BIMCO's position on "cyber security" has been approved by the BIMCO Board of Directors.
High-level framework regulations that address cyber security are already provided by the International Safety Management code (ISM), which entered into force on 1 July 1998, and the International Ship and Port Security code (ISPS), which entered into force in 2004.
Information Technology (IT) and Operating Technology (OT) systems onboard ships are used for a multitude of purposes, such as controlling engines and associated systems, cargo management, navigational systems, administration, etc. Until recent years, these systems were commonly isolated from each other and from any external shore-based systems. The increased integration of systems and the greater use of digital ship-to-shore communication and data links now expose ships to cyber risks and cyber attacks.
BIMCO, CLIA, ICS, INTERCARGO and INTERTANKO have published the Guidelines on Cyber Security onboard Ships, which offer guidance to shipowners and operators on how to assess their operations and develop the necessary procedures and actions to improve resilience and maintain integrity of cyber systems onboard their ships. It is a “living” document that will be updated to reflect the development of cyber security threats and new technical and procedural mitigation measures.
Cyber security threats are dynamic in nature and protection against threats is a continuous “catching-up” task. Regulations tend to be static and the nature of a regulatory process renders the result somewhat outdated when adopted.
- Additional regulatory actions are not required because the ISPS and ISM codes are suitable regulatory frameworks for cyber security.
- Development of industry guidelines, the implementation of guidelines on all ships and construction of cyber-resilient ships and OT systems are essential to address cyber security risks.
- BIMCO supports IMO’s work to develop voluntary guidelines on maritime cyber risk management.
- Software maintenance has a cyber security aspect. Standards for software maintenance onboard to protect shipboard networks and equipment should be implemented.
- Users and external groups pose cyber risks and awareness needs to be raised in the industry. Training and education are essential as mitigating measures.