The IMO has identified cyber security as a risk to be addressed in safety management systems and the handling of the risks are to be verified in audits from 1 January 2021 onwards. This statutory news summarises IMO’s main recommendations.
Relevant for ship owners and managers as well as yards and manufactures.
The IMO decision to be handled:
As the maritime community is becoming increasingly connected and vessel operators are growing dependent on digital solutions for optimization of operations. Cyber security is key to ensuring safe operation of vessels; and safeguarding people, cargo and the environment.
The IMO has adopted a Resolution MSC 428(98) , “AFFIRMING that an approved safety management system should take into account cyber risk management in accordance with the objectives and f a Resolution MSC 428(98)unctional requirements of the ISM Code.” Companies must, no later than the first annual verification of their Document of Compliance (DOC) after 1 January 2021, demonstrate that cyber security is an integral part of the safety management system.
In support of the Resolution, the IMO has issued a guideline on maritime cyber security management. We recommend that all DOC holders carefully consider the guidance given. When doing so we draw your attention to the IMO’s guidance, stating that:
- Ships with limited cyber-related systems may find a simple application of these Guidelines to be sufficient; however, ships with complex cyber-related systems may require a greater level of care and should seek additional resources through reputable industry and Government partners.
- These Guidelines recommend a risk management approach to cyber risks that is resilient and evolves as a natural extension of existing safety and security management practices.
DOC holders must assess their safety management systems’ effectiveness for handling cyber security and develop appropriate measures.. DNV GL will as Recognized Organization (RO) stick to requirements from the ISM Code and from the flag states.
Through the DNV GL Fit for Purpose delivery model for management systems services, we will speak to our customers, assess their needs and apply an audit focus, as appropriate, on cyber security.
Advice from DNV GL’s cyber security experts:
DNV GL’s Class and Maritime Advisory units have special cyber security expertise and provide services to make customers’ systems more robust to outside threats. These services, delivered separately from our work as RO, will support handling your needs effectively. It must be noted that the DOC holder will remain responsible for having measures needed to ensure ongoing compliance and meeting objectives in the ISM Code and that decisions on compliance will remain with the formal statutory audits (DOC and SMC). Noting that DOC holders must develop measures fitting their needs, DNV GL recommends considering the following Plan-Do-Check-Act cycle:
- Identify cyber security objectives o Make an inventory of systems and software
- Execute cyber risk assessment and identify improvement needs with prioritization
- Integrate cyber security policies and procedures into the SMS o Define and update roles and responsibilities for cyber security
- Execute cyber security training (general awareness and role based)
- Roll out network segregation and hardening of systems
- Evaluate effectiveness of reaching objectives o Analyse cyber incident and event reports, data monitoring, etc.
- Execute internal audits and have management and master’s reviews with cyber security on the agenda
- Execute corrective and preventive actions to the whole fleet o Ensure ongoing compliance and strive for continuous improvement
More information on DNV GL’s services to build and verify cyber security resilience is provided in the references below, including a link to DNV GL cyber security class notations which address the cyber security of a vessel’s main functions and the owner’s operational needs, in reference to the upcoming IMO resolution MSC.428(98).
Cyber security will be a mandatory focus area in the 2021 annual DOC audits. DNV GL suggests companies use the opportunity to consider cyber security for its digital solutions, making sure cyber security will be implemented and ready for management systems audits in 2021.
For full text of IMO documents see:
Further information from DNV GL:
- DNV GL maritime cyber security topic page
- DNV GL cyber secure class notation service page
- Cyber security testing service page
Several flag states also have cyber security information on their web sites.