These came into force on 1 July 2024 and are another step towards strengthening the maritime industry’s resilience to evolving cyber threats.
The URs establish minimum requirements for the cyber resilience of newbuild vessels and their connected systems, and were broadly welcomed by industry.
A panel of experts debated key aspects of UR E26 and E27 during Riviera and Inmarsat Maritime’s webinar, “IACS URs E26 & E27: Bridging the gap between regulation and implementation”, held 19 June 2024.
According to a thought-provoking discussion during this webinar, shipping companies must still conduct comprehensive risk assessments and implement appropriate mitigation measures.
Angelicoussis Group information security officer, Kostas Grivas, said the URs bring “obvious benefits” such as eliminating “scattered requirements”.
They provide “common and crystal-clear ground for auditing and control purposes”, and establish “a solid description of the minimum technical, procedural and other criteria that govern a vessel’s cyber resilience”, he said. Finally, they ensure “all stakeholders are responsible for the vessel’s cyber security”.
Classification society ClassNK deputy manager for cyber security, Makiko Tani, also acknowledged the new requirements will “contribute to the visibility of ever-digitalising shipboard networks and their assets”.
However, as there is no one-size-fits-all cyber-security solution, she said, “Additional controls beyond those specified in the requirements may be necessary, depending on the vessel’s connectivity.”
To properly address the cyber risks that a specific vessel is exposed to, she said shipowners must conduct a thorough cyber-risk assessment.
“This relies on C-level commitment to establishing a cyber-security programme that facilitates compliance with URs E26 and E27 and any other future industry requirements while supporting the organisation’s digital transformation strategy,” said Ms Tani.
The importance of looking beyond the IACS URs was also emphasised by Viasat subsidiary Inmarsat Maritime chief of staff Laurie Eve, who proposed three key areas where companies should “focus and invest, not only to meet new requirements, but also to go beyond compliance and build good cyber resilience.”
The first key area, people and culture, addresses the notion that people are the weakest link in cyber security.
“According to a 2023 report from the United States Coast Guard, as well as findings from Inmarsat’s security operations centres, phishing is the most common initial access vector in cyber attacks. Investing in people, therefore, should be an absolute no-brainer,” commented Mr Eve.
He added that a company should focus on training and awareness, managing user privileges, investing in a quality management system and standards such as ISO 27001, assessing suppliers’ risk-management practices, and embedding cyber security in the organisation’s continuous improvement culture.
The second key area is network-connected systems and services. Given the number of attack surfaces on board a vessel and the ever-growing volumes of data moving between systems, many companies lack the time and resources to address all possible weaknesses.
Mr Eve said one solution is a risk-management approach in which the organisation assesses the risks, sets its risk appetite and implements security measures according to the costs it is willing and able to bear.
The third and final key area, according to Mr Eve, is an incident response plan (IRP). It is prudent to assume at some point there will be failures and a security breach, he added.
An IRP comprises a robust set of contingencies to keep the cost of business disruption to a minimum. It requires investment in backup and data systems as well as regular staff training. “Having a plan is good; training, rehearsing and improving the plan is better,” explained Mr Eve.
While these recommendations apply to all shipowners, Mr Eve acknowledged there are differences from small to large operators in terms of the budget and internal capability invested in cyber resilience.
“Inmarsat’s Fleet Secure offers a one-stop-shop for cyber-security requirements, which makes it a particularly good fit for smaller operators without the in-house capability to put together their own solutions,” he said.
Combining three components – Fleet Secure Endpoint, Fleet Secure Unified Threat Management and Fleet Secure Cyber Awareness Training – the Fleet Secure portfolio provides the tools and facilitates a risk-management approach, supporting “compliance with the new requirements” and, more broadly, “increasing cyber resilience”, Mr Eve added.