The International Maritime Organization (IMO), which sets maritime safety standards globally, has expanded the Safe Operation of Ships and Pollution Prevention Management System applicable to shipowners to include aspects of cyber risk management. All entities must achieve compliance with the new guidelines by the first ISM (International Safety Management Code) certification audit, which will take place after January 1, 2021. The obligation applies to both ships and the company’s onshore infrastructure.
What are the most important information systems on ships and in maritime transport in general?
Karolina Krużewska-Ossowska: The most important IT and OT systems used in the maritime transportation industry that should be secured against potential cyber-attacks on land and at sea as a priority are: navigation bridge systems, cargo handling and management systems, propulsion, machinery and power control systems, access control systems; communications, passenger service and administrative systems; and all other IT/OT systems that could compromise security and business continuity in the event of a cyber-security incident.
For us, automation systems are key to ensuring safe shipping. In the event of their failure, unauthorized access or human error, the ferry service could be disrupted, and in extreme cases this could endanger the safety of passengers and the ship’s crew. Priority is also given to the passenger service system, which, through its functionality, oversees the entire process of booking ferry tickets, checking in passengers, embarking passengers and cargo. A serious disruption in its functioning would prevent embarkation, the process of boarding passengers, and would stop the ship in port.
What was the process of preparing for a Cyber Security Management System audit?
K.K.-O.: All for One Poland (formerly SNP Poland) supported us with the implementation of the Cyber Security Management System, and the process consisted of conducting a zero audit and inventory of the assets we had, with a focus on the systems most vulnerable to cyber threats. The next step was to conduct a detailed analysis and risk assessment of specific IT and operational systems, along with a plan for dealing with the risks. The plan called for taking appropriate measures to minimize the identified risks, also taking into account the implementation of new solutions and routine activities to increase the level of cybersecurity. Among these were regular testing of system vulnerabilities, increasing the scope of cyber security training for employees, and continually improving the system to ensure an appropriate response to new threats.
What is the product of this project? What requirements does ISM Code have in this regard?
K.K.-O.: The end product of the project is primarily an integrated system, including both documentation describing in detail the Cyber Security Management System at Polferries, which is a kind of roadmap, and implemented solutions to help implement security procedures on land and at sea.
The ISM Code was enacted in 1993. It was the first formalized and mandatory standard for managing the safe operation of ships in the history of shipping. It imposed an obligation on shipowners to implement and maintain a Safety Management System. Initially, the code dealt with physically executed operations. Technological advances have resulted in ships being equipped with increasingly sophisticated information systems, hence the need to enrich existing procedures to include cyber threats. For this reason, the current documentation has been fundamentally expanded from that previously in place and is of significant importance.
In industries where human lives are at stake, written procedures that can be used in emergency situations, under time pressure and often operating under stress, are very important. Previous ship plans have focused on threats caused by human error, system failure or natural disaster. Now we are also ready for new threats – cyber threats. In today’s reality, where cyber attacks happen on average every 39 seconds, new procedures are very important and significantly improve safety at sea and have an impact on the protection of the marine environment.

Karolina Krużewska-Ossowska, Data Protection Inspector and Board Agent for Cyber Security, PŻB S.A.
Can you give a specific example? What risks were identified during the preparation for certification, how were they minimized?
K.K.-O.: All for One Poland’s consultants placed considerable emphasis on our clarification and sealing of logical and physical access policies to IT/OT devices both on ships and throughout the organization. We have increased testing and auditing of the security status of IT/OT infrastructure, including by conducting regular vulnerability tests.
What did the security audit itself look like?
K.K.-O.: The audit included an assessment of all elements of the shipowner’s safety management system and activities to which the ISM Code requirements apply. It was conducted by the Polish Register of Shipping SA, which is an organization recognized by the Administration.
The auditors asked about the solutions used to secure computers and systems, both at headquarters and on ships. They highlighted the procedure for regular reviews of system documentation and improvement plans, including conducting regular tests of security systems.
It was verified that the shipowner has appointed a team responsible for overseeing compliance with the implemented Cyber Security Management System. Polferries has appointed a Board Supervisor for Cyber Security, responsible for information security and business continuity within the framework of implemented controls, who works closely with the Information Security Forum.
The Information Security Forum provides direction on information security, reviews documentation and procedures, and analyzes any information security breaches.
We have also established an Incident Response Team, which immediately responds to information security incidents in a specific and predetermined manner. Separate communication channels have been established for employees to report any incidents. The Security Operations Center is responsible for protecting and maintaining IT/OT systems in Polferries’ area of operations.
The backup process for key data was checked, the procedures for which were described in the IT/OT security policy and the backup policy. The procedure for physical control and authorization of access to facilities, premises and computers was also checked. PRS auditors asked for documentation of the training provided to personnel, especially on ships, regarding attacks based on human elements (using social engineering).
The audit ended with us obtaining a Document of Compliance, which is essential for our business. This document is recognized as proof that the shipowner is capable of meeting the requirements of the Code. Without it, no ship can go to sea.
The certificate is only valid for one year, so the next audit is just a few months away. What new tasks has the new chapter of the Security Management System, including cyber security, brought to the Data Inspector?
K.K.-O.: The introduction of the Cyber Security Management System has expanded the scope of my tasks, but in many ways it has made my work easier, as managing risks in cyber security at sea and ashore and ensuring the security of processed personal data complement each other and form a common pillar to build safe shipping that is resilient to cyber threats.
Much more emphasis has been placed on employee training with regard to cyber threats, especially those involving social engineering, namely phishing and spoofing. Employees’ awareness and vigilance in this regard has increased significantly, which, with cyber-attacks increasing by 300% in this pandemic era, is of colossal importance for ensuring information security and business continuity. Great emphasis is placed on providing information on how to defend against cyber-attacks and incident response procedures.
We are in a continuous process of improving the security system, so in theory next year’s audit should be easier for us compared to this year’s. We emphasize continuous improvement of the existing system, apply solutions and technology with high and proven standards, manage risks and ensure business continuity plans. We provide maritime transportation services according to defined and effective procedures, translating into ensuring the confidentiality of data and information, security of systems and services, efficient passenger service and safe shipping.
Cyber piracy is a huge threat. How do cyber security standards serve to reduce the risk of attacks?
Andrzej Madejski: Ensuring IT security is one of the key technological challenges for maritime companies. With an increasing number of successful cyber attacks on organizations, the maritime industry must have and continuously develop a secure infrastructure, which, with the increasing digitization of ships, is exposed to many dangers from cyber criminals. It is essential to analyze potential threats, diversify risks and skillfully manage them using the latest solutions that will minimize situations that could lead to the loss of company assets.

Andrzej Madejski, CEO, PŻB S.A.
The implementation of technological innovations guarantees a lot of new opportunities for our industry, but at the same time causes an increase in cyber threats, related to data processing. OT technologies are increasingly willing to use IT systems, and thus the risk of cyber threats is increasing. The consequences of a successful attack by cyber criminals on critical shipping systems can be catastrophic and lead to huge financial and image losses, as well as threaten the safety of people and, in extreme cases, the country. Regularly enhancing network protection and continuously improving information security are challenges facing shipowners around the world today.
Cybercrime is growing at an alarming rate. It is estimated that the global cost of cybercrime will reach $6 trillion by the end of 2021. Successful implementation of cybersecurity in both IT and automated OT systems is an essential defense against cyber attacks. Training for employees is also extremely important, as human error is the cause of more than 95% of cybersecurity breaches.
Adherence to current cyber security standards undoubtedly reduces the risk of attacks and indicates appropriate handling of detected incidents. This translates directly into passenger safety, but also into the protection of our assets and corporate image. Among the many best practices, one can point to such actions as:
– Precise identification and indication of potential risks in relation to the business and the solutions used,
– Preparation of a detailed and precise set of procedures and plans for handling individual assets,
– Continuous training of naval and land-based cadres in cyber security,
– Establishment of a qualified team to constantly monitor and supervise the infrastructure on ships and ashore, ensuring the constant availability of resources and their safety,
– Verification of applied solutions and implemented policies through external auditors.
Risks to IT infrastructure are often more mundane. What measures is Polferries taking to improve security in this area?
Andrzej Pilarski: The maritime industry is becoming increasingly dependent on advanced technologies. The development of digitization is affecting most systems of the maritime transport sector. Changes are affecting navigation, loading, communication, notification and safety systems.

Andrzej Pilarski, Member of the Management Board, PŻB S.A.
Polska Żegluga Bałtycka S.A. is taking numerous measures to ensure an increase in the security level of its IT infrastructure. We have implemented and are developing a Safety and Quality Management System, compliant with the ISM Code and ISO 9001:2015, confirmed annually by the recognized certification body Polski Rejestr Statków S.A. The regulations implemented are aimed not only at meeting convention regulations, but most importantly the requirements of our customers. All company employees and ship crews are responsible for the implementation of pro-quality measures.
Both onshore and offshore personnel have regular training in data protection and cyber security. The purpose of these trainings is to raise awareness and develop the habit of using cyberspace responsibly and safely, to ensure the utmost caution when processing personal data in information systems, and to respond quickly in the event of an incident.
PŻB S.A. is investing in the development of IT infrastructure to provide a secure passenger service system. The company’s primary goal is safety and customer satisfaction. Our customers use regular ferry services between Poland and Sweden, and a large part of them spend their leisure time with us, relaxing and having fun on the ferry. Taking care of their safety at every level is our priority.
Interviewed by Miroslawa Huk, All for One Poland
Polska Żegluga Bałtycka S.A. is a Polish ferry operator, operating under the Polferries brand. The company was established in 1976 in Kołobrzeg. It currently operates five modern and safe ferries on the lines: Gdansk – Nynäshamn, Swinoujscie – Ystad, and in conjunction with the Oresund Bridge crossing: Swinoujscie – Copenhagen. PŻB S.A. has a Maritime Travel Agency in Warsaw, which offers ferry tickets from Polferries and other carriers. The company cooperates with many European travel agencies, especially from Scandinavian countries. Polferries ferries offer safe and comfortable sailing, traditional good cuisine, opportunities for attractive shopping and a great atmosphere created by professional and competent staff. Today, the ferries of Polska Żegluga Bałtycka S.A. operating connections with Scandinavia are modern vessels, safe and appreciated by our passenger and cargo customers.