Page 23 of Maritime Logistics Professional Magazine (Sep/Oct 2019)
Energy Ports Oil-Gas-LNG
Cisneros
Think cybersecurity doesn’t apply to the maritime industry? Think again.
tries, cybersecurity in the maritime industry has not been taken seriously enough, and it has been within the scope of regulators and industry stakeholders for several years.

On June 16, 2017, the International Maritime Organization (IMO) adopted Resolution MSC.428 (98). This instrument encourages governments to ensure that ships trading under their flags address cyber risks in their Safety Management Systems (ISM Code), no later than the first annual verification of the company’s Document of Compliance after January 1, 2021. It should be recalled that ISM Code already prescribed a formal requirement (mandatory since 2010) for companies to assess the risks to ships, personnel and the environment arising from their shipboard operations, with cybersecurity now considered one of these risks.

In 2002, long before the risk assessment tool was made mandatory for the safety management systems of ship owners and operators, IMO had amended the SOLAS convention to incorporate the International Ship and Port Facility Security (ISPS) code, compulsory from July 2004. The ISPS Code requires that a ship security assessment (SSA) be performed and include identification and evaluation of key shipboard operations and the associated potential threats. Furthermore, Part B.8.3.5 of the Code recommends that the SSA should address radio and telecommunication systems, including computer systems and networks.

Yet, in 2017, one of the world’s largest shipping companies (A.P. Møller-Maersk) reported a huge loss due to business interruption caused by the NotPetya virus attack.

A number of international shipping organizations and companies have developed the Guidelines on Cyber Security Onboard Ships, which can be voluntarily implemented by the shipping companies and operators. These guidelines help to cope with the increasingly integrated systems and processes that rely on automation, as well as information and operational technologies (ECDIS, AIS, GPS, email, electronic shipping documents, to name a few), that are more interconnected as a network and to the internet.

The guidelines propose a Risk Management Approach consisting of six steps, namely:
• Threat identification
• Identification of Vulnerabilities
• Risk exposure assessment
• Developing protection and detection measures
• Establishing contingency plans
• Response and recovery from cyber security incidents

Some of the cybersecurity challenges facing the maritime industry have to do with one or more of these steps. As an example, threat identification should include activists, disgruntled employees, or cyber criminals, deliberately seeking to cause damage to a company’s reputation, or disrupting its operations, by publishing (or threatening to publish) sensitive information to obtain the attention of media; or launching a Denial of Service (DoS) type of attack flooding its networks with bogus data.

Also, an important relationship is between the ship owner or ship manager and the ship agent. The agent is the party interacting continuously with the ship’s crew, ship owners and operators, terminals, port services, vendors, authorities, independent inspectors, etc. Agents exchange sensitive information between these parties to coordinate their efforts. For this reason, the ship agent may become a target of cyber criminals who exploit their weaknesses and ultimately use them as an external access point, in order to breach the company’s or ship’s systems.

Last but not least, it is necessary to bear in mind that cyber risk is different from any other safety or security risk, in that detection and evidence of a cyber-attack may go unnoticed for months, or even years. Therefore, little information is available for a prompt response to a cyber incident, or to evaluating areas of opportunity for continual improvement of cybersecurity until damage is done.

In conclusion, cybersecurity in the maritime industry is a complex and changing topic, requiring expert advice, specialized measures and dedicated resources to effectively mitigate the negative consequences of an ever more interconnected world. Despite all the challenges posed by cyber risk, ship owners and operators can now take action and, assisted by cybersecurity and risk professionals, prevent the disruption of the supply chain and the benefits it brings to society.

The Author
joined MatthewsDaniel in 2015 with extensive marine and offshore experience. His seagoing career started in 1989 as a naval mechanical engineer on different types of offshore support vessels, then moving onshore as port engineer and head of maintenance for Mexican and Chilean companies. He was also senior marine surveyor, ISM/ISPS auditor and MLC inspector for a major classification society, leading numerous projects and performing safety inspections and security audits on behalf of Flag Administrations. David is an accredited CMID inspector, bi-lingual Spanish and English and a member of the Society of Naval Architects and Marine Engineers and the National Fire Protection Association.