Maritime cyber security

Securing processes, people and new technology

Vessels are becoming increasingly complex with integrated digital systems both on board and onshore. This heightens the threat of cyber-attacks and requires an extended risk and safety assessment to improve cyber security resilience, with the aim to continuously ensure the safety of the crew, passengers and assets. 

There are various reasons why owners and ship managers need cyber security, including: 

• Digital technologies are increasingly applied to areas like navigation, logistics and communication, contributing to greater energy efficiencies and reduced emissions. However, with critical infrastructure increasingly connected it is also being exposed to added risk and uncertainty. 
• The ISM Code, underscored by IMO Resolution MSC.428(98), introduced in 2021, requiring owners, operators, and managers to consider overall cyber risks, and to have a cyber-security management system in place. 
• IACS new unified requirements (URs) for cyber security, requiring owners, yards and suppliers to build cyber security barriers into their systems and vessels, and ship classification societies to verify it. Applies to all newbuilds after 1 July 2024. 
• Standard insurance contracts, which exclude coverage of cyber incidents (CL.380); more and more insurance companies are offering to buy back this exclusion if proper cyber security can be proven. 
• Banks, which may want to see proof of proper cyber security in order to grant loans for buying/building vessels. 
• Ensuring continuous operation of vessels during and after an unintentional cyber incident or a malicious targeted/untargeted cyber-attack. 

Recommended actions and related support
from DNV

DNV recommends assessing all three dimensions relevant to achieve cyber security resilience on board vessels and in offices: people, processes and technology.

DNV recommends assessing all three dimensions relevant to achieve cyber security resilience on board vessels and in offices: people, processes and technology, cf. DNV RP-0496 “Cyber security resilience management for ships and mobile offshore units in operation”.

Typical actions to build cyber security resilience in the improvement phase include:

• Perform general/specialized training and incident response drills for crew and onshore staff
• Implement a cyber security management system for your fleet
• Implement technical barriers such as network segregation, USB control, virus scanning, secure local/remote access, and backup and recovery
• Document vessel topology and SW/HW inventory

Cyber secure class notation

DNV’s Cyber secure class notation provides a framework for third-party verification of a vessel’s cyber resilience across people, process and technology barriers. It covers the IMO requirements as well as IACS unified requirements, and uses recognised IEC standards for easy industry uptake. The different levels are defined to ensure a suitable level of security controls and effort for you as an owner or manager, regardless of the segment or the vessel’s complexity: