Countdown to new IMO cyber guidelines deadline
Recognising current and emerging threats, the International Maritime Organization (IMO) has introduced new guidelines on cyber risk management in safety management systems. These are complementary to the safety and security management practices already established by the IMO. They advise that these should be implemented no later than the first annual verification of the respective company's Document of Compliance after 1 January 2021.
The importance of marine cover that protects both operational and information technology
Whilst operational technology (OT) systems are often based on the same technologies as IT systems, and therefore face many similar threats, there are some important differences. These require the cyber risk to a firm's operational assets to be managed with its own strategy, rather than as an extension of an IT infrastructure.
Business system controls within the IT infrastructure can be critical to a company's operation, but their failure is unlikely to result in a physical event such as the release of hazardous materials or loss of power to a vessel.
As underlying operational technology has become more digitalised and less mechanical over recent years, there has been an associated improvement in safety within the marine industry.
However, the IT and OT environments are increasingly being connected to gain efficiencies and monitor systems. This connection brings new risks and the potential for systemic loss.
Operational technology - claims scenarios
The operational technology policy covers physical damage to a vessel and responds in the event of a cyber incident. A range of cyber events can trigger the policy, including:
• Ransomware embedded within Automatic Voltage Regulator software could prevent generators from providing power. Maximum speed is reduced to a level that is insufficient for the tide, resulting in the ship running aground.
• Malware propagates from an IT system to a vessel's computer, corrupting the software which runs the integrated bridge system. This results in the autopilot not following the correct track.
• A disgruntled employee embeds malware in the Electronic Chart Display & Information System software update, causing it to lose reference, resulting in the vessel running aground.
• The assisted collision Automatic Radar Plotting Aid (VHF/GPS/AIS) is corrupted or alerts are overridden, meaning there is insufficient time to take avoiding action.
Read more: www.maritimecyberinsurance.com