SAFETY

In July 2004, the International Ship and Port Facility Code (ISPS) was implemented following the tragedy of September 11, 2001. Immediately stated in the foreword is the objective to “detect/assess security threats and take preventative measures against security incidents affecting ships or port facilities.” The emphasis throughout the ISPS Code is physical security; ultimately, keep the bad players out. The instances where computer systems and networks are mentioned in the code is to consider them a system that needed physical protection. Nearly 17 years later, the code is still relevant regarding physical security, however, in the age of digitalization, the maritime industry’s growing awareness of cybersecurity is bringing new security challenges to the forefront.

Today, the maritime industry is learning the importance of the connection between cybersecurity and vessel operators. Actual and de facto regulatory entities, such as the International Maritime Organization (IMO), flag states, port state control, insurance companies, and classification societies have distributed varying levels of guidelines regarding cybersecurity but there is no industry standard.

In 2017, IMO released its Guidelines to Maritime Cyber Risk management, providing recommendations and best practices for industry, however these are not mandatory provisions.

In the United States, the Coast Guard released a “Navigation and Inspection Circular” stating that it is the port facility’s responsibility to conduct a cyber assessment and to provide feedback to the local Captain of the Port about actions taken to mitigate their risks. While rules and regulations may provide the performance standard industry-wide, vessel operators must understand the need to mitigate the cyber risk to overcome vulnerabilities from external threats, even without a regulatory basis.

While conducting port state control examinations, I observed vessel operators who went above and beyond the various regulations, rules, and standards had safer and more secure vessels. Vessel operators and the mariners onboard, who understood the relationship of having a vessel run safe and efficiently to avoid any port state control deficiencies, or potentially detentions, were able to maintain their aggressive sailing schedule.

Vessel operators implemented the required rules and regulations combined with best practices from years of experience. Ownership of safety was passed down from the vessel operator to the mariner. A vessel’s crew was able to keep the aggressive sailing schedule by not compromising the safety of the vessel and the crew.

With increased digitalization and automation, vessel operators must take into consideration cybersecurity to mitigate the risk to operational and informational technology systems. The security threats have evolved to more than a suspicious individual attempting to gain access to the vessel or the port facility. Vessel operators are now faced with the challenge of now securing the same technology that was intended to improve the efficiency of shipping.

While informational and operational technologies have historically been treated separately, vessel operators need to recognize that although they perform different jobs, they ultimately work together for the vessel operator.

For vessel operators, protection of information technology is vital due to the importance of company data that is being stored and used, such as cargo manifest, crew data, sail plans, etc. Protecting and securing the systems with this information has been a long-standing practice and continues to evolve as new types of threats emerge.

Operational technology, which at one time operated in a closed system, can also be the target of an attack if appropriate cybersecurity safeguards are not implemented. While most attacks have targeted IT systems, an attack targeting OT systems leading to a company losing control of its vessels, cause major loss of equipment and life and significant environmental damage.

Going forward vessel operators will realize that physical and cybersecurity are both equally important to maintain safe operations of ships and keeping its crew safe. Security measures will continue to evolve as technology improves and adapts to the maritime world.

Vessel operators will navigate how to protect and improve their cybersecurity by using in-house personnel, hire third party vendors to assist with the risk mitigation, and use cyber software to continually monitor systems. Additionally, technical and procedural best practices will need to be developed and implemented to safeguard vessel operators, mariners, and the systems they work on.

Taking a proactive stance regarding cybersecurity as part of the vessel operations is highly imperative in today’s digital society.

BARBARA WILK Marine Safety Officer U.S. Coast Guard