
Technical Notices

ISM Code | Cyber Risk Management into the ISM Code


General

 
Ships are increasingly using systems that rely on digitisation, integration, and automation, which calls for cyber risk management on board.

As technology continues to develop, information technology (IT) and operational technology (OT) onboard ships are being networked together, and more frequently connected to the internet.

This brings a greater risk of unauthorised access or malicious attacks to ships’ systems and networks.

Risks may also occur from personnel accessing systems onboard, for example by introducing malware via removable media.

IMO initiatives

 
In June 2017, the IMO’s Maritime Safety Committee (MSC) took a significant step forward in combating the threats posed by cyber risks to the safety and security of personnel ashore and on ships.

In June 2016, the MSC had introduced “high level recommendations for maritime cyber risk management” in the form of interim guidelines. These were designed to provide overarching direction for the shipping industry, and all its stakeholders, in the management of the risks posed by both unintentional and malicious acts against the cyber infrastructure of an organisation. 

This year the MSC agreed to adopt a resolution incorporating Maritime Cyber Risk Management into the ISM Code, thereby raising the profile and importance of protecting ships, crews and cargos from the threats of accidental cyber-related incidents and premeditated cyber-attacks.

The MSC are encouraging all members to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance (DOC) after 1st January 2021. Consequently, the requirement to ensure that cyber risk management is taken into account in accordance with the objectives and functional requirements of the ISM Code will be mandatory in just over 3 years.

Cyber security and safety management

 
Cyber safety is as significant as cyber security. Both have equal potential to affect the safety of onboard personnel, ships, and cargo. Cyber security is concerned with the protection of IT, OT and data from unauthorised access, manipulation and disruption. Cyber safety covers the risks from the loss of availability or integrity of safety-critical data and OT.
 
Cyber safety incidents can arise as the result of:

  • A cyber security incident, which affects the availability and integrity of OT, for example corruption of chart data held in an Electronic Chart Display and Information System (ECDIS)
  • A failure occurring during software maintenance and patching
  • Loss of or manipulation of external sensor data, critical for the operation of a ship. This includes but is not limited to Global Navigation Satellite Systems (GNSS).

Whilst the causes of a cyber safety incident may be different from a cyber security incident, an effective response to both is based upon training and awareness of appropriate company policies and procedures.

So, this document aims to provide essential guidance on managing cyber safety and cyber security risks.
