Time to heed own cyber advice

Malcolm Latarche
Malcolm Latarche

06 May 2016


Next week the IMO’s MSC committee will open its 96th meeting that is scheduled to run from 11-20 May. There is a busy agenda with passenger ship safety featuring strongly and also a final opportunity to discuss and debate the impending regulation on container weighing that seems to have stirred up anxiety and indignation among cargo interests. While many of the outcomes will be issuance of new guidance on matters such as passenger vessel evacuation analysis, cyber security – there is also an agenda item to discuss guidelines on measures to reduce the transport of alien species inside containers – there will also be some amendments to existing SOLAS regulations and other IMO documents. The question of cybersecurity is an interesting one and several of the documents submitted for discussion at the meeting highlight the very real risks that ship operators need to take into account when devising a cyber security strategy. While it is all very well and laudable for the IMO and other bodies to issue advice and guidelines, there is perhaps also a need to take a step back and take more heed of their own advice. When it comes to protecting commercial information and even commercial assets, the onus is clearly upon the shipowner to establish needs and put appropriate measures in place. However, when it is security of ports, nations and safety of navigation that is threatened something more – or perhaps less – is needed. The concept of e-navigation and the inevitable increase of electronics and software/firmware in systems and instruments pose risks that need to be addressed now before they have the potential to become the cause of a disaster. If a virus or malware can be introduced into a ship’s navigation systems with the result that alarms are not sounded when appropriate or if in a worst case scenario, control of the ship is hijacked by someone on shore it is no use relying on the ship operator having put in place appropriate safeguards. More to the point, ships which are unaffected by a cyber-attack may be put at risk by another that is. While there is the possibility of such problems occurring even if responsible operators have attempted to put in place all safeguards, then perhaps mandatory reliance on and use of such systems should be rethought. The analogue ship may fail due to human error but it now appears that attempting to eliminate the human element could inadvertently be multiplying the risk. The last FAL meeting made mandatory the future submission of electronic information to port and other authorities. A virus in a ship’s network could thus be transmitted to the port’s IT system and render that useless. Not something that ever happened with the paper form submitted by the ship’s agent. There will be many who argue that we all make use of and rely on electronic data submission in matters such as banking and travel and to a point that is true. But there are many who have become the victims of cybercrime and malicious meddling and the situation is getting worse. Shipping, which is less integrated than many other sectors, might be best advised to consider a long pause before making the leap.