OCIMF, along with other industry stakeholders, has issued Version 5 of The Guidelines on Cyber Security Onboard Ships. Annex V of this information paper gives the detailed list of all organisations involved in the development of these revised guidelines.
The purpose of these guidelines is to improve the safety and security of seafarers, the environment, the cargo and the ships. The guidelines aim to assist in the development of a proper cyber risk management strategy, in accordance with relevant regulations and best practices, on board a ship, with a focus on work processes, equipment, training, incident response and recovery management.
Shipping relies heavily on digital solutions for the completion of everyday tasks. The rapid developments within information technology, data availability, the speed of processing and data transfer present shipowners and other players in the maritime industry with increased possibilities for operational optimisation, cost savings, safety improvements and a more sustainable business.
However, these developments to a large extent rely on increased connectivity, often via the internet, between servers, IT systems and OT systems, which increases the attack surface of potential cyber vulnerabilities.
These guidelines explain why and how cyber risks should be managed in a shipping context. The supporting documentation required to conduct a risk assessment is listed, and the risk assessment process is outlined with an explanation of the part played by each component of cyber risk. This publication highlights the importance of evaluating the likelihood and threat, in addition to the impact and vulnerabilities, when conducting a cyber risk assessment. Finally, this publication offers advice on how to respond to and recover from cyber incidents.
Approaches to cyber risk management will be company and ship specific but should be guided by the requirements of relevant national, international and flag state regulations and guidelines. In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems (SMS). The resolution stated that an approved SMS should consider cyber risk management in accordance with the objectives and functional requirements of the International Safety Management (ISM) Code. It further encouraged administrations to ensure that cyber risks are appropriately addressed in the SMS no later than the first annual verification of the company's Document of Compliance (DoC) after 1 January
The same year, IMO developed guidelines that provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. As also highlighted in the IMO guidelines, effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk management into all levels and departments of an organisation and ensure a holistic and flexible cyber risk governance regime, which is in continuous operation and is constantly evaluated through effective feedback mechanisms.
The International Association of Classification Societies (IACS) has developed Revision 1 of Unified Requirements E26 ("Cyber Resilience of Ships") and E27 ("Cyber Resilience of On-Board Systems and Equipment"), which apply to newbuilds from 1 July 2024.
Courtesy: OCIMF/Information Paper