The deadline to comply with the IMO’s sweeping cybersecurity mandate is more than eight months away, but the clock is ticking. While much of the maritime industry recognises the pressing need to protect ships and shore-based IT systems from cyber threats, many shipowners feel overwhelmed by the push to adopt expanded safeguards and ill-equipped to tackle IMO 2021 on their own.

A growing number of owners and operators are enlisting support. Classification society Bureau Veritas (BV) has been charting a clear path forward by way of a class notation to provide the support owners need. Advanced Services Director Jean-Baptiste Gillet describes the BV approach as a holistic, pragmatic approach to satisfying existing cybersecurity risk management requirements and the requirements of IMO 2021.

Follow the leader

Greek shipowners were early adopters of the ‘Cyber Managed ’ notation (NR659), which is now gaining traction in other regions too as the deadline to heed the IMO’s guidelines for maritime cyber-risk management draws closer.

Initially, interest in Cyber Managed was particularly strong amongst owners of technologically sophisticated tonnage like offshore support vessels and gas carriers, but quickly spread to the tanker and bulker sectors, among others.

The pursuit of regulatory compliance has, and will continue to be, a central driver of demand but the head of BV’s cyber division, Vincent Lagny, says the commercial benefits of a cybersecurity and safety notation are a motivator for many operators as well.

“The provision of a cybersecurity framework is becoming a prerequisite for a number of charterers, particularly in the tanker and LNG carrier segments,” he explains. “Our notation provides a clear indication that such a framework is in place. This may also be valuable when obtaining cyber insurance and, in some cases, to help secure financing.”

We are Bureau Veritas: Vincent Lagny
  • Head of Cyber, Bureau Veritas Marine & Offshore
  • 25 years of software development experience
  • Became an expert in cyber resilience during tours of the aerospace and naval industries
  • Developed BV’s Rules for Cybersecurity (NR659)
  • Chairman of the IACS Cyber panel
  • Sits on ENISA’s Transport Security Maritime Working Group and INSA’s Naval Ship Code Working Group

Lagny says the Cyber Managed notation, and all that it entails, also provides stakeholders with piece of mind when confronting a complex, unpredictable threat landscape. “Confidence in your ability to adapt, evolve and overcome all challenges makes it much easier to sleep at night,” he continues. “It’s what cyber resilience is all about.”

Countdown to compliance

The IMO’s guidelines for cyber-risk management enter into force on 1 January. Its aim is to ensure that companies and crews are ready and able to protect increasingly interconnected IT systems and operating technology (e.g. shore and ship-based software and hardware) from both targeted attacks and random threats.

While Cyber Managed offers a path to IMO 2021 compliance that can be completed in as few as three months, timelines vary and largely depend on the owner’s size, systems and cyber maturity. Gillet is confident that, with proper support, incorporating the IMO’s guidelines for cyber-risk management into existing safety management systems is a challenge that many owners can overcome with relative ease.

On the other hand, he cautions against leaving planning to the last minute. “We can draw important lessons from IMO 2020,” Gillet adds. “Though implementation went far more smoothly than many expected, owners that waited till late in the game struggled more so as a result. The bottom line for owners, regardless of size and cyber maturity, is that the time to act is now.”

We are Bureau Veritas: Jean-Baptiste Gillet
  • Director, Advanced Services, Bureau Veritas Marine & Offshore
  • Received an engineering degree from Ecole Polytechnique and an MS from Columbia University
  • Spent several years at Boston Consulting Group and time in the engine room of a French warship
  • For more than a decade he has been advising clients and stakeholders addressing complex and strategic challenges

As TradeWinds has reported, as the dust settles on IMO 2020, it’s widely believed the need to demonstrate cyber resilience will represent a considerable headache for smaller operators that lack large IT departments and those that fail to plan well in advance.

Reality check

This year, cyber threats topped Allianz’s annual list of global business risks for the first time ever. The ranking followed a survey of more than 2,700 corporate insurance clients, risk consultants and trade organizations from over 100 countries and territories. Seven years ago, cyber threats ranked 15 th.

“Awareness of the cyber threat has grown rapidly in recent years, driven by companies increasing reliance on data and IT systems and a number of high-profile incidents,” Allianz said.

In the insurer’s 2020 Risk Barometer it also warned that the involvement of nation states in cyber-attacks poses a growing risk for certain companies, which can be targeted for their intellectual property or by groups intent on causing disruption or physical damage to critical infrastructure.

“For example, growing tensions in the Middle East have seen international shipping targeted by spoofing attacks in the Persian Gulf while oil and gas installations have been hit by cyber-attacks and ransomware campaigns on the Risk Barometer,” Allianz wrote.

According to a report published by IBM X-Force (X-Force), the transportation sector was the third-most attacked in 2019. While frequency dropped from 13% to 10% year-on-year, it noted that this ranking underscores the growing appeal of data and infrastructure operated by transportation companies amongst hackers, which include cybercriminals and nation-states alike.

Cyberthreats to the transportation industry come with added risk compared to other sectors, given the potential kinetic effect an attack could have, putting human lives at risk, as well as the potential to cascade impact to other industries that rely on transportation services to carry out their operations

IBM X-Force

it said.

In 2019, X-Force claims the number of attacks aimed at operational technology (OT), which include systems that track real-time data and other pieces of critical hardware, was greater than the activity volume observed in the past three years. It noted many OT systems rely on legacy software and hardware that lack security patches against well-known vulnerabilities, which make them particularly susceptible to relatively simple exploitation techniques.

While this is well understood across much of the shipping industry, until recently, many owners felt that the risk was too low to justify the cost of upgrading digital infrastructure. Between lacklustre freight rates and increasingly costly regulatory requirements, it’s not hard to see why cybersecurity investments weren’t a top priority prior to the runup to IMO 2021.

The cost of non-compliance

Failure to comply with IMO 2021 could result in the denial of port access, or even ship detentions. For owners operating in the EU, the added benefit of adopting more robust cybersecurity measures is mitigating the risk of data breaches which, under the General Data Protection Regulation (GDPR), can lead to administrative fines of up to EUR 20m ($22m) or 4% of a company’s total worldwide annual turnover, whichever is higher. The damage that a cyber incident can cause to a company’s reputation is harder to quantity, but can also be substantial, observers say.

Whether you’re genuinely concerned about cybersecurity, or believe warnings from regulators and purveyors of cybersecurity products are overblown, the fact is that all owners and operators will have to address the requirements of IMO 2021 at some point in the months ahead. While the process may prove complicated, time-consuming and costly for some, it doesn’t have to be. Programmes such as Cyber Managed offer a clear, practical approach to compliance that won’t break the bank. If you want to learn more about this notation, or BV’s full suite of cybersecurity solutions, check this out. You can also connect with Jean-Baptiste Gillet and Vincent Lagny on LinkedIn.

Industry 4.0

Cyber Managed marks an important milestone in BV’s broader quest to help clients capitalise on digital efficiencies while protecting people, property and the environment. From remote surveys aided by drones, to digital twins and predictive maintenance, details about BVs’ commitment to shaping Industry 4.0 can be found in its Technology Report.