The 12 IACS recommendations of cyber safety

On 27 September 2018, the International Association of Classification Societies (IACS) published nine of its 12 recommendations on cyber safety in a bid to highlight the cyber resilience requirements of ships throughout their operational lives. The remaining three recommendations will be released in Q4 of 2018.

As well as hull and machinery, IACS realises that on-board electrical equipment is becoming increasingly important for the safety and security of the vessel. In recognition of the vast increase in the use of cyber systems on board, the IACS recommendations address the need for:

  • A more complete understanding of the interplay between a ship’s systems
  • Protection from events beyond software errors
  • An appropriate response and ultimate recovery should the protection fail
  • A means of detection to ensure the appropriate response can be implemented.

Noting the ever-changing nature of technology and of cyber threats, IACS has produced these recommendations with an expectation that they should evolve once they have been implemented. The decision was taken to give all stakeholders access to the developing materials and encourage their input. IACS recognises that, in order for ships to increase resilience against cyber attacks and defend against the unpredictability of the cyber security threat to shipping, all sectors of the industry will need to be actively involved. Collectively, therefore, the recommendations provide guidance on the most pressing areas of concern at the present time, as well as acting as building blocks for the broader objective of system resilience going forward.

The 12 recommendations are:

  • Recommended procedures for software maintenance of shipboard equipment and systems: These apply to the use of computer based systems which provide control, alarm, monitoring, safety or internal communication functions and which are subject to classification requirements; or which, if not subject to classification requirements, can nevertheless expose the vessel to cyber risks and have an impact on the safe and secure operation of the ship when integrated with classed equipment or equipment affecting safety.
  • Recommendation concerning manual/local control capabilities for software dependent machinery systems: Recommendations in relation to the local control of any machinery (required for propulsion or the safe operation of the ship) which is otherwise controlled remotely, in particular considering the complex programmable control systems for propulsion machinery in the light of SOLAS requirements.
  • Contingency plan for onboard computer based systems: Clarification of the need to develop contingency plans in case of a failure of the onboard computer system, especially given that technologies may integrate a vessel’s functions, so that the failure of one technology can impact more than one system, and crews may not be ready to handle multiple failures.
  • Network Architecture: Developing broad guidelines on shipboard network architecture covering various aspects from design to installation phases which should be addressed by the supplier, system integrator and yard, so that in the event of a failure of network devices or a cyber incident, remaining systems are adequate to allow the ship to continue its mission-critical operations.
  • Data Assurance: Data available on ships has become very complex and large in volume; the ‘Data Assurance’ recommendation relates to the enforcement of the security of the data generated, processed, transferred and stored.
  • Physical Security of onboard computer based systems (to be published Q4, 2018)
  • Network Security of onboard computer based systems: Providing a minimum set of recommended measures for the resilience of networks against cyber-related risks, vulnerabilities and threats, and providing appropriate levels of implementation of such measures.
  • Vessel System Design (to be published Q4, 2018)
  • Inventory List of computer based systems: For effective assessment and control of the cyber systems on board, an inventory of all of the vessel’s equipment and computer based systems should be created during the vessel’s design and construction and updated during the life of the ship.
  • Integration: Recommendations with respect to the organisation of the combination of computer-based systems, so that they are arranged with sufficient redundancy and segregation to prevent the complete loss of the ship’s essential functions.
  • Remote Update/Access: Establishing recommendations for control over remote access to onboard Information Technology and Operational Technology systems, and clear procedures and protective measures where remote maintenance is used.
  • Communication and Interfaces (to be published Q4, 2018)

The recommendations are currently each standalone documents, but it is expected they will eventually be amalgamated into one document.

Comment

The technology available to the shipping industry continues to grow at a swift pace. However, hand in hand with that will come more entry points for hackers, who are themselves becoming as sophisticated, if not at times more so. This means that ensuring the cyber resilience of a vessel is of key importance. These recommendations are welcomed as they recognise the need to address these issues now while also enabling future discussion and input to assist in the continued fight against cyber threats.