Questions the DPA should ask their I.T department

This overview continues the Eazi Security series on practical considerations for Designated Persons Ashore (DPAs) to ensure full compliance with Resolution MSC 428(98) on maritime cyber risk management.

It is generally accepted that it is legitimate and sensible for the DPA to delegate some of the safety management (ISM) tasks to others within the Company. However, the DPA is not able to delegate their responsibility "to ensure the safe operation of each ship" and to monitor "the safety and pollution-prevention aspects of the operation of each ship" (ISM Code Section 4).

We have mentioned in previous blogs that some technical aspects of cyber security may be outside the scope of a DPA's expertise. This is through no fault of the DPA: they tend to be experts in on-board operational matters and have a good "feel" for what is safe and unsafe on board. The finer points of digital security, and the associated technical jargon, may be somewhat outside their expertise.

This makes managing compliance with the forthcoming cyber risk management requirements (MSC 428(98), which calls for cyber risks to be addressed within the existing ISM Code safety management system) much harder for the DPA, who remains responsible for it, than previous changes. Most DPAs will be relying on the Company's IT Department to deliver the systems and control measures that will satisfy an external ISM auditor.

In short, the DPA remains responsible for all aspects of the ISM Code but may not have all the necessary cyber security knowledge and experience to ensure compliance. In that case the DPA will be required to show that there is sufficient oversight of the IT Department. There are many questions the DPA could ask of their IT Department to demonstrate that they are monitoring, and thereby complying with, the requirements of the ISM Code. Some of those questions may already be answered by the IT Department, although the extent and clarity of those answers is, in our humble opinion, widely variable.

Here are five questions we would suggest the DPA ask (preferably with answers in writing, as evidence for the ISM auditor) to satisfy themselves that their IT Department is aware of the requirements of MSC 428(98) and is managing the risks appropriately:

  • 1. What IT functions directly relate to the requirements of the ISM Code?
  • MSC 428(98) requires that the "safety management system should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code". Therefore, if an IT function is outside the objectives and functional requirements of the ISM Code, it is not strictly a matter for the DPA. For example, Customer Relationship Management (CRM) software used for shore-based customers does not affect the safety and pollution-prevention requirements of the Code and is therefore outside the DPA's remit to monitor. Note that the boundary is drawn by function, not by location: a shore-side system that can reach on-board networks (a remote-access gateway, a software update server, or the email system the crew use) is within scope even if its primary purpose is commercial, because a compromise of it can reach the ship. So, be very clear what is and (more importantly) what is not the responsibility of the DPA to monitor.

  • 2. Does the Company have an IT cyber security policy? Are all company employees aware of it, and is it fit for purpose both ashore and on board vessels?
  • Ideally the cyber security policy should be in understandable, non-technical language (i.e. something a seafarer would understand) and be included either in the ISM system or, if the IT Department has its own management system (for example ISO 9001 or ISO/IEC 27001), there should be a bridging document/reference from the Safety Management System (SMS) to the IT management system, so that an auditor can trace each cyber control back to the SMS.

  • 3. Has the IT Department developed workable procedures and processes for the vessels that recognise the communications and technical limitations on board?
  • For example, a procedure that requires extensive computer skills from seafarers (for instance, restoring a backup image onto a compromised server on board) will require either excellent work instructions or a sufficiently trained ETO/Officer on board. Are the procedures written in plain English or the working language of the vessel? Or do you need a degree in Klingon to translate?

    Also, have procedures that work ashore been adapted and tested to ensure that they also work on board the vessel? In particular, do they still work in the intermittently connected or fully off-line environment on board, where there may be no access to shore-side servers, update repositories or remote support? And do the procedures cover all of the IT functions on board, particularly integrated bridge systems and their interfaces?

  • 4. What disaster recovery procedures have been developed and when was the last time they were properly drilled?
  • Are the recovery procedures credible to you as a DPA and proportionate to the threat? For example, has thought been given to vessels that are at sea at the time of a company-wide cyber attack, and to how the ship would continue to operate safely if shore support were unavailable?

    When was the last drill in which a server ashore was actually restored? Or does the IT team only ever run tabletop exercises, where they talk through a scenario but don't physically go through the process? It is amazing what problems come to light when you actually do it (someone does know how to get into that server room after hours, but where do we keep that spare key? Sound familiar? We've seen it happen).

  • 5. What evidence is there that the IT Department is following their processes and procedures?
  • Ideally the IT Department will be following its own formal quality assurance framework (for example ISO 9001 or ISO/IEC 27001), but it is not unheard of for compliance to lapse immediately following a successful audit. Conversely, compliance may be better in the run-up to a QA audit. Does your IT Department have a formal framework, and where is it in the audit cycle? Is it following its own processes, or using the "Hamlet approach" (more honoured in the breach than the observance)?

    It might also be worth looking at the management of change process the IT Department is following to implement the changes required by the new ISM Code requirements. Does the IT Department have a change process plan? How is it being recorded? What involvement do you as DPA have in it? Are you up to speed with it? And what documentary evidence can you present to the external ISM auditor that demonstrates compliance with MSC 428(98)?

    Questions often lead to more questions, and as a DPA your role is to monitor and to ensure compliance. With regard to answers, we would suggest that when the external ISM auditor asks "...and what are you doing about cyber security?" it is best not to answer "I've left all of that to the IT Department".

    Safe travels.

    If you wish to know more about Eazi Security and its cyber security software solutions please contact Mr David Clayden, Tel +44 (0)7711 351463.