Maritime industry publishes updated guidelines for cyber security on ships

Maritime industry publishes updated guidelines for cyber security on ships

Maritime industry publishes updated guidelines for cyber security on ships

With cyber threats  constantly evolving, cyber related processes on board ships need to successfully provide protection against cyber attacks. For this reason, BIMCO along with several maritime industry organisations published the third version of the ‘Guidelines on Cyber Security onboard Ships’.

Cyber Security | 10/12/18

Cyber safety incidents can occur as the result of:

  • A cyber security incident, which affects the availability and integrity of OT, for example corruption of chart data held in an Electronic Chart Display and Information System (ECDIS);
  • A failure happening during software maintenance and patching;
  • Loss of or manipulation of external sensor data, critical for the operation of a ship. This includes but is not limited to Global Navigation Satellite Systems (GNSS).

To mitigate these dangers, the new guidelines are focusing on three new areas: Safety Management System, OT risks and supply chain dangers. Namely, they provide guidance to shipowners and operators on how to assess their operations and establish procedures to enhance cyber resilience on board their vessels.

Safety Management System

This new edition provides more information to assist shipping companies conduct proper risk assessments and include measures in their safety management systems to protect ships from cyber-incidents.

Specifically, a new dedicated annex provides measures that all companies should consider implementing to address cyber risk management in an approved SMS.

According to the guidelines, a proper cyber risk management should:

  • Identify the roles and responsibilities of users, key personnel, and management both ashore and on board
  • Identify the systems, assets, data and capabilities, which if disrupted, could pose risks to the ship’s operations and safety
  • Implement technical and procedural measures to protect against a cyber incident and ensure continuity of operations
  • Implement activities to prepare for and respond to cyber incidents.

However, the report notes that this is not so easy, as criminals are getting more inventive as the time passes.

OT risks

A key expansion in the guidelines regards operational technology. Ships have more and more Operational technology (OT) which includes Information technology (IT) and which can be connected to the internet. However, the risks associated with OT are different from IT systems.


But what are the differences between IT and OT systems. Generally, OT systems control the physical world and IT systems manage data. Traditionally OT and IT were different, but with the internet, OT and IT are coming closer. Disruption of the operation of OT systems may affect onboard personnel, cargo, damage to the marine environment, and impede the ship’s operation.

Namely, malfunctioning IT may lead to significant delay of a ship’s unloading or clearance, but with malfunctioning or inoperative OT there can be a real risk of harm to people, the ship or the marine environment.

On a ship, the job may be less focused on protecting data while protecting operational systems working in the real world has direct safety implications. If the ECDIS system or software controlling an engine are hit with malware, or if it breaks down due to lack of compatibility after an update of software, it can lead to dangerous situations

Dirk Fry, chair of BIMCO’s cyber security working group and Director of Columbia Ship Management Ltd, explains.

The guidelines also provide examples of actual incidents to present some real-world situations that shipowners and operators have faced.

On the upside, a Cyber Security Survey by BIMCO, Fairplay and ABS Advanced Solutions, the joint Industry Guidelines on Cyber Security Onboard Ships, indicated that the industry is more aware of the issue and has increased cyber risk management training. Nevertheless, improvements have to made.

Supply chain dangers

Another focus area is the risk of malware infecting the ship’s systems through the many parties associated with the operation of a ship and its systems.

Guides include evaluating the security of service providers, providing a minimum set of requirements to manage supply chain or third-party risks and ensuring that agreements on cyber risks are formal and written.

The guidelines also emphasize the need for ships to be able to disconnect quickly and effectively from shore-based networks, where required.

Protection and detection measures

As BIMCO notes, it is important to protect critical systems and data with multiple layers of protection measures, which take into account the role of personnel, procedures and technology.

In order to establish a decent protective wall, connected OT systems on board should require more than one technical and/or procedural protection measure. Perimeter defences, such as firewalls, are also vital for preventing unwelcomed entry into the systems, but this may not be enough. A combined defence is needed, which consists of the following:

  • Physical security of the ship in accordance with the ship security plan (SSP);
  • Protection of networks, including effective segmentation;
  • Intrusion detection;
  • Periodic vulnerability scanning and testing;
  • Software whitelisting;
  • Access and user controls;
  • Appropriate procedures regarding the use of removable media and password policies;
  • Personnel’s awareness of the risk and familiarity with appropriate procedures.

The following infographic presents ideal ways to carry out a decent cyber risk management approach:

Credit: BIMCO

For further advice on how to prevent cyber attacks, click the PDF herebelow

Leave a Reply

SSCP   CAS-002   9L0-066   350-050   642-999   220-801   74-678   642-732   400-051   ICGB   c2010-652   70-413   101-400   220-902   350-080   210-260   70-246   1Z0-144   3002   AWS-SYSOPS   70-347   PEGACPBA71V1   220-901   70-534   LX0-104   070-461   HP0-S42   1Z0-061   000-105   70-486   70-177   N10-006   500-260   640-692   70-980   CISM   VCP550   70-532   200-101   000-080   PR000041   2V0-621   70-411   352-001   70-480   70-461   ICBB   000-089   70-410   350-029   1Z0-060   2V0-620   210-065   70-463   70-483   CRISC   MB6-703   1z0-808   220-802   ITILFND   1Z0-804   LX0-103   MB2-704   210-060   101   200-310   640-911   200-120   EX300   300-209   1Z0-803   350-001   400-201   9L0-012   70-488   JN0-102   640-916   70-270   100-101   MB5-705   JK0-022   350-060   300-320   1z0-434   350-018   400-101   350-030   000-106   ADM-201   300-135   300-208   EX200   PMP   NSE4   1Z0-051   c2010-657   C_TFIN52_66   300-115   70-417   9A0-385   70-243   300-075   70-487   NS0-157   MB2-707   70-533   CAP   OG0-093   M70-101   300-070   102-400   JN0-360   SY0-401   000-017   300-206   CCA-500   70-412   2V0-621D   70-178   810-403   70-462   OG0-091   1V0-601   200-355   000-104   700-501   70-346   CISSP   300-101   1Y0-201   200-125  , 200-125  , 100-105  , 100-105  , CISM   NS0-157   350-018  , NS0-157   ICBB  , N10-006 test  , 350-050   70-534   70-178   220-802   102-400   000-106   70-411  , 400-101   100-101  , NS0-157   1Z0-803   200-125  , 210-060   400-201   350-050   C_TFIN52_66  , JN0-102  , 200-355   JN0-360   70-411   350-018  , 70-412   350-030   640-916   000-105   100-105  , 70-270  , 70-462   300-070  , 300-070   642-999   101-400   PR000041   200-101  , 350-030   300-070  , 70-270  , 400-051   200-120   70-178   9L0-012   70-487   LX0-103   100-105  ,