Cybersecurity and the Five Essential Elements of UR E26 Regulatory Compliance

The Evolution of IT Safety in the Maritime Industry: From Compliance to Strategic Necessity

In recent years, IT safety has transitioned from a mere box-ticking exercise to an essential business tool within the maritime industry. This shift is driven by increasing regulatory demands and the need for stakeholders to ensure robust cyber risk management. As cyber threats loom larger over the shipping sector—impacting vessel operators, charterers, ports, and the entire supply chain—the importance of comprehensive IT safety measures has never been more critical.

The Growing Cyber Risk Landscape

Cyber risk is a pressing concern for the shipping industry, with incidents of cyberattacks on vessels and port operations on the rise. The proliferation of technology solutions has not kept pace with the evolving threat landscape, leading to a situation where compliance with regulations is becoming more complex. Regulators such as the International Maritime Organization (IMO), the European Union, and the U.S. Coast Guard are stepping up their efforts to address these threats, introducing new guidelines and updating existing regulations to enhance cyber resilience.

The Role of Regulatory Frameworks

The International Association of Classification Societies (IACS) has introduced Unified Requirement E26, which sets a minimum standard for the cyber resilience of ships throughout their lifecycle—from design and construction to commissioning and operational use. This requirement is complemented by UR E27, which outlines the minimum security capabilities for systems and equipment to be deemed cyber resilient, specifically targeting third-party equipment suppliers.

UR E26 is grounded in the NIST Cybersecurity Framework, which emphasizes five key areas: Identify, Protect, Detect, Respond, and Recover. While this regulation currently applies only to newbuild vessels, there is a growing recognition among shipowners of the need to apply its principles to existing fleets. This proactive approach not only mitigates risks but also protects valuable assets and cargo.

Compliance: A Collaborative Effort

Achieving compliance with UR E26 necessitates collaboration among various stakeholders, including shipyards, owners, classification societies, original equipment manufacturers (OEMs), and IT and network operators. The IACS URs will be implemented by all member class societies, which will act as auditors, so compliance will be assessed with only minor variations in methodology and definitions.

To navigate this complex landscape, shipowners should focus on five key aspects to ensure compliance and enhance their cyber resilience:

1. Documentation

UR E26 mandates a higher level of documentation than previously required. Shipowners must prepare a detailed plan outlining the onboard network setup, configuration, and data flows. Inspectors will expect comprehensive documentation on network protection measures, including a test plan to verify the effectiveness of implemented controls.

2. Inventory of Onboard Assets

Maintaining an up-to-date inventory of onboard assets is crucial. This inventory should encompass all hardware and software related to computer-based systems (CBSs) and the networks connecting these systems, both onboard and ashore. Shipowners must be prepared to produce this inventory on demand.

3. Procedures

The regulation calls for the establishment of new procedures to defend against cyber threats and enhance risk mitigation. Shipowners need to define roles and responsibilities for remote monitoring, control, and maintenance of equipment. Developing these procedures should be closely aligned with training programs to ensure all personnel are well-informed and prepared.

4. Training and Awareness

Cybersecurity training for crew members is essential, along with regular awareness training for all personnel, including contractors and maintenance staff. Training should cover risk identification, recovery procedures for failed systems, and protocols for seeking external assistance. This ongoing education is vital for fostering a culture of cybersecurity awareness.

5. From Reactive to Proactive

While common cybersecurity solutions offer reactive protection against attacks, they often fall short in assessing vulnerabilities at a higher level. The future of cybersecurity in the maritime industry will require a shift towards proactive measures, including vulnerability assessments and penetration testing, to gain insights into potential threats and their evolution over time.

The Financial Implications of Compliance

The introduction of UR E26 represents a significant shift for the maritime industry, imposing an additional administrative burden that shipowners must navigate. Compliance will incur costs related to record-keeping, monthly service fees, and potentially extensive consultancy hours to develop necessary procedures and setups. As a result, shipowners may need to increase their IT budgets to leverage digital technologies while enhancing their cyber defenses.

Looking Ahead: Beyond Compliance

UR E26 establishes a baseline for performance, but it is likely that future regulations will demand even more stringent measures. The expectations of charterers, insurers, classification societies, and other stakeholders will continue to rise, compelling shipowners to adopt a more comprehensive approach to cybersecurity.

To achieve a higher level of compliance and safety at sea, the maritime industry must adopt a new perspective that transcends basic defense mechanisms. Compliance with UR E26 and similar regulations is only the beginning; shipowners must consider additional improvements to ensure their fleets operate safely in an increasingly complex cyber landscape.

In conclusion, the evolution of IT safety in the maritime industry underscores the necessity of proactive cyber risk management. By embracing regulatory frameworks and investing in comprehensive cybersecurity measures, shipowners can safeguard their operations and contribute to the overall resilience of the maritime supply chain.
