
Complying with the IMO 2021 Cyber Risk Management Regulations

Ensuring the safe and secured operation of vessels at sea and onshore.

This regulatory overview summarizes key parts of the IMO 2021 cyber risk management measures, encompassed in ISM safety management systems (SMS), with cross-references to ISO/IEC 27001 and the Guidelines on Cyber Security on Board Ships.


IMO 2021 Cyber Risk Management Compliance

    Introduction

    The IMO 2021 Cyber Risk Management Resolution

    In recognition of the urgent cyber threats to global shipping, the International Maritime Organization (IMO) adopted Resolution MSC.428(98), which sets a significant cybersecurity compliance deadline for the maritime industry.

    IMO Resolution MSC.428(98) “encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance (DOC) after 1 January 2021.”

    IMO subsequently published guidelines to facilitate appropriate cyber risk management for vessel owners and operators. Based on the NIST cybersecurity framework and tailored for the maritime industry, these guidelines provide recommendations — including functional elements — to support effective cyber risk management. The IMO guidelines also reference additional guidance and standards, including:

    • The Guidelines on Cyber Security Onboard Ships by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF, and IUMI.
    • ISO/IEC 27001 standard on information technology, security techniques, information security management systems, requirements, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

    The following overview correlates the key tenets of each document — IMO resolution, IMO guidelines (based on NIST), ISM Code, Guidelines on Cyber Security Onboard Ships, and ISO/IEC 27001. In this overview, the information presented is organized to facilitate ease of understanding, identification of an organization’s current cybersecurity posture, and the ability to identify gaps and implement safeguards at a high level.

    • Assess Cyber Risks: Identify cyber risks to ships and operations
    • Design a Secure Cyber Architecture: Design a cyber risk management framework
    • Protect Vessels and Operations: Implement safeguards to ensure operational resiliency

    Regardless of the method, guide, or standard, establishing a cyber risk management framework, implementing appropriate safeguards, and updating the safety management system to reflect such adaptations are required to comply with IMO/ISM cybersecurity regulations beginning January 1, 2021.

    Background

    Safety and cybersecurity — hand-in-hand.

    The International Convention for the Safety of Life at Sea (SOLAS) is an international maritime treaty establishing minimum safety standards for equipment, construction, and operation of merchant ships. SOLAS covers over 150 nation-states, encompassing more than 90% of merchant ships by gross tonnage.

    SOLAS Chapter IX — Management for the Safe Operation of Ships — requires every shipowner and any person or company that assumes responsibility for a ship to comply with the International Safety Management Code (ISM).

    The purpose of the ISM Code is to ensure safety at sea and prevent damage to property, personnel, and the environment. In order to comply with the ISM Code, a company must be audited after submitting a Safety Management System Manual (SMS) approved by a Flag Administration or Recognized Organization.

    Upon successful audit, the following certifications are issued:

    • Document of Compliance (DOC) — issued to the company
    • Safety Management Certificate (SMC) — issued to each vessel

    New Cybersecurity Regulations

    Addressing cyber risk management on board vessels

    To address increasing cyber threats to maritime operations and mitigate new cyber risks, the following was adopted by the IMO and added to the ISM Code (2018 Edition).

    • Resolution MSC.428(98): On June 16, 2017, the IMO adopted Resolution MSC.428(98) that “encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance (DOC) after 1 January 2021.”
    • MSC-FAL.1/Circ.3: On July 5, 2017, the IMO issued MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management. These guidelines provide “high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities and include functional elements that support effective cyber risk management. The recommendations can be incorporated into existing risk management processes and are complementary to the safety and security management practices already established by IMO.”

    Overview

    What is the objective?

    Per the IMO Guidelines on maritime cyber risk management, the goal of Resolution MSC.428(98) is to “support safe and secure shipping, which is operationally resilient to cyber risks.”

    What is required?

    The IMO resolution effectively addresses cyber risks as a part of safety management systems within the ISM Code. Nearly all of the international shipping community is required to comply with the ISM Code, as respective countries are parties to SOLAS. Therefore, in order to comply with the ISM Code, internationally voyaging vessels must address cyber risks within their safety management systems.

    When is the deadline?

    The deadline for compliance is “before January 1, 2021 or the first annual verification of the company’s DOC after January 1, 2021.” In order to be in compliance with the ISM Code, organizations will need to address their cyber risks at some point during 2021 (if doing international business that year).

    Who is affected?

    The ISM Code applies to the owner or anyone who assumes responsibility for the operation of the ship. Both owners and operators (if different) will need to be in compliance.

    Importantly, port operations play an equally critical role in the maritime industry. While port operations do not fall under Resolution MSC.428(98), it is pertinent that port facilities undertake appropriate cybersecurity measures, both to protect themselves and to protect the clients that call at and rely on the safe and secure operation of port facilities. Moreover, as vessels bolster their cybersecurity postures, owners and operators may be reluctant to work with port facilities that do not share their level of cyber risk management, as port cyber incidents have the potential to impact vessels and at-sea operations.

    Addressing Cyber Risks

    Complying with the IMO/ISM 2021 cybersecurity regulations

    Many industries and organizations address environment, health, and safety (EHS/HSE) and cyber risk management separately, often managed by entirely different departments. Conversely, IMO Resolution MSC.428(98) essentially merges the two seemingly separate ‘disciplines’ under one framework — operational risk management — encouraging maritime organizations “to ensure that cyber risks are appropriately addressed in safety management systems.” There are considerable similarities between safety and cyber risk management practices, and the two clearly impact each other in today’s digitally connected world. So, what does this look like?

    First, the ISM Code defines safety management systems (to include cyber risks) as:

    “Safety management system means a structured and documented system enabling company personnel to implement effectively the company safety and environmental protection policy.”
    ISM Code

    Functional Elements of Cyber Risk Management

    The existing ISM Code covers people, processes, and technology across elements such as incident response planning or emergency situation preparation. As such, addressing cyber risks within the safety management system — thereby in compliance with the IMO resolution and ISM Code — also touches on people, processes, and technology, covering all functional elements as further defined in the IMO guidelines. Addressing cyber risks should cover:

    • Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data, and capabilities that, when disrupted, pose risks to ship operations.
    • Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations.
    • Detect: Develop and implement activities necessary to detect a cyber-event in a timely manner.
    • Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber event.
    • Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.


    Scope

    Importantly, the IMO recognizes “no two organizations in the shipping industry are the same” in its Guidelines on maritime cyber risk management. The IMO guidelines are expressed in “broad terms in order to have a widespread application.” As such, they are prescriptive not in execution but in fundamental principles and intent. Both the IMO guidelines and the ISM Code require organizations to address cyber risks towards the aim of operational resiliency and across various elements within an organization.

    While there is considerable room for interpretation, an approved safety management system must adequately address both the ISM Code objectives (the intent) as well as functional elements (identify, protect, detect, respond, recover) in a manner that is concurrent and continuous in practice.


    Achieving Compliance

    How to Begin

    The following sections correlate the key tenets of each document provided or referenced by the IMO, including the IMO resolution, the IMO guidelines (based on NIST), the ISM Code, the Guidelines on Cyber Security Onboard Ships (published by BIMCO et al.), and the ISO/IEC 27001 standard. The information is organized to facilitate ease of understanding, identification of an organization’s current cybersecurity posture, and the ability to identify gaps and implement safeguards at a high level. The following sections include:

    • Assess Cyber Risks: Identify cyber risks to ships and operations
    • Design a Secure Cyber Architecture: Design a cyber risk management framework
    • Protect Vessels and Operations: Implement safeguards to ensure operational resiliency

    To further assist organizations as they prepare for compliance and track their progress, a high-level checklist is also provided at the end of this overview.


    What’s Covered

    • IMO Resolution MSC.428(98)
    • MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management
    • Guidelines on Cyber Security Onboard Ships by BIMCO et al.
    • ISO/IEC 27001
    • U.S. NIST Framework for Improving Critical Infrastructure Cybersecurity

    Assess cyber risks

    Cyber-related risks and threats to your vessel and operational networks are mounting, and so are the maritime industry cybersecurity compliance requirements. Between the IMO Resolution MSC.428(98) and other programs like the Tanker Management and Self Assessment (TMSA), you’ll need to get a handle on your vessel IT and operational technology (OT) networks before you can begin.

    Cyber risk assessments can help jump-start your efforts to create a cybersecurity strategy and establish an initial baseline of cybersecurity requirements and internal standards for your vessel networks. For that reason, the majority of cybersecurity frameworks and regulations have an assessment component — IMO included.

    “In the context of a ship’s operation, cyber incidents are anticipated to result in physical effects and potential safety and/or pollution incidents. This means that the company needs to assess risks arising from the use of IT and OT onboard ships and establish appropriate safeguards against cyber incidents.”
    Guidelines on Cyber Security Onboard Ships, BIMCO et al.
    Original text and references:

    • Comprehensively assess cyber risks across people, processes, and technology, including IT, OT, and data.
      References: ISM Code: 1.2.2.2, 10.3; IMO Guide: 1.2, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.9, 3.1, 3.4, 3.5.1; Industry Guide: 3, 4; ISO/IEC 27001: A.8.1.1, A.8.2.1, A.12.6.1, A.15.2.1, A.16.1.4, A.17.1.1-2
    • Reassess cyber risk implementation, review, reporting, and auditing functions of the safety management system.
      References: ISM Code: 1.4.6, 2.2, 5.1.5, 10.2.1, 12.1; IMO Guide: 2.1.8, 3.3, 3.5, 3.6, 3.7; ISO/IEC 27001: A.5.1.2, A.9.1.1, A.9.2.5, A.12.6.1, A.12.7.1, A.13.2.4, A.14.2.3, A.15.2.2, A.16.1.4, A.17.1.3, A.18.2.1-3

    Assess Cyber Risks

    Recommended Action: Cyber Risk Assessments

    Comprehensively assess cyber risks across people, processes, and technology, including IT, OT, and data. Reassess cyber risk implementation, review, reporting, and auditing functions of the safety management system.

    “The goal of maritime cyber risk management is to support safe and secure shipping, which is operationally resilient to cyber risks.”
    IMO MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management

    Assess Cyber Risks

    Recommended Action: Reassessments

    Incorporate cyber risk management into the implementation, review, reporting, and auditing functions of the safety management system, including:

    • Ensure policy implementation at all levels of the organization, onboard and ashore
    • Periodically review and report deficiencies
    • Hold inspections at appropriate intervals
    • Carry out internal safety audits, onboard and ashore, encompassing cyber risk management as it impacts safety
    • Establish or extend the safety management system to constitute an ongoing process of feedback mechanisms in relation to cyber risk management

    Design and document a secure cyber architecture

    Organizations in the maritime industry have different needs and levels of maturity when it comes to the breadth of their vessel IT and OT networks and cyber-related systems, so approaches to securing their maritime cyber architectures will vary. Two methods maritime organizations can use to design a secure maritime cyber architecture are described in the following section.

    Organizations must also update their safety management system, including relevant documentation, to account for their maritime cyber risk management framework.

    “Cyber technologies have become essential to the operation and management of numerous systems critical to the safety and security of shipping and protection of the marine environment... However, the vulnerabilities created by accessing, interconnecting or networking these systems can lead to cyber risks which should be addressed.”
    Guidelines on maritime cyber risk management, IMO
    Original text and references:

    • Design, establish, or incorporate cyber risk management into the organization’s safety management system.
      References: ISM Code: 1.2.2.2, 10.3; IMO Guide: 1.2, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.9, 3.1, 3.4, 3.5.1; Industry Guide: 3, 4
    • Update or adapt the safety management system to account for the cyber risk management framework. Include relevant documentation.
      References: ISM Code: 1.1.4, 1.2.2, 1.2.3.1, 1.4, 2.1, 3.2, 5.1, 6.5, 7, 8.1, 8.2, 9.1, 9.2, 10.3, 10.4; IMO Guide: 2.1.9, 3.5; Industry Guide: 1, 5.1; ISO/IEC 27001: A.5.1.1, A.6.1.1, A.6.2.1-2, A.7.1.1-2, A.7.2.1-3, A.7.3.1, A.8.1.3, A.8.2.1-3, A.9.1.1, A.9.2.1-2 & 4, A.9.3.1, A.10.1.1-2, A.11.1.1 & 3-5, A.11.2.9, A.12.1.1, A.12.2.1, A.12.3.1, A.12.6.1-2, A.12.7.1, A.13.2.1 & 4, A.14.2.1 & 5-6 & 9, A.15.1.2, A.15.2.1-2, A.16.1.1 & 4 & 7, A.17.1.1-3, A.18.2.1-3

    Design a Secure Cyber Architecture

    Recommended Action: Incorporate Cyber Risk Management in the Safety Management System

    Design, establish, or incorporate cyber risk management into the organization’s safety management system. Update or adapt the safety management system to account for cyber risk management framework (as designed above). Include relevant documentation.

    Design a Secure Cyber Architecture

    Recommended Action: Updating the Safety Management System for Cyber Risks

    Update or adapt the safety management system to account for the cyber risk management framework (as designed above). Include relevant documentation as indicated below:

    • Document how cyber risk management objectives will be achieved or adapt existing language
    • Document roles and responsibilities of personnel for cyber risk management
    • Document procedure for ensuring and maintaining resources for cyber risk management
    • Document cyber risk procedures, plans, and instructions
    • Document cyber risk emergency and incident response plans
    • Document procedures for cyber non-conformity, accident, or incident reporting
    • Document procedures for corrective actions and recurrence prevention
    • Document identified critical assets where the sudden operational failure could create hazardous situations
    • Document specific measures aimed at promoting reliability and resiliency
    • Document procedures for the creation and maintenance of back-ups within the ship’s operational maintenance routine

    Protect vessels and safeguard operations

    Ultimately, the goal of the IMO Resolution is to protect vessels and maritime operations.

    Now is the time to review your operations and management of your vessels to ensure their security, safety, and reliability from the onslaught of emerging cyber-attacks. With a thorough and effective cybersecurity risk management approach, you’ll be able to ensure that you have the resources needed to protect your onshore and offshore operations. And with real-time visualization of your data and protection of critical assets, and continuous monitoring across your vessels and maritime operations, you will be on your way to achieving IMO cybersecurity compliance.

    “Stakeholders should take the necessary steps to safeguard shipping from current and emerging threats and vulnerabilities related to digitization, integration and automation of processes and systems in shipping... Risk management is fundamental to safe and secure shipping operations.”
    Guidelines on maritime cyber risk management, IMO
    Original text and references:

    • The functional elements should be incorporated in the risk management framework, concurrently and continuously. Include actions in the existing SMS to account for cyber risk management.
      References: ISM Code: 1.2.2, 1.2.3.1, 1.4; IMO Guide: 2.1.9, 3.5; Industry Guide: 1, 5.1
    • Implement cyber risk management changes as outlined in the new or updated cyber risk management policy or framework.
      References: ISM Code: 1.2.2, 1.2.3.1, 1.4; IMO Guide: 2.1.9, 3.5; Industry Guide: 1, 5.1

    Protect Vessels and Operations

    Recommended Action: Establishing Concurrent and Continuous Cyber Risk Management

    The functional elements — identify, protect, detect, respond, recover — should be incorporated in the risk management framework, concurrently and continuously. These functional elements encompass people, processes, and technology.



    Additional Resources

    Is your safety management system audit-ready?

    Readiness begins with understanding your current cybersecurity posture. A trusted partner can help.

    Mission Secure is offering a limited-time, complimentary IMO 2021 Cyber Readiness Review. The Readiness Review is a simple, no-cost, three-step process for establishing your organization’s cyber readiness baseline.

    • Cyber Overview: Mission Secure provides a 30-minute primer on IMO 2021 compliance and maritime sector-specific considerations. Obtain answers to compliance questions and secure your cybersecurity bearings.
    • Cyber Readiness Screener: Participate in a guided, 60-minute cybersecurity self-assessment drawing upon the most common frameworks used in the maritime sector today.
    • Scorecard and Recommendations: Receive a complimentary IMO Readiness scorecard with recommendations for further action. Understand your organization’s alignment with the major cybersecurity frameworks and begin charting a course for increased security.

    “Safety and cybersecurity are not based on frameworks or checklists; for us, it is a habitual action. We have lower downtime than our competitors due to the preventative maintenance we implement on our vessels. Cybersecurity is a key program in minimizing downtime risk as well. We are extremely pleased with our partnership with Mission Secure to improve our overall operational cybersecurity.”
    Vice President of IT, LNG Global Shipping Provider
