Shipowners must prepare for compliance with IMO 2021 and look beyond it to the demands of an increasingly digitalised, smarter shipping industry, writes Tore Morten Olsen from Marlink.

The shipping industry is on a voyage to a new horizon, this time it is digital. We are already in the era of the connected ship, where we are witnessing the digitalisation of the asset, with increased levels of remote monitoring, more data collection and analysis points, with the digitalisation of operational technology (OT). The next phase will be digitalised ships, where crew-operated vessels remain the norm but with increased remote assistance using industrial IoT and real time analytics.

The ultimate phase is smart ships, where the digital transformation of the business actually occurs with vessels potentially operated remotely with crew assistance, with ships integrated into a wider digital transformation of the company and its activities within the chains of logistics. But just as the journey of a thousand miles starts with a first step, this voyage needs to understand the main stumbling block to progress. It’s not traditional resistance to change, it’s the need to secure the current and next generation of assets. Put simply, without adequate cyber security this voyage cannot make progress.

What shipowners need to understand more than anything that the digital journey means that a vessel is a single ecosystem, encompassing information technology (IT) and OT and that they need a partner who can help them address both. Traditional cyber security focuses on the IT system and its normally visible components with well-established protective tools. In order to meet the baseline requirements of IMO 2021 amendments to the ISM Code as well as the much more demanding voluntary systems such as SIRE and TMSA, owners need to document protection of OT assets which means proactive threat detection is necessary too.

An analysis of the data gathered by Marlink from a sample of shipowners illustrates the problem. On average the vessel IT network (the ship’s collection of admin PCs and back of bridge support systems) accounts for 22% of cyber threats. The OT network of connected machinery and devices accounts for 10%. The crew LAN remains the biggest area of threat at 68%. This suggests that crew do not in the main have enough awareness around cyber hygiene and procedures for safe use of their handhelds and mobile devices. The situation many crew find themselves in since the start of the pandemic may explain this to some extent but the responsibility lies with owners to provide them with the necessary training.

The IT/OT numbers are equally troubling because they suggest that threats are being increasingly recorded against both PCs and unattended systems and components by actors seeking wider network access. Experts have long warned that the Internet of Things poses a serious threat to security without proper protection measures and the impact of a successful attack could be fatal.

On the bridge – and in officers’ cabins – it suggests that hackers and attackers could be exploiting unpatched software, out of date operating systems and poor hygiene, from default passwords to simple breaches of procedure. Until now these threats had been a fact of life but not a show stopper, assuming that cyber protection software did its job. From January 2021 all that changes when amendments to the International Safety Management Code come into force, requiring owners demonstrate that they have a process of cyber risk management in place. Compliance with voluntary cyber security guidelines until now has tended to succeed or fail on the basis of the human element, relying on an intention to do the right thing. In the future, the vessel will have to demonstrate that it has a policy and procedures in place for crew awareness, a means of ensuring that all systems are up to date and means of proving both.

Given the increasing complexity of onboard systems and their contribution to efficiency, fuel saving and voyage management it also suggests that cyber protection is in itself not enough; owners will need to demonstrate that they have a plan in place for proactive detection of cyber risks. This also has commercial implications. Updates and guidance from industry associations and statutory bodies like class will influence the behaviour of the ship operators moving forward. Owners that cannot demonstrate that the data they are handling on behalf of their customers has the required level of security may find it harder to compete for cargoes from blue chip charterers. These same customers may even assume that an operator should go well beyond the IMO 2021 baseline and have policy and procedures in place more akin to the TMSA or SIRE vetting standards used in the tanker industry.

Owners undergoing inspections during the first months of 2021 will find out whether they have done enough to meet the standards expected of the port state. They will find themselves required to provide compelling and immediate evidence that the ship is in compliance. And it seems likely that as the digital voyage continues, the requirements will continue to tighten, both from a regulatory or a commercial perspective – though customer demand is likely to be the first mover. Seen from that perspective, the stakes have rarely been higher.