MIT circular arrives: strengthening security against cyber-attacks on ships and ports
The measures, which will come into force on 1 November, apply to domestic ships, ports and port facilities
by Andrea Carli
The challenges posed by emerging technologies require constant updating of defence strategies, and ships and ports are no exception. The risk of cyber-attacks in the maritime sector is increasing, and the MIT, the Ministry of Infrastructure and Transport, has updated the security measures for national ships, ports and port facilities with a circular that will come into force on 1 November. The circular is titled 'Update of security measures for domestic ships, ISM (Company) and port facility operators (port facility)'. Its message is clear: 'Cybersecurity must be considered an integral part of overall maritime security management and not an ancillary element, requiring a coordinated and coherent approach between ships, management companies and port facilities, in line with the relevant international, EU and national regulatory framework'.
The precedent of the attempted hacking of the 'Fantastic' ferry
The document was issued through the General Command of the Port Authority Corps - Coast Guard and the NIS Authority - Transport Sector. The move comes just days after the attempted hacking of the ferry 'Fantastic', operated by the Italian company Grandi Navi Veloci (GNV). The circular, the Coast Guard says, 'introduces an advanced, modern and binding framework of cybersecurity measures designed to strengthen the resilience of the maritime-port sector, in light of the growing digitalisation of on-board systems, port infrastructure and operational procedures'.
"Growing need for cyber risk management also in the maritime sector"
"Risk management in the shipping world has traditionally and predominantly been focused on traditional operations, but," the ministry recalls, "the increasing dependence of on-board systems on digitisation, equipment integration, automation and data network-based systems has, however, highlighted a growing need for cyber risk management also in the maritime sector. The vulnerabilities created by the access, interconnection or networking of these systems and the associated, concrete cyber risks highlight the need for a structured and systematic approach to cyber risk management."
To whom the directions are addressed
In particular, the circular defines obligations and recommendations for shipping companies, ship masters, port facility managers and the state authorities involved. It requires the adoption of a structured cyber risk management approach, the full integration of cyber measures in the safety management systems and security plans of national ships, the updating of internal procedures, the adoption of appropriate and proportionate technical and organisational measures, and the formalisation of prevention, detection, response and recovery processes in the event of an incident. The Company's policy "must be updated with the inclusion of cyber security aspects and the measures necessary for the security of the ship, also related to cyber risks". The Company must designate two roles: ashore, the Cyber Company Officer, the person responsible for the management of and protection against cyber risks, who can provide assistance to the ship's Master in the performance of his duties; and on board, the Cyber Security Officer, who can be the Master or another crew member with management duties.
Risk Assessment
The risk assessment should identify risks, protections against attacks and responsibilities. 'The risk assessment,' the document emphasises, 'is not a one-off activity, but must be repeated, following appropriate assessments, at regular intervals (at least once a year is recommended), subject to different assessments by the Company based on risk, complexity and significant changes that have occurred. The risk assessment must be updated whenever new threats arise or following attacks even without consequences'.


