Why is IMO enforcement necessary?
With advanced cyber threats targeting the maritime industry, safeguards must be put in place to protect a sector that carries roughly 90 percent of global trade. Companies must not only establish cyber risk management as part of the safety management system (SMS) for the vessels in their fleet, but must do so in a consistent way, so that practice does not vary from one company to the next. The IMO Resolution is intended to standardize and document procedures that reduce the number of cybersecurity incidents on ships, and it addresses people, procedures, and technology in the safety management system from a cybersecurity viewpoint. MSC-FAL.1/Circ.3, which the IMO Resolution refers to, provides recommendatory (non-mandatory) guidance on maritime cyber risk management.
Alongside other international and industry guidelines and best practices, the circular points to additional recommendations and standards that those in the maritime industry should follow. One of these is ISO/IEC 27001, a technology-neutral, vendor-neutral information security standard that specifies the requirements for an effective information security management system (ISMS).
BIMCO, CLIA, the International Chamber of Shipping (ICS), INTERCARGO, INTERMANAGER, INTERTANKO, the International Union of Marine Insurance (IUMI), OCIMF, and the World Shipping Council are among the organizations that support The Guidelines on Cyber Security Onboard Ships. This detailed guide advises shipowners and operators on the procedures and actions needed to protect a ship's systems from cyber incidents and keep the ship operating safely.
What are the IMO cybersecurity regulations?
The International Maritime Organization (IMO) published MSC-FAL.1/Circ.3 “Guidelines on maritime cyber risk management” in 2017. These guidelines contain high-level recommendations for protecting shipping from current and emerging cyber threats and vulnerabilities, together with practical elements that support effective cyber risk management. The IMO’s Maritime Safety Committee then adopted Resolution MSC.428(98) ‘Maritime Cyber Risk Management in Safety Management Systems’, which builds on these guidelines. The resolution encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the International Safety Management (ISM) Code) no later than the first annual verification of the company’s Document of Compliance (DOC) after 1 January 2021.
The IMO’s aim and strategy are summarized in the following five points:
- Effective cyber risk management should begin at the top of the organization, with a culture of cyber risk awareness instilled at all levels.
- A risk-based approach with a systematic assessment should be used to compare an organization’s current cyber risk management posture with its desired posture. Within a prioritized cyber risk management strategy, such a comparison reveals gaps that can be closed to achieve the risk management objectives.
- The five core functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, and Recover) should form the basis of the risk management response.
- All operational processes should be considered, and the approach and its effectiveness should be evaluated on a regular basis.
- A strategy to raise cyber risk awareness across the company must be put into practice.
IMO recommended frameworks:
NIST Cybersecurity Framework:
It was developed by NIST in collaboration with industry, academia, and government, and it draws on existing international standards. It is designed to be applied alongside an organization’s existing risk management process, and it organizes cybersecurity activities into the following core Functions, which together enable effective cyber risk management:
Identify:
The Identify Function assists in developing an organizational understanding of how to manage cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
Protect:
The Protect Function outlines appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.
Detect:
The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events.
Respond:
The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.
Recover:
The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident.
ISO/IEC 27001 Information Security Management:
ISO/IEC 27001 is widely known and specifies the requirements for an information security management system (ISMS). These requirements allow any organization to protect assets such as financial data, intellectual property, employee information, and information entrusted to it by third parties.
ISO/IEC 27001 requires that management:
- Analyze the organization’s information security risks in a systematic manner, taking account of threats, vulnerabilities, and impacts.
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
- Adopt an overall management framework to ensure that the organization’s information security controls continue to meet its needs on an ongoing basis.