EMSA guidance focuses on addressing cybersecurity onboard ships, securing digitized maritime sector


The European Maritime Safety Agency (EMSA), an agency of the European Union (EU), published on Wednesday guidance on how to address cybersecurity onboard ships during audits, controls, verifications, and inspections. The EMSA document sets out the cybersecurity-related elements that should be assessed during maritime security inspections of EU Member State flagged ships, and concentrates on the security measures and mechanisms already defined in existing EU maritime security legislation.

Without the aim of setting any legal requirements, the EMSA document has been developed to provide EU Member States’ Maritime Administrations/Designated Authorities guidance in addressing cybersecurity onboard ships during security-related audit and inspection activities. The European Commission also notes that the EU maritime security legislation is focused on physical security, but provides a useful framework through which to consider where cyber-protective measures may be the most useful, especially these days when ships are becoming increasingly digitized.

Finalized during the 92nd meeting of the EU Maritime Security Committee on Nov. 8, the document is considered a living document to be revisited in the EU Maritime Security Committee when considered necessary.

“Security is addressed under the ISPS Code for global shipping and Regulation (EC) 725/2004 for the EU Member State flagged ships, specifically,” the EMSA document said. “Cybersecurity is included in the aforementioned documents, as illustrated in the previous section. However, cybersecurity, and cyber risk specifically, should be addressed within the context of the ISM Code, according to the IMO Res. MSC. 428 (98). This discrepancy creates ambiguity during security-related ship audits, controls, verifications, and inspections carried out within the Regulation (EC) 725/2004 context.”

The EMSA guidance identified that a Ship Security Assessment (SSA) must consider the security of the ship’s computer systems and networks, which is understood to mean ‘cybersecurity,’ as all systems on board a ship are potentially vulnerable to cyber threats. “Consequently, the resulting Ship Security Plan (SSP) must include the development of measures to address the cybersecurity vulnerabilities identified in the SSA. If cybersecurity is addressed in any other existing documentation, such as the ship’s Safety Management System (SMS), as encouraged by the IMO MSC.428 (98), a cross-reference in the SSP would suffice,” it added. 

Additionally, Member State inspections and verifications may then verify these measures, as the minimum needed to conform with the legislation. “Based on this mandatory, for EU Member State flagged ships, paragraph, this document provides detailed guidance on how to address cybersecurity onboard ships throughout the mandatory paragraphs of Regulation (EC) 725/2004,” according to the document. 

The EMSA guidance also pointed out that “according to IMO Res. 428(98) cybersecurity and cyber risk should be addressed within the context of the ISM Code and to avoid unnecessary duplication of effort, a possible way of addressing the regulatory requirement of Regulation (EC) 725/2004, as stated above, is to include a cross-reference to the relevant ship SMS content, in the SSP.”

It added that those involved in preparing the SSA should be able to liaise with the designated personnel for the cybersecurity of the ship, onboard and/or in the shipping company’s offices. “If there is a lack of expertise, they should draw on the expertise of cybersecurity experts.” 

It is worth pointing out that the requirement to be able to draw on expert assistance concerning radio and telecommunication systems, including computer systems and networks is mandatory for EU Member States, the EMSA document identified. “In considering cybersecurity in the SSA, the unique Information Technology (IT) and Operational Technology (OT) environment of each ship should be taken into consideration. In principle, higher reliance on IT and OT systems should entail a higher cybersecurity risk since the consequences of a potential cyber incident would be far more disruptive.” 

The document also stresses the importance of identifying equipment and technical systems whose sudden operational failure may result in hazardous situations and that are therefore key to the operational functioning of the ship. “Such equipment and technical systems, for example, GMDSS/GNSS, bridge systems, loading and stability computers, engine control room console, fleet management software, etc. should be cyber risk assessed, to identify how they could be vulnerable to cyber incidents,” it added.

Once the assessment process is completed, the security measures and weaknesses identified in the SSA should be addressed in detail in the SSP. Preparation of an effective SSP should rest on a thorough assessment of all issues that relate to the security of the ship, including cybersecurity. Thus, the SSP must include (or reference) measures to address the cybersecurity weaknesses identified in the SSA. These could include procedures for addressing cyber threats and for preventing, responding to, and recovering from cyber incidents, including provisions for maintaining the critical operations of the ship identified in the SSA.

The recommended minimum measures for basic cyber hygiene onboard laid down in the EMSA document include asset inventory, update management, data protection and backup, USB (universal serial bus) protection and removable device management, account and access control management, network management, remote connection protection, cybersecurity awareness and training, and incident detection, response, and recovery.

When it comes to reporting cybersecurity incidents, the EMSA guidance laid down that the SSP (or the equivalent reference document) should address the procedures for detecting and reporting a cybersecurity incident, as for any other security incident. It should also indicate the authority to which a cyber incident is reported. If a cyber incident is reported to a national authority competent for cybersecurity, the national authority competent for maritime security should also be informed, and vice versa.

“Records of cybersecurity incidents should be kept. The analysis of the cyber incidents that occurred should be part of the SSA review, in order to evaluate the effectiveness of existing countermeasures and establish proper ones to mitigate the emerging vulnerabilities,” the guidance said. “Information sharing of anonymized data with relevant entities, such as information sharing and analysis centers, is encouraged in order to raise awareness and increase capacity building within the broader maritime transport sector.”

As drills should test individual elements of the SSP, if cybersecurity measures are included in the SSP then some drills may focus on readiness against cyber incidents and the personnel’s knowledge of cybersecurity, the EMSA document noted. “As exercises should test communication, coordination, resources availability, and response, if cybersecurity measures are included in the SSP, then some exercises may focus on testing the effectiveness of communication and coordination among the crew, shipping company, IT department, and Competent Authority, in case of a cybersecurity incident.”

It added that electronic records should be protected against unauthorized deletion, destruction, or amendment. If the SSP is kept in electronic format, it must be protected by procedures aimed at preventing its unauthorized deletion, destruction, or amendment.

Addressing Port State Control Inspections and Cybersecurity, the EMSA guidance said that the “Paris MoU instruction 54/2021/02 provides guidelines for PSC Officers with regards to ISPS requirements, while instruction PSCC 55/2022/09 provides guidelines on the ISM Code. This latest Instruction states that ‘ISM auditing is the responsibility of the flag State and the Company and does not fall under the scope of port State control.’ Therefore, a PSC officer, qualified as DAO, conducting a PSC inspection cannot perform an audit of the ISM safety management system, where cybersecurity procedures on board the ship could be included.”

In its conclusion, the EMSA document said that with cybersecurity increasingly being a challenge for the maritime sector, including ships, the European Commission wishes to clarify the relevant provisions of EU maritime security legislation in this regard, to implement a standardized and harmonized approach for ships operating under an EU flag. “As maritime and cybersecurity practices evolve with time, this guidance may be updated whenever deemed appropriate,” it added.
