Thoughts on ISM cyber security matters

Malcolm Latarche · 09 January 2020


Current industry concerns may revolve around a number of things, with the 2020 fuel situation topping the practical concerns and the US/China trade dispute and the latest events in Iran fuelling concerns over the effect on demand for shipping, but cyber security remains a threat that needs attention.

Throughout this year, ship operators need to put cyber security high up the agenda because of changes to the ISM Code due to come into effect on 1 January 2021. After that date, every annual verification of the company’s DoC requires that cyber risks have been appropriately addressed in the safety management system. The resolution requiring this, MSC.428(98), was adopted back in June 2017, since when numerous high-profile attacks have occurred within sectors of the shipping industry.

In the period since, digitalisation has become another hot topic. While there are benefits to be had from it, very often those benefits may be overstated, and if proper attention is not given to potential problems, digitalisation may even end up being a retrograde step.

Any system, whether it be analogue, manual, digital or automatic, will have weak points. These need to be fully researched and appropriate mitigation measures put in place should a failure occur. It would seem to be much easier to do this in an analogue, manual system than in a digitalised one.

Although not shipping related, the cyber attack experienced by the currency exchange service Travelex at the beginning of this month clearly highlights the problems that can be faced. Travelex has been hit by a ransomware attack, with the perpetrators apparently demanding $4.6m to stop company computer systems from being deleted and customers' data being sold on to other criminals.

In response to the cyber attack, which was first discovered on New Year's Eve, Travelex took all computer systems offline, affecting thousands of sites in dozens of countries. Cashiers have been resorting to pen and paper to keep money moving at cash desks in airports and on high streets, but online orders have been affected. In many cases, customers who have ordered foreign currencies and paid for them through online banking cannot get either the currency or a refund because of the computer shutdown. As well as affecting thousands of individuals, the problem has also impacted business partners within the banking and travel industries which obtain their foreign currencies through Travelex.

One fact which has emerged from the reporting of the Travelex incident is that companies which cannot secure customer data can, under the EU General Data Protection Regulation, face a maximum fine of 4% of global turnover. Two major cases are presently progressing in the UK: Marriott at £99.2m and British Airways at £183.4m. Both actions began in July 2019 but are not expected to be finalised until March this year.

It is not difficult to imagine that a similar breach of GDPR rules could easily occur if a major cruise or liner shipping company were to be involved, given the number of customers that such operations usually have.

On a more mundane level, what problems might a ship face if all port and customs formalities are switched from paper to digital systems? Could a ship prove to PSC officials that its safety documentation was in order if the whole process is digitalised as the latest FAL Convention changes require?

There is much discussion, and even action being taken, within shipping for maintenance and advice to be outsourced to organisations offering remote assistance and intervention. It need not be a deliberate malicious attack that causes problems for ships making use of those services. Last November, the Estonian government’s online services were brought down by rats damaging an underground cable. Until repairs were carried out, several services were made impossible, including the one sick people use to obtain prescriptions for medicines.

It remains to be seen how flag states will address the new IMO ISM requirements when renewing safety management certificates, but it is clear that every ship operator will need to have plans in place for all manner of disruptions to digital and communication services. To ensure that the system can still function in the event of a prolonged outage, shipping companies may need not only to test the alternative arrangements when formulating them but also to incorporate them into ongoing training requirements. A backup system is only of use if it is known about and those involved know how to operate it.

Nor is the need for backup systems confined to ship operators, although they are the only ones required under ISM rules to have contingencies. Ports and terminals, as well as port service providers, will need to have an alternative to the maritime single window in which so much faith is being put.
