Why maritime cyber security regulations are vital for protecting physical safety

22 December 2020

by Stephen Delgado Cyber Security Senior Associate, PwC United Kingdom

Email +44 (0)7483 400661

by James Hunt Senior Manager, PwC United Kingdom

Email +44 (0)7701 296796

by James Rashleigh Cyber Security Partner, PwC United Kingdom

Email +44 (0)7808 028337

The maritime sector is increasingly under attack from cyber threat actors. Criminals are targeting ship operators and the ships themselves to access valuable information regarding the ship’s manifest or location, and to cause disruption to entire nations’ supply chains.

As operational technology systems become increasingly connected, a well-equipped criminal has more opportunity to disrupt critical safety systems onboard ships (such as navigation and propulsion systems). This poses not only financial risks to the ship operator from loss of operations or cargo, but also risks to the lives of crew members and passengers on board.

The impact that cyber security has on a ship’s physical safety has been recognised by the International Maritime Organisation (IMO). The Safety of Life at Sea (SOLAS) treaty has been updated with resolution MSC.428(98), requiring all ship owners and operators to appropriately manage cyber security risks within their safety management systems. The penalties for non-compliance may vary between flag administrations, but may extend to heavy fines, the inability to insure a ship, and in extreme cases, seizure of the vessel. The message to ship owners and operators is clear – the cyber security of ship IT and operational technology (OT) systems is critical to the safety of crew and passengers on board.

How the maritime sector can achieve compliance with new cyber security regulations

As the deadline for compliance draws closer, research suggests a gap between shipping organisations’ awareness of cyber security risk and actions taken to mitigate it. A 2018 Jones Walker survey found the majority of US maritime sector companies thought the industry was prepared for a cyber security incident, but only 36% believed their own organisation was prepared to prevent a data breach. A 2019 survey by the Baltic and International Maritime Council (BIMCO) found that just 42% of its members protected their vessels from threats targeting OT systems.

Many organisations already have Information Security Management Systems (ISMS) in their enterprise IT environments, but this may not achieve compliance with IMO SOLAS where vessels also have OT systems on board. The guidelines emphasise the importance of a holistic approach to cyber security, in which both operational and information technology risks are managed as part of a harmonised ISMS/cyber security management system (CSMS) landscape.

Maritime sector needs to go full steam ahead to comply with new cyber security regulations

As ships become more connected, the cyber security risks posed by external actors will continue to increase. In response, it is likely that governments and international organisations will continue to develop and enforce regulations to ensure adequate security of their supply chains. Vessel owners and operators that have a foundation of cyber security built on a clear understanding of their risks will be well placed to deliver safe and secure services to customers in a rapidly changing technology environment.

If you would like to know more about how other maritime organisations are ensuring compliance with IMO SOLAS and other cyber security regulations, and how we may be able to support you on your cyber security maturity journey, don’t hesitate to get in touch.
