As BIMCO pointed out when launching its ‘Guidelines on cyber security onboard ships’ in January, the cyber threat never stands still; it is changing all the time. Add to that a sense that shipping is only now realising the extent of the problem, and it’s easy to see why the guidelines have been warmly received.
“Cyber is pretty complex to be honest,” says BIMCO deputy secretary general Lars Robert Pedersen. “It has relevance in relation to equipment manufacturers and how they design computer-based equipment, which is what we are finding on ships. This includes how the software is designed and how owners and operators maintain the software.”
And that’s just one part of the framework. The guidelines, developed in a round table with other industry bodies including the International Chamber of Shipping (ICS), Intercargo and Intertank, and the Cruise Lines International Association, focus on security onboard ships, including the ship itself and its safe operation.
A key point of the document is to develop understanding and awareness. This is broken down into six sections: identifying threats, understanding vulnerabilities, assessing exposure to risks, developing protection and detection practices, establishing contingency plans and responding to incidents. It is not there to audit or vet individual approaches but rather, like the name suggests, act as a guide.
“You need to appreciate there is no such thing as a 100% secure system,” says Pedersen, adding that if it is connected to the internet, it is vulnerable. It is a matter of how secure the industry wants to be, he points out.
“People need to understand that. We think the guidelines are a first when it comes to dedicated advice for ship owners. It is meant to be a living document, as unfortunately cyber security is a very dynamic area.”
Creating a cyber-savvy industry: changing behaviour
Understanding the threat is widely acknowledged as perhaps the greatest barrier to bringing shipping in line in with other industries such as the financial sector in terms of the robustness of security.
Peter Cook, chief executive officer of the Security Association for Maritime Industry (SAMI), hails the guidelines as a big step in the right direction, while accepting that, as people have different tolerance levels towards technology, capturing everyone in one document is difficult.
What Cook does argue strongly for is a change in culture. “Anecdotally, I have heard of companies who, when confronted to talk about this, have said, ‘oh well that’s what IT do’ and have dismissed it,” he says. “But of course, this is a culture that has to be embraced at board level in order for it to move down.”
Inspiration can be taken from the development of health and safety laws, he adds. “We haven’t got there yet with cyber, which isn’t surprising. It won’t happen overnight, but that is where we need to be.”
The guidelines can be viewed as playing an integral part in this, as very often threats can emerge from the misuse of equipment and devices onboard. “What this is really about is – and what is embedded throughout the document – is that a lot is related to human behaviour,” adds Pedersen. “That is true in any aspect of society; that human behaviour is probably the biggest risk when it comes to cyber security.”
As ships become more connected, with e-navigation now high on the agenda, this threat is only going to increase, meaning it is essential for crews to adapt sooner rather than later.
Matthew Williams, a senior marine adviser at the ICS, says that helping to change behaviour is part of why the release of the guidelines represents a seminal moment in the cyber battle.
“We very much think that they are guidelines for the industry, by the industry, that will be able to respond much more effectively than regulation could,” he explains. “In order to support appropriate behaviour in response to cyber risks, this is where the education and awareness comes in. We need to make sure it is evidenced based and balanced so that cyber is integrated or inherent as part of [people’s] approach to safety and security.”
Awareness is vital: reaching all corners
For a change to occur, however, an all-encompassing dissemination of the guidelines is needed, to ensure they reach every corner of such as a vast and diverse industry. As expected, this involves industry bodies and the maritime media, but also senior crew members, who should be passing the message down from top to bottom.
“What we are trying to do is to have the IMO propagate them to all their member states, for them to then disseminate to all their ship owners,” says Pedersen. “It is something that will take time. There needs to be greater awareness and people need to understand what they need to do.”
Williams is optimistic that the message is being heard – and attributes this to the work undertaken by shipping associations to distribute the guidelines to their respective member. “The coverage is quite broad,” he says, explaining that he and his colleagues know the “guidelines are getting down to company security officers, so the dissemination is quite effective”.
“We’ve also had the coverage of the development of the guidelines and their publication in the maritime press and at conferences dealing with the development of maritime technology and security,” he adds.
It will take a combination of these efforts and much hard work to truly communicate the threats that could befall any ship, whether it is at port or on the open seas. Cook is adamant that engagement from the top level is fundamental. “This is an issue that is not going to go away,” he warns. “We can’t stick our heads in the sand; it is here and here to stay. We have to learn how to do it.”
One obstacle to overcome is the vast amount of complex information relating to cyber security. It can be overwhelming at times, and for those who are not particularly well versed in technology, the task of understanding it can be daunting.
The way forward therefore, says Cook, is to reduce it down to bite-size chunks and make the guidance as easy to follow as it can be without diluting the core message. That, as a starting point, should help the industry towards greater awareness and a more secure future.