
Cyber compliance

North brings humanity to cyber compliance

Colin Gillespie, Director (Loss Prevention), North P&I Club argues that implementing the systematic cyber resilience needed to meet the demands of the IMO 2021 guidelines demands a behavioural shift at the human level.

There are generally two types of responses that shipowners and operators can make to cyber threats: technical responses that deal with equipment and systems, and procedural responses that focus on how systems are used and how humans interact with them.

Technical steps can deliver quick wins. Corporate policies on cyber security can be consistent, clear and thoroughly rehearsed, but they can also be undermined by failing to address behavioural change.

Implementing new procedural controls involves changes in practices and attitudes and raised awareness and training. All of these take time and, to a certain extent, rely on willingness to change.

CYBER RISK

IMO resolution (MSC.428(98)) requires safety management systems to include cyber risk management. The new provisions will apply no later than a ship’s first annual Document of Compliance verification after 1 January 2021.

To comply, shipowners and ships need to have their IT, operating technology systems, and crew risk assessed to demonstrate preparedness against cyberattacks, and the actions to be taken should systems be compromised.

That guidelines are still being tweaked in the run up to ‘IMO 2021’ demonstrates that cyber security is an issue that is best dealt with continuously and ‘in the round’.

BIMCO will soon publish amended ‘Guidelines on Cyber Security onboard Ship’, for example, with updates on topics as disparate as crew training, risk assessment procedures in the SMS, essential cyber risks to be included in any ship security plan, and satellite systems vulnerabilities. 2021 is only a few short months away and the proactive ship owner or manager can be usefully getting on with their cyber compliance self-assessment.

SELF-ASSESSMENT STANDARD

Early this year, in a joint initiative with HudsonCyber, North invited Members to access the HACyberLogix cyber risk management platform free of charge on a time limited basis. The system aligns with many industry guidelines, including IMO’s own cybersecurity guidelines for 2021 compliance, as given in MSC-FAL.1/Circ.3. It also supports virtualised collaboration in supporting an enterprise cybersecurity program (perfect for operating in a pandemic environment).

The HACyberLogix assessment tool is a three-tier cyber risk management tool, consisting of 12 self-assessment domains. These assess how the company gathers information on cyber security capabilities in order to identify and manage vulnerabilities. Each domain is designed to cover a different aspect of the organisation’s cyber security effectiveness.

The model analyses and benchmarks the results to determine an organisation’s ‘cyber capability’ in a confidential report that includes prioritised recommendations that are designed to improve cyber risk management.

These recommendations effectively serve as a roadmap for the organisation to implement and sustain a cyber security program that aligns with the management of change disciplines inherent in a member’s SMS.

Naturally, the strengths and weaknesses that individual North P&I Club Members establish when their cyber risk management comes under scrutiny remain confidential. What can be disclosed is that almost 40 North Members have completed ‘Level 1’ HACyberLogix cyber risk management assessment.

A series of webinars have generated positive comments on the virtual nature of the platform, its accessibility on demand and its ability to handle multiple users. As the HACyberLogix methodology covers all aspects of a member’s organization, and thus drives cross-functional collaboration, it serves as a catalyst for driving cultural change at the human level.

Completing Level 1 puts users at a point where they understand their cyber resilience and can progress to include cyber risk management in their SMS. Levels 2 and 3 of the Cyberlogix package cater for more detailed and thorough assessments.

It is an approach that chimes with SCORA (Safety Culture Organisational Assessment), a tool for senior officers and shore-based managers developed by North’s loss prevention team and Green-Jakobsen and launched to some acclaim in 2019. SCORA reports on an organisation’s ‘safety capacity’ by scoring safety leadership, health and well-being, learning and development, reporting culture and risk management.

CYBER CULTURAL SHIFT

North’s view is that employing the ‘right crew’ is central to cyber resilience. The Club sees awareness campaigns allied with regular testing on cyber security basics as a way to kick-start behavioural change.

Clearly, in the face of ever-developing threats, instilling vigilance is critical if cyber resilience is to be implemented ashore and at sea. Here, the right tools can make cyber security best practice part of everyday business awareness.

Putting people at the heart of cyber security resilience is key to protecting your company.
