Secure at Sea: Is your vessel ready for IMO’s Cyber Security compliance?
June 3, 2020 MARITIME CYBER SECURITY
Cyber security threats continue to be one of the top threats facing governments, businesses, and private individuals around the globe with attacks increasing exponentially on vessels and the maritime industry.
State and non-state actors perpetrate these attacks constantly around the clock and around the globe. Over the past few years, we have discussed cyber security-related issues in this column and their effect on the maritime industry. The IMO (International Maritime Organization) has put cyber security regulations in place for compliance by 2021. Many experts believe these will be the first of many regulations for the maritime industry when it comes to cyber security.
There are two specific documents the IMO has put forward regarding cyber security. The first document is MSC-FAL.1/Circ.3; Guidelines on maritime cyber risk management. This document is a guide on the basics of cyber risk management.
The Maritime Safety Committee (MSC), at its 98th session in June 2017, adopted Resolution MSC.428(98). This specifically addresses maritime cyber risk management as part of the vessel’s Safety Management System (SMS). The resolution encourages flag administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance after Jan. 1, 2021. This means that vessels that have an active ISM plan must address cyber security within that plan by their first flag inspection after Jan. 1, 2021. There are tools and reference documents the IMO cites to help vessels develop the cyber management plan as part of their ISM.
Specifically, there are three reference documents the IMO recommends when putting together the cyber security part of an ISM plan. The first document was put together by a coalition of maritime organizations called Guidelines on Cyber Security. The second reference document is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is the ISO/IEC 27001 standard on information technology, security techniques, and information security management systems. The final guidance document is published by the U.S. National Institute of Standards and Technology (NIST) called The Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework). There is a lot of information within each of these reference documents.
The primary focus of cyber security programs is to put measures in place to protect both OT (Operational Technology) and IT (Integrated Technology) onboard a vessel. OT is defined as a system we use in our normal day-to-day operations such as navigation equipment, radar, GPS, etc. IT is the system that integrates those devices and connects them eventually to the internet.
Putting an effective shipboard cyber security plan in place is more difficult than land-based operations and requires coordination between multiple devices and support organizations. IT and OT technology being deployed onboard large yachts continues to expand as new software technology is being developed and launched to reduce onboard workloads.
The reference document most maritime organizations, flag states and vessels use to develop their cyber security program is the NIST framework. This framework has five basic parts: identify, protect, detect, respond, and recover. This framework is easy to develop into a basic cyber security plan for a vessel.
In part two of this column, I will explore the framework and some of the basic parts that should be included in an ISM plan as part of a vessel’s overall SMS.
Corey D. Ranslem is CEO at International Maritime Security Associates (www.imsa.global). With more than 24 years of combined Coast Guard and maritime industry experience, he aims to enhance the way mariners handle security threats and risk management. Comments are welcome below.