BIMCO's position on "cyber risk management" has been approved by the BIMCO Board of Directors.
Information Technology (IT) and Operating Technology (OT) systems onboard ships are used for a multitude of purposes, such as controlling engines and associated systems, cargo management, navigational systems, administration, etc. Until recent years, these systems were commonly isolated from each other and from any external shore-based systems. The increased integration of systems and the greater use of digital ship-to-shore communication and data links now expose ships to cyber risks and cyber attacks.
Cyber security threats are dynamic in nature and protection against cyber attacks is a continuous “catching-up” task. Regulations tend to be static and the nature of a regulatory process renders the result somewhat outdated when adopted.
BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, IUMI and OCIMF have published version 2.0 of the Guidelines on Cyber Security onboard Ships (commonly referred to as the BIMCO Guidelines), which offer guidance to shipowners and operators on how to assess their operations and develop the necessary procedures and actions to improve resilience and maintain integrity of cyber systems onboard their ships. It is a “living” document that will be updated to reflect the development of cyber security threats and new technical and procedural mitigation measures.
IMO encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's International Safety Management (ISM) code’s Document of Compliance after 1 January 2021.
- Continuous development of the BIMCO industry guidelines, their implementation on all ships and construction of cyber-resilient ships and OT systems are essential to address cyber security risks.
- Support and engage in the development of international standards on cyber risk assessments and in making OT software resilient against cyber attacks in the future.
- Software maintenance has a cyber security aspect. Standards for software maintenance onboard to protect shipboard networks and equipment should be implemented.
- Training and education are essential as mitigating measures. Users and external groups pose cyber security risks and awareness needs to be raised in the industry.