Reflecting the new age of electronic marauding, a cyber-risk management plan must now be included in a vessel’s safety management system (SMS) under international law. Related inspections will focus on critical navigation components and cybersecurity “hygiene,” including frequently changing default passwords for onboard devices.
The changes under the International Safety Management (ISM) Code were adopted by the International Maritime Organization’s Maritime Safety Committee in June 2017 and implemented on Jan. 1. Each vessel’s cyber-risk plan will be evaluated along with the rest of the SMS no later than the first annual verification of the document of compliance after Jan. 1.
The goal is to protect operational technology as well as a ship’s integrated technology that connects shipboard systems to the internet. Individual vessels, as well as vessel owners and operators, are subject to cyberattack. According to Naval Dome, an Israel-based maritime security specialist, cyberattacks on the industry have increased 900 percent since 2017, with operators as large as Maersk and COSCO being affected.
The U.S. Coast Guard’s inspections will focus on systems critical to safe operation and navigation. Stand-alone computers and other systems that are not essential to operations or navigation will not be examined.
The inspectors will determine if a vessel has had a third-party assessment and complies with basic cybersecurity hygiene like changing default passwords and not having passwords taped to devices. The inspectors also will observe if the crew or officers complain about computer problems that impact shipboard systems, or if spoofed emails from the master or crew are being sent to shoreside recipients within the company. Depending on the initial findings, inspectors may conduct a more detailed review and issue deficiencies based on any portion of the management plan that was not implemented.
For compliance under Coast Guard auspices, marine inspectors and port state control officers will conduct the cyber-risk assessments for all U.S.-flag vessels and foreign-flag ships that call on U.S. ports. Some security experts, however, question whether port inspection agencies have the technical skills for the job.
“I don’t think the enforcement agencies around the world have the expertise to be able to get on a boat and be able to really determine what the cybervulnerabilities are,” said Corey Ranslem, CEO of International Maritime Security Associates in Miami Lakes, Fla.
If a ship’s cyber-risk management is not in compliance, it is subject to enforcement action similar to any other SMS violation. If the vessel failed to implement a management plan, the inspector may issue an operation deficiency and an ISM deficiency. The deficiencies must be corrected before the vessel is allowed to depart, and the vessel must conduct an internal audit.
Vessel owners should have a third-party consultant conduct a risk analysis of the shipboard network and devices, Ranslem said. A vulnerability scan, which can be done remotely, will identify shortcomings like a weak firewall. Then the vessel’s crew or an information technology consultant can correct the problem before an inspection.
Ranslem has inspected a vessel on which a hardware firewall had been installed, but nothing was connected to it because shipboard personnel couldn’t get it to work. “You can’t always blame the crews,” he said. “They need help to manage these systems.”
According to the Coast Guard, approximately 1,170 U.S.-flag vessels maintain SMS certification, including 600 that do so on a voluntary basis. Non-commercial, recreational and fishing vessels are not subject to the requirements, nor are those that operate exclusively on the Great Lakes and connecting waters.
Because the cybersecurity standards don’t require specific technology, the cost of compliance may be relatively low depending on the vessel’s age and current equipment. A third-party assessment can identify risks and help develop a plan to address them.
“I tell vessel owners, you’re going to pay a little bit for cybersecurity now, or you’re going to pay 100 times more when there’s a breach,” Ranslem said.