, there is a need to ascertain what the impact is in terms of confidentiality, integrity and availability (CIA), and assign priority for response activities based on the severity of the CIA impact. Thereafter, one needs to identify and notify all stakeholders, and then put in place a system recovery plan.”