Cyber Security IMO Regulations

Ignorance is bliss? Not when it comes to Cyber Security.

Technology plays a critical role in our daily lives. Technological advancements are blisteringly fast compared to previous years, which is why it has become an urgent topic of discussion. In this digital era of ubiquitous computing, organizations without Cyber Security are at risk. Land, air, water and cyber; it’s recognised as the fourth ground for nation-states.

As the drive towards digital transformation continues to ceaselessly gather momentum, industries need to reassess their security strategies. By not properly protecting the attack surface, private and public sectors leave themselves exposed to possible breaches.

What is Cyber Security Management and why is it so important?

In short, all connected digital systems are prone to cyber-attacks. Expanding networking capabilities to all corners of our lives can make us more efficient, but more susceptible. 2020 catapulted industries online, with cyber security becoming a top priority for businesses. The pandemic has effectively become a catalyst for cyber security threats to rise exponentially, with all sectors being vulnerable. Connecting to the internet also means connecting to potential cyber threats. Attackers are always on the prowl to compromise systems. Generally, hackers are motivated by financial gain via corporate espionage or by acquiring personal data. Not having “top secret type government information” or “lifestyles of the rich and famous” does not make one untouchable.

Maritime Cyber Security Risk

While the threat is very real, the yachting industry has been quite lackadaisical until recently. Reality is – the fancier the yacht, the greater the risk. Adding complexities to ensure an immersive, bespoke experience, has resulted in modern superyachts closely resembling an enterprise-grade network. Vessels are more connected than ever before. Despite the cutting-edge technologies to allow for reliability, efficiency, and safety, cyber security seems to have fallen by the wayside. A breach is troubling in any business; however, consequences could be far more serious in the maritime environment. Don’t assume to know what hackers want. Money may not be the only motive, terrorism is a scary reality. “A successful breach of a vessel’s control systems can potential grant the assailant the ability to take control of bridge systems and control the vessel’s operational functions from anywhere in the world, in real time”, Super Yacht News

IMO Cyber Security Regulations

“When we talk about cyber security, it is not a matter of if you will be attacked but when. In order to deal with that, you should have a risk management approach on it and this what the IMO is introducing.” Mr. Chronis Kapalidis, Cyber Expert, HudsonAnalytix

Because of the ever-rising threat of an inevitable attack, the IMO has put cyber security regulations in place for compliance by 2021. The MSC-FAL.1/Circ.3 guidelines enforce a mechanism for dealing with risk rather than listing controls that should be implemented. Not reinventing the wheel, the IMO decided to build off established international frameworks for cyber risk management, adopting five functions that represent a holistic approach to cyber risk management: Identify, Protect, Detect, Respond, Recover. By taking this functional approach, captains and security officials have the flexibility to use their discretion to tailor a program that effectively meets the requirements of their vessel without becoming excessively onerous.

NIST Cyber Security Framework

Not industry or size specific, the NIST Cybersecurity Framework (“CSF”) is a useful benchmark which the maritime industry can refer to when developing internal regulations and standards.

The CSF features five core functions,

Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.
Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations.
Detect: Develop and implement activities necessary to detect a cyber event in a timely manner.
Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event.
Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.

Is your vessel ready for IMO’s Cyber Security compliance?

“It’s been decided that no later than the annual verification of each company’s Document of Compliance, the 1st of January 2021, all shipping companies will be mandated to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code)”, Pelion Consulting

With a strong background in the yachting sector, Virtual Pursers recommend Pelion Consulting to ensure Safety Management Systems are updated and ready for audit after the deadline date.

Virtual Pursers are not a yacht management company; we are an extension of your crew and act as a landbased bridge to your shoreside counterparts. As trusted yachting professionals with 20 years combined industry experience, we are here to help as well as to keep you informed on relevant industry related news and updates! For more information contact info@virtualpursers.com or call +44 203 514 0413.

What is ISM?

The History of ISM

Otherwise known as International Safety Management, the ISM code has been integral to the SOLAS convention since 1994. The regulation came about due to investigations into accidents revealing errors on the part of management. It all started in 1987 when the Maritime Safety Committee developed guidelines concerning shore-based management to ensure the safe operation of ro-ro passenger ferries.

From July 1998, compliance became mandatory to all commercially operated vessels of 500 GT and above, including commercial yachts.

The Purpose of ISM

Safety of personnel and protecting the ocean remain the marine industries top concerns. The purpose of ISM is to ensure and maintain an international standard of safety for seafarers and prevention of pollution. Providing universal guidelines for the safe management and operation of ships at sea, the ISM is a common platform across all nationalities. This safety protocol eliminates discrepancies ensuring all vessels adhere to global mandatory regulations.

Safety Management System (SMS) & the Designated Person Ashore (DPA)

To effectively implement safety policies as set out by the ISM, “the Company” must establish a SMS for the vessel. Of which, a copy of the SMS must be readily available on-board. Detailing all the important policies, practices, and procedures, the SMS ensures compliance with the mandatory safety regulations recommended by the IMO and concerned maritime organizations. Yacht management companies should develop, implement and maintain a Safety Management System (SMS). Every company is expected “to designate a person or persons ashore having direct access to the highest level of management” in order to provide a link between “the Company” and those on board.

ISM Code particularly requires that the SMS incorporate the following

A safety and environmental protection policy;

Instructions and procedures to ensure safe operation of ships and protection of the environment in compliance with relevant international and flag state legislation;

Defined levels of authority and lines of communication between and among shore and shipboard personnel;

Procedures for reporting accidents and non-conformity with the provisions of the Code;

Procedures to prepare for and respond to emergency situations; and

Procedures for internal audits and management reviews.

Document of Compliance (DOC)

When the Company is verified for complying with the ISM Code, they will receive a Document of Compliance (DOC). Valid for a period of five years, the DOC is subject to annual verification within three months before or after the anniversary date confirming the approved SMS.

Safety Management Certificate (SMC)

For a DOC, the company’s ships must first receive their SMC. A SMC verifies that the Company and its shipboard management are operating in accordance with the approved SMS. The certificate issued to an individual ship has a validity period of five years.

An internal and external audit determines the issue of both the DOC and SMC. The company and ships carry out the internal audits, whereas, every 2-3 years, the ships flag state performs the external audit. To qualify, a manual consisting of information, records, reports or statements, indicating implementation of SMS by the company and the ship is required. This manual serves as proof of evidence based on observations, measurements or tests made during the audit. Failure to uphold the requirements of the ISM code will result in non-conformity, posing as a serious threat and requiring immediate corrective action.

To find out more about the ISM Code check out the International Maritime Organization

Some think the ISM code is a best practice, but it’s a minimum standard. Although super yachts have been engineered to be highly safe boats. The most critical safety element is the crew! Working alongside yacht management companies, well trained crew are paramount to the safety of the boat and its occupants.