In the Maritime STAR EAM System, Cyber Risk Management is an integral part of your safety management solution, which enables and supports you to comply with IMO 2021 requirements.
Cybersecurity is a fundamental operational imperative in the maritime sector. In recent years, the industry has suffered several significant cyber-attacks that had a severe financial impact on the affected companies. Cybersecurity is an arms race between attackers and defenders, in which the attacker has the luxury of choosing the weapon first. Because such incidents will most likely occur at some point, cyber risk management is invaluable: the necessary preventive measures must be in place, and the capability for a quick recovery must be ensured.
The ISM Code, supported by IMO Resolution MSC.428(98), requires ship owners and managers to assess cyber risk and implement relevant measures across all functions of their safety management system by the first Document of Compliance verification after 1 January 2021. (DNV-GL)
Under IMO 2021, you must demonstrate that appropriate measures for handling cyber risk are an integral part of your safety management system no later than the next annual DOC verification after 01.01.2021.
IMO strongly advises that cyber risk management be integrated into existing management systems under the ISM Code and ISPS Code. With STAR EAM as the main management system onboard, you are well placed to meet the requirements and at the same time have a more robust ICT solution. Best of all, the crew who actively use the equipment will be more involved with cybersecurity and thus take more ownership of the procedures.
We recommend implementing and utilizing the STAR software functionality, as described below.
Utilizing the STAR System
The IMO Maritime cyber risk requirements are all covered by the NIST Cybersecurity Framework.
Applying the NIST Framework to ensure IMO compliance:
The first step (Identify) is to identify the cybersecurity objects relevant to the safe operation of the vessel. In Star IPS you do this by identifying the Technical Accounts that represent the relevant equipment and systems onboard. These should be tagged as CSM objects and given properties describing their risk and protection. See the example screenshot below.
[Screenshot: Technical Account with Data sheet]
To protect these objects (Protect), you need to identify the equipment and systems onboard that are used for protection against cyberattacks; these should likewise be tagged in the Technical Account structure. In addition, you should have written Procedures uploaded into Star IPS, linked to the relevant Technical Accounts, together with preventive Maintenance Jobs for inspections. Your Audit plans should include checklists for all CSM-related equipment, software, procedures, and crew competence. Star IPS has modules and functionality for all of this.
If a cyberattack has occurred, or an attempted attack has been detected (Detect), you may report it as an Incident or as a Near Miss report. More importantly, raise a Flash Alert about the undesired event to warn the crew on all vessels and implement the necessary preventive Actions across the fleet.
When a cyberattack is a fact (Respond), you should have a response plan in place to minimize the damage. In Star IPS this plan should be part of the procedures, and the incident record should describe the damage and consequences together with the corrective Actions implemented and any further preventive Actions.
To recover after a cyberattack (Recover), procedures should be in place describing the recovery Actions, including pre-defined corrective Actions and pre-defined corrective Maintenance instructions.
As an integral part of your safety management solution, the STAR EAM System enables and supports you in handling cyber risks.
The implications of non-compliance
The consequences of non-compliance are potentially huge. One aspect is the disruption of business continuity or interruption of operations due to cyberattacks and loss of data, all of which are likely to happen at some point.
More severely, the vessel may be found to be unseaworthy if its owner cannot show that appropriate due diligence has been performed in managing cyber risks in line with the new guidelines. Furthermore, many financing agreements require compliance with all elements of the ISM Code. It is therefore possible that a breach of the Code could put a borrower in default on their loan contracts.