Critical Shipboard Systems

IMO 2021 Cyber Security Compliance; Are You Ready?

Cyber Security threats continue to be one of the top threats facing governments, businesses, and private individuals around the globe with attacks increasing exponentially on vessels and the maritime industry. We’ve discussed it numerous time on our VLOG (click here).  State and non-state actors perpetrate these attacks constantly around the clock and around the globe.  The IMO (International Maritime Organization) has put cyber security regulations in place for compliance by 2021. Many experts believe these will be the first of many regulations for the maritime industry when it comes to cyber security.

Cyber Regulations:

There are two specific documents the IMO has put forward regarding cyber security.  The first document is MSC-FAL.1/Circ.3; Guidelines on maritime cyber risk management. This document is a guide on the basics of cyber risk management.  The Maritime Safety Committee or MSC, at its 98th session in June 2017, adopted Resolution MSC.428(98).  This specifically addresses maritime cyber risk management as part of the vessel’s Safety Management System (SMS). The resolution encourages flag administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.  This means that vessel’s that have an active ISM plan must address cyber security within that plan by their first flag inspection after January 1, 2021.  There are tools and reference documents the IMO cites to help vessels develop the cyber management plan as part of their ISM.   

Cyber Security Plans

Specifically, there are three reference documents the IMO recommends when putting together the cyber security part of your ISM plan.  The first document was put together by a coalition of maritime organizations called Guidelines on Cyber Security.  The second reference document is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).  It is ISO/IEC 27001 standard on Information technology, security techniques, and information security management systems.  The final guidance document is published by the United States National Institute of Standards and Technology (NIST) called The Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework). 

The NIST framework is the primary basis for putting together a good plan to help mitigate cyber security related issues for your vessel, facility, or company.  The standard framework has five parts that are easy to apply to a cyber security related plan.  They include identify, protect, detect, respond, and recover

The first step is to identify all of your assets, your network set-up, OT/IT devices, any vulnerabilities with the network and devices, who has internal and external access along with any cyber security related procedures and how well those procedures are followed.  It is a good idea to have an outside organization come in and provide this type of assessment and it typically should not be very expensive.  It is always good to have an outside, unrelated organization complete this step and they can provide a non-biased opinion of how things look within your vessel or organization. 

Once you assess your networks you should then look at how that network along with all the devices, personnel, and infrastructure is protected.  Part of this will be done during the above assessment.  One of the major issues found outside of issues in physical security is personnel training.  Organizations spend hundreds of thousands of dollars and in some cases millions to protect their network infrastructure but fail to provide some basic training and recurring training to the people who use that network.

The third step involves putting in place the tools to detect any potential intrusions or malicious activity within the networks.  Many firewall devices, routers, and network devices have basic security that provides intrusion detection, however these detection tools need to be set-up and someone needs to look over the logs to determine what is and is not normal within that network. There are also advanced tools that can be used to monitor the networks along with the endpoint devices within that network for potential vulnerabilities.  If you can, it is more effective to work with an outside vendor to help provide this type of service.  Most small companies and vessels don’t have the capability to configure and monitor the output from the detection devices.

The last two steps involve post attacked related activities to get your vessel and business back operational.  The fourth step involves your response to an attack.  There are multiple types of attacks from simple to very complex and can involve individuals all the way up to state actors.  The complexity of the attack is not always determined by the attacker.  Part of the IMO regulations involve a response plan to a potential attack.  Every vessel, organization and facility should have a response plan in place to immediately deal with the attack and mitigate any long-term damage.  This includes having back-ups to critical data, secondary infrastructure to bring online, or alternate communication systems. This also includes the immediate mitigation activities to help prevent the further spread of the attack. 

The final step is recovery.  How does your vessel, facility, or organization get back to business, but also put in place steps to mitigate future attacks based on what happened? If you speak with a vessel, company, or facility that has been attacked they will tell you how they are doing things different to help protect them in the future.

There is always a lot to consider when it comes to cyber security and protecting vessels that move all over the world.  If a potential attacker perceives any type of difficulty in attempting to attack your system, they will most likely move onto another target (unless they are specifically targeting your vessel or owner).  The maritime industry has a number of vulnerabilities and threats along with some very unique challenges, however following a good plan and process will help protect your vessel similar to protecting your house with a security system and a sign in your front yard.