A standard-setting consortium of nine container lines on Tuesday laid out a framework for vessel operators to comply with a January 2021 International Maritime Organization (IMO) cyber security mandate, the latest in a series of guidelines the liner group has delivered over the past six months.
The Digital Container Shipping Association (DCSA) said the cyber security guidelines “provide all shipping companies with a common language and a manageable, task-based approach for meeting the IMO’s January 2021 implementation timeframe” for MSC.428(98) Maritime Cyber Risk Management in Safety Management Systems, a resolution that requires ship operators to include cyber security preparedness as part of their International Safety Management (ISM) code obligations. The resolution was agreed upon by IMO member states in 2017.
The DCSA framework uses a structure provided by existing guidelines developed by the shipowner association BIMCO and the US National Institute of Standards and Technology (NIST), DCSA said in a statement.
The need for vessel operators to pay attention to cyber security has only increased since the 2017 NotPetya attack on Maersk Line, which crippled the world’s largest container carrier for weeks and rippled out to forwarders, shippers, and other container lines.
More than steel
“Today, most shipowners are still fairly old-fashioned,” DCSA CEO Thomas Bagge told JOC.com. “They tend to care about the assets, the steel itself, and many still think that cyber won’t affect me. Things have moved on since Maersk was attacked, but we are in an industry where there’s a huge cascading effect.”
DCSA’s guidelines urge shipping lines to treat cyber security as systemically as they would other ship operations risks, such as fires or piracy. As Bagge put it, shipowners need to treat cyber risk as “something the crew needs to prepare for, with someone designated to take the lead.” The cyber security guide, DCSA Implementation Guide for Cyber Security on Vessels, can be downloaded for free on the DCSA website.
Technology has shorter life cycles than physical supply chain assets such as vessels and landside infrastructure, Bagge noted.
“Ships have life spans as long as 30 years,” Bagge said. “The fact that it’s safe today doesn’t mean it’s safe tomorrow. There are a lot of assets on the water today that aren’t safe — where a 15-year-old vessel still runs an old operating system and servers where patching is not taking place — and are prone to attacks. Or with Wi-Fi on board, when people bring their own devices, there’s a risk of transmitting things from the local device to the vessel.”
The cyber security implementation guide breaks down BIMCO’s cyber security framework into themes and correlates those themes to the controls around which NIST recommends organizations build cyber resilience, namely that vessel operators need to be able to identify, respond to, and recover from current threats as well as protect from future threats. As with other DCSA recommendations, such as the organization’s container shipment processes blueprint released in September and a track-and-trace standard released in January, the goal is to get container lines aligned around a particular set of foundations to make deployment of software across the industry more effective.
DCSA said it plans to hold webinars this month to provide an overview of the implementation guide and collect feedback from the industry.
Members of the non-profit DCSA, founded in April 2019, are Maersk Line, CMA CGM, Hapag-Lloyd, Mediterranean Shipping Co., Ocean Network Express (ONE), Evergreen Line, HMM, Yang Ming, and Zim Integrated Shipping Services.