The third edition of the industry cyber risk management guidelines, Guidelines on Cyber Security Onboard Ships, now addresses the need to incorporate cyber risks in the ship’s safety management system (SMS). It also reflects a deeper experience with risk assessments of operational technology (OT) and provides more guidance for dealing with the cyber risks to the ship arising from parties in the supply chain.
The new guidelines are the third edition in as many years, which reflects the constantly evolving nature of the risks and challenges. They were put together through collaboration with industry bodies, including INTERTANKO.
OT risks differ
A second key expansion in the guidelines is around operational technology. Ships have more and more OT that is integrated with IT and can be connected to the internet, but the risks associated with OT are different from those associated with IT systems.
For example, malfunctioning IT may cause significant delay of a ship’s unloading or clearance, but with malfunctioning or inoperative OT there can be a real risk of harm to people, the ship or the marine environment.
Another new element in the guidelines is a number of examples of actual incidents to demonstrate the real-world situations shipowners and operators face. The examples have been anonymised.
According to surveys, the joint Industry Guidelines on Cyber Security Onboard Ships are widely used across the industry. The surveys also show that the industry is more aware of the issue and has increased cyber risk management training, but there remains room for improvement.
Supply chain risks
A third new focus area is the risk of malware infecting the ship’s systems via the many parties associated with the operation of a ship and its systems.
Advice includes evaluating the security of service providers, defining a minimum set of requirements to manage supply chain or third-party risks and making sure that agreements on cyber risks are formal and written.
The guidelines also underline the need for ships to be able to disconnect quickly and effectively from shore-based networks, where required.