The IMO January 2021 deadline for shipping interests to incorporate cyber risk management into their existing Safety Management Systems is fast approaching. It is critical that stakeholders understand their vulnerabilities. The IMO has issued MSC-FAL.1/Circ.3 guidelines on maritime cyber risk management that does a good job of outlining the many vulnerable systems within marine operations, including:
2. Cargo handling and management systems;
3.Propulsion and machinery management and power control systems;
4. Access control systems;
5.Passenger servicing and management systems;
6.Passenger facing public networks;
7.Administrative and crew welfare systems; and
The IMO Guidelines also raise an important point on understanding the distinction between information technology (IT) and operational technology system (OT). In short, IT focuses on the use of data as information while OT focuses on the use of data to control or monitor physical processes.
These distinctions become important when it comes time to conduct a risk assessment of your operations.
Risk assessments should be the first step when examining your company, terminal or vessel’s cyber exposure. All parts of your business that are controlled or supported by computer systems need to be identified, and there are likely more than you realize.
The United States Coast Guard has very good guidance on how to start understanding and identifying your cybersecurity exposure (https://homeport.uscg.mil).
This guidance includes information from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICSCERT), which provides a wide range of information, tools, and services that can help companies assess their security, identify recommended practices, and improve their cyber security. (http://ics-cert.us-cert.gov/)
This brings up a very important point regarding cyber and the maritime environment. Often we are faced with unique risks in the maritime field, and while the cyber threat at sea does have some unique characteristics, most threats are the same as those faced by shore-side enterprises. The cyber threat does not care if you are in port or at sea. As long as you are connected to the internet, you are at risk. The Department on Homeland Security has numerous cyber tips and resources to help you educate your crews and shore-side support staff. This includes the Stop. Think. Connect. Campaign. Simple information such as this should be included as a regular part of onboard crew training.
A more comprehensive program has been developed by the National Cybersecurity and Communications Integration Center Industrial Control Systems (NCCIC). Its industrial controls system (ICS) team has developed guidance to assist owners in preparing their business, and networks, to handle and analyze a cyber incident. (https://ics-cert.us-cert.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_Cyber_Incident_Analysis_S508C.pdf ) Guidance such as this should be incorporated in the Cyber Risk Management sections of Safety Management Systems as required by the IMO.
Preparations to prevent or minimize a cyber incident are your first line of defense, however, companies still need to have a response plan in place that outlines how to respond when a cyber incident occurs. An important part of this plan is to working with your Insurance Broker and Underwriters to understand how to properly manage your risk with adequate insurance coverage.
The key here is to identify what is and is not presently covered. The big unknowns are so-called “silent” cyber exposures in most traditional insurance policies, which were designed when cyber was not yet a major risk and do not explicitly consider it. This can create uncertainty for businesses, brokers and insurers about which loss scenarios are covered. Group-wide, Allianz is reviewing cyber risks in property and casualty (P/C) policies in its commercial, corporate and specialty insurance segments and has developed a new underwriting strategy to address “silent” cyber exposures, ensuring that all P/C policies will be updated and clarified in regard to cyber risks. We want to remove the uncertainty of coverage for our business customers.
I often tell my clients that cyber security is a race without a finish. The IMO has given the maritime industry a deadline to get their cyber risk practices in order by January 2021. It is clear that the work will not end there. Cyber threats will continue to evolve in frequency and severity as we become more reliant on the technology. The Technology will be a positive for both increasing vessel safety and reducing risk, however, it requires staying vigilant for new and emerging threats. This vigilance is essential for the future of the industry because complacency is not an option.
About the Author: Captain Andrew Kinsey, Senior Marine Risk Consultant, Allianz Global Corporate & Specialty