Ships are increasingly using systems that rely on digitisation, digitalisation, integration and automation, which call for cyber risk management on board. As technology continues to develop, information technology (IT) and operational technology (OT) onboard ships are being networked together, and more frequently connected to the internet. This increases the risk of unauthorised access to, or malicious attacks on, ships' systems and networks. Risks may also arise from personnel accessing systems on board, for example by introducing malware via removable media.
To mitigate the potential safety, environmental and commercial consequences of a cyber incident, a group of international shipping organisations, with support from a wide range of stakeholders, have participated in the development of these guidelines, which are designed to assist companies in formulating their own approaches to cyber risk management onboard ships.
Approaches to cyber risk management will be company and ship-specific but should be guided by the requirements of relevant national, international and flag state regulations. These guidelines provide a risk-based approach to identifying and responding to cyber threats. An important aspect is the benefit that relevant personnel would obtain from training in identifying the typical modus operandi of cyber attacks.
In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems (SMS). The resolution states that an approved SMS should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code. It further encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 2021. The same year, IMO developed guidelines[1] that provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. As also highlighted in the IMO guidelines, effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels and departments of an organisation and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.
The commitment of senior management to cyber risk management is a central assumption, on which the Guidelines on Cyber Security Onboard Ships have been developed.
The Guidelines on Cyber Security Onboard Ships are aligned with IMO resolution MSC.428(98) and IMO’s guidelines and provide practical recommendations on maritime cyber risk management covering both cyber security and cyber safety. (See chapter 1 for this distinction).
The aim of the document is to offer guidance to shipowners and operators on procedures and actions to maintain the security of cyber systems in the company and onboard the ships. The guidelines are not intended to provide a basis for, and should not be interpreted as, calling for external auditing or vetting the individual company’s and ship’s approach to cyber risk management.
Like the IMO guidelines, the US National Institute of Standards and Technology (NIST) Cybersecurity Framework has also been taken into account in the development of these guidelines. The NIST framework assists companies with their risk assessments by helping them understand, manage and express their cyber risk, both internally and externally. The result of this assessment is a "profile", which can help to identify and prioritise actions for reducing cyber risks. The profile can also be used as a tool for aligning policy, business and technological approaches to managing those risks. Sample framework profiles are publicly available for maritime bulk liquid transfer, offshore, and passenger ship operations[2]. These profiles were created by the United States Coast Guard and NIST's National Cybersecurity Center of Excellence with input from industry stakeholders. The profiles are considered complementary to these guidelines and can be used together with them to assist industry in assessing, prioritising and mitigating cyber risks.