On March 10, the Digital Container Shipping Association (DCSA), in conjunction with its nine member carriers, published the DCSA Implementation Guide for Cyber Security on Vessels (Guide) to help shipping companies comply with the International Maritime Organization (IMO) Resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems.
The Guide provides shipping companies with a “management framework that can be used to reduce the risk of cyber incidents that could affect the safety or security of the vessel, the crew, or the cargo.”
This guidance comes at a critical time, as cyber incidents have affected shipping companies in very significant ways. In 2017, the “NotPetya” malware executed a ransomware attack on shipper Maersk, forcing the company to disconnect and subsequently rebuild its entire global network, and causing an estimated $300 million in damages.
The Guide is designed to help shipping companies implement and ensure compliance with the Baltic and International Maritime Council (BIMCO) Guidelines for Cyber Security onboard Ships (Guidelines) and the National Institute of Standards and Technology Cyber Security Framework (Framework).
Broadly, the Guide maps the BIMCO Guidelines to the NIST Framework, providing concrete guidance on how to implement and improve a security program.
Some of the areas the Guide emphasizes include:
Identify (Assets, Systems, Risks, Tools)
- Inventory physical devices and systems, as well as software platforms and applications
- Map communication and data flows
- Catalog external information systems
- Prioritize resources (such as hardware, devices, data and time) based on classification, criticality and business value
- Establish cybersecurity roles and responsibilities for the entire workforce
- Assess threats and vulnerabilities (identify, analyze and evaluate risks)
- Address risks
Protect (Sensitive Information, Critical Systems and Functions)
- Manage and protect physical and remote access
- Incorporate principles of least privilege and separation of duties
- Create and build awareness of roles and responsibilities, and train appropriately
- Implement appropriate data security (at rest, in transit, asset management and verification)
- Conduct, maintain and test backups
- Create, implement and test response plans
- Perform appropriate maintenance, including updates and patches
Detect (Potential Cybersecurity Events)
- Monitor networks, physical environments, personnel activity and external service provider activity to detect potential cybersecurity events
- Perform vulnerability scans
- Test detection processes
- Communicate event detection information
- Improve detection processes continuously
Respond (to Cybersecurity Events and Other Threats to Operations)
- Execute a response plan during or after an incident
- Ensure that personnel know their roles when incident response is necessary
- Report incidents appropriately
- Coordinate with stakeholders and share information to build cybersecurity situational awareness
- Establish procedures to receive, analyze and respond to vulnerabilities
- Contain and mitigate incidents and newly identified vulnerabilities
Recover (Restore Systems, Ensure Continuity)
- Execute a recovery plan during or after an incident
- Identify measures to back up and restore cyber systems necessary for shipping operations impacted by a cyber event
It is hoped that the Guide will assist vessel owners and operators in recognizing cyber threats to vessels, and to take proactive steps to guard against that and to be able to plan ahead of any cyber attack, as well as recover from one.
Our Privacy, Cybersecurity and Data Management Team will continue to share the latest developments and provide insights as we continue to monitor the cybersecurity challenges faced by the industry.