
IMO 2021 puts a spotlight on cyber security

Jul. 29, 2020

IMO’s latest requirements for integrating cyber risk into onboard safety management systems come into force January 1, 2021. Here’s what ship owners need to know.

In 2017, IMO adopted Resolution MSC.428(98), which states that a ship’s safety management system (SMS) should account for cyber risk management in compliance with the ISM Code. For vessel owners, this means integrating cyber risk into their SMS by developing and implementing onboard procedures and mitigation measures, and doing so by January 1, 2021.

Applying the NIST framework

To help owners achieve compliance, IMO has provided guidelines based on the NIST framework. The framework offers a basic blueprint for developing a cyber risk management program, built around five steps: identifying risk, detecting risk, protecting assets, responding to risk and recovering from attacks.

However, ship owners and managers are likely to need additional guidance when putting this framework into practice. The NIST framework was designed as a generic template for cyber security management (it is not maritime-specific), and IMO’s guidelines do not provide a detailed methodology for meeting the regulatory requirements.

Digging into the details

First, ship owners must define the high-level structure of their cyber security policy by developing a complete inventory of at-risk systems. This inventory should cover both onboard and offshore systems, including Operational Technology (OT), Information Technology (IT) and associated equipment. It gives owners a comprehensive view of all systems so that the risk criticality of each can be assessed.

Ships should then undergo a cyber risk analysis that assesses threats and vulnerabilities, as well as the impact that exploitation of IT and OT systems would have on cyber security. Experts can then determine the relevant risks, evaluate the attack surface of each piece of equipment and consider the mitigation measures that have been, or should be, applied onboard.

Once this is done, owners can develop a set of policies and procedures for cyber risk management tailored to their vessel and its equipment. This policy should set out onboard cyber safety management rules, define the roles and responsibilities of personnel, include crew training activities and provide crisis management strategies.

Preparing with class notations

To help ship owners achieve compliance with IMO 2021 cyber requirements, Bureau Veritas has developed a comprehensive framework for cyber security based around our NR 659 Rules. Our holistic approach covers organizational and technical measures, allowing ship owners to protect their assets and define expectations for personnel, shipyards and manufacturers.

Our CYBER MANAGED notation allows owners of in-service vessels to develop a cyber risk management system using a risk-based methodology and a standardized framework. Owners and contractors are asked to develop a complete map of their IT and OT systems (Cyber Repository), high-level management principles (Cyber Policy) and detailed onboard procedures (Cyber Handbook).

For newbuilds, our CYBER SECURE notation ensures compliance with cyber security guidelines that include functional, testing and verification requirements. CYBER SECURE adds a “secure by design” layer to the procedural aspects covered by CYBER MANAGED, and further includes requirements for the selection and hardening of onboard equipment.