ISM – Cyber Security – mandatory for Ships and Commercial Yachts >500GT

The end of the year is fast approaching and so are two separate actions required by Managers/Operators before the 01 Jan 2021 – ISM Maritime Cyber Risk Management and the Inventory of Hazardous Materials (IHM) which you can read in this article.

 

In 2017, the IMO issued MSC-FAL.1/Circ.3 ‘Guidelines on maritime cyber risk management’ for enhanced cyber security. These guidelines provide high-level recommendations to safeguard shipping from current and emerging cyber threats and vulnerabilities, including functional elements that support effective cyber risk management.

 

The IMO’s Maritime Safety Committee then adopted these guidelines through Resolution MSC.428(98) ‘Maritime Cyber Risk Management in Safety Management Systems’. This resolution encourages the Flag Administrations to ensure that cyber risks are appropriately addressed in existing safety management systems [as defined in the International Safety Management (ISM) Code] no later than the first annual verification of the company’s Document of Compliance (DOC) after 1 January 2021.

 

The following five points summarise the goal and the approach from the IMO:

 

  • Cyber risk management should be a top down approach and should embed a culture of cyber risk awareness into all levels of the organisation.
  • A risk-based approach should be adopted with a comprehensive assessment culminating in a cyber risk management plan.
  • The 5 NIST Cyber Security Framework domains should be considered as part of the response to the Risk Management Review (Identify, Protect, Detect, Respond and Recover).
  • All operational systems should be included, and the process and effectiveness reviewed regularly.
  • A plan to communicate awareness throughout the organisation should be implemented.

 

What immediate steps can be taken onboard today to reduce cyber risks?

 

  1. Educate and Training of staff
  2. Protect USB ports
  3. Segmentation of IT/OT systems
  4. Protection of email and internet facing systems
  5. Remote data access and connections

 

For more information, or for assistance in the matters please don’t hesitate to contact us here.