Maritime Cyber Risk Management*
MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems
In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems (SMS). This resolution requires the SMS to consider cyber risk management in accordance with the objectives and functional requirements of the International Safety Management (ISM) Code. In particular, the IMO Resolution encourages administrations to ensure that cyber risks are appropriately addressed in the SMS. In the same year, IMO also approved Guidelines on Maritime Cyber Risk Management set out in MSC-FAL.1/Circ.3. These in turn reference the Guidelines on Cyber Security Onboard Ships produced and maintained by BIMCO and others which explain how cyber risks should be managed in a shipping context.
Today, Classification Societies play an increasingly important role in demonstrating that a vessel has met or exceeded the goals of IMO Resolution MSC.428(98). Examples include DNV’s three Cyber Secure class qualifiers assigned through the allocation of Security Profiles; Lloyd’s Register’s Cyber Security ShipRight Procedures, which evaluate “Design & Build Procedures” or “Operational Procedures” to assign one of four Capability Levels; and the American Bureau of Shipping’s range of Cybersafety Notations.
The Role of CIRM Members
Cyber resilience is best approached through the use of Defence in Depth – involving physical, technical and procedural defences. Manufacturers, system integrators and service companies can work in partnership with vessel operators to manage cyber risks through the delivery of cyber-secure systems – this will include design, deployment, operation and maintenance, a resilient supply chain, and a secure and resilient company infrastructure. Organisations with a commitment to embedding a culture of cyber-awareness within their organisation ensure that cyber risks are managed appropriately. They continually review and develop their procedures and ensure that their cyber maturity continually develops to match emerging threats.
At the design stage, ship owners and operators need support from equipment manufacturers and system integrators for their assessment of the cyber risk exposure of a vessel. This support helps develop appropriate protection and mitigation strategies in order to reduce both the likelihood of vulnerabilities being exploited, and the impact of any such exploit, to an acceptable level. Members can provide support for the cyber security assessments through a range of services, including the provision of information such as network architecture diagrams, associated data flows and protocols and support to vessels undergoing vulnerability assessment by cyber security experts.
Vessels should have a cyber Incident Response plan in place to respond effectively to security incidents. Appropriately designed equipment facilitates the regular back-up of all operational data to allow quick and effective restoration after an incident. Service companies can act as part of the Incident Response plan, with the goal of ensuring the vessel returns to safe and secure operation as quickly as possible.
Companies are now signing up to the CIRM Cyber Risk Code of Practice. This voluntary Code can be used by producers of both shipboard Information Technology (IT) and Operational Technology (OT) equipment, system integrators, service suppliers and Communications Service Providers. It sets out cyber security best practice for vendors of marine electronic equipment and services. This best practice is derived from both the marine and other industries. The Code presents a set of guiding principles that vendors may use towards the establishment of a provable chain of trust for a secure digital maritime environment.
Independent certifications to national and international standards are also available. As an example, in the UK the Cyber Essentials Plus certification is available from National Cyber Security Centre (NCSC) approved accreditors.
Assessing the Risk
As mentioned above, vessel operators seek assistance from manufacturers and system integrators when conducting their risk assessments. The guidelines published by BIMCO et al. offer a tool for cyber-risk assessment. The tool uses a matrix, reproduced here, to calculate the risk of a cyber-security event through assessment of its Likelihood and Impact. The Likelihood of a cyber-security event happening is determined by the product of the threat and the vulnerability. Thus, if either of these two factors is close to non-existent, the Likelihood will be too. If the initial risk calculated is above what is acceptable, the risk will need to be further mitigated for the residual risk to reach an acceptable level.
The Threats identified, and the factors used, will depend on a range of issues including:
- The exact nature of the system under consideration
- The environment in which it is installed
- The physical layout of the vessel
- The vessel’s operating procedures
Thus, approaches to cyber risk management need to be both company and vessel specific with assessment of the Threats and Mitigations being tailored to reflect company procedures and the specific systems carried on board.
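As an added illustration (not taken from the BIMCO guidelines or from CIRM, whose matrix and rating scales are not reproduced in this article), the following Python models the calculation described above: Likelihood as the product of Threat and Vulnerability, Risk as Likelihood times Impact, and the residual risk that remains after mitigations are applied until an acceptable level is reached. The 1–5 rating scale, the ECDIS USB chart-transfer scenario, the threshold and the mitigation values are constructed assumptions for the example.

```python
from dataclasses import dataclass, replace

# Rating scale constructed for this example (1 = very low ... 5 = very high);
# the BIMCO matrix itself is not reproduced in the article and may use other scales.
MIN_RATING, MAX_RATING = 1, 5

@dataclass
class CyberRisk:
    system: str
    threat: int         # capability and intent of a threat actor against this system
    vulnerability: int  # how exploitable the system is as installed
    impact: int         # consequence for safety or operations if exploited

    def likelihood(self) -> int:
        # Product of threat and vulnerability: a near-zero rating for either
        # drives the likelihood down as well.
        return self.threat * self.vulnerability

    def risk(self) -> int:
        return self.likelihood() * self.impact

@dataclass
class Mitigation:
    name: str
    vulnerability_reduction: int = 0  # rating points removed from vulnerability
    impact_reduction: int = 0         # rating points removed from impact

def apply_mitigations(initial, mitigations, acceptable):
    """Apply mitigations in order until residual risk <= acceptable; return (residual score, names applied)."""
    current, applied = initial, []
    for m in mitigations:
        if current.risk() <= acceptable:
            break
        current = replace(current,
                          vulnerability=max(MIN_RATING, current.vulnerability - m.vulnerability_reduction),
                          impact=max(MIN_RATING, current.impact - m.impact_reduction))
        applied.append(m.name)
    return current.risk(), applied

def assess_ecdis_usb_transfer():
    """Constructed scenario: chart updates delivered to the ECDIS on a USB stick."""
    initial = CyberRisk("ECDIS chart update via USB", threat=4, vulnerability=4, impact=5)
    mitigations = [
        Mitigation("Secure gateway replaces USB transfer", vulnerability_reduction=2),
        Mitigation("Regular backup of operational data", impact_reduction=2),
        Mitigation("Incident Response plan with service company", impact_reduction=1),
    ]
    residual, applied = apply_mitigations(initial, mitigations, acceptable=20)
    return initial.risk(), residual, applied
```

In the constructed scenario the initial risk score of 80 is brought down to a residual 16 only after all three mitigations are applied, which is the kind of result an operator would record as the justification for each control in the SMS.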
IEC TC 80 Standards
At the more technical level, IEC TC80 is developing a range of standards to support cyber security for maritime navigation and radiocommunication equipment and systems.
The best known of these is perhaps IEC 61162-460 “Ethernet interconnection – Safety and security”. It describes itself as an “add-on” to IEC 61162-450 where higher safety and security standards are needed, for example due to higher exposure to external threats or to improve network integrity. Although the standard is primarily aimed at certifying a network, individual equipment certified to IEC 61162-460, such as Gateways, is now available on the market. A standard only recently published is IEC 63154 “Cybersecurity”. This takes a complementary approach by assuming navigation and radiocommunication equipment is installed in a physically restricted area with specific security and access measures implemented. It then seeks to provide mitigation against the remaining cyber vulnerabilities for equipment installed in such areas.
By mid-2022, IEC 63173-2 “Secure communication between ship and shore (SECOM)” will have been published. Whilst designed for IHO S-100 based products, it has a potentially wider scope and provides APIs for data exchange using a wide range of information services such as chart updates, navigational warnings, updated ETA information and route optimisation services.
Business requirements for improved operational efficiency, economy and safety increasingly result in a need for the integration of on-board systems. It’s important that this integration considers cyber security, ensuring that the Information Security goals of Confidentiality, Integrity and Availability are not compromised. This is where Security by Design is important, ensuring that cyber security is considered from the earliest stages of the definition of the system architecture.
SperrySphere is Sperry Marine’s family of digital ship support, navigation and vessel performance solutions that is built around increased connectivity and a ship-based and shore-side platform infrastructure. From safe navigation, regulatory compliance, vessel performance and risk mitigation to remote access, maintenance & assistance, this platform enables safer, greener and more efficient vessel operations. SperrySphere’s Connected ECDIS and the SperrySphere Workstation, together with the Secure Maritime Gateway, can be used as part of a cyber-risk mitigation strategy to counter the risks associated with USB transfer when transferring electronic charts to the ECDIS and when exchanging routes with the ECDIS.
- IMO MSC-FAL.1/Circ.3 – Guidelines On Maritime Cyber Risk Management
- IMO Resolution MSC.428(98) – Maritime Cyber Risk Management In Safety Management Systems
- The Guidelines on Cyber Security Onboard Ships – BIMCO et al.
- Cyber Security Workbook for On Board Ship Use – BIMCO, ICS and Witherby Publishing Group
- DCSA Implementation Guide for Cyber Security on Vessels – The Digital Container Shipping Association
- IEC 61162-460:2018 – Digital interfaces: Ethernet interconnection – Safety and security
- IEC 63154:2021 – Cybersecurity
*This article has just been published in CIRM’s In-House magazine.