It has never been more important to have effective cyber security and crisis management plans in place, as highlighted by the recent NotPetya ransomware incident which affected Maersk.
Fortunately, all of Maersk Group’s ships – including its offshore support vessels, drilling rigs, floating production storage and offloading vessels and production platforms – remained operational and unaffected by the cyber attack, but offshore ships are at risk from cyber attacks like any other type of vessel, so it pays to take note of every available source of information and guidance on the issue.
The latest was published this September by the UK’s Department for Transport (DfT). Its Code of Practice for Cyber Security for Ships was developed by the Institute of Engineering and Technology with the support of the Defence Science and Technology Laboratory. It doesn’t set out specific technical or construction standards for ship systems but provides a useful management framework that can be used to reduce the risk of cyber incidents.
As David Beattie, a solicitor at BLM, and Gemma Pearce, a partner at the law firm, noted recently, in the wake of a number of high-profile cyber incidents in the marine sector, it came as no surprise that the DfT has released the code. As they said, it should be considered by board members, insurers, senior officers and those responsible for day-to-day operation of vessels.
As they also noted, the DfT emphasises that the code should be used as part of an overall risk management scheme. It therefore supplements the existing requirements under the International Ship and Port Facility Security Code. In particular, the provision of a company security officer and a company security assessment is elaborated on, with a view to achieving enhanced cyber security.
At over 70 pages the code is comprehensive, but to summarise, the predominant points are that shipowners and companies should:
- Assess their current cyber security arrangements and identify risks.
- Prepare a written cyber security plan (CSP).
- Plan for continuing assessment and monitoring of the cyber security plan.
- Implement the CSP and manage cyber security by appointing a cyber security officer and creating a security operations centre.
- Effectively handle the release of information to third parties.
- Monitor and handle any cyber security breaches.
It is also highlighted throughout the code that for security arrangements to be effective, the responsibility for security policies, processes and procedures should flow down through contracts and supply chains.
As partners at another law firm, HFW, noted, cyber attacks can harm crew, vessels and cargo and cause business disruption, loss of sensitive information and damage to a company’s image. In the offshore oil and gas sector the risks are, if anything, even greater than in other parts of the shipping industry.
IT systems have become increasingly interconnected, as has the shipping industry, a process that is set to accelerate in future as the industry looks to autonomous and semi-autonomous vessels that will require propulsion and machinery system management from shore, creating new opportunities for exploitation.
The motivation for cyber attacks can be wide ranging, from low level cyber vandalism and hacktivism to espionage, terrorism and warfare, but whatever the motivation, the shipping industry must be ready to deal with this broad range of threats – and so should offshore shipowners.