Complying with the IMO 2021 Cyber Risk Management Regulations

Background

Safety and cybersecurity —
hand-in-hand.

The International Convention for the Safety of Life at Sea (SOLAS) is an international maritime treaty establishing minimum safety standards for equipment, construction, and operation of merchant ships. SOLAS covers over 150 nation-states, encompassing more than 90% of merchant ships by gross tonnage.

SOLAS Chapter IX — Management for the Safe Operation of Ships — requires every shipowner and any person or company that assumes responsibility for a ship to comply with the International Safety Management Code (ISM).

The purpose of the ISM Code is to ensure safety at sea and prevent damage to property, personnel, and the environment. In order to comply with the ISM Code, a company must be audited after submitting a Safety Management System Manual (SMS) approved by a Flag Administration or Recognized Organization.

Upon successful audit, the following certifications are issued:

• Document of Compliance (DOC) — issued to the company
• Safety Management Certificate (SMC) — issued to each vessel

Overview

What is the objective?

Per the IMO Guidelines on maritime cyber risk management, the goal of Resolution MSC.428(98) is to “support safe and secure shipping, which is operationally resilient to cyber risks.”

What is required?

The IMO resolution effectively addresses cyber risks as a part of safety management systems within the ISM Code. Nearly all of the international shipping community is required to comply with the ISM Code, as respective countries are parties to SOLAS. Therefore, in order to comply with the ISM Code, internationally voyaging vessels must address cyber risks within their safety management systems.

When is the deadline?

The deadline for compliance is “before January 1, 2021 or the first annual verification of the company’s DOC after January 1, 2021.” In order to be in compliance with the ISM Code, organizations will need to address their cyber risks at some point during 2021 (if doing international business that year).

Who is affected?

The ISM Code applies to the owner or anyone who assumes responsibility for the operation of the ship. Both owners and operators (if different) will need to be in compliance.

Importantly, port operations play an equally critical role in the maritime industry. While port operations do not fall under Resolution MSC.428(98), it is pertinent that port facilities undertake appropriate cybersecurity measures — to protect both themselves as well as clients coming to and relying on the safe and secure operation of port facilities. Moreover, as vessels bolster their cybersecurity postures, owners and operators may show reluctance in working with port facilities that do not share their level of cyber risk management as port cyber incidents have the potential to impact vessels and at-sea operations.

Functional Elements of Cyber Risk Management

The existing ISM Code covers people, processes, and technology across elements such as incident response planning or emergency situation preparation. As such, addressing cyber risks within the safety management system — thereby in compliance with the IMO resolution and ISM Code — also touches on people, process, and technology, covering all functional elements as further defined in the IMO guidelines. Addressing cyber risks should cover:

• Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data, and capabilities that, when disrupted, pose risks to ship operations.
• Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations.
• Detect: Develop and implement activities necessary to detect a cyber-event in a timely manner.
• Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber event.
• Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.

Scope

Importantly, the IMO recognizes “no two organizations in the shipping industry are the same” in its Guidelines on maritime cyber risk management. The IMO guidelines are expressed in “broad terms in order to have a widespread application.” As such, they are not prescriptive in execution but in fundamental principles and intent. Both the IMO guidelines and the ISM Code require organizations to address cyber risks towards the aim of operational resiliency and across various elements within an organization.

While there is considerable room for interpretation, an approved safety management system must adequately address both the ISM Code objectives (the intent) as well as functional elements (identify, protect, detect, respond, recover) in a manner that is concurrent and continuous in practice.

Achieving Compliance

How to Begin

The following sections correlate the key tenants of each document provided or referenced by the IMO, including the IMO resolution, the IMO guidelines (based on NIST), the ISM Code, the Guidelines on Cyber Security Onboard Ships (published by BIMCO et al.), and the ISO/IEC 27001 standard. The information is organized to facilitate ease of understanding, identification of an organization’s current cybersecurity posture, and the ability to identify gaps and implement safeguards at a high level. The following sections include:

• Assess Cyber Risks: Identify cyber risks to ships and operations
• Design a Secure Cyber Architecture: Design a cyber risk management framework
• Protect Vessels and Operations: Implement safeguards to ensure operational resiliency

To further assist organizations as they prepare for compliance and track their progress, a high-level checklist is also provided at the end of this overview.

What’s Covered

• IMO Resolution MSC.428(98)
• MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management
• Guidelines on Cyber Security Onboard Ships by BIMCO et al.
• ISO/IEC 27001
• U.S. NIST Framework for Improving Critical Infrastructure Cybersecurity

IMO 2021 Cyber Risk Management Compliance

Assess cyber risks

Cyber-related risks and threats to your vessel and operational networks are mounting, and so are the maritime industry cybersecurity compliance requirements. Between the IMO Resolution MSC.428(98) and other programs like the Tanker Management and Self Assessment (TMSA), you’ll need to get a handle on your vessel IT and operational technology (OT) networks before you can even commence.

Cyber risk assessments can help jump-start your efforts to create a cybersecurity strategy and establish an initial baseline of cybersecurity requirements and internal standards for your vessel networks. For that reason, the majority of cybersecurity frameworks and regulations have an assessment component — IMO included.

Assess Cyber Risks

Recommended Action: Reassessments

Incorporate cyber risk management into the implementation, review, reporting, and auditing functions of the safety management system, including:

• Ensure policy implementation at all levels of the organization, onboard and ashore
• Periodically review and report deficiencies
• Hold inspections at appropriate intervals
• Carry out internal safety audits, onboard and ashore, encompassing cyber risk management as it impacts safety
• Establish or extend the safety management system to constitute an ongoing process of feedback mechanisms in relation to cyber risk management

IMO 2021 Cyber Risk Management Compliance

Design and document a secure cyber architecture

Organizations in the maritime industry will have different needs and levels of maturity when it comes to the breadth of their vessel IT and OT networks and cyber-related systems, so approaches to securing their maritime cyber architectures will vary. A couple of methods are described for maritime organizations to design a secure maritime cyber architecture; both are covered in the following section as you design your secure cyber architecture.

Organizations must also update their safety management system, including relevant documentation, to account for their maritime cyber risk management framework.

Design a Secure Cyber Architecture

Recommended Action: Updating the Safety Management System for Cyber Risks

Update or adapt the safety management system to account for the cyber risk management framework (as designed above). Include relevant documentation as indicated below:

• Document how cyber risk management objectives will be achieved or adapt existing language
• Document roles and responsibilities of personnel for cyber risk management
• Document procedure for ensuring and maintaining resources for cyber risk management
• Document cyber risk procedures, plans, and instructions
• Document cyber risk emergency and incident response plans
• Document procedures for cyber non-conformity, accident, or incident reporting
• Document procedures for corrective actions and recurrence prevention
• Document identified critical assets where the sudden operational failure could create hazardous situations
• Document specific measures aimed at promoting reliability and resiliency
• Document procedures for the creation and maintenance of back-ups within the ship’s operational maintenance routine

IMO 2021 Cyber Risk Management Compliance

Protect vessels and safeguard operations

Ultimately, the goal of the IMO Resolution is to protect vessels and maritime operations.

Now is the time to review your operations and management of your vessels to ensure their security, safety, and reliability from the onslaught of emerging cyber-attacks. With a thorough and effective cybersecurity risk management approach, you’ll be able to ensure that you have the resources needed to protect your onshore and offshore operations. And with real-time visualization of your data and protection of critical assets, and continuous monitoring across your vessels and maritime operations, you will be on your way to achieving IMO cybersecurity compliance.