As cyber security becomes a growing issue for businesses globally, tanker owners will be a test bed for shipping thanks to new guidelines from major charterers.
And the ability of tankers to withstand new digital threats may be a factor in whether a ship is hired to load a cargo.
The Oil Companies International Marine Forum (OCIMF), an association that sets safety standards for petroleum transportation, issued a new version of its Tanker Management and Self Assessment (TMSA) with a chapter on cyber security. The new version of the key vetting document for shipowners and operators will replace one expiring at the beginning of 2018.
Along with piracy and smuggling issues, the new chapter requires owners to assess how to prevent viruses, hacks and malware from entering their ship’s onboard electronic systems.
The TMSA is not as big a requirement for chartering as OCIMF’s ship-inspection reports, says Intertanko marine director Phillip Belcher. But he also adds that an oil major “is very, very unlikely” to hire a ship if the owner does not have the latest TMSA in place.
Cyber security came into focus after the attack on AP Moller-Maersk earlier this year. The virus likely entered and mainly affected shoreside computer networks. But the world’s biggest shipping line saw marine operations halted as well.
The IMO is mandating that ships have cyber-security standards in place by 2021. Port state controls and classification societies may also be drafting cyber-security standards. But OCIMF and Intertanko, which helped draw up the standards, says cyber threats are growing such that something needs to be done quickly.
“By that time, it could be too late for the industry to address threats,” Belcher says. “We needed to get ahead of this issue.”
Since ships are mostly mechanical, Belcher says serious onboard cyber threats are still minimal.
“The idea that a hacker could take over all of a ship’s operations is remote in the extreme,” Belcher says.
But he adds that onboard systems have been breached accidentally. The introduction of electronic charting systems, which require frequent updates, is one area of vulnerability.
In one instance, Belcher says a deck officer used the USB port on the ship’s electronic charting system to charge his mobile phone. The phone then introduced a virus to the system.
As more components on a ship become electronic, Belcher says “the number of vectors for viruses will only increase”.
Jim Textor, a partner of Eversheds Sutherland, says the new TMSA encourages shipowners to have documentary evidence of how to handle cyber threats. Seafarers would be encouraged to lock unattended workstations, safeguard passwords, be wary of posting on social media and prevent misuse of memory sticks and flash drives.
Textor says the OCIMF’s cyber-security requirements will be another vetting stipulation prior to a ship being chartered or taking on a cargo.
He adds that if owners have not amended their safety management system to include cyber security, “there’s a likelihood, not a certainty, that the oil companies will not charter the ships”.
Textor says each oil company could have their own rules on how vessel owners should beef up cyber security.
But whether those guidelines result in broken charters may take a while to play out.
“I won’t know until mid to late January or February whether this will be a commercial problem,” Textor says.
Belcher, too, says it is unclear whether cyber-security standards will result in contract disputes or loss of charter deals. But owners will need to be on watch for the issue regardless.
“An onboard virus may become an issue for defining whether a ship is seaworthy,” Belcher says.
