Cyber security means more than compliance
IMO-mandated ship cyber security took effect from January 1 this year, but the key to ensuring true resilience in the supply chain is collaboration, according to ClassNK
The International Maritime Organization’s 2021 Maritime Cyber Risk Management requirements for Safety Management Systems provide critical rigour for shipping to respond to rising cybercrime. The US Coast Guard, too, is focusing more this year on cyber risk management and, from October 1, will make assessments part of annual inspections for facilities falling under the 2002 Maritime Transportation Security Act.
The timing of these implementations is largely coincidental rather than planned, but their entry into force highlights how collaborative thinking on cybersecurity could benefit all stakeholders.
Collaborative thinking on cybersecurity has long been advocated by ClassNK, whose early positioning on the issue culminated in the ClassNK Cyber Security Approach. The approach, which involves layers of cybersecurity controls with stakeholder obligations that differ in each layer, remains the guiding principle driving the society’s position on cyber resilience.
Early 2019 saw the introduction of ClassNK’s Cyber Security Management System for Ships, prioritising safe navigation by protecting operational technology (OT) and information technology (IT) with physical, technical, and organisational measures. In the same period, ClassNK released Guidelines for Software Security, targeting parties rendering security attributes to software including developers, integrators, and operations on board, in a collaboration with testing, inspection and certification provider TÜV Rheinland.
The advanced position was demonstrated by the fact that, half a year before IMO 2021, ClassNK had already published the second edition of its Guidelines for Designing Cyber Security Onboard Ships, with full certification services and optional class notation offered based on the guidelines.
It is therefore no coincidence that ClassNK played a pivotal role as the sole classification society represented on the Reference Group behind the cross-industry Guidelines on Cyber Security Onboard Ships, developed by BIMCO and others. These guidelines underpinned IMO’s ability to deliver the regime requiring every ship’s Safety Management System to be documented as cyber risk-assessed by its first annual Document of Compliance audit after January 1, 2021.
If depth of knowledge is helping ClassNK support owners in their transition through IMO’s new cyber security regime, the society remains convinced a proactive approach in pursuit of best practice will be needed to stay one step ahead of cyber criminals.
In a further recognition of collaboration as shipping’s best defensive strategy, ClassNK last year became the first non-US organisation to join the Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC) as a maritime community partner.
“By joining the MTS-ISAC, we increase visibility of current, real-world examples of cyber threats targeting maritime transportation system stakeholders,” says Hirofumi Takano, Executive Vice President, ClassNK. “This gives us an opportunity to reinforce how, and periodically update, ClassNK’s standards to provide the latest recommendations to protect assets from cyber threats.”
MTS-ISAC describes the ClassNK collaboration as a “sterling example of the path forward” for classification societies. “While many organisations still have challenges with teams remaining in separate silos, cybersecurity requires a multi-disciplinary team approach,” the Delaware-based organisation states. “By building a cross-sectional team of marine and security experts, ClassNK implemented a maritime cybersecurity best practice for collaboration between their experts to engage with their stakeholders.”
ClassNK emphasises that the benefits of the collaborative approach are cumulative and bring opportunities for frontrunners to work together in ways that help companies with aims beyond compliance, and which recognise that cyber threats are dynamic and evolving.
The relationship with MTS-ISAC, for example, provides ClassNK with community-sourced cyber intelligence. MTS-ISAC recently deepened its resources by teaming up with the cyber risk specialist HudsonCyber to tap into its pre-emptive, maritime-specific cyber threat intelligence.