As the dust begins to settle on IMO 2020, the shipping industry must start gearing up for the global rules on auditing cyber security aboard vessels — being tagged as IMO 2021.

Marking the compliance certification of the Songa Hawk earlier this month. Gathered (from left) are master Kyaw Myint, Songa Shipmanagement electrical superintendent Mijo Banicek, and Jeoung-kyu Lim and Sang-hoon Choi from the Korean Register cyber-certification team. Photo: Korea Register

The mandatory switch to low-sulphur marine fuels seems to have gone more smoothly than many expected but it was still a rushed affair, involving price spikes and shortages of equipment earlier this year — and technical problems from using the new bunkers may still emerge.

Being prepared

One lesson learned was that many smaller ship operators left their planning until late in the day, and so struggled more as a result. The need to prepare for ensuring operational cyber security on ships could be yet another headache for smaller operators that lack large IT departments.

In the past few weeks, there has been a flurry of activity — with two claims of first certification being made on consecutive days. Engineering group ABB and classification society DNV GL claimed to have made maritime history by awarding a large cruiseship — under construction at a European shipyard — cyber-security verification.

The next day, the Korean Register said its cyber survey of a chemical tanker meant the 13,265-dwt Songa Hawk (built 2009) was the first ship to achieve full compliance certification in all areas.

Vessels are increasingly being fitted with integrated automation systems that are connected to the outside world via satellite links to the internet and other digital networks. This interconnection presents a whole new raft of cyber-security threats for shipping.

A year ago, the discussion was all about scrubbers and low-sulphur fuels. I think that debate is done. Now, I find [shipowners] much more interested and cautious about compliance with IMO 2021

Tore Morten Olsen, president of Marlink Maritime

“It is vital that the maritime industry focuses on cyber security as an essential part of both design and operation,” Johann Melsted, DNV GL's area manager for Benelux and France who oversees cyber certification, said.

ABB Marine & Ports managing director Juha Koskela said: “As vessels become more electric, digital and connected than ever before, it is of vital importance that we equip and empower seafarers with reliable solutions that are cyber secure.”

Park Kae-myoung, head of the Korean Register's cyber-certification team, added: “As the shipping industry becomes more and more digitalised, so cyber-attacks on shipping companies and ships have increased. An effective response and comprehensive cyber-security preparedness is now essential.”

In 2015, a cyber-attack allowed a hacker to override the controls of a remotely operated vehicle and sink it. The salvage operation cost $500,000.

But the biggest malware assault on the shipping industry saw AP Moller-Maersk paralysed in 2017, at a cost of $300m.

The IMO’s guidelines on cyber-risk management enter into force on 1 January, with the aim that companies and crews be ready and able to protect vulnerable vessel operating systems. These include those on the bridge, those for cargo handling and management, propulsion machinery and power control, as well as communication, passenger and crew systems.

The Korean Register said the Songa Hawk passed an inspection of 81 items in 18 categories, including risk and asset management, technical security and incident response and recovery. It meant the vessel satisfied the international cyber-security requirements outlined by the IMO — the Tanker Management and Self-Assessment initiative and the Ship Inspection Report Programme.

Under the IMO directions, companies need to implement policies to protect against cyber-attacks. One of the biggest weaknesses is human practice, so education and codes of behaviour are vital. Class NK Consulting Service has just launched a cyber-security training service via e-learning, developed with Japanese telecommunications group KDDI and its digital security arm.

Coronavirus and connectivity

Marlink Maritime generally installs broadband on about 120 to 150 vessels per month, but president Tore Morten Olsen said it is seeing more than the usual number of installations being postponed as ships' trading patterns are disrupted by knock-on effects of the coronavirus pandemic.

Olsen said that with the virus impacting cruise bookings, he expects demand from the sector for internet services to reduce, but that remote connectivity could become even more important for other ship types and industry executives obliged to meet and travel less often.

Marlink Maritime president Tore Morten Olsen says cyber communication is becoming increasingly important amid the coronavirus pandemic. Photo: Marlink
ABB Marine & Ports managing director Juha Koskela. Photo: ABB

Managing risk

On the technical side, ship operators, particularly smaller ones, may also find the easiest way forward is to buy digital protection from the satellite communications providers that manage the networks.

Maritime communications companies have been working to improve cyber security for some years, but only one claims to be able to deliver protection to any ship operator regardless of which network supplier is used.

Marlink Maritime president Tore Morten Olsen told TradeWinds: “Being connectivity agnostic, [the protection] will be able to secure cyber across all the services that we bring to market, which includes all the Inmarsat products and all the satellites that we use from players like Intelsat and SAS.”

Olsen said Marlink can remotely manage security updates through its IT links and monitor traffic to detect abnormalities if a cyber-attack happens. There are many levels of package from filtering emails up to providing a full cyber-operations centre that can repair problems.

In the past, the satellite communications industry has tended to advise vessel operators to avoid using automatic software updates and patches, as it consumes a lot of data and would be very expensive.

But, he added, prices are lower today and about half of all deepsea shipping is connected to some type of very small aperture terminal (VSAT) that removes constraints on data usage. However, that openness also increases the threat.

“I meet a lot of shipowners and a year ago the discussion was all about scrubbers and low-sulphur fuels," Olsen said. "I think that debate is done, and people have made their choices. Now, I find them much more interested and cautious about IT security on board and compliance with IMO 2021. I think it is going to have an impact on them in the same way as IMO 2020 did.”