The maritime sector is a vital part of the global economy, whether it is carrying cargo, passengers or vehicles. Ships are becoming increasingly complex and dependent on the extensive use of digital and communications technologies throughout their operational life. Poor security could lead to significant loss of customer and/or industry confidence, reputational damage, potentially severe financial losses or penalties, and litigation affecting the companies involved. The compromise of ship systems may also lead to unwanted outcomes, for example:
- physical harm to the system or the shipboard personnel or cargo – in the worst case scenario this could lead to a risk to life and/or the loss of the ship;
- disruptions caused by the ship no longer functioning or sailing as intended;
- loss of sensitive information, including commercially sensitive or personal data; and
- permitting criminal activity, including kidnap, piracy, fraud, theft of cargo, imposition of ransomware.
The above scenarios may occur at an individual ship level or at fleet level; the latter is likely to be much worse and could severely disrupt fleet operations. Cyber security is not just about preventing hackers gaining access to systems and information, potentially resulting in loss of confidentiality and/or control. It also addresses the maintenance of integrity and availability of information and systems, ensuring business continuity and the continuing utility of digital assets and systems.
To achieve this, consideration needs to be given to not only protecting ship systems from physical attack, force majeure events, etc., but also to ensuring the design of the systems and supporting processes is resilient and that appropriate reversionary modes are available in the event of compromise. Personnel security aspects are also important. The insider threat from shore-based or shipboard individuals who decide to behave in a malicious or non-malicious manner cannot be ignored.
Ship owners and operators need to understand cyber security and promote awareness of this subject to their stakeholders, including their shipboard personnel. This Code of Practice explains why it is essential that cyber security be considered as part of a holistic approach throughout a ship’s lifecycle, as well as setting out the potential impact if threats are ignored.
The Code of Practice is intended to be used as an integral part of a company’s or ship’s overall risk management system and subsequent business planning, so as to ensure that the cyber security of the ship, or fleet, is managed cost effectively as part of mainstream business.