BIMCO's position on "cyber security" has been approved by the BIMCO Board of Directors.
Suitable high level framework regulations implicitly covering cyber security have already been adopted by the IMO via the International Safety Management code (ISM), which entered into force on 1 July 1998, and the International Ship and Port Security code (ISPS) in 2004.
Information Technology (IT) and Operating Technology (OT) systems onboard ships are used for a multitude of purposes, such as controlling engines and associated systems, cargo management, electronic sea charts, navigational equipment, administration, etc. Their use has traditionally been assumed safe and secure whilst not interconnected on board and also not linked digitally to ashore. Digitalisation of communication, integration and networking of shipboard equipment has, however, exposed ships to cyber risks and cyber attacks.
BIMCO, CLIA, ICS, INTERCARGO and INTERTANKO have published the Guidelines on Cyber Security onboard Ships, which offer guidance to shipowners and operators on how to assess their operations and develop the necessary procedures and actions to improve resilience and maintain integrity of cyber systems onboard their ships.
Cyber security threats are dynamic in nature and protection against threats is a continuous “catching-up” task. Regulations tend to be static and the nature of a regulatory process renders the result somewhat outdated when adopted.
Additional regulatory actions are not required because the ISPS and ISM codes are suitable regulatory frameworks for cyber security.
Software maintenance has a cyber security aspect. Standards for software maintenance onboard to protect shipboard networks and equipment should be implemented.
Users pose cyber risks and awareness needs to be raised in the industry. Training and education are essential as mitigating measures.
BIMCO supports IMO’s work to develop voluntary cyber security guidelines.
Software for OT systems should be designed to facilitate patching of vulnerabilities. Cyber security starts with manufacturing of onboard equipment and new ships should be built with due consideration to cyber resilience. The IACS Cyber Systems Panel is expected to support and lend resources to build cyber resilient ships in the future.