Taking Lessons from El Faro to Assess Cyber Risk
The International Maritime Organization (IMO) January 2021 deadline for ship owners and managers to incorporate cyber risk management into existing Safety Management Systems is closer than many realize, especially given the complex profile that the risk presents and the need for a well-detailed procedure to help protect marine assets and businesses. The consequences of failing to properly address cyber risks go well beyond the simple fact that a vessel could be detained by Port State Authorities if it were found not to be in compliance. It is good that the risks that a cyber event poses to maritime interests are being brought forth, but it is important to remember that cyber risk is only one of the many risks we face. By examining past failures dealing with traditional risks, we can better understand how we have underestimated or normalized the risks that are present in our environment.
With the recent release of the NTSB Final Report on the El Faro’s sinking, I have spent time reviewing the report and looking back at my own experiences. I am saddened to see many similarities in the conditions present for both the El Faro loss and that of the Marine Electric in 1983. Several statements and findings in the NTSB Report affect numerous shipboard operations, not just heavy-weather operations, as was the case with the El Faro. The shipboard operations affected will include the upcoming Cyber Security safeguards and procedures.
The NTSB Report has the following passages regarding vessel Safety Management Systems:
“Safety Management System. According to the ISM code, it is the responsibility of the company—the owner or any other organization that has assumed responsibility for operation of a ship—to establish an SMS for its vessels. According to section 1.2.2 of the code, the SMS should ‘assess all identified risks to its ships, personnel and the environment and establish appropriate safeguards.’ In this manner, the code (section 7) directs that the ‘company should establish procedures, plans and instructions, including checklists as appropriate, for key shipboard operations concerning the safety of the personnel, ship, and protection of the environment.’ Furthermore, the code requires that the company ‘identify potential emergency shipboard situations, and establish procedures to respond to them.’”
“Summary. Merely having an SMS is not sufficient to prevent catastrophes. It is necessary to have dedicated personnel assigned to provide captains with effective guidance and procedures. Robust training and auditing ensure that guidance and procedures are being followed. DPs should be actively involved in the maintenance of the SMS and should monitor their assigned vessels throughout each voyage.”
The NTSB Report also contains the following recommendations:
- NTSB recommends to the U.S. Coast Guard in Safety Recommendation M-17-40 to: Review and implement training of Coast Guard inspectors and accredited classification society surveyors to ensure that they are properly qualified and supported to perform effective, accurate, and transparent vessel inspections, meeting all statutory and regulatory requirements.
- NTSB recommends to the American Bureau of Shipping in Safety Recommendation M-17-62 to: Enhance training of your surveyors to ensure that they are properly qualified and supported to perform effective, accurate, and transparent vessel surveys, meeting all statutory and regulatory requirements.
- NTSB recommends to TOTE Services, Inc. in Safety Recommendation M-17-69 to: Conduct an external audit, independent of your organization or class society, of your entire safety management system to ensure compliance with the International Safety Management code and correct noted deficiencies.
These passages and the three recommendations stemming from the El Faro incident should be remembered when planning for the upcoming Cyber Security SMS Procedures and the issues that will arise in writing, implementing and auditing effective procedures.
While the vessel Safety Management System is the best platform for the Cyber Security program to reside on, we cannot overlook the fact that this is a non-traditional risk. We cannot approach our procedures and auditing process the same way we have approached the majority of our operational risks within the SMS. The fast-paced world of cybersecurity and the risk it presents lie in many ways in direct opposition to our traditional maritime environment and the risks that we have faced for generations. You can’t hear it or see it like a traditional risk. But it is continually making additional inroads into the way we operate and manage vessels on a daily basis. That fact is not going to change, and the risks associated with using this technology are not going to go away. Unfortunately, that is the approach that many within the maritime community take toward cybersecurity. This must change, because the nature of cyber risk is such that it could have catastrophic impacts throughout our industry. The nature of ports and shipping lanes is such that the fate of one company impacts the fortunes of all.
Some of the key questions that we need to be asking include:
- What are the required levels of shipboard and shoreside support that these new technologies require in the near and short term?
- Have the costs and additional risks of a particular technology been properly evaluated?
- Do the benefits outweigh the risks – bottom line, does it make sense?
As we approach the IMO Cyber deadline of 2021, it is important to keep in mind the goal of our Safety Management Systems and ensure that our cybersecurity procedures are practical, functional and effective. It is also important that we look at the role that auditors and shoreside support have in the effective implementation of these policies. As the NTSB stated in the El Faro report: “Merely having an SMS is not sufficient to prevent catastrophes. It is necessary to have dedicated personnel assigned to provide captains with effective guidance and procedures. Robust training and auditing ensure that guidance and procedures are being followed.”
To that point, the need for independent cybersecurity audits to ensure that procedures are adequate is a departure from our normal SMS auditing criteria. However, given the nature of this risk and the potential impact of the failure to adequately protect a vessel, a new approach is warranted. A key point that we at Allianz Global Corporate & Specialty raise with our assureds is the fact that cybersecurity is a race without a finish. As we proceed further on the course of utilizing technology to address the concerns and challenges of marine transportation, the need for proactive, customizable cybersecurity platforms will continue to grow. The first step in this process is to identify your current exposure. While cyber risks continue to evolve and develop, we cannot lose sight of the traditional risks that ships and sailors face. Perhaps the most important lesson from the loss of the SS El Faro is that we learn from our collective past to protect our future.
(As published in the April 2018 edition of Maritime Reporter & Engineering News)