Page 31: of Marine News Magazine (November 2021)

30 32

The Colonial Pipeline ransomware attack provides im- portant lessons for critical infrastructure providers in the maritime industry on being prepared for cyber-attacks. It still remains a mystery how the attacker, DarkSide, ? rst broke into Colonial Pipeline’s business network, but recent reports speculate that the pipeline was taken of? ine be- cause there was no separation between data management and the pipeline’s actual operational technology. “Other pipeline operators in the United States deploy advanced ? rewalls between their data and their operations that only allow data to ? ow one direction, out of the pipeline, and would prevent a ransomware attack from spreading in.” In this case, the attacker did not aim to take hold of the pipe- line, but held the data for ransom. The ransomware attack on Colonial Pipeline illustrates the need for separate, of- ? ine backup systems and cyber incident response plans.

Similar to the Colonial Pipeline attack and other recent cyber incidents, a targeted cyber-attack upon a sizeable ocean carrier or its supply-chain network could cripple signi? cant segments of the world’s transportation capacity to deliver essential goods. We have seen during the CO-

VID-19 pandemic the effects of hindered supply chains, scarce products on store shelves, and long lead times for integral components. To help address the need for in- creased action against cyber-attacks, the International

Maritime Organization (IMO) Maritime Safety Commit- tee, at its 98th session in June 2017, adopted Resolution

MSC.428(98) - Maritime Cyber Risk Management in

Safety Management Systems. The Resolution encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as de- ? ned in the ISM Code) no later than the ? rst annual veri- ? cation of the company’s Document of Compliance after

January 1, 2021. Additionally, the IMO has issued MSC-

FAL.1/Circ.3, Guidelines on Maritime Cyber Risk Man- agement. The Guidelines provide high-level recommen- dations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vul- nerabilities and include functional elements that support effective cyber-risk management. The Baltic and Interna- tional Maritime Council (BIMCO) has also published its own Guidelines on Cyber Security Onboard Ships to aid shipowners and ship managers meet the IMO requirement to implement cyber-risk management in their safety man- agement systems. The maritime community should review