March 17

Cyber security and the five key elements in UR E26 regulatory compliance


IT safety is evolving from a box-ticking exercise to an essential business tool, required by regulators and stakeholders, writes Nicolas Furge, president, Marlink Cyber.

Cyber risk is a growing concern across the shipping industry, from vessel operators and charterers to ports and the broader supply chain. While technology solutions are proliferating, the burgeoning weight of regulation will ask new questions about the process of compliance.

These rules will increasingly move beyond deploying software to a regular, detailed inspection process that requires collaboration between shipyards, owners, classification, OEMs, IT and network operators. Perhaps just as important for shipowners are the potential costs of achieving and maintaining compliance – costs that will be recurring rather than one-time expenses.

Regulators including the IMO and European Union, the US Coast Guard and other Flag States have previously introduced guidance or are planning to update regulation in response to growing cyber threats. Industry standards published by BIMCO, SIRE and TMSA are now being supplemented with regulations developed by the International Association of Classification Societies (IACS).

IACS Unified Requirement E26 aims to provide a minimum set of requirements for cyber resilience of ships, intended for the design, construction, commissioning and operational life of the vessel.

Its related requirement, UR E27, provides the minimum security capabilities for systems and equipment to be considered cyber resilient and is intended for third-party equipment suppliers.

UR E26 is based on the NIST Cybersecurity Framework, which comprises five key areas of governance: Identify, Protect, Detect, Respond and Recover.

Despite UR E26 being required only for newbuildings, Marlink believes that shipowners will increasingly seek to apply its principles and standards to existing ships, providing risk mitigation for highly valuable assets and cargoes.

Conversations with shipowners indicate that they will progressively apply the regulation to their fleets, using UR E26 as the baseline for cyber security on floating assets.

The IACS URs will be applied by all member class societies, who will act as auditor, with only minor differences in how each applies its methodology and definitions within the documentation. As a starting point for compliance with the incoming IACS UR E26 regulations, Marlink has assembled five key aspects that owners should already have considered when deciding how to proceed.

Documentation

UR E26 requires a much higher level of documentation than previously, including a detailed plan of onboard network setup, configuration and data flows. Inspectors will expect documentation on network protection measures, including a test plan to verify the implemented controls.

Inventory of onboard assets

Owners will need to assemble and maintain an inventory of onboard assets and produce it on demand. The inventory includes the applicable hardware and software of computer-based systems (CBSs) and of the networks connecting such systems to each other and to other CBSs onboard or ashore.

Procedures

The regulation calls for the creation of new procedures to defend against cyber attacks and increase risk mitigation. For example, owners need to understand how to create procedures and define roles and responsibilities for topics such as remote monitoring, control and maintenance of ships’ equipment. These procedures need to be developed in close connection with training programmes and awareness raising.

Training and Awareness

Shipowners are very likely to require cyber security training for crews and follow this up with regular awareness training for all personnel including crew, contractors and maintenance third parties. Training topics include how to identify risks, procedures for the recovery of a failed system, how to get external assistance and support from ashore and how to test and monitor onboard networks.

From Reactive to Proactive

Common cyber solutions can provide a line of reactive protection against attacks but they tell you little to nothing about vulnerability at a higher level. In future, cyber security will require not just asset and network protection but vulnerability assessments, penetration testing and other proactive tools that can provide insights into likely and probable threats – and how these change over time.

Conclusion

UR E26 is a significant change for the maritime industry, not just as the first requirement to apply equally to all newbuilding vessels. The extra administrative burden it creates will be considerable but even so, it is likely that similar standards will be extended to the existing fleet before long.

However, UR E26 only represents an agreed baseline for performance. Future regulations are likely to be much more demanding and Marlink believes that shipowners must take additional measures to protect themselves from cyber threats. The demands of charterers, insurers, class and other stakeholders will likely increase over time.

Costs will come from the administration of record-keeping necessary for compliance, monthly service costs and potentially hundreds of hours of consultancy work to create procedures and set-ups. It is likely that budgets spent by shipowners on IT will need to increase to take advantage of the possibilities offered by digital technology and to increase cyber defence.

To achieve an improved level of compliance, the industry needs a new, high-level perspective on the steps required to remain safe at sea that goes beyond baseline defence.

Our experience with the largest single share of the maritime merchant fleet tells us that compliance with UR E26 and other regulations is not enough by itself. Owners need to consider what further improvement needs to be made to ensure their fleets can continue to operate safely.

The post Cyber security and the five key elements in UR E26 regulatory compliance appeared first on Energy News Beat.
