New recommendations on building cyber resilient ships

The International Association of Classification Societies (IACS) has published its Recommendation on Cyber Resilience (No. 166). The recommendation consolidates IACS’s previous 12 Recommendations related to cyber resilience (Nos. 153 to 164).

It also applies to the use of computer-based systems which provide control, alarm, monitoring, safety or internal communication functions which are subject to the requirements of a Classification society.

Part of the objective in consolidating the 12 Recommendations was to define responsibilities and to harmonize and simplify the language used therein.

IACS Chairman Arun Sharma said that “the publication of this important Recommendation marks a significant milestone in IACS’ work to support the maritime industry in the delivery of cyber resilient ships. I am pleased to note the significant cross-industry cooperation that led to its development and we look forward to maintaining that dialogue as we assess its practical implementation and effectiveness.”

This new recommendation is applicable to a vessel’s network systems using digital communication to interconnect systems within the ship and ship systems which can be accessed by equipment or networks off the ship. Robert Ashdown, IACS Secretary General, added, “The network design forms the basis for a reliable and robust network. Issues such as compatibility of various devices, communication between devices, communication from various systems and sub systems, need due consideration during design phase. This Recommendation is an important step in addressing cyber resilience from the earliest stages of a vessel’s life.”

Operational aspects that were included in the superseded 12 Recommendations have been identified and grouped under a separate annexure. Following the publication of this consolidated Recommendation, the earlier 12 Recommendations have been officially deleted by IACS.

IACS will continue to work with its industry partners and look for their feedback regarding its practical implementation and effectiveness. Based on the experience gained from the practical implementation of this Recommendation, IACS will assess the suitability of using it as the basis for a Unified Requirement on Cyber Resilience.

As technology has been increasingly incorporated into the shipping industry in an attempt to reduce human error in the management and navigation of vessels, there have been nefarious attempts (some successful) to discover and exploit cracks in these computerised systems. Cyber-attacks have become an expanding and real threat to vessels, shifting the risk from internal vulnerabilities to external ones.

In an effort to ensure that the technology incorporated into vessels is robust and capable of meeting these new types of threats, the International Association of Classification Societies (IACS) has published a new recommendation on how to build cyber resilient ships. This is an attempt to ensure that a set of standardised criteria can be met to combat deficiencies and weaknesses in systems incorporated into new buildings. It applies to the use of technical systems that provide important functions on board such as control, alarm, monitoring, safety and internal communication.

According to the publication, its aim is to provide stakeholders with technical requirements that would lead to the delivery of cyber resilient ships whose resilience can be maintained throughout their service life.

It is meant to give crew and ships the capabilities to cope effectively with cyber incidents occurring on onboard computer-based systems that contribute to operating and maintaining the ship in a safe condition, in a context of prevention rather than cure.

The recommendation has been written with recognized elements of effective cyber risk management in mind – Identify, Protect, Detect, Respond and Recover. These are also used in the IMO and the industry guidelines.

The recommendation can be found on the IACS website.