BIMCO’s Cybersecurity Guidelines: Shipowners’ and Operators’ Risk, Exposure, and Liability

Mainbrace | March 2016 (No. 2)

Kate B. Belmont

Introduction

On January 4, 2016, the maritime industry changed forever. With the release of “The Guidelines on Cyber Security Onboard Ships” created by BIMCO, CLIA, ICS, Intercargo, and Intertanko, the maritime industry acknowledged and recognized that cyber-threats are grave and cyber-attacks are happening. The maritime industry responded to the call for greater education on cybersecurity and greater protections, and created a set of guidelines for shipowners and operators to defend against such attacks. Accordingly, as the BIMCO Cybersecurity Guidelines make clear, shipowners and operators must be proactive in protecting against such threats, and they must be responsive. While the maritime industry has been hesitant to address cybersecurity issues and embrace the new realities of operating in a world heavily reliant on ICT (information and communication technology), with the release and publication of the BIMCO Cybersecurity Guidelines, the maritime industry no longer has its head in the sand. These guidelines have become the new standard against which shipowners and operators will be judged when addressing issues related to cybersecurity onboard ships.

The BIMCO Cybersecurity Guidelines provide instructions to shipowners and operators on how to assess their opera- tions and put in place the necessary procedures and actions to maintain the security of cyber-systems onboard their ships. Essentially, these guidelines serve as a “best practices” for shipowners and operators, on how to protect the cyber-systems onboard their vessels.

Cybersecurity Awareness

The first step in addressing cyber-risks, is understanding the cyber-threat. The BIMCO Cybersecurity Guidelines outline various types of cyber-threats and cyber-attacks, those who perpetrate such attacks, ranging from activists to criminals and terrorists, and examine their motivations and objectives, including reputational damage, financial gain, and commercial espionage. Shipowners and operators must be aware of a range of attacks, from a targeted attack, where a company or ship’s systems and data is being targeted, to an untargeted attack where a company or ship’s systems and data are one of many targeted. An example of a targeted attack would be spear-phishing, where an individual is specifically targeted with personal e-mails containing malicious software or links that automatically download malicious software. Another example of a targeted attack would be subverting the supply chain, whereby a company or ship is attacked by compromising equipment or software being delivered to the company or ship. It is also important to understand that attackers may attempt to access a company or ship systems and data within the company or ship, or remotely through connectivity with the Internet. Depending on the extent of the breach, an attacker may be able to manipulate ECDIS or gain access to commercially sensitive data such as cargo manifests or crew lists. The BIMCO Cybersecurity Guidelines make clear that all shipowners and operators must be aware of the potential cybersecurity risks when using IT systems onboard ships.

Risk Assessment

The second step in protecting against cyber-attacks is assessing the risk. In addition to understanding the cyber-risks associated with using IT systems onboard ships, the BIMCO Cybersecurity Guidelines note that senior management must be involved in cybersecurity. This is not an issue delegated to the IT department. In order to best protect your company and your vessel, cybersecurity must be incorporated pro- cedurally and operationally into all levels of your company. Senior management must be responsible for incorporating cybersecurity policies and initiatives throughout the company, not just in the IT department. This includes business processes and crew training. It is also recommended that a shipping company initially perform an assessment of potential threats, and an assessment of the systems and pro- cedures on board. For example, cargo management systems often interface with a variety of systems ashore, through the Internet, which makes certain cargo management systems and data in cargo manifests vulnerable to cyber-attacks.

Reducing the Risk

The next issue to be addressed is reducing the risk. This step involves technical cybersecurity controls, and the BIMCO Cybersecurity Guidelines suggest the Centre for Internet Security (“CIS”) as a reference for measures that can be used to address cybersecurity vulnerabilities. It is noted that technical cyber- security controls may be more straightforward to implement on a new ship than on an existing ship. One of the issues to be considering in addressing technical controls is satellite and radio communication. The guidelines suggest that the cybersecurity of the radio and satellite connection should be considered in collaboration with the service provider. For example, when establishing an uplink connection for ships’ navigation and control systems to shore-based service providers, it should be considered how to prevent illegitimate connections gaining access to the onboard systems. Malware defenses must also be incorporated and onboard computers should be protected to the same level as office computers ashore. canning software that can automatically detect and address the presence of malware in systems onboard should be regularly updated.

In reducing the risks, the BIMCO Cybersecurity Guidelines also specifically note that an awareness program should be utilized for all seafarers. For example, seafarers must understand the risks related to e-mails and how to detect a phishing attack, the risks relating to Internet usage, and the risks relating to the use of personal devices. Personal devices often do not have the same level of security and may transfer risk to the environment to which they are connected.

Develop Response Plans

Lastly, shipowners and operators must develop contingency plans in order to effectively respond to a cyber-attack or incident. It is recommended that contingency plans or response plans be tested periodically. For example, shipowners and operators must know what to do and how to respond when electronic navigational equipment is disabled. There also must be procedures for handling ransomware incidents, and operational contingencies for ships in cases where land-based data is lost. When a cyber-breach or incident has been detected, it is crucial that all relevant personnel are aware of the exact procedure to follow and know how to respond. Recovery plans should be accessible to officers on board, and how and where to get assistance, for example by proceeding to a port, needs to be part of the recovery plan. Finally, investigating a cyber-incident is also important. Determining how systems were breached and what vulnerability was exploited can provide a better understanding as to how to better protect your systems in the future. External experts are often useful in conducting such investigations.

Increased Liability for Shipowners

The BIMCO Cybersecurity Guidelines make clear the responsibility of shipowners and operators in protecting against cyber-threats. While these guide- lines provide a great source of education and direction, these guidelines also make a clear standard against which shipowners and operators can be judged. Shipowners and operators are now on notice that cyber-attacks and cyber-incidents pose a significant risk for the maritime industry. These guidelines outline such risks and offer a series of steps to mitigate losses. Accordingly, failure to take heed will result in exposure to greater liability. “The Guidelines on Cyber Security Onboard Ships” is the new standard for the industry—a standard that will be reviewed and considered by the IMO this summer. Shipowners and operators should follow these guidelines dutifully, and disregard at their peril.