The Norwegian Maritime Authority (NMA) has issued a warning to companies to be on their guard against cyber-attacks and to focus on their digital security, following a spate of ransomware and virus incidents impacting several companies and municipalities in the country, including the maritime industry.
“The virus attacks on maritime companies, municipalities and others show how vulnerable we can be, but also how important it is to have good training, competence and routines. It is important to be well prepared, both to prevent attacks and to handle them if they come,” said acting Director General of Navigation and Shipping, Lars Alvestad.
The NMA notes that while it will monitor compliance with the 2021 IMO requirement that cyber risk be included in safety management plans for ships and shipping companies covered by the ISM Code, it is the companies themselves that are responsible for assessing and mitigating their own risk when it comes to digital incidents.
“An increase in the use of digital systems and connections for ships and shipping companies means increased vulnerability to digital incidents. When such incidents are not handled the right way they may, in the worst-case scenario, jeopardise the safety of the crew and passengers,” said Nils Haktor Bua, Senior Surveyor at the NMA.
At the beginning of the year, as a part of its work on cyber resilience, the NMA and the Norwegian Environment Agency presented a proposal for a new strategy for maritime digital security in response to a request from the Ministry of Trade, Industry and Fisheries and the Ministry of Transport and Communications.
“The strategy points to a number of measures for increased digital security in the maritime industry. The shipping companies also hold much of the responsibility for the security in their digital systems. Many are doing a good job, but there are companies that need to focus more on this,” added Mr Alvestad.
Johan Stensen, ISM Coordinator at the NMA, reminds all companies to maintain awareness and to develop a proper overview of their digital systems, lines of communication, dependencies and system vulnerabilities.
“Make sure that crew and personnel have the necessary training to detect and avoid attacks. Procedures must be in place and known so that they can be used if a digital attack comes. You should train for digital incidents the same way you train for other security incidents,” he said.