IMO 2021
New Cyber Security Regulation
The International Maritime Organization (IMO) safety code now includes a cyber chapter with specific compliance terms, including a mandatory obligation: MSC-FAL.1/Circ.3, Guidelines on maritime cyber risk management.
According to the regulation, all vessels are required to implement the necessary cyber security measures no later than January 2020. The regulation mandates several layers of protection in addition to the conduct of a cyber risk assessment.
The IMO regulation sits within a much larger body of guidance and standards, such as those of BIMCO, CLIA, ICS and OCIMF; the ISO/IEC 27001 standard on information technology security; and the United States NIST Framework for Improving Critical Infrastructure Cyber Security.
On December 23rd 2020, BIMCO issued the fourth edition of the industry cyber risk management guidelines, Guidelines on Cyber Security Onboard Ships, which lays the foundation for further improvement and refinement of companies’ cyber security risk assessments.
General Framework
The IMO/NIST/BIMCO framework offers a blueprint for developing a cyber risk management program, based around five steps:
Identifying risk
Detecting risk
Protecting assets
Responding to risk
Recovering
Asset Mapping
Shipowners must compile a complete inventory of at-risk systems. This step covers both onboard and offshore systems, and both Information Technology (IT) and Operational Technology (OT). Such mapping gives ship owners full understanding and visibility of all systems as the basis for the risk assessment.
Threat Analysis
Ships should then undergo a cyber risk analysis that assesses threats and vulnerabilities, as well as the impact that exploitation of IT and OT systems would have. The analysis shall determine the relevant risks, evaluate the attack surface of the equipment, and consider the mitigation measures that have been or should be applied onboard.
Policies & Procedures
Once this is done, owners can develop a set of policies and procedures for cyber risk management tailored to their vessel and its equipment. This step includes drafting the onboard cyber safety management rules under a specific policy, which will cover a disaster recovery plan, the roles and responsibilities of personnel, and more.