BIMCO's position on "cyber risk management" has been approved by the BIMCO Board of Directors.
Information Technology (IT) and Operating Technology (OT) systems onboard ships are used for a multitude of purposes, such as controlling engines and associated systems, cargo management, navigational systems and administration. Until recent years, these systems were commonly isolated from each other and from any external shore-based systems. The increased integration of systems and the greater use of digital ship-to-shore communication and data links now expose ships to cyber risks and cyber attacks.
Cyber security threats are dynamic in nature and protection against cyber attacks is a continuous “catching-up” task. Regulations tend to be static and the nature of a regulatory process renders the result somewhat outdated when adopted.
BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, IUMI and OCIMF have published version 2.0 of the Guidelines on Cyber Security onboard Ships (commonly referred to as the BIMCO Guidelines), which offer guidance to shipowners and operators on how to assess their operations and develop the necessary procedures and actions to improve resilience and maintain integrity of cyber systems onboard their ships. It is a “living” document that will be updated to reflect the development of cyber security threats and new technical and procedural mitigation measures.
Cyber risks should be appropriately addressed in safety management systems no later than the first annual verification of the company's International Safety Management (ISM) Code Document of Compliance after 1 January 2021.
- Continuous development of the BIMCO industry guidelines and their implementation on all ships are essential to address cyber security risks.
- New ships should be built with cyber secure systems and components.
- Software maintenance has a cyber security aspect. The industry Standard on Software Maintenance of Shipboard Equipment should be implemented to protect shipboard networks and equipment.
- Training and education are essential as mitigating measures. Users and external groups pose cyber security risks and awareness needs to be raised in the industry.
- Consider what amendments should be made to clauses/charter parties to manage cyber risks.