By CDR Michael C. Petta
Introduction
The coming of a new year often holds promise for the future. With the coronavirus pandemic dominating center-stage last year, many have their eyes keenly focused on new beginnings with the start of 2021. For some in the maritime industry, especially owners and operators of commercial vessels involved in international trade, 2021 brings a new set of guidelines for protecting vessels—the International Maritime Organization’s (IMO) guidelines on maritime cyber risk management.
These new guidelines, a milestone for maritime safety and security, are the product of collaboration and hard work among shipping industry leaders and IMO Member States. Some in the shipping industry consider this development to be game changing. Whether game changing or not, implementation of this new model is a vital step toward forging a uniform approach for combating cyber threats against vessels.
Notably, however, the 2021 guidelines leave an equally vital, and maybe just as vulnerable, part of the shipping industry—port facilities—without a similar set of principles. Now that the IMO’s vessel guidelines are in the implementation phase, Member States and maritime industry leaders should again prioritize cybersecurity and collaborate at the IMO to develop uniform cybersecurity standards for port facilities.
The IMO and International Maritime Regulation
Before exploring the need for port facility cybersecurity standards, it may be useful to review the IMO’s role in developing international regulations. In 1948, the Member States of the United Nations created the IMCO, which changed its name to IMO in 1982, to facilitate global cooperation with regulation and practices of shipping engaged in international trade. The IMO’s goal is to ensure safe, secure, and sustainable shipping, facilitating trade and friendly relations among all states. Because shipping is historically and inherently an international endeavor, the IMO depends on and promotes cooperation among its 174 Member States to build uniform regulations that support this essential goal. The IMO construct has remained durable and inclusive since its inception.
Few maritime regulatory regimes exemplify the IMO’s impactful work across the globe more than the International Convention for the Safety of Life at Sea (SOLAS). SOLAS is a treaty from the early 1900s drafted in response to, among other things, the infamous sinking of the RMS Titanic. After its initial adoption in 1914, SOLAS further evolved via multiple conventions over many years with the last convention adopted in 1974. Consequently, the treaty is commonly referred to as SOLAS 1974.
In general terms, SOLAS establishes minimum safety standards related to ship construction, equipment, and operation. Countries party to the treaty ensure vessels under their flags comply with SOLAS’s terms by way of nationally administered certification programs. At the time of this writing, 166 countries, representing about 99 percent of the world’s shipping tonnage, were contracting parties to SOLAS 1974.
Although the last SOLAS convention was adopted in 1974, the treaty has been amended various times since then via the IMO’s “tacit acceptance” procedures. And like SOLAS itself, these amendments often followed tragedy, such as when the International Safety Management (ISM) Code was added as a chapter of SOLAS after a 1987 ferry accident in Belgium killed nearly 200 people. Because casualty investigators found the company’s poor safety culture contributed to the accident, IMO Member States developed the ISM Code, a global safety management standard, to combat what one investigator called the “disease of sloppiness” on ships and ashore. Entering into force in 1998, the ISM Code has made “shipping safer and cleaner” for more than two decades.
The IMO’s 2021 Cyber Guidelines
The ISM Code serves as the foundation upon which IMO Member States have built the 2021 guidelines for cyber risk management. The guidelines were consigned in 2017 via three key declarations. First, in Resolution MSC.429(98), Maritime Cyber Risk Management in Safety Management Systems, the IMO affirmed a view that the ISM Code already requires mitigation of cyber risks. Per this view, cyber risk management is already encompassed in the code’s existing general requirement that companies establish safeguards against all risks to ships, personnel, and the environment.
Resolution MSC.429(98) also contains a second important declaration. In it, the IMO encouraged countries to “appropriately address” this preexisting requirement no later than January 1, 2021. Put in more practical terms, now that the anticipated deadline for IMO’s cyber guidelines has arrived with the start of this new year, the IMO encourages Flag States not to issue compliance documents to vessels if cyber risks are not appropriately addressed in the respective safety management system.
The third important IMO declaration is in a July 2017 circular, in which the IMO announced that its Maritime Safety Committee (MSC) and its Facilitation Committee jointly approved specific cyber risk management guidelines. Member States developed these non-mandatory guidelines in partnership with shipping industry leaders to promote compliance with the aforementioned preexisting ISM Code requirement to mitigate cyber risks. In the July 2017 circular, the IMO recommends vessels and Flag States utilize the guidelines during compliance checks to assess whether cyber risks have been appropriately addressed.
As a risk management regime, the ISM Code is expected to adapt well to the management and mitigation of cyber risks. Government officials and maritime industry leaders, experienced from roughly 18 years of ISM Code practice, are expected to rise to the challenge of applying the code in the emerging cyber arena. Moreover, by identifying in the ISM Code a preexisting, albeit seemingly dormant, cyber requirement and then complementing that requirement with non-binding industry guidelines, Member States avoided the lengthy process of amending SOLAS 1974 and the ISM Code.
This is all to say, harnessing the ISM Code’s risk management framework to mitigate cyber threats was an efficient approach. In 2021, Flag States will begin to utilize this approach and work toward global uniformity.
The Work that Remains to Secure Ports
SOLAS 1974 has been amended numerous times, often to implement subsidiary regulations such as the ISM Code. Another subsidiary regulation within SOLAS is the International Ship and Port Facility Security (ISPS) Code, the IMO’s comprehensive mandatory security regime developed after a different tragedy—the 9/11 attacks. Interestingly, as the IMO’s new model for addressing cyber threats was being considered, the MSC reported, via MSC 97/22, that some Member States felt ISPS might be more suitable for addressing cyber threats. Nonetheless, seemingly moved by the United States’ 2017 assertion that the ISM Code’s “application is sufficiently wide to include emerging risks associated with cyber-enabled systems,” the IMO chose to harness the ISM Code, not ISPS, to promote global maritime cyber standardization.
While tapping into the ISM Code’s wide framework was efficient, such resourcefulness also came with a major limitation. Unlike the ISPS Code that covers certain ships and the port facilities that serve them, the ISM Code, even with its broad risk management concepts, applies only to vessels. This limitation means owners and operators of port facilities around the world will not reap the protective benefits realized with 2021’s implementation of IMO’s new cyber guidelines.
Port facilities play a vital role in global trade and rely heavily on technology to operate. As the May 2020 incident at Iran’s Shahid Rajaee port terminal demonstrates, a cyberattack at a port facility can be crippling. Since 2017, each of the four biggest maritime shipping companies in the world have been the victim of a cyberattack, with a recent attack taking place only a few months ago in September 2020. Considering these events, one should have no doubt that port facilities across the globe are presently vulnerable to cyber threats and the potential that these vulnerabilities will be exploited is undeniably real.
With the reality of cyber threats in mind, Member States and maritime industry leaders should collaborate at IMO to develop uniform cybersecurity standards for port facilities, just as they did to protect vessels. Coincidentally, in 2016 the Islamic Republic of Iran offered this exact proposal to the MSC. In MSC 97/4, Iran stressed the critical need for cyber risk management guidelines specific to ports. This proposal, somewhat prophetically considering the 2020 events at the Port of Shahid Rajaee, underscored the serious consequences a cyberattack could have on a port and on critical infrastructure.
While the MSC did not act on Iran’s proposal, in December 2016 the MSC expressly thanked Iran for its recommendation and “invited interested Member States to submit a proposal” for consideration at a future MSC session. No record has been found that any Member State has submitted such a proposal. Now is the time for Member States to accept the invitation.
Conclusion
The IMO’s guidelines for managing cyber risks on vessels are a key development for the shipping industry. Flag States and shipping companies worldwide now have an industry-sponsored framework from which to recurringly assess cyber safeguards on ships. There is more work to be done, however, to appropriately protect the rest of the maritime transportation system. Like Flag States and their vessels, Port States and their ports require guidelines to ensure cyber risks are uniformly addressed at maritime facilities. With 2021 finally ushering in cyber standards for vessels, now is the time for Member States, in partnership with the maritime industry, to assemble at the IMO and develop similar standards to secure ports across the globe.
Commander Michael C. Petta, USCG, serves as Associate Director for Maritime Operations and professor of international law in the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the policy or position of the U.S. Coast Guard, the Department of Homeland Security, the U.S. Navy, the Naval War College, or the Department of Defense.
Featured Image: CMA CGM’s Benjamin Franklin at the Port of Los Angeles, December 26, 2015. (Photo via Wikimedia Commons)