IT Network Infrastructure

Practical Guide to IMO 2021 Cybersecurity Compliance

Maritime Cybersecurity Attacks

A week does not go by that we do not hear about some type of maritime cybersecurity attack on vessels, marine facilities and companies, or critical infrastructure. I have been working in the maritime industry for 26 years and there is not a company or organization that I know that hasn’t been the victim of some type of cyberattack or attempted attack. Most attacks are opportunistic, and the attackers usually try to take smaller amounts of money to avoid law enforcement scrutiny. Regardless of your operations, if you are a marine business, port authority or vessel, you will most likely be the victim of an attempted attack or an actual attack.

IMO Regulations

The IMO has been talking about maritime cybersecurity attacks for over five years now. The current IMO 2021 regulations were originally discussed and put in place back in 2017. Nothing moves quickly at the IMO. The Maritime Safety Committee (MSC), at its 98th session in June 2017, adopted Resolution MSC.428(98), which specifically addresses maritime cyber risk management as part of the vessel’s Safety Management System (SMS). The resolution encourages flag administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance after 1 January 2021. This means that vessels that have an active ISM plan must address cyber security within that plan by their first flag inspection after January 1, 2021.

There are tools and reference documents the IMO cites to help vessels develop the cyber management plan as part of their ISM. Many experts believe these will be the first of many regulations for the maritime industry when it comes to cyber security. The reference documents include MSC FAL.1/Circ.3, Guidelines on maritime cyber risk management, and the BIMCO document called Guidelines on Cyber Security, which was put together by a coalition of organizations. Another reference document, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is the ISO/IEC 27001 standard on Information technology, security techniques, and information security management systems. The final guidance document, published by the United States National Institute of Standards and Technology (NIST), is The Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework). There is a lot of information within each one of these documents, along with a slew of guidance documents from your flag state and country of operations.

How IMSA Can Help You

All these reference documents are great, but most people don’t have the time to search through all of them to find what needs to be done. We have done that for you here at IMSA. Our company specializes in maritime security solutions and cybersecurity solutions for IMO 2021 compliance. We have put together an easy program for our vessel and shore side clients to help cost-effectively protect your networks while bringing you into compliance with IMO 2021 regulations. The primary focus of a cyber security program is to put measures in place to protect both OT (Operational Technology) and IT (Integrated Technology) onboard the vessel. OT is defined as a system we use in our normal day-to-day operations, like navigation equipment, radar, GPS, etc., and IT is the system that integrates those devices and connects them eventually to the internet.

We have an easy four-step process we use for each client. First, we conduct a vulnerability assessment of the shipboard or company IT systems to determine the vulnerabilities. Second, we work with you to put a plan in place to address any major vulnerabilities along with a cybersecurity plan. Third, we provide the necessary language for your ISM plan to satisfy your flag state requirements. The fourth step, which is sometimes overlooked, is crew or company training. An easy-to-implement training program for existing employees/crew and new team members will help ensure the human factor is in sync with your technology solutions.