10 Steps to Safeguard Maritime Property from Cybersecurity Threats

IJ Arora, Ph.D

Cybersecurity threats have become a pressing concern in the modern era due to our lives becoming increasingly dependent on computerization. However, with the convenience of technology comes vulnerability to malicious attacks. The maritime industry, with a growing reliance on technology, faces significant cybersecurity threats. Dr. Jekyll and Mr. Hyde (i.e., good and bad) exist and have always existed. Protecting against cyberattacks is crucial to ensuring the industry’s stability and security.

Understanding cybersecurity in the maritime industry

Cybersecurity in the maritime sector involves safeguarding systems, information, and assets from unauthorized access, disruptions, or manipulations. The industry’s growing reliance on technology, including networks controlling essential functions like navigation and communication, makes it an attractive target for cybercriminals. To maintain business continuity, it is crucial that companies assess their current cybersecurity posture and act to proactively improve it. The maritime industry supports trade and the economy at large, so a cyberattack can have broader consequences beyond just affecting a single vessel or company. For this reason, the intent of the attackers might be broader than simply affecting a specific entity for ransom.

Current challenges in maritime cybersecurity

Before delving into the 10 essential steps to fortify against cyberthreats, it’s crucial to acknowledge the prevalent challenges faced by the maritime industry, which include:

  • Business continuity disruption due to breaches
  • Lack of comprehensive response plans
  • Growing reliance on automation
  • Insufficient awareness
  • Vulnerabilities in cloud computing
  • Rise in phishing and social engineering attacks
  • Internal threats and attacks

Controlling both information technology and operational technology systems is critical to fortifying cybersecurity. Various systems within the small passenger-vessel sector are susceptible to cyberthreats, including bridge systems, access control systems, passenger servicing and management systems, and communication systems.

The 10 steps

When addressing cybersecurity, organizations must consider protecting information itself as well as the asset on which that information is stored. Control of both information technology (IT) and operational technology (OT) systems is critical to fortifying cybersecurity. Additionally, management must consider the confidentiality, integrity, and availability of information and how these three aspects may potentially be compromised.

Step 1: Leadership commitment

Leaders must drive the need for cybersecurity and ensure that it is baked in (not buttoned on) to processes. They need to engage the workforce to contribute to the system. To do this, they can:

  • Appoint a cybersecurity manager to ensure accountability and garner buy-in.
  • Make cybersecurity integral to business processes and consider risks vs. rewards.

Step 2: Use a system framework

Employ the plan, do, check, act (PDCA) cycle as the foundation for a robust cybersecurity approach. This is also the approach prescribed by the Passenger Vessel Association (PVA) safety management system (SMS) framework.

  • Develop and regularly update cybersecurity policies aligning with organizational needs and threat landscape changes.
  • Identify clear roles and responsibilities for all concerned with cybersecurity aspects of the SMS.

Step 3: Contextualize risk

  • Consider the broader context of operations, trade patterns, technology, and legislative factors.
  • Identify stakeholders, online networks, assets, critical components, and business-sensitive information.

Step 4: Risk assessment (3D framework)

Leaving hazards in uncertain states is a drawback for proper risk assessment. It is the responsibility of leadership to convert uncertainty into clearly defined risks within the context of the organization and then prioritize those risks.

  • Organizations must assess hazards in terms of probability, severity, and the likelihood of detection.
  • Risks should be prioritized with consideration given toward confidentiality, integrity, and the availability of information.

Step 5: Build controls into processes

Controls can be split into various categories, including administrative, physical, human, and technological. In some cases one control may suffice, but for the most part a combination of controls must be applied. Identified controls should be implemented based on the feasibility rule, meaning that although they may look good in a vacuum, ease of implementation must be considered. Information security should be a part of everything the organization does—not an add-on. This includes:

  • Implementing technical security controls like firewalls and intrusion-detection systems.
  • Adopting a layered security approach (i.e., “defense in depth”) to effectively mitigate various threats. This entails creating multiple barriers to prevent access to information: physical barriers, passwords, firewalls, VPNs, etc.

Step 6: Maintain basic measures

Basic safety measures are easy to implement and, for the most part, they are cost-effective. This can include cybersecurity awareness training for personnel, physical security, and password security. Below are a few more, although this is not an exhaustive list:

  • Keep hardware and software updated.
  • Enable automated antivirus and anti-malware updates.
  • Limit administrator privileges and control removable media.
  • Avoid public network connections without a VPN.
  • Regularly back up and test information-restoration capabilities.

Step 7: Employee awareness

It is important to make employees aware of the need for good cybersecurity protocols. Employees are often the weakest link in the security chain. Statistics show that almost 36 percent of data breaches are caused by employee negligence. Immediate actions organizations can take include:

  • Educate employees on cybersecurity best practices to minimize human error.
  • Train personnel to identify phishing attacks and report incidents promptly.

Step 8: Emergency preparedness

No organization is immune to cyberattacks. It is important to have a plan in place for responding to attacks quickly and effectively. The plan should include steps for mitigating the damage, containing the attack, and investigating the incident. You can use ISO 22301:2019, “Business continuity,” to develop this plan.

  • Your plan should include comprehensive processes for responding to cyberattacks swiftly and efficiently, including reporting mechanisms.
  • Test and improve your business continuity plan regularly.

Step 9: Assess effectiveness

The check stage of the PDCA cycle is vital to instill confidence in the effectiveness of the organization’s cybersecurity measures.

  • Conduct regular cybersecurity assessments, including third-party evaluations for objectivity.
  • Evaluate assets, vulnerabilities, IT/OT risks, physical access, and breach potentials.

Step 10: Continual improvement

  • Embrace continual improvement through the PDCA cycle to maintain vigilance.
  • Invest in training personnel on cybersecurity standards like ISO 27001.

Conclusion

Taking cybersecurity seriously and implementing these 10 steps can significantly mitigate the risk of cyberattacks. Begin the process by conducting a gap assessment using a qualified person to assess where your system currently stands and what actions need to be taken.

Your action plan should identify risks, gaps, and the controls needed. These controls can easily be integrated into the existing safety management system. Investing in cybersecurity today will better prepare your organization to manage future risks. Leadership involvement is crucial, and these steps serve as a solid foundation to effectively fortify cybersecurity measures.

About the author

Inderjit (IJ) Arora, Ph.D., is the President and CEO of QMII. He serves as a team leader for consulting, advising, auditing, and training regarding management systems. He has conducted many courses for the United States Coast Guard and is a popular speaker at several universities and forums on management systems. Arora is a Master Mariner who holds a Ph.D., a master’s degree, an MBA, and has a 33-year record of achievement in the military, mercantile marine, and civilian industry.

The above article is featured in the following:

Foghorn Magazine

Exemplar Global Publication “The Auditor”

Controlling Sub-Sea Infrastructure


The recent implosion of the Titan, a sub-sea submersible used for taking elite, high-paying tourists to see the wreck of the Titanic, brought the safety protocols of both vessels into focus. There were no statutory requirements for regulating the Titan and neither were there any when the Titanic sank in 1912! As a reactive measure, the maritime community came up with the Safety of Life at Sea (SOLAS) Convention soon after the sinking of the Titanic. Ironically, after the Titan submersible imploded, we have come to realize there are no requirements covering this vessel. Perhaps with time, the involved countries will react.

The question is, why was nothing done proactively? Tourists go up in hot air balloons all the time. Is there any statutory requirement that these tourist companies must meet? Is there even a requirement to have a management system in place so that these companies work systematically, appreciate the risks in the context of the organization, and plan their operations keeping risks in mind? It is true that entrepreneurs do not like regulations and consider requirements a hindrance in a free business environment. And yet the Titanic, which was declared to be “unsinkable,” did, in fact, sink! In the United States, the domestic towing vessel industry functioned without statutory requirements until recently. The industry avoided regulation, but tragedies occurred, and now the industry is regulated under the U.S. regulatory framework. A process-based management system is the best systematic structure to produce conforming products and services, ensure continual improvement, and implement the statutory requirements if available.

The intent of this article is to proactively start a discussion on the need for regulating sub-sea infrastructure to reduce its effect on the marine transportation system. The phrase “sub-sea infrastructure” refers to equipment and technology placed on or anchored to the ocean floor. This infrastructure may include, but is not limited to, cables for telecommunication, cables for power transmission, pipelines for transmission of fluids, and other stationary equipment for scientific research.

The growth of sub-sea infrastructure is a global phenomenon. As an example, it is in the interest of all nations, and particularly here in the United States, to promote wind farms, which are a source of renewable energy. When these wind farms are placed in selected geographical locations along the continental shelf, they need sub-sea cables. But are there any laws controlling the systematic development of the industry to enable an effective marine transportation system and its protection of maritime community interests and environmental interests? Is there a central agency responsible for this coordination to allow for a balanced approach to risks? The amount of cabling piling up needs management and oversight.

Sub-sea infrastructure, the definition of the problem

Numerous industries have a stake in sub-sea infrastructure. Examples include oil and gas, telecommunications, fishing, scientific research, and perhaps military/defense applications such as sonar and other arrays and obstacles. This infrastructure is a requirement, but it also faces various challenges including those that can lead to accidents, environmental damage, and possible breaches in national security. All these bring out very significant concerns related to sub-sea infrastructure and the lack of comprehensive and globally accepted standards, requirements, obligations, and assurance mechanisms. It is not that organizations such as the United States Coast Guard, the National Oceanic and Atmospheric Administration, the Bureau of Safety and Environmental Enforcement, the U.S. Army Corps of Engineers, the Environmental Protection Agency, and other federal and state agencies do not look at these issues.

Nevertheless, it remains a concern that there is no single agency or overarching requirement to provide a framework to the industry on harmonized implementation of requirements. This lack of harmonization can mean inconsistencies in design, installation, and maintenance practices which may not address risks uniformly. This can generate consequential risks, leading to increased accidents, mechanical failures, and costs to the industry and the nation.

Recent tragedies and accidents

Recent tragedies and accidents involving sub-sea infrastructure have been limited, and yet must not lead to complacency by the agencies involved. The few that have occurred indicate the challenges and trends pointing to the need for proactive requirements. The recent tragedies include:

  • Deepwater Horizon. The potential consequences and challenges inherent in deep-water oil drilling were brought out by the Deepwater Horizon tragedy in 2010. The oil rig explosion in the Gulf of Mexico caused a massive oil spill and resulted in the loss of 11 lives. Although not technically a sub-sea incident, it highlighted a series of failures in design, maintenance, and company oversight—all factors pointing to the importance of robust safety standards and requirements, and the implementation thereof. The Deepwater Horizon incident was not directly related to sub-sea infrastructure; however, it heightened the risks associated with offshore oil and gas production and the potential for catastrophic environmental damage.
  • Nord Stream 1 and Nord Stream 2. Occurring in September 2022, the damage to these gas pipelines in the Baltic Sea highlighted concerns around sub-sea infrastructure. These pipelines transport natural gas from Russia to Europe; in this incident, they sustained multiple leaks. The exact cause of the damage is unclear, though deliberate sabotage was suspected and is still under investigation. Regardless of the ultimate findings, this incident exposed the vulnerabilities of sub-sea infrastructure to sabotage, and the potential for significant environmental and economic consequences is real. Intentional attacks on sub-sea infrastructure have the potential for widespread disruption of energy supplies. Apart from the Nord Stream, there have been other sub-sea incidents affecting the gas and oil industry. In 2021 a fire broke out on a sub-sea production control umbilical off the coast of Brazil, causing significant damage to the underwater equipment and resulting in a major oil spill.
  • English Channel Internet Disruption. In 2021, a ship dragging its anchor on the seabed in the English Channel cut the three main internet cables to the Channel Islands. Although this only resulted in slower broadband speeds in this instance, there remains the possibility that it could have resulted in a complete outage.

Looking ahead

These incidents represent leading indicators of a tragedy in the making should proactive action not be taken. The critical importance of safety for sub-sea infrastructure underscores the need for a more comprehensive and rigorous approach to standards and assurance. Industry stakeholders together with regulatory bodies within the United States and global organizations such as the International Maritime Organization must work together to establish a harmonized set of safety standards, implement robust assurance mechanisms, and foster a culture of safety throughout the sub-sea industry.

The increasing reliance on sub-sea infrastructure for various industries (including wind farms) necessitates a proactive approach to safety and risk management. There is definitely a need to invest in research and development to enhance the resilience and monitoring capability of sub-sea infrastructure. The various companies in the sub-sea industry are holding their proprietary information close to the vest. This is understandable. However, these organizations are in competition with totalitarian governments, in which control of business practices is the exclusive dominion of the state. It is necessary to enhance transparency and information-sharing among industry stakeholders to facilitate better risk assessment and incident prevention.

Conclusion

Promoting a culture of safety that prioritizes risk identification, risk mitigation, and continual improvement is essential. There is no common ISO standard for sub-sea management systems. Of course, ISO 9001 is interpretable and can be used as the basis for now. Environmental protection is a challenge for a developing industry, and as such, even greater urgency is needed for statutory requirements encompassing all aspects of stakeholder interests, the marine industry in general, and the protection of the environment for generations to come.

Marine transportation remains the most important way for goods to be shipped across the world, as approximately 80 percent of the world’s goods are transported by ships. Vessels need a place to anchor in normal operating conditions as well as in emergencies. A crowded seabed in harbors makes this a challenge for the entire maritime industry.

Without adequate and effective regulatory oversight, it may be too late to take action once cables and other sub-sea equipment have already been laid. Further, multiple agencies regulating the same aspects of the industry can potentially lead to bureaucratic delays.  There is therefore an urgent need to create a single statutory body to regulate the sub-sea infrastructure industry, which will greatly benefit all parties invested in the maritime transportation system.

Exemplar Global Publication “The Auditor”

Maritime Leadership – Beyond Designated Person Ashore (DPA)


It appears that maritime leadership is limited to the DPA/DP (Designated Person Ashore). The worst case is when the senior leadership of a company washes its hands of the leadership role by assuming a DP will do all that needs to be done! Clause 4 of the ISM (International Safety Management) Code defines the role of the DP (designated person). It is to be remembered that the DP is indeed the link between the company and those on board, to the extent decided by the leadership/ownership of the maritime company. Clause 4 of the ISM Code defines his/her role as that link. However, there is much more to it. There is a kind of upstream and downstream relationship between the safe operations of a vessel and the leadership exercised by the shipping company. The DP can represent the company and do his/her best in meeting objectives if he/she is resourced and supported by the leaders. Maritime leadership is strengthened by the contribution of the DP. This is particularly true when a tragedy occurs and the crisis management team is called upon to deal hands-on with the tragedy and minimize its aftermath. The DP, as part of the crisis management team, must play a lead role in providing his/her experience and expertise to ensure the situation does not worsen. The DP should be competent and involved, and should participate in designing the safe operations of the vessel, predict the risks and trends from the available company and industry data, and make timely recommendations to ensure tragedies do not occur. But once they occur, the same detailed knowledge has to be used to meticulously plan the response actions.

The leadership of the company, particularly when not from a marine background, should orient itself to maritime matters during good times. It is in normal, good times that the relationship of confidence with the DP has to be built. Regular access to the TM (top management) of the company by the Designated Person Ashore makes teamwork smooth in a crisis situation. The leadership, working together with the DP and the team, is able to ensure that the company’s safety objectives, environmental policy implementation, and functional requirements are met. Regular drills, exercises, and analysis of situations ensure that the lessons learned are used as input for further planning and resourcing. Clause 4 of the ISM Code is not just the basis of a job description for the DP, but also an input to the leadership to see where they fit in, so that support can be provided without delay when required in a crisis. Building trust is a responsibility that both the DP and the organization share. There is much more to this dynamic leadership role. Meeting the objectives of the company given in clause 1.2 of the ISM Code (safety, prevention of human injury or loss of life, and avoidance of damage to the environment) is the DP’s responsibility. He/she is the implementer of the safety and environmental policy as given in clause 2 of the ISM Code. This, however, cannot be achieved without resources and support from the company’s top leadership.

Emergency preparedness is a requirement of the ISM Code. Clause 8 of the ISM Code requires implementation on board, with office support led by the Designated Person Ashore and resourcing provided by the top management of the company. The DP, with his/her team, brings a considered opinion as input to the organizational decision-making body. Preparing to respond to emergency situations at sea needs forethought in appreciating the risks and preparation in advance. It starts with recognizing hazardous situations, creating procedures, conducting drills and exercises, and learning lessons from the exercises conducted, from other industry inputs, and from similar occurrences anywhere. Data drives risk appreciation and trend recognition. Management has to look ahead at possible crises and be prepared with a timely, quick response.

A crisis, if handled well, requires and brings out clearly that not just competence, but also motivation and leadership, are of the utmost importance. As primary consultants in the field of maritime work, QMII (www.qmii.com) has worked on crisis management, handling media, and building teams for 30-plus years now. Our experience shows clearly that a leadership team working in a participatory manner with not just the Designated Person Ashore, but all departments, determines the success of addressing a crisis.

Safe operation of ships and prevention of pollution require dynamic leadership at the company level, with the involvement of the DP, using the expertise in the ISM Code and SOLAS, as well as other relevant IMO conventions and Flag State advice, to formulate robust, well-thought-out plans for crisis management. A process-based management system approach is most important. “If an organization cannot describe what they do as a process, then they do not know what they are doing.” It is to be remembered that behind every casualty at sea are many detentions, and behind them indicators like Major NCs (non-conformities) and near misses. The maritime leadership, with the Designated Person Ashore included, must lead to prevent a crisis.

Effectiveness of the ISM Code


The ISM (International Safety Management) Code, in itself, is not a magic wand that will bring safety or prevent pollution. It depends on how the organization implements the Code. Safe operation of ships and the prevention of pollution should have been any organization’s objective. Yet all over the world, owners compromise these objectives to save money. Did not the Titanic, trying to set a record for crossing the Atlantic by going north to cut distance, run into the iceberg and sink on April 15, 1912?

The sinking of the Titanic, with the loss of nearly 1,500 passengers and crew, was an eye-opener. It led to the SOLAS (Safety of Life at Sea) Convention. Did the negligence and continued operation of ships compromising safety stop with SOLAS? Sadly not. The investigation by Justice Sheen into the sinking of the Herald of Free Enterprise on March 6, 1987, looked at why SOLAS had not helped prevent the tragedy. It brought out the necessity for a process-based management system, and SOLAS Chapter IX was updated to authorize the ISM Code. It provides the guidelines for the implementation of a system to ensure the safety of vessels at sea.

The Flag State Administrations under whose flag the ships sail legitimize the use of the Code, making it mandatory for internationally trading vessels. If a company is bent upon not implementing it in its spirit, then of course neither the objectives of the Code nor its functional requirements will be met. Owners and operators of vessels often look to short-term gains, for which they compromise the standards and bypass the rules. They have to understand that behind every casualty at sea are many detentions, and behind them indicators like Major NCs (non-conformities) and near misses.

The Flag States that do not strictly inspect and audit vessels to the ISM Code and issue SMCs (safety management certificates) are actually, to retain the business of ship owners, jeopardizing the same ships! Even some responsible Flag States, due to a shortage of manpower, outsource their duties to ROs (recognized organizations), often represented by class societies. This results in diluted control, as an outsourced process needs strict monitoring to ensure performance is not affected. Not managing an outsourced process is as good as not taking responsibility. Authority can be delegated, but not the responsibility.

NCs (non-conformities) drive correction and CA (corrective action), and as such should be welcomed as inputs to ensure continual improvement of the system based on the ISM Code. Yet there are common, everyday examples of Masters of ships negotiating to somehow get the auditors not to give NCs. This is because the management ashore is not mature enough to realize that keeping the masters under pressure and judging their performance by the NCs reported creates an environment of fear and hiding of NCs. A good SMS (safety management system) based on the ISM Code, if correctly implemented, should welcome NCs. The DP (designated person) should know that the “only bad NC is the one which the organization does not know about.”

For domestic vessels, and for that matter towing and small vessels, and perhaps in due course for domestic passenger vessels, one would think a new standard would be required? Subchapter M for the towing industry in the USA is nothing but the ISM Code domesticated. The ISM Code is a useful, well-thought-out document that provides strong fundamentals based on hundreds of years of sea experience and of losses of life, cargoes, ships, and fortunes. The process-based management system it propagates would systematize operations. However, for an effective management system, the implementers have to be motivated and committed. The Flag States have to be strict and vigilant in their issue of certificates. When they outsource the certification to ROs, they must not wash their hands of their responsibility. Strict monitoring of the ROs must be put in place through good, clear, concise MOUs (memorandums of understanding) with clear provisions to audit the ROs. The owners and operators, through their organization, should put in place a robust internal auditing program that gives objective inputs on the implementation of the ISM Code.

– by Dr. IJ Arora

Subchapter M is a positive Regulation from the USCG to improve safety


Introduction. Industry maturity is essential in the implementation of any regulatory requirements. The reluctance of the industry toward implementation of the Subchapter M requirements is short-sighted.

Based on the analysis of casualties, tragedies and near misses, statutory bodies, at the insistence of the executive (Congress as the representative of the citizens), propose regulations for compliance to ensure the safety of the marine environment. The USCG is a premier, internationally respected maritime authority, and it has taken a lot of time to come out with Subchapter M, incorporating the best practices and lessons learned from years of implementation and enforcement of the ISM Code (toned down as required for the domestic towing industry in the US). Owners, especially small businesses, often see the initial investment as an expensive inconvenience. They perhaps fail to recognize the long-term benefits of safe operations using a system approach. An incident, accident, loss of life or marine pollution will be far more expensive than the initial investment, not only to them but to the entire industry on the inland waters.

Appreciating Risks in the Context of the Maritime Environment.[1] This regulation may initially seem to many like another ‘policing’ activity by statutory bodies. When driving a car, people don’t wear a seatbelt to avoid being caught by the police. They wear it to keep the passengers in the car safe. The industry too must implement the Sub M regulations in the spirit of ensuring safety, mitigating risks in the context of the maritime environment and systematizing their operations. It is all about the PBMS (process-based management system) approach.

ROI (Return on Investment). Even without pollution or injuries, estimated costs for the towing and barge industry are greater than $3 million. The cost of a closed waterway can amount to millions of dollars per day.[2] The NTSB concluded that the probable cause of the grounding of the MODU Kulluk was inadequate assessment of the risk for the planned tow of the Kulluk and implementation of a tow plan insufficient to mitigate that risk. As part of the Kulluk[3] team responsible for recommending safety measures, following the USCG & NTSB report the core reason for the incident is not surprising. After all, “A bad system will let down a good person every time”.

Correct Implementation. Non-implementation of maritime safety regulations typically leads to tragedies. Every organization endeavors to produce a conforming product/service. Inspection before releasing the product to the customer results in either clearing or rejecting the product or service. This dependence on inspection is a cost raiser. After all, rejection means delays and off-hire in the maritime industry. The intent should be to improve the auditing of the procedures comprising the management system so that processes result in a conforming product/service. The USCG has come out with Subchapter M to provide the framework to create the management system, monitor it, inspect it and audit it, thereby ensuring safety and in effect preventing loss in every way, including the loss of a vessel to a casualty. The industry must understand this aspect of the intended.

Learning from Tragedies. The tragic sinking of the Titanic a century ago is still teaching us lessons that we often neglect to implement in the international maritime industry. I bring this international example as it has a lesson for the domestic industry. The SOLAS convention, which was the outcome of the tragedy, investigations, and introspection by the maritime industry, further led to MARPOL, the ISM Code and later the STCW convention. The implementation of all these was dependent on the Flag States, and then the issue came up of whether the Flag States were doing their job. Ships had the SMC[4] and other trading certificates; the maritime companies maintained some standards by maintaining a DOC[5]. However, Flag States had no check. So there are now more regulations, to bring the Flag States under the purview of the IMO with the IMSAS Audits to the III Code. More regulations are not the answer but are essential when implementers are reluctant to implement in the spirit of the regulation.

Lessons from the Sinking of the Herald of Free Enterprise. The example of the Titanic is essential as Subchapter M is implemented. The ISM Code is a good safety initiative to be implemented. The learning in its clauses has been at the cost of precious seafarers’ blood. One of the primary lead-ups to the ISM Code was the sinking of the Herald of Free Enterprise, a British RoRo[6] car passenger ferry, on 7 March 1987, killing 193 passengers in near calm seas, when the vessel put to sea with the bow door open. A public inquiry into the sinking led by Lord Justice Sheen castigated the ship’s owners when Lord Sheen “identified disease of sloppiness and negligence at every level of the corporation’s hierarchy”. This was almost the first time that, instead of blaming just those at sea, those ashore were held responsible. It was this need for the operators and owners of seagoing vessels to have a management system, with well-designed procedures that were to be resourced and monitored, that necessitated the ISM[7] Code.

Role of TPOs. It is this ISM Code which has been studied by the USCG and converted into Subchapter M with all their expertise and wisdom. The USCG is following the pattern of monitoring based on ROs[8] for international shipping by decentralizing and approving TPOs[9] for monitoring and controlling the implementation of Sub M. The purpose and objectives of these TPOs are not to interpret Sub M to the convenience of the industry, but to implement the USCG intent to ensure safety.

This simple P-D-C-A (Plan-Do-Check-Act) cycle is the magic in ensuring the TSMS[10], or the MS as per USCG direction, works to ensure safety on board and for others. A good plan, based on company policy wisely converted into measurable objectives, drives the procedures, work instructions and the personnel on board, leading to good implementation. The competence of the crews and a top management motivated to understand this are essential for them and for others who ply our waters. The Check stage should be all-encompassing, primarily getting inputs from objective auditing and so enabling better decision making by the leadership based on objective inputs. The Check stage is mainly the audits, but it should consider any other inputs such as failed inspections, near misses, industry inputs and new emerging risks. This stage also includes reports from the USCG and so on. This stage is vital and requires good training of auditors[11]: auditors and management who understand that “the only bad nonconformity is the one which is not known to the organization.”[12] The Act stage is often very neglected, with top management leaving the review to their second-tier management. If they are committed to the management system (TSMS), it is essential that the leadership conduct a management review at regular intervals, soon after a mishap, and any time they are in doubt about the state of the system functioning. At each stage of the PDCA cycle, risk must be considered.

The TPOs will be cleared by the USCG as per USCG procedures. A lot is dependent on them, as they will implement the Subchapter M requirements on behalf of the USCG. The statutory USCG requirements are created to provide the required oversight, to maintain stakeholder focus, and to protect the interests of the customer when tow boats and services are certified. The USCG has outsourced this to TPOs, who should perform to expectations, be well resourced, have the infrastructure, and create the environment for compliance in the spirit of the regulations. The TPOs should maintain organizational knowledge levels, maintain competent personnel, and take accountability for the effectiveness of the TSMS.

Options for Compliance to Sub M. The USCG has provided options for the towing industry to choose from to ensure compliance. Option A, the “Coast Guard Option” per (46 CFR 136.130(a)(1)), offers the best for small towing companies who own just two or three vessels. This option requires annual visitation by the CG for the inspections. Option B, the “TSMS” Option (137.130), would be the more logical choice for larger operators, for convenience, and for the cost. It requires either internal (first-party) surveys to be overseen by a TPO or external (TPO) surveys, where the TPO conducts independent verifications to assess compliance at the appropriate times in the cycle. The USCG Certificate of Inspection (COI)[13] is valid for five years and requires a valid TSMS issued by a TPO.

Whichever option the company selects, it has to see the value of its system. If it is a paper exercise, of course, it will not bring results. The fear that this will increase paperwork is misplaced. The TSMS does mean a little more system implementation, and so a little increased paperwork is to be expected. Companies should not go overboard with paperwork. Refrain from over-documenting your system or using a template that does not reflect how you operate. Increased operating and compliance costs are not necessary. There will perhaps be some initial costs to comply; however, the cost of operating safely is much lower than the cost of an accident. Another fear owners may have could be interference in their business. However, increased safety on the inland waterways benefits all, including boat owners and other leisure craft operators, crew members, the environment and the economy (ensuring waterways are not shut down).

Conclusion. In summing up, based on my experience and involvement, as also my work with the USCG, I can say this is a very well-intended, well-meant initiative to help the towing industry. The real joys will come from the correct implementation. Subchapter M is not only about compliance. It is about building a safety culture. It encourages the industry to streamline and reduce the paperwork that supports compliance/conformity through greater use of technology, by identifying common areas and integrating documentation requirements, and by motivating the workforce to use and improve the system. It also encourages the industry to use the reporting and monitoring systems, to build a culture of risk assessment / risk-based thinking, to explore measures to reduce the cost of compliance, to improve monitoring and to develop performance indicators. The early risk appreciation from data driving risks, and NCs[14] driving Correction[15] and CA[16], will itself pay for the investment by providing conforming vessels as the product and service of the industry.

 

 

[1] For the Context of the Organization guidelines refer to Clause 4 (4.1,4.2 & 4.3) read with Clause 6.1 of the Standard ISO 9001:2015.

[2] Transportation Statistics Annual Report 2017.

[3] https://maddenmaritime.files.wordpress.com/2016/10/tsac-1401-recommendations-kulluk-grounding.pdf

[4] Safety Management Certificate per the ISM Code.

[5] Document of Compliance as per the ISM Code.

[6] Roll-on roll-off.

[7] International Safety Management Code.

[8] RO: Recognized Organization representing a Flag State as per role defined in SOLAS.

[9] Third Party Administrators.

[10] Towing Safety Management System.

[11] https://www.qmii.com/iso-9001-training/

[12] Quote original by Dr. IJ Arora President and CEO QMII. www.QMII.com

[13] Coast Guard Certificate of Inspection.

[14] Non-Conformity.

[15] Correction is a quality term describing the immediate actions taken to address an NC.

[16] Corrective Action. CA is based on RCA-root cause analysis.

Subchapter M: Bane or a Boon?





Re-thinking the ISM Code



The ISM Code, when implemented in 1998, was meant to encourage organizations to take ownership of the safe operation of their ships and the safety of the environment they operate within. Many years on, the benefit of the ISM Code is still being debated. Has it been a boon or a burden to the maritime industry?

Given the number of maritime accidents and the loss of lives, most would opine that safety would be second nature to those at sea, something like wearing a seatbelt when driving a car, where the person does it for their own safety and for those travelling with them. It is not done out of fear of the enforcement authorities. So why has the ISM Code not driven a similar safety culture within the maritime industry?

Boon or Burden?

In many companies, the ISM code implementation has become a paperwork drill; where it is seen as a means of demonstrating to regulators that the requirements have been met. The reasons for this culture are many, including but not limited to:

  • Lack of effective communication between ship and shore staff (one of the key issues the ISM code aimed to address)
  • Fear of reporting of non-conformities / near misses (lack of job security)
  • Hierarchical structure of companies
  • Authoritarian leadership (my way or the highway)
  • Systems not customized to the vessel (generic to the fleet)
  • Poor system implementation

The ISM code provides a system approach to continual improvement but only when the code is implemented in the right spirit. Personnel often do not understand the ‘WHY’ for implementing an SMS and their need to do the right thing. Often conformity/compliance is stressed even when the actions may not be the right thing to do. Measures such as Bridge Resource Management are add-ons to ensure effective communication of risks and challenging of group thinking. However, often the training is not sufficient to enable challenging a senior officer unless they are encouraged to do so. Most mariners today view the SMS on board as a burden. Over-documentation is slowly killing the system and once incorporated into the system, requirements rarely get removed. SMS reviews done by the Master do not truly evaluate how the SMS is adding value to the effectiveness of the system.

The Case for Risk-Based Thinking

ISO 9001, in its 2015 revision, introduced the concept of risk-based thinking, wherein organizations shall assess the risks to their system given the changing environment they operate within and then plan to take actions to address these risks. This concept of risk-based thinking is driven down to the entire staff as an awareness of the need to contribute to the effectiveness of the system. While the ISM Code in its objectives requires companies to identify and safeguard against all risks, this has in many cases become a paperwork exercise of completing a risk assessment form and filing it. The ISM Code in essence has encouraged companies to identify potential emergencies, prepare contingency plans for them and then drill in these. Often these are limited to the same 10 or 12 scenarios such as grounding, oil spill, man overboard etc. Many maritime companies are ISO 9001 certified, but often the scope of this certification only extends to the shore-based offices. While the certification scope may be limited, there is nothing stopping companies from extending the system to vessels, or at the least extending the concept of risk-based thinking.

The safety culture must start with the commitment of the leadership and then be reinforced throughout the organization. The fear of reporting non-conformities must be eradicated. This can only be achieved when personnel are confident that there will be no repercussions. Regardless of the safety culture of organizations however, given the contractual nature of employment at sea, it is often difficult to inculcate a sense of commitment to the SMS. Mariners in general tend to work safely and watch out for safety of their shipmates. At times though, the culture of “follow the procedure” leads to actions being taken even when they may not be the best, given external influences and circumstances.

Consultation and Participation

ISO 45001, a standard for occupational health and safety management systems, introduces the need for ‘organizations to maintain a process for consultation and participation of workers at all applicable levels and functions, and, where they exist, workers’ representatives, in the development, planning, implementation, performance evaluation and actions for improvement of the OH&S management system’. Getting inputs from the entire workforce enables quicker and easier buy-in to the system. The SMS while capturing the various requirements should be designed for easy use by the users of the system. Often SMS manuals on board are bulky and rarely referenced. Personnel choose to follow the practices they have learned over the years from other ship mates and mentors rather than reference the SMS.

When asked for feedback on how to improve the system, many mariners have ideas but the system at times does not provide an avenue for this feedback to be captured and formally implemented within the SMS. Best practices often remain limited to a vessel as a result. Following the concept of risk-based thinking, organizations need to consider the risk of barriers to participation and take measures to reduce these. Many accidents/incidents and near misses could be addressed if mariners could have asserted themselves in the situation and alerted someone to the problem/potential non-conformity.

Conclusion

Some in the industry are calling for increased regulation to improve the maritime industry in ensuring ships are operated safely. However, regulators can only do spot checks. They are not on board 365 days of the year. Operational pressures play a major role in how risks are assessed. The grounding of the Torrey Canyon is a prime example of this as is perhaps the Titanic.

As the use of technology and reliance on electronic systems increase, new risks will consequently be introduced to the maritime industry. This new era will benefit from a re-think of the ISM Code to encourage the inclusion of risk-based thinking (beyond just a documentation exercise) and the participation of mariners to actively improve the SMS and embrace safety. In conclusion, maritime companies (with or without a change to the ISM Code), in the interest of their mariners and the maritime industry at large, need to rethink their approach to implementation and maintenance of the SMS.

SECURING THE MARITIME IoT FRAMEWORK



As technology advances, a growing number of providers are developing products and services based on the IoT (Internet of Things) framework. In the maritime industry, it is increasingly common for vessel containers to be tracked from ashore, and even for machinery performance metrics to be provided as remote, automated readouts to those ashore. With the increased use of technology, the risk of these networks being compromised also increases. There are a growing number of incidents in the maritime industry where systems were compromised, leading to losses of millions of dollars.

On average, when these breaches occur, it may take over 100 days before they are even detected! Various maritime organizations and associations have published guidelines on measures to be taken to prevent/deter such a compromise, but history has shown that the maritime industry tends to be more reactive than proactive. Even the ISM Code now includes as an appendix a circular on guidelines for maritime security. As part of the implementation of the ISM Code, measures for cybersecurity should be included in the system, from the security of networks and machinery to contingency plans in case breaches occur.

The implementation of cybersecurity measures includes the need for protection of three aspects of the system: the IT aspect, the human aspect, and the physical aspect. Organizations need to consider the cybersecurity risks at the planning stage of the system and determine where vulnerabilities lie and how to address them. Instead of reinventing the wheel, organizations may consider the implementation of an information security management system based on ISO 27001. ISO 27001 lays the framework for the IT security of the system. Drawing on industry feedback from its implementation and use, the standard includes an annex of controls for implementation to secure the system. ISO 27001 has a total of 114 controls split across 35 control categories.

If an organization already has an ISO management system framework in place, for example an ISO 9001 based system, integration of ISO 27001 into the existing management system would be a simple exercise. This integration has been made easier by ISO through the use of the High-Level Structure across standards. QMII has for 30-plus years encouraged its clients to “appreciate your management system”. As such, we build upon your existing measures and documentation to fill the gaps for requirements set by the standard. This ensures continuity in system acceptance by the users, and the changes to the system are minimal and easier to implement. For successful implementation of your system, beware of templates that promise conformance to the requirements. They may enable you to gain certification but will not ensure any long-term success, least of all in cybersecurity.

Learn more about how you can improve your management system and integrate the requirements of ISO 27001 into your existing management system.