[By Commander Michael C. Petta, USCG]
The coming of a new year often holds promise for the future. With the coronavirus pandemic dominating center-stage last year, many have their eyes keenly focused on new beginnings with the start of 2021. For some in the maritime industry, especially owners and operators of commercial vessels involved in international trade, 2021 brings a new set of guidelines for protecting vessels—the International Maritime Organization’s (IMO) guidelines on maritime cyber risk management.
These new guidelines, a milestone for maritime safety and security, are the product of collaboration and hard work among shipping industry leaders and IMO Member States. Some in the shipping industry consider this development to be game changing. Whether game changing or not, implementation of this new model is a vital step toward forging a uniform approach for combating cyber threats against vessels.
Notably, however, the 2021 guidelines leave an equally vital, and maybe just as vulnerable, part of the shipping industry—port facilities—without a similar set of principles. Now that the IMO’s vessel guidelines are in the implementation phase, Member States and maritime industry leaders should again prioritize cybersecurity and collaborate at the IMO to develop uniform cybersecurity standards for port facilities.
The IMO and International Maritime Regulation
Before exploring the need for port facility cybersecurity standards, it may be useful to review the IMO’s role in developing international regulations. In 1948, the Member States of the United Nations created the IMCO, which changed its name to IMO in 1982, to facilitate global cooperation with regulation and practices of shipping engaged in international trade. The IMO’s goal is to ensure safe, secure, and sustainable shipping, facilitating trade and friendly relations among all states. Because shipping is historically and inherently an international endeavor, the IMO depends on and promotes cooperation among its 174 Member States to build uniform regulations that support this essential goal. The IMO construct has remained durable and inclusive since its inception.
Few maritime regulatory regimes exemplify the IMO’s impactful work across the globe more than the International Convention for the Safety of Life at Sea (SOLAS). SOLAS is a treaty from the early 1900s drafted in response to, among other things, the infamous sinking of the RMS Titanic. After its initial adoption in 1914, SOLAS further evolved via multiple conventions over many years with the last convention adopted in 1974. Consequently, the treaty is commonly referred to as SOLAS 1974.
In general terms, SOLAS establishes minimum safety standards related to ship construction, equipment, and operation. Countries party to the treaty ensure vessels under their flags comply with SOLAS’s terms by way of nationally administered certification programs. At the time of this writing, 166 countries, representing about 99 percent of the world’s shipping tonnage, were contracting parties to SOLAS 1974.
Although the last SOLAS convention was adopted in 1974, the treaty has been amended various times since then via the IMO’s “tacit acceptance” procedures. And like SOLAS itself, these amendments often followed tragedy, such as when the International Safety Management (ISM) Code was added as a chapter of SOLAS after a 1987 ferry accident in Belgium killed nearly 200 people. Because casualty investigators found the company’s poor safety culture contributed to the accident, IMO Member States developed the ISM Code, a global safety management standard, to combat what one investigator called the “disease of sloppiness” on ships and ashore. Entering into force in 1998, the ISM Code has made “shipping safer and cleaner” for more than two decades.
The IMO’s 2021 Cyber Guidelines
The ISM Code serves as the foundation upon which IMO Member States have built the 2021 guidelines for cyber risk management. The guidelines were consigned in 2017 via three key declarations. First, in Resolution MSC.429(98), Maritime Cyber Risk Management in Safety Management Systems, the IMO affirmed a view that the ISM Code already requires mitigation of cyber risks. Per this view, cyber risk management is already encompassed in the code’s existing general requirement that companies establish safeguards against all risks to ships, personnel, and the environment.
Resolution MSC.429(98) also contains a second important declaration. In it, the IMO encouraged countries to “appropriately address” this preexisting requirement no later than January 1, 2021. Put in more practical terms, now that the anticipated deadline for IMO’s cyber guidelines has arrived with the start of this new year, the IMO encourages Flag States not to issue compliance documents to vessels if cyber risks are not appropriately addressed in the respective safety management system.
The third important IMO declaration is in a July 2017 circular, in which the IMO announced that its Maritime Safety Committee (MSC) and its Facilitation Committee jointly approved specific cyber risk management guidelines. Member States developed these non-mandatory guidelines in partnership with shipping industry leaders to promote compliance with the aforementioned preexisting ISM Code requirement to mitigate cyber risks. In the July 2017 circular, the IMO recommends vessels and Flag States utilize the guidelines during compliance checks to assess whether cyber risks have been appropriately addressed.
As a risk management regime, the ISM Code is expected to adapt well to the management and mitigation of cyber risks. Government officials and maritime industry leaders, experienced from roughly 18 years of ISM Code practice, are expected to rise to the challenge of applying the code in the emerging cyber arena. Moreover, by identifying in the ISM Code a preexisting, albeit seemingly dormant, cyber requirement and then complementing that requirement with non-binding industry guidelines, Member States avoided the lengthy process of amending SOLAS 1974 and the ISM Code.
This is all to say, harnessing the ISM Code’s risk management framework to mitigate cyber threats was an efficient approach. In 2021, Flag States will begin to utilize this approach and work toward global uniformity.
The Work that Remains to Secure Ports
SOLAS 1974 has been amended numerous times, often to implement subsidiary regulations such as the ISM Code. Another subsidiary regulation within SOLAS is the International Ship and Port Facility Security (ISPS) Code, the IMO’s comprehensive mandatory security regime developed after a different tragedy—the 9/11 attacks. Interestingly, as the IMO’s new model for addressing cyber threats was being considered, the MSC reported, via MSC 97/22, that some Member States felt ISPS might be more suitable for addressing cyber threats. Nonetheless, seemingly moved by the United States’ 2017 assertion that the ISM Code’s “application is sufficiently wide to include emerging risks associated with cyber-enabled systems,” the IMO chose to harness the ISM Code, not ISPS, to promote global maritime cyber standardization.
While tapping into the ISM Code’s wide framework was efficient, such resourcefulness also came with a major limitation. Unlike the ISPS Code that covers certain ships and the port facilities that serve them, the ISM Code, even with its broad risk management concepts, applies only to vessels. This limitation means owners and operators of port facilities around the world will not reap the protective benefits realized with 2021’s implementation of IMO’s new cyber guidelines.
Port facilities play a vital role in global trade and rely heavily on technology to operate. As the May 2020 incident at Iran’s Shahid Rajaee port terminal demonstrates, a cyberattack at a port facility can be crippling. Since 2017, each of the four biggest maritime shipping companies in the world has been the victim of a cyberattack, with a recent attack taking place only a few months ago in September 2020. Considering these events, one should have no doubt that port facilities across the globe are presently vulnerable to cyber threats and that the potential for these vulnerabilities to be exploited is undeniably real.
With the reality of cyber threats in mind, Member States and maritime industry leaders should collaborate at IMO to develop uniform cybersecurity standards for port facilities, just as they did to protect vessels. Coincidentally, in 2016 the Islamic Republic of Iran offered this exact proposal to the MSC. In MSC 97/4, Iran stressed the critical need for cyber risk management guidelines specific to ports. This proposal, somewhat prophetically considering the 2020 events at the Port of Shahid Rajaee, underscored the serious consequences a cyberattack could have on a port and on critical infrastructure.
While the MSC did not act on Iran’s proposal, in December 2016 the MSC expressly thanked Iran for its recommendation and “invited interested Member States to submit a proposal” for consideration at a future MSC session. No record has been found that any Member State has submitted such a proposal. Now is the time for Member States to accept the invitation.
The IMO’s guidelines for managing cyber risks on vessels are a key development for the shipping industry. Flag States and shipping companies worldwide now have an industry-sponsored framework from which to recurringly assess cyber safeguards on ships. There is more work to be done, however, to appropriately protect the rest of the maritime transportation system. Like Flag States and their vessels, Port States and their ports require guidelines to ensure cyber risks are uniformly addressed at maritime facilities. With 2021 finally ushering in cyber standards for vessels, now is the time for Member States, in partnership with the maritime industry, to assemble at the IMO and develop similar standards to secure ports across the globe.
Commander Michael C. Petta, USCG, serves as Associate Director for Maritime Operations and professor of international law in the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the policy or position of the U.S. Coast Guard, the Department of Homeland Security, the U.S. Navy, the Naval War College, or the Department of Defense.