Cyber Risks and PSC Inspections

As cyber risks are required to be addressed in a vessel’s SMS it introduces another avenue that can be assessed during PSC inspections.

Will PSC inspectors be focusing on cyber compliance?

Presently there is no indication that PSC inspectors will be focusing specifically on compliance with the cyber risks identified in the vessel’s SMS. While there may be no targeted campaigns, as with all new regulations it is likely that they may receive some level of attention during inspections.

Crew preparations – know your procedures

A vessel’s procedure for cyber risk management is no different to any other shipboard procedure. The crew should familiarise themselves with the procedures and have a working knowledge of what is required. Senior ranks will require an in-depth understanding and are likely to be responsible for training junior crew members.

First impressions

As with any shipboard operation, an inspector’s first impressions will play a large part in deciding how well they think the vessel is performing. If an inspector walks up a well rigged gangway and crew follow the correct ISPS procedures, straight away the inspector will have a good impression. The same will happen if they walk into a ship’s office or bridge and the crew are displaying a good level of cyber risk management. While a typical PSC inspector may be very experienced in traditional ship operations, cyber risk management may be as new to them as it is to the crew. Therefore, during initial inspections, it is likely  that they will be assessing a basic level of cyber risk management.

Getting the basics right

While cyber risk management may seem a very complicated field there are simple rules that all crew members can follow. Inspectors will likely look for evidence of breaches of basic cyber risk management such as:

• Password management- passwords for ship’s equipment such as ECDIS should not be openly displayed.
• USB policy – crew should be aware of the importance of not connecting personal devices into shipboard equipment or the ship’s network. They should be aware of the process for handling USB devices from 3^rd parties such as agents or technicians.
• Restricting access to key areas of the ship and locking/logging off computers when not in use.
• Crew having an awareness of receiving emails that are phishing attempts or attachments that could contain malware.

If Senior Officers are familiar with the cyber risk management elements of the SMS and focus on all crew getting the basics right, they should sail through PSC inspections!

The Australian Maritime Safety Authority (AMSA), the UK’s Maritime Coastguard Agency (MCA)  and United States Coast Guard (USCG) have produced guidance notes on adopting cyber risk management in SMS. The majority of this information is targeted at creating robust procedures rather than compliance.

USCG Office of Commercial Vessel Compliance (CG-CVC) Mission Management System (MMS) Work Instruction (WI)

AMSA document

MCA MIN 647 – Cyber security measures within safety management systems