Practical considerations for ISM audits after 1st January 2021

This overview continues the Eazi Security series on practical considerations for Designated Persons Ashore (DPAs) to ensure full compliance with Resolution MSC 428(98) on maritime cyber security.

The new cyber security requirements take effect on 1st January 2021. Therefore you can expect that Flag ISM auditors will check that the Company complies with these new requirements at the first DOC (ashore) and SMC (on board) audit after that date. After all, which auditor would miss the chance to catch out a company with new legislation, or to show that they are on top of the latest maritime developments (even though the subject knowledge and training given to the auditor on cyber security may be scant)?

Eazi Security offers assessments to determine gaps in company cyber security measures. Here are some items you can expect an auditor to look at when investigating your compliance with cyber security. Alas, these are not theoretical; they are common issues we have found during the course of our work:-

Do you have a cyber security policy? Has the Company developed a brand new policy or adapted its existing ISPS security policy? If it is the latter, preferably the change is more than simply adding the word “cyber” to the title of the old policy. More importantly, are senior managers ashore and afloat aware of the policy content? Ideally they can speak confidently of the benefits of improved cyber security and be realistic about the challenges the Company faces.

Change management – If you can show that your new cyber security arrangements have been implemented following the Company’s change management procedures, including consideration of all aspects of change within the business (e.g. affecting IT and safety departments, vessel and shore staff, suppliers and port authorities etc.), it will go a long way towards satisfying an auditor’s curiosity. Conversely, if your company is already fully compliant with cyber security, the change management process will identify that no changes (or only very minor ones) have been needed.

Training – Ideally both shore and sea staff have been informed of the new ISM policy and procedures. Regular inclusion of cyber matters in the on board Safety Committee Meeting minutes is always good evidence to the auditor of compliance. The auditor will expect the DPA and senior staff ashore to be aware of cyber changes, but should not expect them to know all of the exact technical details (probably because the typical ISM auditor will not understand them him/herself). However, it would help if someone in your IT department ashore is on hand to fill in any technical details during the DOC audit. Ideally get them to practise with the DPA beforehand. Decide what information you are going to offer (and not offer) in response to the auditor’s queries. If the auditor has the impression that it is all competently covered, they are likely to move swiftly on to more familiar ground.

Some considerations on board the vessel. These issues have been seen on our visits to vessels to conduct cyber security audits. They are all obvious, so they are likely to be picked up, even by an ISM auditor:-

Password and log-in details on display – We know it’s a pain having to remember passwords – why not make it easy and display them next to the bridge computer? (Usually under the perspex of the chart room table.) Check that this IS NOT happening on your vessel; you may be surprised.

Single user log-in – It’s annoying for each officer to have to log in with their own credentials every time they use the computer. Why not just have a single account that everyone uses? Preferably with a password that everyone can remember (like the name of the vessel, “123456” or even “password”). We see this a lot. Please make sure the auditor does not see it on your vessel.

Updated anti-virus software on computers used in critical systems – A member of the Eazi Security team has observed on more than one vessel that the ECDIS planning station at the back of the bridge receives the weekly updates from ashore. From this, all other ECDIS units on board are updated. Frequently these planning stations have out-of-date anti-virus software (on one vessel it was over 3 years out of date). Please ensure that all IT systems used in critical systems have been updated, including up-to-date operating systems (are you still running Windows XP on board?).

“Hooky” software – Eazi Security are aware of one vessel whose dynamic positioning system required an upgrade by the manufacturer’s shore-based service engineer. He duly attended the vessel and loaded a pirated operating system onto the D.P. control computer. Please check that legitimate copies of software are installed on all your computers, even by equipment manufacturers, and that you have a record of the correct licence keys.

Physical security of IT system components – The vast majority of ships Eazi Security visit have IT equipment on the bridge which can be easily stolen. Routers, switches, servers etc. are in plain sight and anybody in port can simply walk off with them. We know that the bridge is a controlled area under ISPS, but in port it is rarely a citadel. Consider putting IT equipment out of sight or in a locked server cabinet. And please, if it is the latter, don’t leave the keys in the lock or draped over the cabinet handle!

Captain and Chief Engineer’s familiarity with IT processes – Whilst this is changing, it is our experience that most Captains and some Chief Engineers are “behind the curve” with the latest IT. A common “auditor’s trick” is to ask the Captain to show how the ECDIS is updated. Most are not able to do it and demonstrate a lack of understanding of the system security fundamentals. Our point is that if they don’t understand the fundamentals, how can they understand the potential risks or ensure that best practice is being followed by the junior officers? It is unreasonable for an auditor to expect the Master to be as good as the Second Officer at updating ECDIS, but often Masters admit that it was their first time when asked by the auditor, and it usually shows.

Updating ECDIS – A number of vessels today are carrying ECDIS that have been fitted retrospectively. Occasionally, due to limited bridge space, these are located in non-optimal positions for the navigating officers. This may cause limitations; for example, one vessel was unable to take the side panel off the ECDIS to update the system with a USB stick, and the update had to be done via a link to the other ECDIS. Please ensure that your new ISM security procedure actually reflects what can and can’t be done physically on board.

These are just a flavour of some issues Eazi Security has found when auditing companies and ships. We are always happy to help, give us a call.

If you wish to know more about Eazi Security and their world leading cyber security software solutions please contact David Clayden – email – Tel +44 (0)7711 351463 – Web