From 2021, the International Maritime Organization (IMO) requires shipowners and managers to incorporate cyber risk management into their safety management systems: under IMO Resolution MSC.428(98), cyber risks must be addressed no later than the first annual verification of the company's Document of Compliance after 1 January 2021.  And the requirement has teeth: it is enforced through flag and port state inspections, which can result in fines and the detention of ships.

Decision-makers are paying attention.  But they are also wallowing in a sea of myths about what the IMO 2021 rules mean and how to comply with them.  Speedcast maritime cybersecurity experts outlined the magical beliefs that could send vessels and their owners into dangerous waters.

Myth #1: Cybersecurity is a new risk for vessels

Cybersecurity aboard ship?  Who ever heard of such a thing?  Well, as it turns out, everyone should have.  Vessel management systems have been in place for years, and look under the hood of almost any modern navigation, engine, cargo or communications system and you will find a computer.  Cybersecurity risk isn't new on board; what is new is the realization of how much risk there is to shipboard systems, and for that the IMO deserves thanks.

Myth #2: Cybersecurity is only about compliance

That’s like saying that knowing how to operate a car is only about winning a driver’s license.  It turns out that it’s actually helpful to know how to drive.  Cybersecurity threats have real-world impacts: unlawful discharges, engine problems, ransomware attacks that shut down the systems the vessel depends on.  Dealing with them is not principally about technology.  It is about management culture.  Everyone from crewing agencies to the people on board needs to make identifying and managing cyber risk as much a part of operations as the master’s review and regular safety meetings.  They must know the difference between good and risky practice and be able to spot a potential risk while it is happening.  Compliance matters, but it is the end result of keeping your vessels and company networks safe in a data-driven world, not the goal in itself.

Myth #3: Purchasing a manual makes the organization compliant

Purchasing a manual may be a good place to start.  It gives you the roadmap for understanding the requirements, evaluating how safe you already are, identifying problems and planning action.  But it is no substitute for implementation.  That means a comprehensive audit of all the cyber-safety factors, a gap analysis that determines where you fall short, and a mix of training and technology to raise your game, with the results recorded in the safety management system where an auditor will look for them.

Myth #4: No internet means no risk

If your systems aren’t connected to the internet, why worry?  Because the internet is just one way for malicious or faulty software to come aboard.

On a port call, a service technician plugs a USB drive into one of your computers to update software.  Presto, malware picked up from another system is copied onto yours and the trouble starts.  It may not even be an outsider.  It may be an officer or crew member who is unaware of the dangers.  That’s why some national security organizations plug up the USB ports on their computers with super glue: because people make mistakes.  Organizations that do not want to go that far can enforce the same rule in software with a removable-media policy that blocks mass-storage devices or allows only approved, scanned ones, and can log every device that is connected so that a port-call update can be traced afterwards.

Or maybe the problem is with the software update itself.  It’s not uncommon for a patch to one system to not play well with another system.  A faulty patch to the control system of a ship’s oily water separator can cause an unlawful discharge over the side and an environmental incident.  An update to a vessel management system can unexpectedly cause engine problems.  These are just as much cyber risks needing management attention as the dirty deeds of greedy hackers, which is why updates should be tested and approved before they reach a vessel, and why there should be a tested way to roll them back.

Scraping Off the Barnacles

One of the IMO’s recommendations is to conduct a comprehensive assessment of your current “cybersecurity posture” in comparison to best practice.  It will reveal the gaps and inform an effective plan to address them.  Speedcast is ready to help with its CyberInsights service, an assessment based on the industry-leading standards, frameworks and practices referenced by the IMO guidelines that the International Safety Management (ISM) Code now requires companies to address.

Our webinar is available on-demand. The time you spend with it will help steer you through the sea of myths to find safe harbor on the other side.

Want to know what IMO 2021 is?  Check out our “Need to Know” video interview on Protecting Your Data Networks – Compliance with IMO 2021.