IMO’s requirements for integrating cyber risk into onboard safety management systems come into force 1 January, 2021. Here’s what you as a shipowner or manager need to know – and do.
As 2021 draws near, cybersecurity continues to be a fundamental operational imperative in the maritime sector. This reality is well established by now.
2021 also brings on another hot topic in shipping: the new IMO rules taking effect on 1 January. From this date onward, cyber risk management must be incorporated into existing safety management systems under the ISM Code and ISPS Code – as discussed in our previous article on the subject.
What does this mean in practice?
To be more precise, exactly what happens on 1 January 2021?
Deadline: The first Document of Compliance after 1 January
Apart from tons of fireworks lighting up nighttime skies worldwide, nothing much in particular is going to happen industry-wise as the clock strikes midnight on 31 December this year. Technically, the new decade officially starts.
In other words, you won’t have to prepare for some single-event ‘seismic shift’, as was the case with Y2K 21 years ago. (The Y2K threat was in fact real; it was prevented because those behind the scenes took it seriously.)
In terms of IMO 2021, what actually happens on 1 January is this: at the first annual verification of your shipping company’s Document of Compliance (DOC), cybersecurity will be part of the safety management audit.
This means that no later than the next annual DOC verification after 01.01.2021, you must demonstrate that appropriate measures for handling cyber risk are an integral part of your safety management system.
The next question then becomes: What measures must you as a DOC holder take to ensure your safety management system is deemed ‘cybersecurity compliant’ by a classification society?
Applying the NIST Framework to ensure IMO compliance
Class notation approaches vary among the many different classification societies, but in essence, their cybersecurity compliance requirements are all covered by the NIST Framework.
The cybersecurity framework offers a basic blueprint for developing a cyber risk management programme. How do you put it into practice across your fleet, in order to comply with IMO 2021?
Existing guidance available tends to be somewhat vague, so we’ll try to be as brief and to the point as possible. Here’s what you need to do to comply with IMO 2021.
The framework’s five functional elements are not sequential – all should be concurrent and continuous in practice:
Identify – Develop an understanding of your ICT environment to manage cybersecurity risk to onboard and offshore systems, assets, data, Operational Technology (OT) and Information Technology (IT), and equipment.
You need to have full visibility into your digital and physical assets, their interconnections, and defined roles and responsibilities. Moreover, you need to understand your current risks and exposure and put policies and procedures into place to manage those risks.
Protect – Develop and implement the appropriate safeguards to block, limit or contain the impact of a potential cybersecurity incident. Your organisation must control access to digital and physical assets, provide awareness education and training and put processes into place to secure data. Furthermore, you must deploy multi-layered protective software solutions to ensure that onboard systems are designed and configured to be resilient to cyber-attacks.
Detect – Implement the appropriate measures to ensure that any cybersecurity incident will be discovered as soon as possible. Set up an extra layer of defence to your IT ecosystem through continuous monitoring solutions that detect and prevent anomalous activity and other threats to operational continuity.
In terms of IMO 2021 compliance, all the classification societies require you to have a DNS filtering mechanism as part of your cybersecurity management regime.
Respond – Should a cyber incident occur, your shipping company must have the ability to contain the impact. To comply, you must craft a response plan, define communication lines among the appropriate parties, collect and analyse information about the incident, perform all required activities to eradicate the incident, and incorporate lessons learned into revised response strategies.
Recover – Develop and implement effective recovery actions to restore any IT and OT systems that were impaired or disrupted due to a cybersecurity incident. Your shipping company must have a recovery plan in place (available in hard copy onboard and ashore), be able to coordinate restoration activities with external experts, and incorporate lessons learned into your updated recovery strategy.
Define a prioritised list of action points that can be used to carry out the recovery activity needed to restore IT and OT to an operational state.
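To make the "DNS filtering mechanism" concrete, here is an added example (not Dualog's code and not any classification society's reference implementation) of the decision logic such a filter runs on a shipboard gateway: every queried name, and each of its parent domains, is checked against a denylist, an allowlist protects the fleet's own services from an over-broad entry, and every decision is recorded so the Detect function has an audit trail. The denylist, allowlist and query-log lines are constructed sample data using reserved `.test`/`.example` names, not real indicators.

```python
"""Added example: minimal DNS filtering decision engine with an audit log.

Denylist entries, allowlist entries and the query log below are constructed
sample data (reserved .test / .example names), not real indicators.
"""

from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed denylist: block these domains and everything beneath them.
DENYLIST = {
    "malware-example.test",
    "bad-cdn.example",
}

# Constructed allowlist: fleet services that must never be blocked, even if a
# denylist entry is too broad (e.g. the chart-update service).
ALLOWLIST = {
    "charts.fleet-services.example",
}


@dataclass
class Decision:
    ts: str
    client: str
    qname: str
    action: str             # "allow" or "block"
    matched: Optional[str]  # denylist entry that matched, if any


def normalise(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'Foo.Example.' == 'foo.example'."""
    return qname.rstrip(".").lower()


def matching_entry(qname: str, denylist: Iterable[str]) -> Optional[str]:
    """Return the denylist entry covering qname (exact name or a parent domain).

    'update.malware-example.test' is covered by 'malware-example.test': blocking
    a domain must also block its subdomains, otherwise prefixing a hostname
    would bypass the filter. A sibling such as 'notmalware-example.test' does
    not match, because matching is on whole labels, not substrings.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):          # walk from the full name up to its parents
        candidate = ".".join(labels[i:])
        if candidate in denylist:
            return candidate
    return None


def decide(ts: str, client: str, qname: str) -> Decision:
    """Allowlist wins, then denylist, then default allow."""
    name = normalise(qname)
    if name in ALLOWLIST:
        return Decision(ts, client, name, "allow", None)
    hit = matching_entry(name, DENYLIST)
    if hit:
        return Decision(ts, client, name, "block", hit)
    return Decision(ts, client, name, "allow", None)


# Constructed query log: "<ISO timestamp> <client IP> <queried name>".
SAMPLE_QUERIES = """\
2021-01-04T08:12:03Z 10.20.0.15 charts.fleet-services.example
2021-01-04T08:12:09Z 10.20.0.15 update.malware-example.test.
2021-01-04T08:12:11Z 10.20.0.23 MAIL.BAD-CDN.EXAMPLE
2021-01-04T08:13:40Z 10.20.0.23 weather.example.org
"""


def filter_log(text: str) -> List[Decision]:
    """Run every non-empty line of a query log through the filter."""
    decisions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        decisions.append(decide(ts, client, qname))
    return decisions


def blocked_count(decisions: List[Decision]) -> int:
    """Number of blocked queries; a useful KPI for the monthly audit report."""
    return sum(1 for d in decisions if d.action == "block")


if __name__ == "__main__":
    for d in filter_log(SAMPLE_QUERIES):
        print(f"{d.ts} {d.client} {d.qname:35s} {d.action:5s} {d.matched or ''}")
```

The parent-domain walk is the part auditors should look for: a filter that only compares exact names is trivially sidestepped by a new hostname under the same domain, whereas this one blocks the whole subtree while the allowlist keeps a legitimate fleet service reachable.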
Keep calm and carry on preparing for IMO 2021
Effective cyber risk management needs to start at the senior management level. To be prepared for 1 January 2021, continue to embed a culture of cyber risk awareness into all levels of your organisation. As the first Document of Compliance hits, you must have ensured a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.
The ISM Code, supported by the IMO Resolution MSC.428(98), requires ship owners and managers to assess cyber risk and implement relevant protection, detection, response and recovery measures across all functions of their safety management system – by the first annual verification of a company’s Document of Compliance after 1 January, 2021.
Cybersecurity will be a mandatory focus area in the 2021 annual DOC audits. To be ready for management systems audits in 2021 and comply with IMO cyber requirements, your shipping company must develop a cyber risk management programme based around five steps: identifying risk, protecting assets, detecting anomalies, responding to incidents, and recovering from attacks.
Source: Dualog by Andrea Giglietti, Customer Experience