BIMCO's position on "cyber risk management" has been approved by the BIMCO Board of Directors.
Information Technology (IT) and Operating Technology (OT) systems onboard ships are used for a multitude of purposes, such as controlling engines and associated systems, cargo management, navigational systems and administration. Until recent years, these systems were commonly isolated from each other and from any external shore-based systems. The increased integration of systems and the greater use of digital ship-to-shore communication and data links now expose ships to cyber security risks.
Cyber security threats are dynamic in nature and protection against cyber incidents is a continuous “catching-up” task. Regulations tend to be static and the nature of a regulatory process often renders them ineffective by the time they are adopted.
BIMCO, CLIA, ICS, INTERCARGO, InterManager, INTERTANKO, IUMI, OCIMF and WSC have published version 3.0 of the Guidelines on Cyber Security onboard Ships (commonly referred to as the BIMCO Guidelines), which offer guidance to shipowners and operators on how to assess their operations and develop the necessary procedures and actions to improve resilience and maintain integrity of cyber systems onboard their ships.
BIMCO has published a Cyber Security Clause requiring the contractual parties to implement cyber security procedures and systems to help reduce the risk of an incident and respond efficiently if such an incident should occur.
Cyber risks should be appropriately addressed in safety management systems no later than the first annual verification of the company's International Safety Management (ISM) code’s Document of Compliance after 1 January 2021.
- Continuous development of the guidelines on cyber security, and their implementation on all ships, are recommended to address cyber security risks.
- New ships should be built with cyber secure systems and components in accordance with future IACS unified requirements.
- Software maintenance has a cyber security aspect. An ISO Standard that sets a framework for maintaining software and the requirements for a software maintenance logging system should be developed.
- Training is a key risk mitigating measure. Users and external parties pose cyber security threats, and awareness needs to be raised in the industry. If training requirements are formalised, pragmatic solutions should be included to take into account the rapidly changing cyber threat.