
Monday, November 8, 2021
Astaara’s deputy chief cyber officer talks IMO guidelines

Astaara’s deputy chief cyber officer Phil Ponsford spent 31 years serving in the Royal Navy. He was heavily involved in cyber and in how the Navy was preparing for the impending cyber security guidelines directed at the maritime industry. He wrote the first cyber guidance for Royal Navy warships, which was recognised by all NATO countries.

He has also worked with the UK government, the UK coastguard and the US coastguard on how maritime regulators and port state authorities were going to cope with the IMO 2021 recommendations.

What’s the purpose of the International Maritime Organisation (IMO) recommendations?

As ships have become more automated there has been the introduction of more systems on board to make vessels more efficient. All of this stuff has become embedded, and it’s a vulnerability. Cyber security needs to be treated in the same way as everything else to do with a vessel’s seaworthiness.

Have shipping companies viewed it as vital?

Most reputable shipping companies do get it. There’s so much news about cyber-attacks and ransomware attacks, it would be silly not to take it seriously.

What are the guidelines?

There are different models. What they’ve done is taken the best models and broken them down into five components: Identify, Detect, Protect, Respond and Recover. This is no different to anything else. You don’t need a separate standalone thing for this; you have existing systems on board. All you need to do is make sure that cyber is included in all of those.

How is the IMO 2021 being adopted by regulators?

It’s being adopted by some faster than others. I’d say that in the lead for definite is the US coastguard, and they’re taking it very seriously. They have guidelines already for their inspectors, and they’ve made it very clear that the consequences of failing your cyber seaworthiness are fairly severe – up to detention. It can definitely cause delay, which leads to business interruptions.

Others are following suit. The Paris MOU nations are following suit. Tokyo MOU are next to go down that line. They’re fairly cyber savvy.

Post-IMO guidelines, what does the future look like?

It’s going to become increasingly routine and mainstream. The master of the ship sat on the bridge will treat this as a normal daily occurrence. They are used to sitting on a bridge and taking in a myriad of information sources. Cyber inputs will just be another one of those. To be fair, they’re already doing it, and it’ll just become another thing that your cyber security officer will report to you about the state of your cyber safety on board, just as your chief engineer or your second officer would report on life rafts, firefighting etc. I think it’ll become routine business, and that is the purpose of the IMO guidelines, to make it routine.

Obviously, while this is happening, the adversaries are innovating – the people who write malware, who are out to cause problems to IT and OT, will continue to innovate to find ways to get round the various electronic measures that are put in place to stop them.

What I think will happen in the future is that the electronic measures, the software from the adversary and from the people the guidelines are protecting, will continue to improve, as they always do in these things. The real difference that can be made is the people, as in all things. That’s where the shipping company would make a real difference. If they have a cyber culture, they’re training their people, and their people respond correctly to the things that go wrong, then actually that’s where they’ll get the real operational edge and that’s where the real improvement will be seen.

It’s all about people?

Absolutely. You can spend millions upon millions on your cyber security, and have the most efficient and up-to-date equipment, firewalls, procedures and monitoring equipment in the world. However, if somebody aboard your ship decides to plug his iPhone into the terminal to recharge it, or they can’t be bothered to remember a password so it’s taped to the surface, then quite frankly an inspector will come on board, look at that and say, ‘OK, you don’t know what you’re doing, we’ll now do a full inspection.’

You could have the best systems in the world and after a three-day in-depth inspection they will say, ‘Yes we agree you have an absolutely top line safety management system, and you are very cyber security savvy. However, you’re still being delayed for three days because you’ve had to prove that.’

So, it really is down to the people on board understanding what those procedures are, understanding the safety management system as you’ve written it along the IMO guidelines, and then basically implementing it.

How is it working for a company rather than being at sea?

In many ways it’s very different. In the military when you’re deployed, you’re working seven days a week very, very long hours. So that is what you get used to. It’s like all things, they all come to an end.
