The clock is ticking for compliance with IMO’s 2021 cyber security regulations.

Maritime organisations have long focused on safety and the management of risks, however, bringing cyber threats into play can often be challenging as these are usually harder to quantify, understand and relate to the physical world. Some lessons can be brought across from other industries and frameworks, including that of the National Institute of Standards and Technology (NIST), which can be very helpful in aligning thinking and practice to cyber risks. But there are unique considerations that need to be factored in when applying a robust risk management process to cyber risks within marine and offshore organisations.

In 2017, the IMO issued MSC-FAL.1/Circ.3 ‘Guidelines on maritime cyber risk management’. These guidelines provide high-level recommendations to safeguard shipping from current and emerging cyber threats and vulnerabilities, including functional elements that support effective cyber risk management. The IMO’s Maritime Safety Committee then adopted these guidelines through Resolution MSC.428(98) ‘Maritime Cyber Risk Management in Safety Management Systems’. This resolution encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the International Safety Management (ISM) Code) no later than the first annual verification of the company’s Document of Compliance (DOC) after 1 January 2021.

The following five points summarise the goal and the approach from the IMO:

1. Effective cyber risk management should start at senior management level and should embed a culture of cyber risk awareness into all levels of the organisation.
2. A risk-based approach should be adopted with a comprehensive assessment to compare an organisation’s current, and desired, cyber risk management postures. Such a comparison may reveal gaps that can be addressed to achieve risk management objectives through a prioritised cyber risk management plan.
3. The 5 NIST Cyber Security Framework domains should be considered as part of the response to the Risk Management Review (Identify, Protect, Detect, Respond and Recover).
4. All operational systems should be included, and the process and effectiveness reviewed regularly.
5. A plan to communicate awareness throughout the organisation should be implemented.

The IMO resolution is not just about completing a risk register or risk management plan. Organisations will need to be able to demonstrate over time that they can execute that plan and address the risks in a way that improves the security of their operations. Currently, shipowners and operators are looking for assurance that what they are doing will meet the intent of the IMO’s resolution and be accepted when the time of audit comes. As the guidance allows for many ways for organisations to meet this resolution, it can be hard to know what will be accepted at an audit. Consistency in governance over time will be important.

There are some tactical actions required before 1 January 2021:

1. Prepare and ensure cyber risks are identified and understood within your operations.
   For example, what would a ransomware attack on your business do to you? How would you recover? What business impacts would this cause? Or, what would the introduction of malware on a contractor’s USB stick into key operational technology equipment onboard a vessel do to your ship or fleets ability to operate?

2. Document a risk treatment and management plan for these risks.
   Understand the risks that cyber events can introduce to your business. This will enable you to implement and prioritise actions and controls that directly affect the most significant cyber risks you are facing.

3. Prepare and demonstrate this at the next ISM DOC Audit (post January 2021).
   The IMO guidance is comprehensive, so your response needs to be in proportion to the size of your organisation, the scale of your operations and the cyber risks your business faces. This first audit will be the start of a journey in which cyber risks become better known and appropriate actions and controls are matured over time.

To conclude, complying with the IMO’s 2021 cyber security regulations is not just about defining an initial management plan – organisations will need to ensure that the plan is executed, risks are addressed, and their governance strategy is evolved. LRQA and Nettitude are working hard to support our clients on this journey.

Karen Bolton is the CEO of Nettitude (a LRQA company)