Publications

5 Jul 2017:-

Joint industry launches latest industry guidelines on cyber security

The second edition of The Guidelines on Cyber Security Onboard Ships has been released. The latest practical advice has been compiled by the joint industry group, with members of BIMCO, Cruise Lines International Association (CLIA), International Chamber of Shipping (ICS), International Association of Dry Cargo Shipowners (INTERCARGO), International Association of Independent Tanker Owners (INTERTANKO), International Union of Maritime Insurance (IUMI) and Oil Companies International Marine Forum (OCIMF).

The Guidelines on Cyber Security Onboard Ships is available for download here.

The second edition includes information on insurance issues and how to effectively segregate networks, as well as new practical advice on managing the ship to shore interface, and how to handle cyber security during port calls and when communicating with the shore side.

The chapters on ‘contingency planning’ and ‘responding to and recovering from cyber incidents’ have been rewritten to reflect the fact that the guidelines are aimed specifically at ships and the remote conditions prevailing if a ship’s defences have been breached.

The Guidelines on Cyber Security Onboard Ships have also been aligned with the recommendations given in the International Maritime Organization’s (IMO) Guidelines on cyber risk management which were adopted in June 2017.

A new subchapter on insurance has been added, looking at coverage after a cyber incident, as this is an important part of the risk assessment which shipowners should now take into consideration. Finally, the Annex, which explains networks, has been rewritten based on shipowners' real experience of segregating networks on their ships.

Contact [email address protected] if additional information is needed.

 

3 Feb 2017:-

1. Overall

Although many individual organisations are developing guidance and material on cyber security, there are three global platforms studying and analysing cyber security issues:
• Two Committees at IMO, Marine Safety Committee (MSC) and Facilitation Committee (FAL);
• A joint working group (JWG/CS) led by IACS with members of INTERCARGO and other shipping industry associations and insurance (IUMI); and
• A shipping industry working group (IWG) with members including INTERCARGO, and IUMI.

2. Development with the platforms

2.1 IMO’s MSC 96 approved, in May 2016, circular MSC.1/Circ.1526, Interim Guidelines on Maritime Cyber Risk Management. It is more relevant to the Administrations.

2.2 JWG/CS had its 1st meeting on 11 Nov 2016 and is planning its 2nd meeting in the next few weeks. The outcome of the 1st meeting included general agreement on a list of 12 Recommendations as the basis of the initial deliverables that the JWG/CS will work on. The 12 Recommendations are:

1) Procedure for Software Updates
2) Manual Backup
3) Contingency Post Failure
4) Network Architecture
5) Data Assurance
6) Physical Security
7) Network Security
8) Vessels’ System Design
9) Programmable System Equipment Inventory
10) Integration
11) Remote Update / Access
12) Communications and Interfaces

Topics related to the risk assessment process will likely be discussed at a JWG/CS meeting in Mar 2017.

2.3 IWG developed a set of industry Guidelines on cybersecurity on board ships and submitted it as MSC 96/4/1 to IMO’s MSC 96 for reference on 4 Feb 2016.

3. Draft revision to the industry “Guidelines on cybersecurity on board ships”
After a few meetings since Nov 2016, the IWG produced a draft revision 1.14 of version 1.0 of the “Guidelines on cybersecurity on board ships”, which was circulated earlier today (3 Feb 2017) for comments by 17 Feb 2017. Members are invited to contact INTERCARGO via [email address protected] for a copy of the draft revision 1.14 to review and to provide comments by 17 Feb 2017.

20 Jun 2016:-

In the past, many people regarded cyber risks as more relevant to tankers and container ships, for obvious reasons: cargo-related financial losses and potential security issues have caught sufficient attention from shipping people. Now cyber risks have become a common concern. An increased regulatory burden may not be far away and shipowners should start reviewing their cyber security now.

Development at IMO

A set of Interim Guidelines on Maritime Cyber Risk Management was approved during MSC 96 in May 2016 and published as circular MSC.1/Circ.1526 on 1 Jun 2016. It provides:
• high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyberthreats and vulnerabilities.
• functional elements that support effective cyber risk management.

It is expected that the guidance in the circular will be supplemented by further guidance from Flag Administrations, national and international standards organizations and industry associations. The industry associations BIMCO, CLIA, ICS, INTERCARGO and INTERTANKO published “The Guidelines on Cyber Safety and Security Onboard Ships” in Jan 2016; it can be downloaded from http://www.intercargo.org/en/component/attachments/download/195.html.

Marine Insurance Clause

Many colleagues may have noted that there is an “Institute Cyber Attack Exclusion Clause Cl. 380”. When I read the presentation “Cyber Risks and Considerations for the Marine Insurance, American Marine Insurance Forum, Feb 26, 2015” by Wiggin and Dana, I found it quite complicated to understand. But it is clear to me that cyber risk has become an important issue for the insurance industry.

The insurance market for cyber insurance is maturing at a rapid pace with an increasing number of insurers entering the standalone market. More sophisticated threats have widened the focus from purely data breach to include property and business interruption. For current market trends, the webpage at http://www.miller-insurance.com/Independent/Reinsurance-cyber/Reinsurance-cyber.aspx shows:

• One of the most common cyber exclusions is the Institute Cyber Attack Exclusion Clause CL380. The CL380 is well-established and widely adopted, although its application is inconsistent despite the increase in demand for cyber cover.
• The exclusion has attracted the most attention in the energy market, where awareness of the potential for large first party property damage resulting from a cyber attack has been growing.
• The wide use of CL380 across a broad range of marine, energy and industrial property insurance policies means insureds are without cover for physical loss or damage stemming from cyber-related incidents.
• There has been evidence to suggest that the exclusion trend is abating, however. In 2013, Lloyd’s Kiln syndicate began offering SCADA insurance, while in early 2014 AIG launched a new policy that covers property damage and bodily injury exposures. Other insurers are now developing similar covers.

Development of P&I industry

It is pleasing to note that on 9 Jun 2016 the North P&I Club published a 7-page briefing on Cyber risks in shipping (http://www.nepia.com/media/435561/LP-Briefing-Ships-Cyber-Risks-in-Shipping-June-2016.PDF). While the briefing focuses on raising awareness of the cyber threats of unauthorised access and malicious attack, it is helpful to read the discussion in the section Cyber Risk and P&I Cover.
P&I policies cover liabilities arising from cyber risks in the same way as those arising from traditional risks, subject to P&I club rules. The rules generally require shipowners to show they have taken all reasonable measures to prevent losses and liabilities arising. Given the increasing use of technology on board and the potential impact of cyber risks on vessel operations, a proper cyber security policy should now be a key feature of an owner’s risk management programme.

IACS and its members

I joined a DNV GL webinar presentation with appreciation and learnt that some IACS members such as ABS and LR have published cyber security guidelines and DNV GL is developing its own. It was interesting to learn the following result of a poll during the presentation: training/awareness and lack of standards turned out to be priority issues.

ABS Guidance at http://ww2.eagle.org/en/rules-and-resources/rules-and-guides.html#/content/dam/eagle/rules-and-guides/current/other/221_Guidance_Notes_Cyber_Safety_Principles_Maritime_Operations
LR Guidance at http://www.lr.org/en/news/news/cyber-shipping-LR-issues-technical-guidance-for-ship-design-in-a-digital-age.aspx

Comments and views
Comments and views from members are welcome and appreciated.

 

6 Jan 2016:-

The cyber guidelines launched on 4th January 2016 are a first for the shipping industry, developed by international shipping associations, comprising BIMCO, CLIA, ICS, INTERCARGO and INTERTANKO, and with support from a wide range of stakeholders. The aim is to provide the shipping industry with clear and comprehensive information on cyber security risks to ships, enabling shipowners to take measures to protect against attacks and to deal with the eventuality of cyber incidents onboard a ship.

Cyber threats are changing all the time – the industry associations including INTERCARGO will regularly update the cyber guidelines to ensure shipping companies have the latest information available.

The copy of the Guidelines on Cyber Security Onboard Ships is free to download here.

Attachments:
Guidelines on Cyber Security Onboard Ships, version 2 - June 2017.pdf (file size 3234 kB, created 04-Jul-2017)