Implementing cyber risk management into SMS

Having established in the last article that MSC.428(98) may not be mandatory as far as the IMO rules go but that individual flag and some port states do require shipping companies to address cyber security in their safety management systems, the next thing is to consider how best to do that.

The IMO guidelines published as MSC-FAL.1/Circ.3 in 2021 are no more than three and a half pages of high level recommendations and by themselves do not really contain much useful information for a ship operator addressing the issue for the first time. Section 3 of the guidelines does list five functional elements of cyber risk management which are:

While the above does set out the aims, practical advice will not be found in the document. Instead, the IMO suggests that companies identify ‘Member Governments’ and Flag Administrations’ requirements, as well as relevant international and industry standards and best practices’. It also lists a selection of sources that can give more advice.

One of those sources is The Guidelines on Cyber Security Onboard Ships, first published in 2017 by a consortium of industry bodies including BIMCO, ICS, Chamber of Shipping of America, INTERCARGO, InterManager, INTERTANKO, IUMI and OCIMF amongst others. Those guidelines are now in their fourth version, published in 2021.

The fourth version of the industry publication is a 64-page document and is much more helpful than the IMO guidelines, taking a more practical approach. As can be seen from the following diagram, which is taken from the industry publication, the approach covers all of the IMO functional elements but breaks down cyber risk management into six areas rather than five.

Linked to the industry guideline publication but available separately at a cost of £250 is Cyber Security Workbook for On Board Ship Use – 4th Edition, 2023, drawn up by BIMCO and ICS and published by Witherbys. This is an even more extensive volume and, as well as a lot of practical information, also contains checklists that internal auditors of an owner’s or manager’s SMS could use when integrating cyber security into the system.

As well as the two publications mentioned above, many classification societies and P&I clubs have issued their own variations of advice on how best to implement the guidelines.

Identifying threats

ISM code compliant safety management systems come in many guises from small scale covering small numbers or even single ships through to wide ranging systems of the largest management and operating companies where several hundred ships are covered. This means that the task of identifying roles and responsibilities will differ enormously.

While there may be a temptation to assign the matter to the department or individuals tasked with the organisation’s IT policies, it is very likely that an IT specialist will be ignorant of the level of digitalisation of onboard systems. They will doubtless be able to recognise the threat to communications systems but may have little or no knowledge of systems such as ECDIS, VDRs, AIS, radar, electronically controlled engines, power management systems, monitoring systems, pollution prevention equipment such as OWS, ballast management and more. Therefore, it is clear that the involvement of superintendents, officers and crew will be essential.

One of the tasks will be to distinguish between IT and OT, IT being the transfer of data and OT being the operation of equipment and systems that may be controlled electronically.

In most fleets, the level of digitalised and potentially threatened systems on board will vary between ships so identifying those must be done on an individual ship basis. On older ships where most systems are of the analogue variety the range of threatened systems may be small, but most will have at least one ECDIS and a VDR on board and these are vulnerable to attack even if the ECDIS does not have remote updating facility. After the initial checking, future additions to equipment need to be assessed as they are installed to ensure the protection will remain current.

At the other end of the spectrum are new ships coming out of yards that have been designed as ‘smart’ ships. In these there is a high degree of integration as the image below from Hyundai indicates. It should be said that Hyundai and most other shipbuilders that offer this feature have had their systems assessed by classification societies and verified as cyber secure.

In 2020, the International Association of Classification Societies (IACS) published Recommendation on Cyber Resilience to ensure a set of standardised criteria for new builds. It applies to the use of technical systems that provide important functions on board such as control, alarm, monitor, safety and internal communication.
Of course, cyber threats evolve and change over time and what is secure today may not be in the future.

Most safety management systems incorporate the need for crew training in some way but very few would consider the crew to be an essential system per se. However, in the case of cyber threats, one of the main vulnerabilities is people. This can range from personnel making use of insecure data transfer methods such as USB sticks or memory cards, reacting to malware and phishing attempts or connecting compromised devices such as smartphones or tablets to networks.

Protecting & prevention

In an ideal world protection would be a one-time exercise using tools and services currently available, but unfortunately the cyber threat landscape is constantly changing and no system will ever be fully secure.

There are several precautions that can be taken to best protect systems, and which can be incorporated into a safety management system.

Some of the above will require new dedicated procedures to be written but others – for example updating of ECDIS software – may need to be amended by including features unique to the equipment into an existing procedure.

On the question of passwords, some thought should be given to rules as to length and mixing of character types. There is evidence that suggests a hacker using a single computer will be able to crack an eight-character password in one month if it is a mixture of upper and lower case letters, digits and special characters. That may sound reasonable, but a botnet cracking system could achieve the same result in one minute. The botnet method would require two years if the character mix was increased to 11 characters. Passwords using numbers or letters only are cracked almost instantly.

Passwords become easier to crack if they are used in multiple places.
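The length figures quoted above can be checked with keyspace arithmetic. The following is an added illustration, not part of the original article: it assumes a 95-character printable-ASCII alphabet (26 + 26 + 10 + 33) and derives the attacker's guess rate from the article's own "eight mixed characters in one minute" botnet figure rather than from any measurement, then applies that rate to the other policies the text mentions.

```python
"""Keyspace arithmetic behind the password-length figures in the text.

Added illustration, not from the article. Character-class sizes are an
assumption (US keyboard, printable ASCII); the attacker rate is backed
out of the article's own '8 mixed characters in one minute' figure.
"""
from __future__ import annotations

# Assumed alphabet sizes per character class (printable ASCII).
CHAR_CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digits": 10,
    "special": 33,
}

FULL_MIX = ("lower", "upper", "digits", "special")   # 95 characters
SECONDS_PER_MINUTE = 60
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(classes: tuple[str, ...]) -> int:
    """Distinct characters available when the given classes are mixed."""
    return sum(CHAR_CLASS_SIZES[c] for c in classes)


def keyspace(length: int, classes: tuple[str, ...]) -> int:
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size(classes) ** length


def implied_guess_rate(length: int, classes: tuple[str, ...],
                       seconds: float) -> float:
    """Guesses per second needed to exhaust the keyspace in `seconds`.

    Calibrates attacker capability from a quoted crack time instead of
    assuming a hardware figure.
    """
    return keyspace(length, classes) / seconds


def time_to_exhaust(length: int, classes: tuple[str, ...],
                    guesses_per_second: float) -> float:
    """Seconds for a full exhaustive search at the given guess rate."""
    return keyspace(length, classes) / guesses_per_second


def policy_comparison(reference_length: int = 8,
                      reference_seconds: float = SECONDS_PER_MINUTE) -> dict[str, float]:
    """Compare password policies against the article's botnet figure.

    The rate is fixed so that `reference_length` mixed characters fall in
    `reference_seconds`; the same rate is then applied to the other
    policies discussed in the text. All times are in seconds.
    """
    rate = implied_guess_rate(reference_length, FULL_MIX, reference_seconds)
    return {
        "implied_guesses_per_second": rate,
        "8_mixed_seconds": time_to_exhaust(8, FULL_MIX, rate),
        "11_mixed_seconds": time_to_exhaust(11, FULL_MIX, rate),
        "8_letters_only_seconds": time_to_exhaust(8, ("lower", "upper"), rate),
        "8_digits_only_seconds": time_to_exhaust(8, ("digits",), rate),
    }


def main() -> None:
    result = policy_comparison()
    print(f"implied botnet rate: {result['implied_guesses_per_second']:.3g} guesses/s")
    print(f"8 mixed chars:  {result['8_mixed_seconds']:.0f} s")
    print(f"11 mixed chars: {result['11_mixed_seconds'] / SECONDS_PER_YEAR:.2f} years")
    print(f"8 letters only: {result['8_letters_only_seconds']:.2f} s")
    print(f"8 digits only:  {result['8_digits_only_seconds']:.2g} s")


if __name__ == "__main__":
    main()
```

Adding three characters multiplies the search by 95³ (about 857,000), which is why the same attacker moves from one minute to roughly 1.6 years and why a minimum-length rule in the SMS does more than a character-mix rule alone.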

Detecting threats

Threats are not likely to announce themselves unless the attack is made by ransomware so it can be incredibly difficult to detect attacks. The use of scanning and anti-virus software approved by head office on all computers connected to a network will be a useful precaution.
When a specific threat is known to be circulating, IT specialists may be aware of ‘symptoms’ that indicate its presence and the Safety Management System should have in place a process whereby any known threats are circulated to all parties involved in the SMS at the earliest opportunity.

Some threats can be suspected if expected results are not achieved after following a link, but this requires vigilance from the user. If this occurs after an inappropriate action such as clicking on a link in an email thought to be genuine, the matter should be reported immediately and appropriate responses initiated. A no-blame culture within the company will likely make the person involved admit to an error more readily than if no such system is in place. Some third-party vulnerability training used on a regular basis will help keep users alert to this threat.

One of the biggest fears of the maritime sector is that a cyber threat could potentially cause a ship to deviate from a set navigation course, lose power or suffer in some other way that affects safety for the ship and potentially for other vessels as well. In these cases, even if not thought likely when considering the cyber threat, procedures for response need to be incorporated. The basics for such procedures may already exist within the SMS as responses to malfunctions in equipment.

Responding to cyberattacks

There should be written procedures for responding to and recovering from cyberattacks. Of necessity these should be available in hard copy as computer systems may be offline. The procedure should include detailed instructions on restoring from backups.

When any device or system is thought to be compromised by a cyberattack, it should be disconnected from any networks as soon as possible. That will not undo any spread that has already taken place, but it can protect other systems if the infection has not yet reached them. Simultaneously the ship’s security officer and other key personnel need to be alerted.

If there is duplicated equipment or an alternative system on board that can handle the work of the compromised system, that should be brought into service as the compromised system is shut down. Every SMS should have procedures and contingency measures in case there is a system failure that compromises the safety of the ship, personnel or the environment. The cyber threat is no different in this respect but, as things stand, most ships do have analogue backups that can be used in case digital systems malfunction.

One system that may not have an obvious alternative is the communications system, especially if the ship carries only the minimum GMDSS equipment. It might be an easy matter to disable the satellite communications, but VHF radios should not be affected too much. The benefit of segregating crew and ship communications could be that even if one system is compromised the other remains operational. And as new LEO satellite networks begin coming into operation, the likelihood that smartphones and tablets will be able to connect to the internet independently could provide an alternative communications option.

Electronic navigation systems might give false positions and courses if compromised, but a standalone GPS for use in lifeboats should be sufficient to provide an accurate position, and ships are still obliged to carry sextants and navigators must be able to use them. Incidentally, the threat of cyberattack and jamming of GPS signals led to the US Navy reintroducing celestial navigation training in 2016 after having begun to phase it out in 2000.

If the attack is serious enough to put the ship and other vessels/facilities in danger then emergency procedures need to be activated.
Details of the attack should be shared with all vessels in the fleet and all shore personnel likely to have been impacted. It is also a good idea to inform the P&I club as there may be consequences that affect insurance cover. P&I clubs should be allowed to share details with other companies in the interests of the industry as a whole.

Recovery from attack

The route to recovery will depend upon the threat and its consequences. IT systems should be backed up on a regular basis and, once the threat (virus, malware, etc) has been removed from the system, a full system restore should be initiated. As previously mentioned, all ships should have hard copy instructions for restoring from backups. These should also be available for shore personnel, but for ships they are essential as the vessel may be many days away from outside assistance.

If it is believed that any equipment has been compromised, that equipment should remain unused until the operating system can be checked, restored or replaced as necessary. Advice needs to be sought from the OEM if the system is capable of being rectified remotely as reconnecting it to the ship’s communication system may reactivate the problem.
There are always lessons to be learned from any attack. How did it happen? Why did it happen? Did the response and recovery procedures work as anticipated? These are all questions that need to be addressed and procedures amended as necessary.

If the source of the problem is found to be related to use of an obsolete operating system that cannot be updated, then consideration should be given to replacing all obsolete equipment as a priority.

IMO, the ISM Code and Maritime Cyber Risk Management

Modern ships are far more sophisticated than ships of just a decade or so ago, and in a world of increasing digitalisation they are becoming even more complex year by year. That is not to say that the core purpose of ships – to move goods and people across the world’s oceans – has changed because in many ways this aspect has remained unchanged, and the only major development was the advent of containerisation almost half a century ago.


What has changed is the reliance on computerised systems be they for stowage calculations, navigation, communications or engine and fuel performance and monitoring. In terms of navigation and performance monitoring, the industry is at a fairly elementary level but as regulators plan to make shipping more efficient and less polluting through eNavigation strategies that could eventually see vessels operating autonomously, this is an area that could see rapid change in the near to mid-future.

Until quite recently, the threat of cyber attacks was considered to be mostly directed at the financial side of the industry. Cyber criminals, it was assumed, would be looking to infect systems with ransomware or steal data that would give them access to the financial systems of companies and their customers. The idea that the safety of the vessel and physical assets in ports might be at risk was not something that had entered the minds of many.

How the cyber threat became a safety issue

In the 2010s electronic navigation equipment in the form of ECDIS became mandatory on most cargo ships over 3,000gt and passenger ships over 500gt. Just prior to that, engine makers had developed electronically controlled engines and were in the early stages of offering monitoring and maintenance of engines remotely. GPS jamming had been encountered and, while that could impact safety, it falls outside of the definition of cyber threat. It was at this time that the idea emerged that navigation and ships’ power supplies could be at risk from cyberattacks.

At MSC 94 in 2014, the Committee considered a proposal to develop voluntary guidelines on cyber security practices to protect and enhance the resiliency of cyber systems supporting the operations of ports, vessels, marine facilities and other elements of the maritime transportation system and agreed to coordinate its future work on this matter with the Facilitation Committee.

At the time the IMO agreed that cyber security was an important and timely issue but that it should not take unilateral action without consultation with other UN bodies and relevant international organizations such as the International Telecommunication Union (ITU). Member States and observer organisations were invited to consider the issue and submit proposals to MSC 95.

Meanwhile, the Facilitation Committee (FAL) of the IMO had been discussing the electronic exchange of data between ship and shore relative to reporting and clearing ships and the use of the GISIS database as a means of storing electronic versions of ships’ documents for use by customs and port authorities.

In 2016 at FAL 39, Canada proposed the development of guidelines on maritime cyber security in light of the dramatic increases in the use of cyber systems across the maritime sector. The proposal asked the committee to explore the subject and to set up a working group to develop the idea. There was a lot of support although the committee referred to the ongoing work at MSC.

With the two committees co-operating the first attempt to address the issue was MSC.1/Circular.1526 – Interim Guidelines on Maritime Cyber Risk Management – (1 June 2016). Those guidelines were to be short lived and were replaced by a circular issued by both committees as MSC-FAL.1/Circ.3 – Guidelines on Maritime Cyber Risk Management – (5 July 2017).

By resolution MSC.428(98) Maritime Cyber Risk Management in Safety Management Systems, the MSC linked the cyber threat with the ISM Code which had been in place since the mid-1990s.

Mandatory or not?

There is a strong perception across the industry that MSC.428(98) required ship operators to include cybersecurity in their safety management systems, but this is not actually the case. The resolution actually said:

NOTING the objectives of the ISM Code which include, inter alia, the provision of safe practices in ship operation and a safe working environment, the assessment of all identified risks to ships, personnel and the environment, the establishment of appropriate safeguards, and the continuous improvement of safety management skills of personnel ashore and aboard ships,

1 AFFIRMS that an approved safety management system should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code;

2 ENCOURAGES Administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021;

3 ACKNOWLEDGES the necessary precautions that could be needed to preserve the confidentiality of certain aspects of cyber risk management;

4 REQUESTS Member States to bring this resolution to the attention of all stakeholders.

As can be seen from the wording, there is a strong recommendation and encouragement to include the subject into safety management systems as from 1 January 2021 but no mandatory requirement for individual companies or Administrations (Flag states) to actually do that.

In 2018, the IMO published the fifth version of the ISM Code and here again there are several recommendations to take any appropriate guidelines into account, but the words used in the Code itself do not imply a legal obligation to do so.

It must be understood that with all IMO Conventions and Codes each flag state needs to enact laws making the Convention or Code applicable to ships flying its flag. The FAL Convention only applies to ships making international voyages (between two different states) and the same is true of SOLAS and therefore the ISM Code. However, flag states are at liberty to apply the conventions and codes also to ships trading domestically.

Furthermore, it is an anomaly that whilst the IMO can make rules and regulations applying to ships, it is left to Port states to formulate rules that apply to ships regardless of flag calling at ports or in territorial waters. Therefore, it is important to check what the flag state and any port state that a ship may trade to have determined about incorporating cyber risk management into the ISM Code.

It is beyond the scope of this work to list what each administration has done, but a good example of mandatory inclusion is the UK. In Marine Information Note MIN 647(M), the Maritime and Coastguard Agency set out the UK position. This states that, for vessels subject to the ISM Code:

From the 1st January 2021, ISM Audits for the DOC and subsequent Safety Management Certificate (SMC) audits conducted by the MCA will verify that the safety management systems contain elements showing that cyber risks have been addressed.

The notice goes on to say:

Though the IMO Resolution refers directly to those vessels and operators where the ISM Code applies, the need to address identified cyberthreats and vulnerabilities is not limited to those vessels and operators of companies and vessels to which the ISM Code does not apply are strongly advised to note the guidance available on the subject of Cyber Security and assess their own systems against the threats apparent in the increasingly technical environment in which they operate.

By contrast, Malta – which operates a large open registry – highlights in Transport Malta’s Technical Notice SLS 34 that the requirement is non-mandatory but there could be consequences for not incorporating cyber risk management in the Safety Management Systems. It makes specific reference to the US, saying:

Notwithstanding the fact that the said Resolution is non-mandatory, the attention of all stakeholders is drawn to the fact that, some countries like the US have made such a requirement mandatory to all vessels that call on ports in the U.S. regardless of the ship’s flag.

The US position and instruction to US Port State Control Officers is contained in USCG Vessel Cyber Risk Management Work Instruction CVC-WI-027(2) which states:

1) If cyber risk management has not been incorporated into the vessel’s SMS by the company’s first annual verification of the DOC after January 1, 2021, a deficiency should be issued with action code 30 – Ship Detained, with the requirement of an external audit within 3 months or prior to returning to a U.S. port after sailing foreign.
2) When objective evidence indicates that the vessel failed to implement its SMS with respect to cyber risk management, then the PSCO should issue a deficiency for both the operational deficiency and an ISM deficiency with an action code 17 – Rectify Prior to Departure and require the vessel to conduct an internal audit, focused on the vessel’s cyber risk management, within 3 months or, prior to returning to a U.S. port after sailing foreign.
3) When objective evidence indicates there is a serious failure to implement the SMS with respect to cyber risk management that directly resulted in a cybersecurity incident impacting ship operations (e.g. diminished vessel safety/security, or posed increased risk to the environment), after gaining concurrence from the OCMI, the PSCO should issue a deficiency for both the operational deficiency and an ISM deficiency with action code 30 – Ship Detained with the requirement of an external audit within 3 months or prior to returning to a U.S. port after sailing foreign.

Clearly, a ship manager with a fleet containing ships operating under more than one flag state will need to identify what each flag state has to say on the matter and may need to adopt different procedures for different flag ships in its Safety Management System.

LEO networks – will they work wonders for maritime?

As more and more equipment and service providers try to digitalise the shipping industry, one of the obvious needs is for reliable, robust and most importantly low cost broadband communications.

It is one thing to analyse data from, let’s say, a ship’s main engine to predict potential maintenance needs in the near future using data transmitted over time and with no real degree of urgency. It is another thing altogether to attempt to reset engine parameters while the ship is at sea, which some equipment suppliers are now wanting to do.

And of course, it’s not only essential equipment like the engine where data transfer is increasing. Cargo owners may want to know the exact conditions prevailing inside the container that is transporting their goods around the world. Owners and time charterers will want to know as much as possible about position, course, performance and bunker consumption.

Then there is the crew and welfare to consider. Seafarers may once have been content with an occasional letter to or from home and maybe a phone call made ashore when in port, but today they demand more or less the same connectivity as people ashore expect and enjoy.

However, connectivity comes at a price and although VSAT costs have come down over time, cheaper ways of connecting and transmitting increasingly large amounts of data are considered essential if shipping is ever to become as digitised as many expect it to be. One possible way of achieving this is the increasing number of new LEO networks being put into service or planned.

Basic information about LEO networks and how they operate can be found here.

LEO systems are not new to maritime, Iridium has been offering a service for over two decades now and since 2020 has been able to offer an alternative to the Inmarsat GMDSS network. The company was authorised by the IMO in early 2020 but could not begin offering GMDSS services until type-approved equipment was available.

Iridium operates its LEO network – which has global coverage – using just 66 satellites with another nine in orbit for use as spares should the need arise. Today the company is using its NEXT generation constellation with satellites launched between 2017 and 2019 replacing the original satellites although these remain in orbit and can be used in an emergency if Iridium deems it necessary.

LEO networks promise a lot; however, development for maritime use has not been without difficulties. Iridium itself was initially launched by Motorola in the late 1990s but soon hit financial troubles and was saved only by intervention from the US government. Today the company is in private hands and operates quite successfully.

Other planned LEO systems have also hit problems. LeoSat founded in 2013 folded in 2019 without a satellite going into space. OneWeb founded around the same time was also facing closure in 2020 and filed for bankruptcy. However, its planned constellation of 648 satellites was rescued by the UK government and India-based Bharti Global who found new investors and relaunched the company.

The financial failings are caused by the capital intensive costs of building and establishing a LEO network using so many satellites. Costs will run into billions of dollars before even a single cent can be earned.

OneWeb was to suffer further problems because it was using Russian spacecraft to launch its satellites. With the hostilities in Ukraine, OneWeb was forced to abandon this option and has dozens of satellites stranded in Russia that have not been launched. 

At the time, OneWeb had launched about 75 percent of its planned constellation. It then arranged launches with an Indian space organisation and Elon Musk’s SpaceX. One rocket from India delivered 36 satellites in October last year and since then two SpaceX launches have deployed 80 more satellites. Just two more launches from India are planned.

OneWeb’s use of SpaceX was a little surprising as that company has been building a competing service with its Starlink service. Starlink takes satellite constellations to a new level with regard to the number of satellites. Already there are more than 3,000 satellites in orbit for Starlink and a second generation of 7,500 has been approved by US authorities. Starlink has said it eventually plans to have 42,000 satellites in orbit. Unlike most of its rivals, these satellites are very small and orbit at very low levels; they also have a useful lifespan of only around 5 years.

As things stand, LEO networks for maritime use other than Iridium are in their infancy and unproven. The Starlink Maritime service was only launched in July last year but has been very successful in signing up users and linking with established satellite service providers in the maritime arena. Since the launch last July there has been a constant stream of press announcements from Starlink covering its latest customer gain.

Starlink does remain very much a LEO-focused organisation but OneWeb has merged with Eutelsat which operates a geostationary constellation and Inmarsat plans its own LEO system under the name Orchestra. 

LEO – pros and cons

The reason why LEO networks hold so much promise for maritime is the low latency permitted by the lower earth orbit. Latency is the delay in processing data over a network connection. Theoretically, the lower orbit compared to geostationary satellites can offer a connection fifteen times faster putting ships at sea in the same position as offices linked by cables ashore.

But there are also downsides. The large number of satellites present in the LEO constellations does mean the area covered by each satellite is relatively small. Because the constellations have not been developed with maritime as the sole, or even the most important, customer base, many of the satellites deployed will be in orbits that cover the largest land masses possible.

The Starlink coverage map shows good connectivity in Europe and the Mediterranean, around the US East and West coasts and the Great Lakes, Brazil and the West coast of South America, and Southern Australia. While coverage will likely improve as the constellations expand, it is not yet certain when all of the open seas will have reliable coverage.

Another factor to consider is that with LEO systems there needs to be a good line of sight between the satellite and the antenna. Movement of ships at sea can be violent and dynamic so there is the very real possibility of losing contact with a satellite. In addition, as the satellites are in orbit, they are moving targets themselves and there will be a need to reconnect with the next satellite in orbit as one moves away. Although Starlink has developed a maritime antenna, reliable evidence of operation over time does not yet exist.

LEO systems may also face other hurdles. There are objections to the high numbers of satellites being sent into orbit from astronomers and others. There is a safety risk to consider as hundreds of thousands of satellites are sent into space and the possibility of collisions increases. And finally there will be competition for spectrum allocation as more and more LEO systems are deployed. This will be a matter for global regulators to resolve.

So, while LEO networks do offer the chance for shipping’s digitalisation journey to accelerate and expand, there are good reasons to weigh up the pros and cons. Certainly the mandatory GMDSS requirements currently mean ships have to commit to Inmarsat or Iridium for regulatory compliance. However, commercial communications are not covered by those rules so ship operators have a growing choice for their routine needs and increased monitoring of equipment and operation purposes.

The Human Element

It is somewhat ironic that the biggest threat to the cybersecurity of organisations might also be the best defence against it.

According to the Verizon 2022 Data Breach Investigations Report, 82% of data breaches involve a human element, like a user clicking a link in a phishing email. That is pretty damning for the humans involved, but it ignores the fact that of the many millions of cyberattacks made daily, the majority are unsuccessful due to human alertness.

Onboard ships there are many ways in which human fallibility can allow a cyber threat to succeed. They can be trained against, but no human is infallible and even the most alert can be fooled or even click on a link accidentally.

Because ships rely on their communications systems and on many other electronic devices such as ECDIS and engine management systems for safe sailing and navigation, cyber security should be an integral part of the ship’s safety management system under the ISM Code. That would imply procedures should be in place to identify and protect against threats.

However, that introduces the first aspect of the human element. Unlike shore staff, ships’ crews are often transient employees provided by a crewing agent and therefore unlikely to be familiar with the cyber security procedures put in place by the ship operators. Every crew member should undergo a familiarisation process when joining a vessel but often this is ignored or poorly carried out.

Getting to know the systems

Familiarisation should ensure that a new crew member is fully acquainted with the ship, the equipment that they will be required to use as part of their duties, and the ISM procedures that affect them. While the first two may be addressed albeit to a sometimes limited extent, familiarisation with procedures is often little more than a box ticking exercise as the crew member would have almost no chance to absorb the whole of the ISM system procedures in the short time allowed.

Another factor is that familiarity with equipment comes quite naturally to crew who would likely have encountered the same or very similar kit on numerous vessels. Familiarity with procedures is less easy to gain as the processes can be very different from ship to ship. It would be of great benefit to protect from cyberattacks against ships if operators worked together to adopt a common industry wide standard for procedures.

Such procedures should cover use of data transfer devices (USB sticks, CDs and DVDs and SD cards and similar media), use of passwords and permitted use of personal equipment such as smartphones, tablets and laptops. Wherever possible, use of data transfer devices should be limited to checked and approved equipment permitted only for company purposes. Using networked computers for viewing family photos or other personal uses should be prohibited or permitted only on isolated standalone computers.

Personal training

In the early days of shipping companies allowing crew to make personal calls, it was normal for there to be a single dedicated telephone or maybe a computer terminal allowing emails. Although a massive advancement in crew welfare, this arrangement was not ideal and often caused conflict and resentment when crew could not access the equipment in their spare time in periods of high demand for its use. The modern alternative of allowing crew to use their own devices over a network may have solved the conflict issue but has also multiplied the potential avenues for attack.

Operators that allow use of personal devices should set up a rule regarding their use. If personal or mobile devices are allowed, then they must be equipped with the necessary security measures, including password protection and data encryption, and they should be monitored by the IT department. Some crew may see this as intruding on privacy, but the integrity of the ship’s systems should be the priority.

Ships may not be a prime target for cyber attacks aimed at stealing customer and client personal and credit card data, but they are equally at risk from phishing and ransomware attacks. It has been estimated that the number of cybercrimes is increasing at a rapid rate and costs related to it are expected to reach $10.5 trillion by 2025.

The presence of the human element means relying on tech tools and solutions is not enough. Crews and shore personnel need training in practising good digital hygiene and guidance on what to be alert for. This training can be a combination of discussion meetings or workshops on board at regular intervals and also some form of testing whereby harmless spoof messages are sent from shore that encourage recipients to click through on a link in the same way that a phishing email does. Crew who are repeatedly caught out by these messages can be identified and given further training and guidance.

A good example of this is the anti-phishing feature on GT Maritime’s GTMailPlus. This provides a means of ensuring that staff are educated on how to spot and deal with a potential phishing attack. To help customers assess how vigilant their staff are at spotting potential phishing attacks, GTMaritime are offering customers the chance to take up a free anti-phishing penetration test.

The test will send an email to staff requesting information, and upon completion a report will be provided detailing if any staff complied.

To be effective, training needs to be interesting, entertaining and above all avoid a blame culture developing. There are specialist service providers that can assist in this regard. Given the multinational makeup of ship crews, it is also recommended that the training should be understandable to a wide range of people. Using jargon to describe how to deal with threats may be counterproductive if it is not understood.

Part of the training should be to make clear to crew the consequences of a cyberattack succeeding. Some may believe that cyberattacks are all about stealing credit card details or some other financial crime and may not be aware that a malicious virus could actually stop vital equipment on board functioning. If they are made aware of the problem, they will likely be more vigilant.

One final thing to consider is ensuring that at least one person on the ship has the necessary knowledge to manage the cyber threat. He or she should be able to make checks on equipment to ensure that password protection is in place and that the passwords chosen are strong enough and to help crew improve the security of personal devices.

Chinks in the armour

Shipping is shrugging off its digital dinosaur image and embracing new technology in more and more areas of onboard ship operation. However, in doing so ship operators and crew need to grow their awareness of some of the problems that this can create.

In this article, the issue of Windows operating system updating was explored, but there are far more vulnerabilities for an internet connected ship or for any networks on board that may be standalone.

An operating system is the foundation for any computer, but it alone does not make that device useful, that is the province of the various applications that are installed on the computer or the network.

Over the years many software developers have turned their attention to maritime related applications. These range from ship management suites that integrate almost every aspect of ship management (stores, voyage performance, operational data, certificate management, crewing, medicine chest management and more), to single applications for any one of those areas, to more specialist apps for stowage and stability calculations, weather routeing, passage planning or voyage calculations.

The vast extent of today’s shipping software market can be judged by the number of organisations taking stands at the major exhibitions where for several years now whole halls have been devoted to digital technologies.

In addition to these commercial offerings there are many more apps developed by seafarers or maritime specialists that can be downloaded for use on Apple and Android devices that crew may use on board. Add to that the vessel tracking and shipping/maritime news and entertainment services and it becomes apparent that the number of apps running on board could easily run into dozens if not hundreds.

Just as with the main operating systems, these apps are likely to update on a regular basis and this can be done either automatically or manually once notification of an update has been transmitted. This updating can be a source of vulnerability to cyber attacks and should be carefully monitored. The updating procedure can also create problems if interrupted – an ever present threat for ships where the internet connection may be fragile under some circumstances – and cause the application to cease operating or to malfunction.

When it comes to vulnerabilities of shipboard networks, one of the factors often overlooked is the various devices attached to or integrated within the network. These can be mice and touchpads, keyboards, monitors, speakers, microphones, cameras, printers, Bluetooth controllers and more. All of these require a driver to function correctly.

In the most fundamental sense, a driver is a software component that lets the operating system and a device communicate with each other. There are also drivers that work as intermediaries between software applications and the function driver that controls the device.

It is possible for these drivers to become corrupted so that a device ceases to function properly.

In the early days of computing, once a device was connected to a network the set-up software that came with it needed to be installed for the device to run. The devices were rarely upgradeable and if a driver became corrupted then it was only necessary to re-install the software from the disc that came with the device.

In some devices, the drivers were installed within the device and no additional software was needed. These so-called ‘plug and play’ devices were however limited to the state in which they were supplied. Today, it is very common for devices to be upgradeable by way of new firmware. Some devices require this to be done manually but others will communicate via the internet to check for updates on a regular basis.

Printers – generally the most innocuous of devices – often fall into this category. Most users’ concerns with printers are poor print quality and regular replacement of ink cartridges. Few would consider them as one of the main chinks in the armour of an onboard network. But they are.

An article by the online cyber security specialist Cybernews details how the organisation used the remote firmware updating of printers to raise awareness of this vulnerability. Cybernews makes the point that once cybercriminals get their hands on your printer, they can do all sorts of nasty things, including:

Printer vulnerability was also discussed on another cyber security website. This article describes how a cyberattack was launched on 150,000 printers installed around the globe by a hacker called Stackoverflowin. The good news is that the hacker did it for fun and to spread awareness on how vulnerable internet connected printers are to cyber crooks. The printers concerned included models from all the major manufacturers.

Depending upon the ship operator, attaching peripheral devices might be limited to certain personnel ashore or onboard but in many shipping companies, little thought is given to the potential threat and how the onboard network is managed is left to the officers and crew to decide. In particular, adding a new printer costing around $50 would hardly warrant a company IT specialist to travel to the ship to link it to the network.

Getting back on track

Whatever the reason a computer network or elements of it has become unusable, restoring the system is the most urgent task. This process is known as recovery and typically requires a diagnosis of the problem, and then finding and implementing a solution.

If the operating system or critical files have become corrupted, recovery is usually achieved by reinstalling the operating system or perhaps using the system’s inbuilt recovery system. In Windows this is called System Restore. Reinstalling the OS requires specialist skills and should not be attempted as the first option, as it could mean that recoverable files and installed applications are deleted entirely.

System Restore will attempt to restore the system to its last stable state preserving most if not all files. It would be prudent for this type of operation to be included in a company Safety Management System and written instructions of how to carry it out be available in hard copy on the ship.

Protecting essential files – some logbooks are now allowed to be digital – should be done by way of regular back-ups. Ideally back up files should be recorded on a separate storage medium such as a second hard drive or external storage. If cloud storage is available on the company network or via a third party this will make the information more secure and recoverable.

Depending upon the OS of the onboard network, it may be possible for a third party to access the system and carry out the recovery process remotely. Third party assistance can also be useful in storing files and data away from the onboard network. An example of this is the GTReplicate service offered by GTMaritime. 

GTReplicate automatically saves files and data either onshore or into a system such as SharePoint. In the event of a system failure in the onboard network, it would be possible to retrieve the data and return it to the vessel.

If the failure is caused by a hardware malfunction such as a hard disk, CPU, or motherboard, then these will have to be replaced. Specialist help will be needed to do this unless someone on board has the appropriate training.


System updates – a necessary inconvenience

Computers on ships are a fact of life in these digital days and just as computers ashore they are subject to all manner of security threats and issues. Whether they are standalone devices or are integrated into a network that could be limited to the ship itself or part of a wider company network, these computers are vulnerable to all manner of cyber threats.

A standalone computer installed years ago that is used only for producing letters or filling forms and is not connected to the internet is probably safe, but those that have wider applications are where the vulnerabilities lie.

There has been much discussion about cyber protection in recent years but one aspect that is often overlooked is ensuring that a computer’s operating system is kept up to date. Although it is not the only operating system available, Microsoft’s Windows is probably the most widely used.

For those who are only interested in producing the letter, crew list, customs form or report they are working on, the choice of operating system may not be a consideration. There are probably ships in operation that have very early Windows versions on their computers and are unaware that support for their operating systems ceased many years ago.

Depending upon the source used, Windows accounts for between 76% and 91% of all operating systems used by computers connected to the internet. Of all the computers using Windows, Windows 10 is used by 72%, Windows 11 by 14%, Windows 7 almost 11% and the rest spread over other versions.

Microsoft has always recognised the problem of bugs (defects in the program not revealed during the development stage) and of threats from malware and viruses, and has regularly released updates to the operating system aimed at eliminating known problems. In this regard the company is fighting a constant battle with hackers and the criminally minded to protect its clients and its reputation against new threats.

However, there is a lot of work involved in this and as older systems drop below a pre-determined user level or when Microsoft decides to offer free upgrades to a new operating system, the company will end support. The same is true of applications that run on the computer (Office, Word, Excel etc or third party apps). Windows XP, Windows 7 and Microsoft Office 2010 are all examples of products that are no longer supported by updates although they will still operate.

With Windows 10, Microsoft’s default mode for the operating system was for it to download and install cumulative updates automatically. Designed as an aid for less technically minded users, this facility can be a nuisance and was controversial when introduced. The same system continues in Windows 11.

A criticism often levelled at the automatic update feature is that it may not activate for several days or weeks but then seems to be activating daily before reverting to a less regular activation. There is of course a valid reason for this: new threats do not appear on a fixed daily schedule but need to be addressed as and when they do arise. The frequency of updates reflects the growing cyber threat that users face and should be recognised as such.

Although intended to protect the machine from attack and to improve performance, the updates can sometimes contain bugs and can cause problems with applications that previously ran faultlessly. Usually this is due to a driver or application compatibility issue. Another issue is that downloading and installing the updates will cause the device to become unavailable for a period – often lengthy.

This last point can be annoying as it impacts workflow, but on a ship, it could even make essential systems suddenly unavailable. It is possible to turn off this automatic updating feature, but that in itself could mean that the system is no longer protected by the security updates introducing other vulnerabilities.

To avoid system availability issues but at the same time ensuring security updates are received, it may be an idea to disable the automatic update feature of the operating system and perform a manual update. This manual update can be done when the ship is less likely to be compromised such as immediately after arrival in port. After performing this update, a check should be carried out on essential system availability as comprehensively as possible. Any issues should be reported to head office and to the equipment system maker so that the information can be disseminated to other ships in the fleet.

Ideally the question of operating system updates should be incorporated into the company ISM system. This could involve a risk assessment of the impact on equipment availability, compatibility of systems and ensuring back up while a device is being updated.

If replacing a computer that is integrated into a network onboard, compatibility issues could be discussed with the company’s IT department or the computer supplier beforehand. It may be better to have the new computer loaded with the same operating system as that which it is replacing rather than a new version.

There are applications available that can check for updates of the operating system and other software applications without necessarily performing the update immediately. These types of applications can be configured in various ways to make updating simpler. Some are available as free downloads from the Internet but unless their use has been sanctioned by the shipowner, they should not be installed by crew acting alone.

Calculating the cost of multiple providers and integrating non-SOLAS vessels into GMDSS

Safety communications have been at the heart of international rules on ship safety for around a century now but are in the process of undergoing modernisation after the completion of a review of the 1999 GMDSS regime that was embarked upon in 2012. The review was completed in 2021 and adopted at MSC 105 in April 2022.

As a consequence of the review, some obsolete requirements were removed, and eleven resolutions were adopted that amended the performance standard of much of the equipment used on board ships.

One of the reasons for the review was a desire that GMDSS be opened up to satellite service providers beyond Inmarsat which had been granted a monopoly when GMDSS was first established.

That monopoly was broken a few years ago when Iridium was accepted as a service provider and Inmarsat itself was allowed to integrate its Fleet Broadband service into GMDSS. 

Other providers are already some way along the route towards becoming accepted and no doubt more will follow. One likely consequence of this is that maritime distress and safety services will alter so that as well as the international service, other systems will perhaps be able to provide a regional service with different carriage requirements.

This aspect of GMDSS modernisation is not without its problems, as it is becoming clear that multiple service providers bring problems that were not thought of previously. The biggest issue is one of cost. At MSC 105, the MSC considered a report from the Correspondence Group on Dissemination of Maritime Safety Information (MSI) and Search and Rescue (SAR)-related information.

For GMDSS to be effective, it is vital that information is disseminated to ships and other users over every communication network accepted as part of GMDSS. Presently the cost of broadcasting this information is paid for by IMO member states to the service providers. When there was just one – or as now two – organisations involved the cost would have been minimal, but it is accepted that there are cost implications for information providers concerning the dissemination of information over multiple GMDSS mobile satellite services.

At MSC 105 it was agreed that dissemination of MSI and SAR related information was an integral service of the GMDSS and critical to preserving the safety of life at sea and, therefore, once a mobile satellite service was recognized by the Organization, it must then be used by all information providers covering its service area. 

The MSC urged MSI and SAR information providers to take the necessary actions to expedite the use of all mobile satellite services recognized by the Organization providing services within their service areas for the dissemination of information to ships navigating in those areas.

At the same time, the Sub-Committee on Navigation, Communications and Search and Rescue (NCSR) was instructed to continue considering technical solutions for the dissemination and reception of MSI and SAR related information over multiple services, including interoperability issues and broadcast monitoring, with a view to addressing the operational and financial burden of disseminating the information to ships. This is something that will be addressed over future meetings of MSC.

Although the SOLAS Convention and the GMDSS were developed with commercial shipping in mind and apply only to ships over 300gt on international voyages, it should not be forgotten that many other ships and craft put to sea and sometimes are involved in safety incidents whether as victims or as aid providers. 

Unless a flag state sets requirements for vessels such as private yachts, leisure craft, domestic ferries, cargo vessels, work boats and fishing boats there is no legal obligation for vessels to carry safety communications equipment or for those aboard to have any specific training in emergency and SAR procedures. Nevertheless, many of these ships do carry communications equipment that is of a type similar to GMDSS equipment. VHF radio is a typical example.

The growth in personal connectivity in recent years does however mean that a lot of such vessels may have communications equipment that is incompatible with GMDSS. In particular many people now carry smartphones as their sole means of communication across voice, text and internet platforms.

After MSC 105 this year, the IMO published MSC.1/Circ.803/Rev.1 – 16 May 2022 which contains guidelines for the participation of non-SOLAS ships in the GMDSS and guidance on the development of training materials for GMDSS operators on non-SOLAS ships. Being just 10 pages long, this document cannot substitute for a more comprehensive investigation into how non-SOLAS craft and their crews can benefit from participating in the GMDSS in some way.

It does, however, serve as a good introduction to the subject and should be brought to the attention of any owner or crew member on a non-SOLAS ship. To that end, it would be helpful if the owners and operators of non-SOLAS fleets were to ensure that their vessels were properly equipped and crew appropriately trained. 

As personnel on leisure and fishing vessels probably feature most in maritime casualty statistics, they too would likely benefit from ending reliance on inappropriate cell phones or the like and ensure that they have at least the basic equipment to initiate an alert and to communicate with SAR operatives.

Software – keeping it current

In recent years there has been a growing trend for shipping to be more digitalised. The benefits of more digitalisation are claimed as vessels being more efficient and economic, improved safety, less pollution and GHG emissions, ability to have remote surveys and much more.

There is some merit in these claims although some of the claimed benefits are doubtful to say the least. Many of the new systems and equipment are marketed as being ‘plug and play’ or ‘fit and forget’ with the advantages they bring expected to begin to flow immediately and for all time. What is often overlooked in the initial decision to purchase and later during service, is that most of these systems do need to be kept under constant review as regards the software or firmware version installed and in use.

Seafarers should not be unused to updating essential systems as they have after all been doing just that in the analogue era with charts and nautical publications being required to be current at all times. That said, a good number of ships have been detained over time for not doing that so there is maybe a lack of commitment on some ships. Chart updating has changed in recent years with the advent of electronic charts and ECDIS. Ships can now choose to be electronic and paper or electronic only. They can even still use paper charts as the main navigation method but must maintain ENCs on the mandatory ECDIS.

With two ECDIS systems on board, the requirement to update paper charts has become obsolete on some ships but it must not be forgotten that an ECDIS is only as good as its operating system and sometimes that needs to be updated itself. Maintaining an ECDIS’ software is vital because it ensures the system meets the current standard mandated by the IMO.

When first purchased it is likely that the ECDIS maker will advise all owners when a new software version is released. But as ships change hands and maintenance regimes end, keeping the ECDIS up to date may be overlooked. The result could very easily be a detention by Port State Control because as stated in IMO SN.1/Circ.266 on maintenance of ECDIS software, “ECDIS that is not updated for the latest version of IHO standards may not meet the chart carriage requirements as set out in SOLAS regulation V/”.

An example of the laxity with which chart updating might be tainted even in the electronic age of ECDIS and Electronic Navigation Charts is that during a Concentrated Inspection Campaign carried out in 2017 by the 47 member states of the Paris and Tokyo Port State Control MoUs, some 3.8% of ships inspected reported deficiencies in having up to date electronic navigation charts or ECDIS backups.

Deficiencies in ‘safety of navigation’ which includes this aspect average around 10% of all deficiencies each year in PSC statistics making this the second most common reason for detainable deficiencies.

Electronics appear in many more systems than charting. For example, the AIS, communications systems, engine management, loading computers and much more are commonly controlled by computers even if they do not immediately appear to be. When developing electronic equipment, manufacturers produce an operating system or firmware to control the functionality of the device or system but, as with all things, something vital may be overlooked and need to be added, and bugs and glitches can occur in uncommon procedures that operators may decide to use. Feedback from users prompts many of the changes. When these become known, and also when a new regulatory requirement may be added, the makers release a new version of the firmware. This can happen quite frequently – one model of AIS has had no fewer than six firmware versions released in three years and that is about par for the course.

Communication management systems that connect together multiple systems and different makers’ equipment, and which determine message priorities and allow the best transmission method for messages, may need regular updating to work effectively. Each new version of software will add functionality and may need to be installed each time new equipment is added to the network. Because these systems are normally used with subscription services, the service provider will normally advise when a new version of software becomes available. They will also advise how to obtain and install the new software.

Updating methods will vary according to the machine type and manufacturer. Some may require the equipment to be connected to the internet but most commonly an SD card or USB flash drive is used.

The overall process of firmware upgrading is not that difficult, but it is essential to follow the manufacturer’s instructions exactly. Sometimes a video clip is available to demonstrate the process. The first step is determining what version is running on the equipment and whether an update is needed. This may mean selecting a menu choice or following a set sequence of control button activations.

The next steps involve downloading the new version onto a PC or tablet, unzipping it if necessary, transferring to the appropriate accessory and then connecting that to the device to be upgraded. A reliable power supply for the device during upgrading is essential if the risk of damage (sometimes terminal) is to be avoided. If there is any doubt as to how the update should be done it is best to postpone until an experienced technician can do it.

On some systems and devices, updating is performed regularly whenever connected to the Internet if appropriate settings have been activated. This is how Microsoft updates its Windows Operating System and many other software providers do the same.

It is essential that some checks are carried out before any unscheduled updating process is begun. Many cyber attacks are initiated using a phishing email that purports to come from a manufacturer or supplier and which contains clickable links but is actually sent by a hacker. This could allow a whole IT network on the ship to be compromised.
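The version check described as the first step of the upgrade procedure and the checks recommended before any unscheduled update, as an added example that is not from the original article or from any equipment maker: a Python pre-flight script that refuses to proceed unless the update notice came from an approved supplier domain, the offered version is actually newer than the installed one, and the downloaded package matches the checksum the maker published. Supplier domains, version numbers and the package bytes are constructed for illustration.

```python
"""Pre-update checks for a shipboard firmware or software package.

Added example; not code from the original article or from any equipment
maker. Vendor domains, versions and the package bytes are constructed.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Constructed allow-list: domains the company has sanctioned for update notices.
APPROVED_SUPPLIER_DOMAINS = {"example-ais-vendor.test", "example-ecdis-vendor.test"}


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of an e-mail address such as
    'AIS Support <support@example-ais-vendor.test>'."""
    addr = address.strip().rstrip(">")
    return addr.rsplit("@", 1)[-1].lower()


def is_approved_sender(address: str) -> bool:
    """Exact-match the sender domain against the allow-list. A substring test
    would wrongly accept look-alikes such as 'example-ais-vendor.test.evil.test'."""
    return sender_domain(address) in APPROVED_SUPPLIER_DOMAINS


def parse_version(version: str) -> tuple[int, ...]:
    """Convert 'v3.10.2' into (3, 10, 2). Numeric tuples compare correctly where
    plain strings do not: '3.10.0' < '3.1.2' as text, but 3.10.0 is the newer build."""
    nums = re.findall(r"\d+", version)
    if not nums:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(n) for n in nums)


def update_is_newer(installed: str, offered: str) -> bool:
    """True only if the offered version is strictly newer than what is running."""
    return parse_version(offered) > parse_version(installed)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the downloaded package, to compare with the maker's value."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class PreUpdateResult:
    proceed: bool
    reasons: list[str] = field(default_factory=list)


def pre_update_check(
    notification_sender: str,
    installed_version: str,
    offered_version: str,
    package: bytes,
    published_sha256: str,
) -> PreUpdateResult:
    """Run the three checks; any failure blocks the update and is recorded."""
    reasons: list[str] = []
    if not is_approved_sender(notification_sender):
        reasons.append(f"notification sender {sender_domain(notification_sender)!r} "
                       "is not an approved supplier domain (possible phishing)")
    if not update_is_newer(installed_version, offered_version):
        reasons.append(f"offered version {offered_version} is not newer than "
                       f"installed {installed_version}; no update needed")
    if sha256_hex(package) != published_sha256.strip().lower():
        reasons.append("package checksum does not match the published SHA-256 "
                       "(corrupt download or tampered file)")
    return PreUpdateResult(proceed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed firmware image and the checksum the maker would publish for it.
    image = b"constructed AIS firmware image v3.10.0"
    good = pre_update_check("AIS Support <support@example-ais-vendor.test>",
                            "3.1.2", "3.10.0", image, sha256_hex(image))
    bad = pre_update_check("support@example-ais-vendor.test.evil.test",
                           "3.1.2", "3.10.0", image + b"\x00", sha256_hex(image))
    print("proceed:", good.proceed, good.reasons)
    print("proceed:", bad.proceed, bad.reasons)
```

A failed check should be reported to the office rather than worked around, since a checksum mismatch on a USB stick or SD card is exactly the interrupted-download damage the text warns about.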

New performance standards – ensuring compliance

It is more than 30 years since the GMDSS was developed and since then there have been significant changes to the communications systems used by ships. Therefore it is not surprising that an update and revision of the system was much needed.

The new revised GMDSS is not on the same scale as the fundamental change that occurred previously in the 1990s, but it has necessitated a rewriting of a whole chapter of SOLAS and amendments to a number of others. In some ways this is a sensible thing since it brings together regulations on communications that have been diffused through SOLAS chapters.

From an operational viewpoint, it is the 11 revised performance standards for services and equipment that will need to be looked at most carefully. Some of these may require older equipment to be replaced on existing ships and will apply to new builds from 1 January 2024.

These revised performance standards will be promulgated in new IMO resolutions shortly. They have not yet been published (as of 17 June 2022) but the resolution numbers and texts are known having been agreed at MSC 104 and adopted at MSC 105. The full list is detailed below with the new resolution titles, the resolution they are superseding and a brief note on the main changes.


This replaces resolution A.699(17) and should be read in conjunction with new Resolution MSC.508(105).

The main thrust of this is directed at flag and port states planning to broadcast safety information on HF and seeking approval from the IMO for the broadcast schedules.


This amends or replaces resolutions A.525(13), MSC.148(77), MSC.148(77) as amended, and A.700(17).

It sets new standards for NAVTEX equipment that should comply also with the requirements set out in resolutions A.694(17) and MSC.191(79).

There is not necessarily a mandatory requirement to replace existing equipment although individual flag states can do this. The resolution recommends flag states to ensure that NAVTEX receiver equipment:

It also recommends that equipment for the reception of NBDP broadcasts of navigational and meteorological warnings and urgent information to ships by HF, if installed on or after 1 January 2024, conforms to performance standards not inferior to those specified in the annex to the present resolution and, if installed before [1 January 2024], conforms to performance standards not inferior to those specified in the annex to resolution A.700(17).


Replaces A.801(19). As with MSC.507(105) above, this new resolution is aimed at administrations rather than shipping companies and deals with provision of services in different sea areas. More specifically it deals with the establishment of Coast Stations providing DSC (Digital Selective Calling) services and covers basic principles, criteria and availability.


Supersedes resolutions A.530(13) and A.802(19), as amended.

It sets new standards for Search and Rescue Transponders (SARTs).


Replaces Resolution A.803(19).

Again, this updates the performance standard for equipment, in this case VHF installations used for voice and DSC specified in the GMDSS requirements as opposed to VHF for general use on board vessels.

It will apply to new vessels from 1 January 2024, but existing vessels can continue to use current equipment if permitted by the flag state.


Replaces Resolutions A.804(19), as amended, and A.806(19), as amended

As with the previous new resolution, this updates the performance standard for equipment for installations used for voice and DSC specified in the GMDSS requirements.

It will apply to new vessels from 1 January 2024, but existing vessels can continue to use current equipment if permitted by the flag state.


Replaces Resolution A.807(19), as amended.

This new resolution updates the performance standard for equipment for installations specified in the GMDSS requirements.

It will apply to new vessels from 1 January 2024, but existing vessels can continue to use current equipment if permitted by the flag state.

Any new equipment will need to be type-approved by Inmarsat and, since Inmarsat no longer has a monopoly on GMDSS provision, not all ships will be obliged to carry an Inmarsat C receiver for GMDSS purposes.


Supersedes resolution A.814(19).

This new resolution does not cover any specific piece of GMDSS equipment but is guidance for eliminating false distress signals, which occur on a regular basis. Flag states are encouraged to disseminate the information and also to consider establishing and enforcing national measures to prosecute repeat offenders.

While there is no new requirement for equipment, the new guidelines should be incorporated into the appropriate procedures in a company's ISM system.


Supersedes resolutions A.762(18), A.809(19) and MSC.149(77).

The performance standards for survival craft VHF sets have been updated regularly over time. This new resolution is a continuation of that trend and is intended to ensure functionality of equipment meant to be used only in emergency situations. The equipment should always be inspected at regular intervals and maintained in a serviceable condition.

There is no need to replace equipment on existing ships but any new equipment installed after 1 January 2024 must comply with the latest standard.

Equipment installed between 1 July 2005 and 1 January 2024 should conform to performance standards not inferior to those specified in the annex to resolution MSC.149(77). Equipment installed from 23 November 1996 up to 1 July 2005 should conform to performance standards not inferior to those specified in annex 1 to resolution A.809(19), and any equipment installed earlier is subject to the standards specified in annex 1 to resolution A.762(18).


These are very minor changes applying to equipment installed after 1 January 2024 and used for two-way on-scene radiocommunications for search and rescue purposes using the aeronautical frequencies 121.5 MHz and 123.1 MHz.

One change refers to using a colour for the equipment that distinguishes it from other portable equipment, while the other incorporates a wording change: ‘Unless otherwise stated, the equipment should comply with the applicable requirements of volume III, part II, chapter 2 of annex 10 to the ICAO Convention.’


Supersedes resolution A.811(19) and applies to a shipborne integrated communication system installed after 1 January 2024, either on a new vessel or as a replacement on an existing vessel.

The performance standards cover the requirements for hardware, software and documentation and include aspects such as software and firmware maintenance, malfunction and restoration, interfacing, and documentation, among others.

Where the resolutions apply to new equipment, it will be for manufacturers to ensure that the equipment meets the requirements and has appropriate type approval. For ship operators, the changes will mean ensuring that any replacement equipment meets the new resolutions and can properly interface with other elements of the GMDSS that may not be replaced.

Where new elements are added to the GMDSS system, there will be related changes in training needs and in the STCW requirements.

At the moment, the new resolutions, although approved, are more than a year away from taking effect. This should give ship operators sufficient time to analyse what is needed and to investigate the market for new equipment. If current equipment appears to be near the end of its life, it can safely be replaced with equipment meeting the current requirements and should not have to be replaced again after 1 January 2024.

Manufacturers of equipment will likely be dropping any lines that do not meet the new standards, and that could lead to shortages of equipment in the run-up to 1 January 2024. That is especially likely given the restricted supply of electronic components at this moment in time.