By Duncan Duffy, Head of Electrotechnical Systems, Lloyd’s Register Marine & Offshore
Increasingly interconnected computer-based systems on ships open the potential for attacks to affect human safety, the safety of the ship and to threaten the marine environment. Attackers may target any combination of people and technology to achieve their aim. To safeguard shipping from current and emerging threats, a range of measures can be adopted.
The discussion of specific measures is illustrated elsewhere in our case studies; however, it is useful to understand the developing regulatory and assurance frameworks under which these apply. The Guidelines on Maritime Cyber Risk Management [1] were approved at IMO MSC 98 and provide high-level recommendations on cyber risk management in the shipping industry. The functional elements that support effective cyber risk management are grouped in a manner familiar to users of the NIST framework [2]: Identification, Protection, Detection, Response, and Recovery from a cyber event.
At the same IMO meeting, a resolution was adopted which encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems (SMS) no later than the first annual verification of the company's Document of Compliance after 1 January 2021 [3]. For commercial vessels of convention size trading internationally, this clarifies that the identification of cyber risks and the establishment of appropriate safeguards fall under the ISM Code, while secondary aspects, including the physical security of IT and OT systems, can be dealt with by the ship security plan required by the ISPS Code, if and when required.
The IMO Guidelines on Maritime Cyber Risk Management refer to flag State Administrations' requirements, relevant international and industry standards and best practices to inform the technical criteria and operational procedures necessary to build cyber resilient ships whose resilience can be maintained in service.
Of the many available sources of guidance, the interim recommendations from IACS [4] and the industry guidelines from BIMCO et al. [5] cover technical and operational considerations for cyber risk management. In addition, it is becoming increasingly clear that, to enable cyber resilient ships that can be maintained in service, the context of operational use needs to be clear and considered as part of system design.
For onboard operational technology, that is, computer-based systems that depend on software to provide control, alarm, monitoring, safety or internal communication functions and which are subject to classification requirements, the IACS Classification Societies have agreed unified requirements for functionality [6]. These may not be mandatory for the navigation and radiocommunication equipment required by SOLAS chapter V and SOLAS chapter IV respectively; however, the ISM Code requires that an SMS takes into account the guidelines and standards recommended by classification societies and maritime industry organisations when assessing the cyber risk to such equipment and establishing appropriate safeguards for it.
The consequence is that a single cyber event has the potential to affect the technical and engineering requirements underpinning several certificates at once, including ISM, Classification, Safety Construction, Safety Equipment and Safety Radio certification. Things just got complicated.
Cyber Risk Management for the Whole Organisation
Lloyd's Register (LR) and Nettitude's professional services can help companies address cyber risk management in approved Company Safety Management Systems (SMS) and meet sector-specific risk management challenges.
The management of risk should cover tactical steps (e.g. building a risk register or assessing current risks) and compliance, through meeting sector-specific frameworks, but lead ultimately to a strategic view of cyber risk across the whole organisation's operations: ships, shore, third parties and cloud services. For this latter service, LR and Nettitude have developed a comprehensive cyber framework for the Marine and Offshore sector, the LR Cyber Security Framework (LR CSF). The LR CSF is based on measured outcomes and provides multiple levels of maturity for organisations at different stages and with different aspirations. It works alongside industry standards and supports port authorities, shipbuilders, ship owners, operators and managers in managing cyber security risks in a holistic manner.
Ship-specific Classification Services
The development of LR's classification standards is a dynamic process: as the threats evolve, the standards adapt to ensure that the safety, operability, performance and security of vessels are kept at the desired level throughout their service life. LR and Nettitude have released a new procedure for the Assessment of Cyber Security Controls for Ships and Ship Systems. The new procedure is part of our "ShipRight Procedures" that support the LR Rules, and systems assessed as compliant become eligible for a ShipRight Descriptive Note. The procedure was developed to provide an independent assessment of the effectiveness of cyber security controls within connected, integrated and internet-enabled systems and environments. It was designed with multiple levels of maturity across eight domain areas, enabling organisations to reach a baseline while setting a desired future position that is appropriate for the risks they face. We aim to make best practice simpler.
[1] IMO MSC-FAL.1/Circ.3, "Guidelines on Maritime Cyber Risk Management", July 2017
[2] NIST, "Framework for Improving Critical Infrastructure Cybersecurity", version 1.1, April 2018
[3] IMO Resolution MSC.428(98), "Maritime Cyber Risk Management in Safety Management Systems", June 2017
[4] IACS Recommendations 153 to 164, various titles, September and October 2016
[5] "The Guidelines on Cyber Security Onboard Ships", version 3.0, BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, OCIMF, WSC and IUMI, 2018
[6] IACS Unified Requirement E22, "On Board Use and Application of Computer Based Systems", June 2016