GDPR TMSA Cyber Security<\/p>\n
<\/p>\n
Tanker owners should be prepared for new EU and IMO cyber security regulations as they must already comply with maritime security requirements under OCIMF\u2019s TMSA 3,\u00a0<\/strong>writes Martyn Wingrove <\/b><\/p>\n There are increasing amounts of cyber security-related regulations that shipping companies will have to comply with, but tanker owners are already ahead of the game. Ship operators will need to include cyber in ship safety and security management under the ISM Code from 1 January 2021.<\/p>\n Before that, they need to be aware of cyber and data security regulations, including the EU general data protection regulation (GDPR) and the EU directive on the security of networks and information systems (NIS).<\/p>\n Much of the requirements under these forthcoming or new regulations are already within Oil Companies International Marine Forum (OCIMF)\u2019s third edition of the Tanker Management and Self Assessment (TMSA) best practice guidelines. This came into force on 1 January this year, with a new element on maritime security and additional requirements of key performance indicators and risk assessments.<\/p>\n Regulation changes were outlined at Riviera Maritime Media\u2019s European Maritime Cyber Risk Management Summit<\/em>, which was held in London on 15 June. The event was held in association with Norton Rose Fulbright, whose head of operations and cyber security Steven Hadwin explained that \u201cdata protection and cyber security needs to be taken seriously from a legal point of view.\u201d<\/p>\n Data, such as information on cargo and charterers, could \u201cbecome a considerable liability\u201d. If data is lost \u201cthen GDPR could be in play\u201d said Mr Hadwin. Regulators \u201ccould impose a fine of up to 4% of that organisation\u2019s global annual turnover.\u201d<\/p>\n PwC UK cyber security director Niko Kalfigkopoulos explained the legislation and reasoning behind the NIS Directive, which went into full effect in May this year. \u00a0\u201cThese regulations have teeth\u201d he said because of the potential size of fines and damage to a company\u2019s reputation from being a victim of a cyber attack. This is one of the reasons why boardroom executives should be aware and understand what is required for compliance.<\/p>\n Class support<\/strong><\/p>\n During the summit, class societies provided cyber security guidance as they collectively attempted to define cyber secure ship notations. Lloyd\u2019s Register cyber security product manager Elisa Cassi said shipping companies should have a third party monitor their IT network and the operational technology (OT) and employ staff to \u201cstop people sharing data or compromising procedures\u201d.<\/p>\n Tanker owners \u201cneed to identify any compromise before an attacker tries to penetrate\u201d, Ms Cassi explained, noting that shipping companies need to \u201cinvestigate the vulnerabilities through analytics and machine learning\u201d, understand the behaviour of potential threats and use predictive analysis.<\/p>\n ABS advanced solutions business development manager Pantelis Skinitis said shipowners need to change passwords on operational technology, such as ECDIS and radar, as some remain unchanged since they were originally commissioned on the ship. He also advised owners to verify vendors and service engineers and that their USB sticks are clean of malware.<\/p>\n ABS has created cyber safety guidance for ship OT, particularly for ships coming into US ports and terminals. In its development, ABS identified the risks, vulnerabilities and threats to OT. \u201cManaging connection points and human resource deals with the biggest threat to OT systems on board,\u201d said Mr Skinitis.<\/p>\n DNV GL has developed new class notations covering cyber security of newbuildings. It has also produced an online video for instructing shipping companies to become more aware of cyber threats. During the summit, DNV GL maritime cyber security service manager Patrick Rossi said ship operators should set up multiple barriers to prevent hackers.<\/p>\n These should include firewalls, updated antivirus, patch management, threat intelligence, intrusion detection, emergency recovery and awareness testing. OT should be segregated from open networks, only official ENC-provider USBs and update disks should be used and cleaned of malware before being inserted into ECDIS and these systems should be segregated from the internet.<\/p>\n Cyber regulations and guidance for shipping<\/strong><\/p>\n EU General Data Protection regulation (GDPR) came into effect from 25 May 2018<\/p>\n IMO \u2013 Resolution MSC.428(98) – from January 2021 cyber security will be included in the ISM Code<\/p>\n TMSA 3 \u2013 cyber security was added to tanker management and assessment in January 2018; EU directive on the security of networks and information systems (NIS Directive) from May 2018<\/p>\n EU privacy rule (PECR) of individuals traffic and location data<\/p>\n Rightship added cyber security to inspection checklist<\/p>\n BIMCO \u2013 guidelines based on International Association of Classification Societies<\/p>\n <\/p>\n