Maritime cybersecurity developments from IMO and IRClass. Also, reference guidelines from ISO/IEC 27001 Standards, NIST and guidelines published by BIMCO, INTERTANKO and ICS among others.

1. View all posts by Maritime Outlook January 3, 2018
Maritime Cybersecurity Developments
maritimeoutlook.wordpress.com/2018/01/03/maritime-cybersecurity-developments/
Image courtesy: Safety4Sea.com
As we enter 2018, maritime cybersecurity which seems to have been widely discussed
amongst our peers in the preceding years seems set to be taken a step further with more
and more classification societies looking into setting up their framework to deal with a class
approval for a cyber-secure maritime eco-space.
Risk management is fundamental to safe and secure shipping operations. Traditionally risk
management has been focused on operations in the physical domain, but greater
reliance on digitization, integration, automation and network-based systems has created an
increasing need for cyber risk management in the shipping industry.
Cybersecurity for ships that are underway, moored or at berth requires a ship or fleet-wide
approach. There are already security standards under the ISPS code, but cybersecurity
requirements can provide additional guidance regarding the cyber-related aspects of the
security measures. There are vulnerabilities created by accessing, interconnecting or
networking various systems which can lead to cyber risks. Cyber attacks on any of the
following:
bridge systems,
cargo handling and management systems,
propulsion and machinery management and power control systems,
access control systems,
passenger servicing and management systems,
passenger facing public networks,
administrative and crew welfare systems, and
1/3

2. communication systems
can result in damage or even losing course of the ship, which can drastically affect the
safety of the ship, port facilities and marine property.
In June 2016, the IMO issuedMSC.1/Circ.1526 “Interim guidelines on maritime cyber risk
management”. The Guidelines provided high-level recommendations on maritime cyber risk
management to safeguard shipping from current and emerging cyber threats and
vulnerabilities. The Guidelines also included functional elements that support effective
cyber risk management. This was further replaced by MSC-FAL.1/Circ.3 “Guidelines on
Maritime Cyber Risk Management” during the 98th session of the Maritime Safety
Committee in June 2017.
These guidelines presented functional elements that supported cyber risk management.
These functional elements are not sequential i.e. all should be concurrent and continuous
in practice and should be incorporated appropriately in a risk management framework.
1. Identify: To define personnel roles and responsibilities for cyber risk management
and identify the systems, assets, data and capabilities that, when disrupted, pose
risks to ship operations.
2. Protect: Implement risk control processes and measures, and contingency planning
to protect against a cyber-event and ensure continuity of shipping operations.
3. Detect: Develop and implement activities necessary to detect a cyber-event in a
timely manner.
4. Respond: Develop and implement activities and plans to provide resilience and to
restore systems necessary for shipping operations or services impaired due to a
cyber-event.
5. Recover: Identify measures to back-up and restore cyber systems necessary for
shipping operations impacted by a cyber-event.
These elements encompass the activities and desired outcomes of effective cyber risk
management across critical systems affecting maritime operations and information
exchange, and constitute and ongoing process with effective feedback mechanisms. There
should be an appropriate level of awareness of cyber risks at all levels of an organization.
The level of awareness and preparedness should be appropriate to roles and
responsibilities in the cyber risk management system.
This IMO issued guideline was meant to provide a foundation for better understanding and
managing cyber risks, thus enabling a risk management approach to address cyber threats
and vulnerabilities. For detailed guidance, a reference to Member Governments’ and Flag
Administrations’ requirements as well as relevant international and industry standards is
recommended. Additional guidance and standards may include, but are not limited to:
1. The Guidelines on Cyber Security Onboard Ships produced and supported by
BIMCO. CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI.
2. ISO/IEC 27001 Standard on Information Technology – Security Techniques –
Information security management systems – requirements. Published jointly by the
International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC).
2/3

3. 3. United States National Institute of Standards and Technology’s Framework for
Improving Critical Infrastructure Cybersecurity (the NIST Framework).
Based on the IMO guidelines and other reference standards, the Indian Register of
Shipping (IRClass) came up with a set of class rules. The implementation of the new rules
helps IRClass to identify the cyber risk issues from as early as the design stage of the
vessel. A final verification then takes place once the vessel is built, and periodically during
annual surveys. A vessel and it’s shipping back office which is certified for cyber safety is
assessed as complying with the class rules and will be provided with an additional class
notation.
In addition to the class rules, IRClass has also
developed the first edition of ‘Cyber Safety
Guidelines for Port and Shipping Company
Facilities’, a guide to safeguarding technology
systems from internal and external cyber threats as
stated in this media release on 28th Aug 2017.
These guidelines are designed to help companies
identify gaps and mitigate cyber security risks.
The only bit left to see is whether this will be
efficiently implemented globally or whether it will
turn into another ‘one-more-paper-for-the-annual-
audit’ mindset.
Looking for information based on marine engineering, navigation, maritime law or just life at
sea? Head towards https://maritimeoutlook.wordpress.com for the latest developments.
3/3