Maritime

Frequently asked questions

Below you will find a collection of frequently asked questions related to cyber security.


IMO cyber resolution and ISM

Is the IMO considering including any IT personnel in Safe Manning Certificates?

Answer:

The IMO is not requiring any additional manning as part of this decision. That said, seafarers shall be qualified for their jobs (cf. the Maritime Labour Convention, Regulation 1.3, paragraph 1: "Seafarers shall not work on a ship unless they are trained or certified as competent or otherwise qualified to perform their duties."). When it comes to manning, the international solution is that "[each flag State] shall require that all ships that fly its flag have a sufficient number of seafarers employed on board to ensure that ships are operated safely, efficiently and with due regard to security under all conditions, taking into account concerns about seafarer fatigue and the particular nature and conditions of the voyage" (cf. MLC Regulation 2.7). For most flag States, manning is set through an application in which the shipowner/DoC Holder documents compliance with IMO resolution A.1047(27). We have no indication that manning requirements will change.

Are there any minimum requirements or recommendations for the company to appoint an on-board Cyber Security Officer?

Answer:

There is no requirement decided by the IMO. Competency requirements are found in the ISM Code and in the Maritime Labour Convention (Regulation 1.3). In addition, we find it self-evident that there must be people with cyber security responsibility in the company and on board the vessels, and communication between them, in order to ensure ongoing compliance and continuous improvement. From the statutory perspective, it is up to the DoC Holder to develop the measures needed.

Should cyber security risk be included only in the ISM risk assessment, or also in the ISPS risk assessment?

Answer:

The decision is to handle cyber security through ISM and, as is well known, risk assessment and handling is a requirement in the objectives of that code. That said, cyber risk may also impact security (ISPS) and working and living conditions (MLC), so we encourage that needs related to these also be considered. We recommend that DoC Holders handle requirements and objectives through one system, and that this is the safety management system (and its systematics) required by the ISM Code.

Is cyber security audited and verified under the DoC/SMC, or is another certificate needed?

Answer:

The statutory certificates will be the SMC and the DoC. Any deficiency will be identified in the audit reports and handled like other deficiencies.

Is cyber security not part of the SMC audit on board ships?

Answer:

The IMO decision is to verify compliance starting with the first annual Company (DoC) audit after 1 January 2021. This will be the starting point for assessing compliance. As this will include the SMS measures for ongoing compliance and continuous improvement, the systematics for assessing implementation and handling on board will remain and will include cyber security.

Which categories of vessels are the cyber security rules applicable to?

Answer:

The IMO decision linking cyber security to ISM means that cyber security must be handled on vessels where the ISM Code is applicable. The risks to vessels and companies are of course not limited to these vessels, so we encourage others to identify and handle cyber risk as well.

Do we have to be able to prove that the crew members are aware of cyber security?

Answer:

Yes. In order to handle cyber security and cyber risk, we expect you to have effective measures in your safety management system ensuring compliance on board. With the use of personal equipment by most, we expect that all on board will be involved and will have to be aware to some degree. In addition, there will have to be crew members with special responsibilities for cyber security on board, and to some degree that will also have to include the others. Where to draw the lines and how to set up the organisation must be part of the revision of the SMS, which you must consider while also noting the outcome of the performed risk assessment.

Do all crew members have to follow the courses, or only officers?

Answer:

There are competency requirements in the ISM Code and the MLC which will have to be complied with. So far there are no mandatory courses.

If there are gaps in the cyber risk handling established in the SMS, would it become a non-conformity or simply be used as an improvement tool?

Answer:

In the 2020 audits DNV GL aims to raise awareness of cyber security; however, from 1 January 2021 it will be a standard audit item and deficiencies will be tagged like any other deficiency.

If a company is ISO 27001 certified, what would DoC audits look like for them?

Answer:

If you have combined services through the DNV GL Seamless Management Systems services with ISO 27001 in scope, we will make use of the overlaps and take out synergies in one audit crediting both. If the services are not delivered as seamless, there will be two audits, and it will always be the statutory ISM/DoC audit that verifies compliance and through which the required statutory certificates are issued.

Am I right that the cyber risk assessment requirement comes into force from 01-2021 only?

Answer:

The handling of risk has been and is a requirement of the ISM Code; what is new is that the IMO in 2017 identified cyber security as a risk and mandated verification of its handling through the safety management system, starting from the first annual DoC audit after 01.01.2021.

Cyber secure classification rules

Is the Cyber secure class notation mandatory?

Answer:

The Cyber secure class notation is a voluntary additional notation used to demonstrate the cyber security resilience of the vessel. However, the class notation can be a good tool for proving compliance with other mandatory regulatory and commercial requirements.

How are DNV GL's Cyber secure rules aligned with other industry requirements?

Answer:

There is a vast number of different standards used for cyber security across industries. We have chosen to base our rules on recognised IEC standards already in use in the maritime industry, such as IEC 62443 (control system cyber security) and IEC 61162-460 (bridge systems), to ease industry uptake of the rules, and we have made maritime and offshore profiles for these. IEC 62443-2-1, on which we have based our procedural requirements, is also well aligned with the ISO 27000 standards more commonly used for information technology (IT) systems.

Moreover, the entry-level Cyber secure class notation (Link) reflects the IMO MSC.428(98) cyber requirements. We also believe the Cyber secure class notation levels are well aligned with maritime regulation and charter requirements.

What are the different levels of the Cyber secure class notation?

Answer:

The Cyber secure class notation has three main levels, in addition to the (+) qualifier.

1. The entry-level class notation Cyber Secure addresses the most critical vulnerabilities (security profile 0). In addition, the notation requires that a cyber security management system is established to ensure secure ship operation and to meet the upcoming IMO resolution MSC.428(98). The systems under consideration are the 10 essential and important vessel functions.

2. Class notation Cyber Secure (Essential), formerly called Basic, includes all of the entry-level Cyber secure notation above, but in addition examines the control systems in more detail to ensure security controls/capabilities at security profile 1 (comprehensive protection against casual or coincidental cyber security threats/violations).

3. Cyber Secure (Advanced) covers the same scope as Essential, but with an increased security level (security profile 3). This is primarily intended for more complex newbuilding projects and is designed to protect against intentional violations using sophisticated means and specific control system skills.

4. If additional and/or other systems are requested to be addressed for cyber security, the (+) qualifier can be added to any of the three levels above.

See the Cyber secure class notation service page (Link) and the Cyber Secure notation level selector app web page (Link) for more details.

Which level of the Cyber secure class notation would you recommend for my vessel?

Answer:

The level of the Cyber secure class notation selected for your vessel will depend on cyber security risk, complexity, remote connections, system interconnectivity, available resources, etc.

As a rule of thumb, existing merchant vessels such as bulk carriers, container ships, tankers, etc. should aim at the entry-level Cyber secure notation. Newbuildings and more complex vessels may consider applying higher requirements. To support the initial qualifier selection, we have made an app (Link) on the Cyber secure class notation web page (Link).

How does the Cyber secure class notation relate to the IMO's cyber security resolution?

Answer:

The DNV GL entry-level Cyber secure class notation (Link) reflects DNV GL ship classification's interpretation of the IMO MSC.428(98) cyber requirements.

How are ship design requirements and procedures managed to reflect the different responsibilities for a newbuilding, divided between the owner and the yard?

Answer:

The technical cyber security design requirements need to be fulfilled by the yard and the system suppliers, and will result in a Cyber secure class notation, DNV GL-RU-SHIP-Pt6-Ch5-Sec21 (Link).

To keep the class notation during the sailing phase, the operator/manager will need to show that procedures and policies in line with the requirements for a cyber secure management system are complied with, DNVGL-RU-SHIP-Pt7-Ch1-Sec6-41 (July 2020) (Link).

How will the Cyber secure class notation be followed up during the sailing phase?

Answer:

To keep the class notation during the sailing phase, the operator/manager will need to show that procedures and policies in line with the requirements for a cyber secure management system are complied with, DNVGL-RU-SHIP-Pt7-Ch1-Sec6-41 (July 2020) (Link).

Has the cyber security notation been adopted by IACS as a whole, or is this option currently only offered individually by ROs?

Answer:

Since class rules belong to the relevant class society, the Cyber secure class notation is part of the DNV GL rules. However, we have chosen to base our rules on a recognised IEC standard to make them universally applicable. There is also work within IACS to align cyber requirements, and this will probably align the overall structure, but the different societies will decide for themselves how they implement and enforce it in their rules.

Can the Cyber secure class notation be applied to non-DNV GL classed vessels?

Answer:

Yes, the DNV GL Cyber secure rules can also be applied to non-DNV GL classed vessels. The vessel will then get a Certificate of Compliance towards the rules instead of a class notation. Another scheme for follow-up during the sailing phase also needs to be established.

What ship systems does the Cyber secure class notation consider?

Answer:

Our Cyber secure class notations address by default the software-based systems needed to maintain essential vessel services.

The following systems are included in scope:

- Systems related to vessel propulsion

- Systems related to vessel steering

- Systems related to vessel watertight integrity

- Systems related to vessel fire detection and mitigation

- Systems related to vessel ballasting

- Systems related to thruster(s) not part of propulsion (if applicable)

- Systems related to power generation

- Auxiliary systems related to propulsion, steering and power generation

- Navigation systems

- Communication systems

If desired, additional control systems may also be added to scope, see Cyber secure(+) below.

How is the (+) qualifier of the Cyber secure class notation intended to be used?

Answer:

The (+) qualifier is intended to allow for flexibility regarding the systems and security requirements applied for the class notation. The base qualifier without (+) has the 10 essential and important ship functions as scope (propulsion, steering, power generation, ballasting, fire, auxiliary thrusters, essential auxiliary equipment, navigation and communication).

You can use the (+) qualifier to add a system to the scope, e.g. cargo systems or drilling systems. It can also be used to increase the security controls for any of the 10 systems in scope, e.g. Cyber secure (+) where the navigation systems fulfil security profile 1 instead of security profile 0 (as for the remaining Cyber secure systems).

What is special about a component that has a Cyber security type approval, and how does it relate to vessels with the Cyber secure class notation?

Answer:

A system which has a Cyber security type approval has been verified to have capabilities which fulfil the Cyber secure rules at a given security profile.

If a Cyber secure type-approved system is used in a Cyber secure class project, the project effort will be reduced: only the configuration of that system and its integration, not its capabilities, need to be verified.

For what systems/components is the Cyber secure type approval programme intended?

Answer:

The Cyber security type approval programme (Link) (DNVGL-CP-0231) is intended to verify the cyber security capabilities of software-based ship systems such as control and bridge systems. It can also be applied to any other system intended to fulfil a ship function on board a vessel.

Moreover, it can also be used to verify the capabilities of cyber security protection solutions, i.e. to verify which Cyber secure requirements can be met using the solution. For example, a removable media scanning station can fulfil some requirements regarding removable media usage and malicious code when used in combination with certain procedures.

Can we use the Cyber secure type approval solution to certify non-vessel control and bridge systems, such as cyber security protection solutions?

Answer:

Yes, it can also be used to verify the capabilities of cyber security protection solutions, i.e. to verify which Cyber secure requirements can be met using the solution. For example, a removable media scanning station can fulfil some requirements regarding removable media usage and malicious code when used in combination with certain procedures.

The details of such a request need to be considered on a case-by-case basis, and you should contact us via the Cyber security type approval page (Link) to get an offer for this support.

As a shipyard, what preparations do we need to take for upcoming newbuilding when it comes to cyber security?

Answer:

Please see "Yards" tab (Link) of our DNV GL web site.

Are there any special considerations for autonomous and remote-controlled vessels?

Answer:

There are ongoing discussions on autonomous and remotely operated vessels, both nationally and internationally. The importance of cyber security of course increases with the degree of autonomous and remote operation. The ISM Code and the responsibilities of the DoC Holder when operating autonomously or remotely have been part of the ongoing discussions. This has not been settled yet, but indications are that these will remain the same, and with that cyber security must also be handled in the SMS for companies operating autonomous or remotely supported vessels.

Cyber risk assessment

Is there a specific cyber risk assessment form to be used?

Answer:

We recommend that you use your existing systematics for risk assessment (process, rating scales and risk matrix). If you find that the existing solution does not fit your needs, then consider alternatives. Special care should be taken to address all potential consequence impact categories (confidentiality, integrity and availability) for systems and data. For the statutory work there is no risk assessment guidance.

Is it not difficult to analyse the likelihood and consequence of cyber risk scenarios when there are few records of incidents?

Answer:

True; therefore alternative approaches are relevant for estimating the likelihood of a cyber incident. These include "Ease of Access" (see DNVGL-RP-0496 and the Cyber secure class notation) as well as threat modelling based on the capacity and motivation of the attacker and the level of vulnerability of the equipment.

What risk rating scales and matrix should be used for cyber risks?

Answer:

We recommend using the same risk matrix and likelihood/consequence rating scales as for all safety/environmental risks on board. This makes comparison between cyber-related and non-cyber-related risks possible, and a more holistic approach enables more efficient (cost-benefit) risk treatment. However, the way the risk is assessed will differ: the consequence of the loss of confidentiality, integrity and availability should be assessed, and the lack of statistical data for the likelihood assessment requires another approach to determine the expected frequency of incidents.

If you already have a comprehensive risk management programme, would you still recommend integrating cyber security into the safety management system?

Answer:

The decision is to handle cyber security through ISM and, as is well known, risk assessment and handling is a requirement in the objectives of that code. We recommend that DoC Holders handle requirements and objectives through one system, and that this is the safety management system (and its systematics) required by the ISM Code.

In your opinion, which onboard systems are most prone to attack?

Answer:

The more connectivity a system has, the higher the likelihood that it will suffer a cyber security incident. Furthermore, targeted attacks are more likely against systems/data of high value.
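The three answers above (a common risk matrix for cyber and non-cyber risks, consequence assessed as loss of confidentiality, integrity and availability, and likelihood estimated from ease of access rather than incident statistics) can be put together in one small risk register. The following is an added example written for this page, not a DNV GL tool or form: the 1-5 scales, the weighted ease-of-access formula for likelihood, the risk-rating thresholds and all scenario values are constructed assumptions; the structure is what the answers describe.

```python
"""Constructed example: one 5x5 risk matrix shared by cyber and safety scenarios.

Assumptions (not from the FAQ): 1-5 rating scales, the weighting used to turn
ease-of-access factors into a likelihood, the HIGH/MEDIUM/LOW thresholds, and
every value in the sample register below.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Level(IntEnum):
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5


@dataclass
class Scenario:
    name: str
    # Safety/environmental scenarios: consequence and frequency-based likelihood
    # are rated directly, as in the existing onboard risk assessment.
    consequence: Optional[Level] = None
    likelihood: Optional[Level] = None
    # Cyber scenarios: consequence comes from the worst of the C/I/A impacts,
    # likelihood from ease-of-access factors (connectivity, attacker
    # motivation, vulnerability) because incident statistics are lacking.
    impact_c: Optional[Level] = None
    impact_i: Optional[Level] = None
    impact_a: Optional[Level] = None
    connectivity: Optional[Level] = None
    attacker_motivation: Optional[Level] = None
    vulnerability: Optional[Level] = None


def cyber_consequence(s: Scenario) -> Level:
    """Worst-case impact across confidentiality, integrity and availability."""
    return Level(max(s.impact_c, s.impact_i, s.impact_a))


def cyber_likelihood(s: Scenario) -> Level:
    """Assumed weighting: connectivity counts double, since the FAQ ties
    likelihood primarily to how connected a system is."""
    score = (2 * s.connectivity + s.attacker_motivation + s.vulnerability) / 4
    return Level(int(score + 0.5))  # conventional rounding, stays within 1..5


def risk_score(likelihood: Level, consequence: Level) -> int:
    """Cell of the 5x5 matrix, same for cyber and non-cyber scenarios."""
    return int(likelihood) * int(consequence)


def risk_rating(score: int) -> str:
    """Assumed thresholds for the shared matrix."""
    if score >= 15:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"


def assess(s: Scenario) -> Dict[str, object]:
    if s.impact_c is not None:  # cyber scenario
        cons, lik = cyber_consequence(s), cyber_likelihood(s)
    else:                        # safety scenario rated directly
        cons, lik = s.consequence, s.likelihood
    score = risk_score(lik, cons)
    return {"name": s.name, "likelihood": lik, "consequence": cons,
            "score": score, "rating": risk_rating(score)}


def rank_register(scenarios: List[Scenario]) -> List[Dict[str, object]]:
    """Cyber and safety scenarios ranked together on the one matrix."""
    return sorted((assess(s) for s in scenarios),
                  key=lambda r: r["score"], reverse=True)


# Constructed sample register; all ratings are illustrative.
REGISTER = [
    Scenario("Engine room fire",
             consequence=Level.VERY_HIGH, likelihood=Level.LOW),
    Scenario("Malware on ECDIS via removable media",
             impact_c=Level.LOW, impact_i=Level.HIGH, impact_a=Level.HIGH,
             connectivity=Level.HIGH, attacker_motivation=Level.MEDIUM,
             vulnerability=Level.HIGH),
    Scenario("Unauthorised remote access to power management system",
             impact_c=Level.LOW, impact_i=Level.VERY_HIGH, impact_a=Level.VERY_HIGH,
             connectivity=Level.VERY_HIGH, attacker_motivation=Level.MEDIUM,
             vulnerability=Level.MEDIUM),
    Scenario("Tampering with standalone bilge alarm panel",
             impact_c=Level.VERY_LOW, impact_i=Level.MEDIUM, impact_a=Level.LOW,
             connectivity=Level.VERY_LOW, attacker_motivation=Level.LOW,
             vulnerability=Level.HIGH),
]

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        print(f'{r["score"]:>3} {r["rating"]:<6} L={int(r["likelihood"])} '
              f'C={int(r["consequence"])}  {r["name"]}')
```

Because the safety scenario and the three cyber scenarios land in the same matrix, the register can be sorted as one list; a highly connected power management system outranks the engine room fire here, while the isolated alarm panel drops to the bottom despite its weak configuration, which is the connectivity effect the last answer describes.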

Organisation

Do we have to be able to prove that the crew members are aware of the vessel's cyber security?

Answer:

Yes. In order to handle cyber security and cyber risk, we expect you to have effective measures in your safety management system ensuring compliance on board. With the use of personal equipment by most, we expect that all on board will be involved and will have to be aware to some degree. In addition, there will have to be crew members with special responsibilities for cyber security on board, and to some degree that will also have to include the others. Where to draw the lines and how to set up the organisation must be part of the revision of the SMS, which you must consider while also noting the outcome of the performed risk assessment.

What are the tasks of the personnel ashore? What needs to be done regularly? Is there a guideline?

Answer:

The tasks and responsibilities ashore and on board related to safety management are well defined in the ISM Code and should be defined in the vessel's safety management system. A review of this in light of cyber security would be appropriate.

There is a great stress on officers' understanding of cyber risks. However, should the design of the systems not be such that they are idiot-proof? Is this not an achievable way to lower the operational risk burden on the ship's officers?

Answer:

The burden on officers is an ongoing concern, and the IMO has a goal of considering the impact on operations and on those on board when adopting new instruments and requirements. The plan has been to limit these where possible. The requirements keep coming, and we expect them to continue to do so. Dialogue with authorities and representative organisations is recommended. When it comes to the organisation of work on board and manning, we refer to IMO Resolution A.1047(28) and MLC Regulation 2.7, paragraph 1: "Each [flag State] shall require that all ships that fly its flag have a sufficient number of seafarers employed on board to ensure that ships are operated safely, efficiently and with due regard to security under all conditions, taking into account concerns about seafarer fatigue and the particular nature and conditions of the voyage."

An "idiot-proof" system is in most cases not achievable due to lack of practicability or cost. The most efficient way to protect the vessel is to provide an aware crew, practicable policies/procedures and secure technology.

As there is often no IT-educated personnel on board, how would the cyber security role and responsibilities be assigned to the crew on board?

Answer:

It is up to the DoC Holder to implement the measures needed to ensure compliance with the requirements. Ensuring that the people involved in the safety management activities have the necessary competence and support is also a responsibility of the DoC Holder. We recommend that DoC Holders consider which positions are best placed to coordinate activities on board, in addition to considering training and resources. In doing so, we suggest you consider staff who are already responsible for critical equipment and/or systems where cyber security is deemed essential, or staff who already hold key positions in the safety management system.

Is there any regulation for a ship cyber security officer (SCSO), their qualifications and training?

Answer:

From the ISM/statutory perspective, no. That said, there are requirements in the ISM Code and the MLC that staff shall be qualified for their tasks. This allows DoC Holders to develop and implement solutions (including through external providers) in order to handle their obligations.

Is it recommended to have certified IT personnel on board the ship at all times?

Answer:

Depending on the operation and complexity of the vessel, it could be. Remote support from certified IT personnel could also be sufficient for standard cargo and simpler vessels.

Regarding the vessel, is it mandatory to have an on-board person responsible for cyber security?

Answer:

From the ISM Code it must be inferred that there has to be a person or persons on board responsible for handling the safety management system's measures on cyber security.

Incident management

How could shipping companies improve experience sharing for incidents related to cyber security?

Answer:

Currently, we do not see as much sharing of cyber incidents as with other safety topics. However, this is crucial for the industry, and we recommend sharing to increase overall industry resilience. This can be through sharing within smaller groups of companies working together, or through other stakeholders such as Intertanko, BIMCO, CSO Alliance, etc.

How can attacks on onboard operational technology be monitored effectively?

Answer:

Monitoring and detecting cyber attacks on OT systems is a challenging task, since these systems often lack the built-in capability to detect malicious code and attacks. Compensating measures can be to perform regular antivirus scans of the system as part of planned maintenance and to check the security configuration, or to implement Intrusion Detection or Prevention Systems (IDS/IPS) on the network.
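Since the OT systems themselves cannot raise the alarm, a network IDS on the OT segment works by comparing observed traffic against what the systems are known to do. The following is an added example for this page, not DNV GL's or any IDS vendor's code: it applies the simplest form of that check, an allowlist of communications recorded at commissioning plus zone-boundary rules, to a handful of constructed flow records. The addresses, ports, system names and baseline are all constructed assumptions.

```python
"""Constructed example: baseline (allowlist) checks over OT network flow records.

Everything here is illustrative: the OT address range, the commissioning
baseline, the "remote administration" port list and the sample flows.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Assumed OT segment holding control and bridge systems.
OT_ZONE = ip_network("10.10.0.0/16")
# Assumed service ports for remote administration that should only appear
# if they were explicitly approved in the baseline.
REMOTE_ADMIN_PORTS = {22, 23, 3389, 5900}


@dataclass(frozen=True)
class Flow:
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination port
    proto: str  # "tcp" or "udp"


# Constructed baseline: communications observed and approved at commissioning.
BASELINE = {
    Flow("10.10.1.10", "10.10.1.20", 502, "tcp"),    # PMS HMI -> generator controller (Modbus/TCP)
    Flow("10.10.2.5", "10.10.2.6", 10110, "udp"),    # GNSS receiver -> ECDIS (NMEA over UDP)
    Flow("10.10.2.6", "10.10.2.7", 10110, "udp"),    # ECDIS -> radar (NMEA over UDP)
    Flow("10.10.3.1", "10.10.1.20", 20000, "tcp"),   # alarm and monitoring -> generator controller
}


def in_ot_zone(addr: str) -> bool:
    return ip_address(addr) in OT_ZONE


def classify(flow: Flow) -> List[str]:
    """Reasons a flow deserves attention; an empty list means it is expected."""
    reasons: List[str] = []
    if flow not in BASELINE:
        reasons.append("not in commissioning baseline")
    if in_ot_zone(flow.src) and not in_ot_zone(flow.dst):
        reasons.append("OT system talking to an address outside the OT zone")
    if not in_ot_zone(flow.src) and in_ot_zone(flow.dst):
        reasons.append("connection into the OT zone from outside")
    if flow.dport in REMOTE_ADMIN_PORTS and flow not in BASELINE:
        reasons.append(f"unexpected remote-administration port {flow.dport}")
    return reasons


def detect(flows: List[Flow]) -> List[Tuple[Flow, List[str]]]:
    """Return only the flows that triggered at least one reason."""
    alerts = []
    for flow in flows:
        reasons = classify(flow)
        if reasons:
            alerts.append((flow, reasons))
    return alerts


# Constructed sample of flow records, e.g. from a mirror port on the OT switch.
SAMPLE_FLOWS = [
    Flow("10.10.1.10", "10.10.1.20", 502, "tcp"),     # expected Modbus traffic
    Flow("10.10.2.5", "10.10.2.6", 10110, "udp"),     # expected NMEA traffic
    Flow("10.10.2.6", "203.0.113.45", 443, "tcp"),    # ECDIS reaching an external address
    Flow("192.168.50.7", "10.10.1.20", 502, "tcp"),   # business LAN host talking Modbus to a controller
    Flow("10.10.1.10", "10.10.1.20", 22, "tcp"),      # SSH between two OT hosts, never baselined
]

if __name__ == "__main__":
    for flow, reasons in detect(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: " + "; ".join(reasons))
```

The value of the baseline approach for OT is that it needs no signatures for the control protocols in use: a generator controller that has only ever spoken Modbus to the PMS HMI and the alarm system is expected to keep doing exactly that, so anything new is worth a look during planned maintenance, even if it later turns out to be a legitimate but undocumented change.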

Training

How often should crew cyber security training be carried out?

Answer:

The competency of the staff involved, ashore and on board, is the primary defence against cyber risks and a primary source for utilising the opportunities to optimise operations through digital solutions. We encourage companies to consider this and to put in place the measures needed to ensure staff have and maintain the required competence. Those involved in and responsible for handling safety management measures must be trained in accordance with the ISM Code. In addition, there are competence requirements in the Maritime Labour Convention, Regulation 1.3, paragraph 1: "Seafarers shall not work on a ship unless they are trained or certified as competent or otherwise qualified to perform their duties."

How can you change the safety culture to ensure cyber security compliance is not just another perceived paper exercise for the ship's crew?

Answer:

Ownership, responsibility and authority by top management for the safety management system, including showing the value of safety management systems and the importance of staff ashore and on board, is crucial. Involving and investing in staff so that they can actively contribute to development, implementation, use and follow-up in a systematic plan-do-check-act (PDCA) cycle is also crucial. In short, when we place and show high value in the management systems, others will as well.

How can crew be trained to avoid cyber attacks?

Answer:

There are different possibilities available, including the DNV GL/Gard Cyber Security Awareness Video, DNV GL/Seagull e-learning, classroom training, emergency response drills, phishing e-mail exercises, posters, etc. The key is to provide continuous training on general awareness and on how to operate in a secure manner during both normal and emergency operations. Efforts should be directed at both avoiding and responding to cyber attacks. For more information, please contact our Maritime Academy (Link).

Will seafarers be required to obtain a cyber security certificate?

Answer:

There is no statutory requirement to have such certificates.

Do you have existing cyber security e-learning materials companies can use?

Answer:

Yes, for more information please check our Maritime Academy (Link).

Furthermore, please also view our free cyber security awareness video (Link).

Testing

Does DNV GL offer ethical hacking to test the measures in place on a certain ship or in a company?

Answer:

Yes, DNV GL has Certified Ethical Hackers who can support you in this task. (Link)