IMO Cyber Security Guidelines (MSC-FAL.1/Circ.3) and Resolution MSC.428(98) to be Adopted by 1 January 2021
The International Maritime Organization (IMO) has issued MSC-FAL.1/Circ.3 Guidelines on Maritime Cyber Risk Management. The guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities and include functional elements that support effective cyber risk management. The recommendations can be incorporated into existing risk management processes and are complementary to the safety and security management practices already established by IMO.
The Maritime Safety Committee adopted Resolution MSC.428(98) - Maritime Cyber Risk Management in Safety Management Systems. The resolution encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company's Document of Compliance after 1 January 2021.
Cyber risks are intrinsically linked to people, processes and IT/OT risks and can impact your organisation in many ways. As well as the more traditional confidentiality, integrity and availability (CIA triad) impacts, safety itself is often the overriding factor within maritime environments.
Figure 1 – Asset values using CIA Triad + Safety
Maritime industries have long focused on safety management systems and the management of risks. However, bringing cyber risks into play can often be challenging, as they are usually harder to quantify, understand and relate to the physical world around them.
Some lessons can be brought across from other industries, and frameworks such as the NIST Cybersecurity Framework are very helpful in aligning thinking and practice to cyber risks. But there are unique considerations that need to be factored in when applying a robust risk management process to cyber risks within the marine and offshore industries.
- Ships move. The locations they are in change and therefore the risks faced change. In some areas they may have internet connectivity through shore-based networks, in others via satellite, in others none at all. The impact of GPS spoofing will depend on the routes taken.
- Cargo may change. What a ship is carrying will change the likely threat actors, from passengers to refrigerated goods and LNG to containers.
- Crews may change. A crew taken on-board in one region may present different risks based on local customs, immigration, border controls, staffing companies and background checks available.
- Networked environments are built around IT and OT systems. It may seem obvious, but how these systems are linked and operated will change the potential impacts significantly.
- Route choice. Where ships sail can be impacted by political tensions and events.
- Adoption of technology. The potential for automation, integration and cloud/shore-based services to be intrinsically linked to on-board safety systems is here, and the adoption of these technologies will change the traditional attack surface for cyber threats.
- Legacy systems. Ships are built for a long service life. Land-based sectors can update, change and install new technology quickly and implement patching and other basic controls on a daily basis if required. Delivering this on board a ship that is only in dry dock for maintenance at fixed periods can be a real challenge.
The IMO has published guidelines for maritime cyber risk management and recommends that stakeholders take the necessary steps to safeguard shipping from current and emerging threats and vulnerabilities relating to the digitisation, integration and automation of processes and systems in shipping.
The IMO sets out the goal of maritime cyber risk management as being:
To support safe and secure shipping, which is operationally resilient to cyber risks.
The key recommendations from the IMO include:
- Effective cyber risk management should start at the senior management level and should embed a culture of cyber risk awareness into all levels of the organisation.
- A risk-based approach should be adopted, with a comprehensive assessment to compare an organisation's current and desired cyber risk management postures. Such a comparison may reveal gaps that can be addressed to achieve risk management objectives through a prioritised cyber risk management plan.
- The five NIST Cybersecurity Framework domains (Identify, Protect, Detect, Respond and Recover) should be considered as part of the response to the risk management review.
- All operational systems should be included and the process and effectiveness reviewed regularly.
- A plan to communicate awareness throughout the organisation should be implemented.
The IMO is not prescriptive in how these recommendations should be implemented, but refers to best practice from NIST, BIMCO and ISO/IEC 27001 as sources of additional guidance and standards.
The IMO guidance is expected to be implemented within the International Safety Management (ISM) Code procedures and the Safety Management System (SMS) for the vessel.
In order to comply with the requirements of the ISM Code, every company should develop, implement and maintain an SMS. The SMS should embrace the objectives of the Code: to ensure safety at sea, prevent human injury or loss of life, and avoid damage to the environment (in particular the marine environment) and to property.
The IMO also released Resolution MSC.428(98) (16 June 2017), which:
- AFFIRMS that an approved safety management system should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code.
- ENCOURAGES administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 2021.
- ACKNOWLEDGES the necessary precautions that could be needed to preserve the confidentiality of certain aspects of cyber risk management.
- REQUESTS member states to bring this resolution to the attention of all stakeholders.
The range of systems affected by cyber risks is broad. The IMO calls out the following areas in particular that must be considered:
- Bridge systems
- Cargo handling and management systems
- Propulsion and machinery management and power control systems
- Access control systems
- Passenger servicing and management systems
- Passenger facing public networks
- Administrative and crew welfare systems
- Communication systems
These will differ between the sub-sectors and parts of the maritime environment that your organisation is involved in, from shipping to ports to equipment vendors. For further details on how Nettitude and LR can help in your specific sector, please contact us or visit our website to learn more about how we can help marine and offshore organisations protect themselves from cyber risks.