Introduction IMO cyber risk guide

The Maritime Safety Committee of the IMO (International Maritime Organization) adopted in May 2016 the cyber risk guide “Interim guidelines on maritime cyber risk management”.

With the publication of this voluntary guide, IMO formally recognizes the existence of cyber security risks in the maritime sector, understood as those information technology events that can lead to security and operational impacts in shipping companies and on ships.

Risk management is critical to the safe operation of shipping. In practice so far, it has been focused primarily on physical security (IMO ISPS Code) and safe operations (IMO ISM code).

However, the reliance on information technology in shipping operations is increasing both in shipping companies and their ships.

As an example, some relevant systems on ships that might be compromised by a cyber-attack are navigation systems on the bridge, ship communications, cargo management, propulsion control and management systems.

Taking into account this changing context, and in order to protect the maritime sector from emerging cyber risks, IMO considers it necessary to incorporate cybersecurity risks into the risk management framework of companies and ships.

For cybersecurity risk management, IMO proposes a framework based on five functional elements: Identify, Protect, Detect, Respond and Recover. These functional elements should be implemented and executed continuously and concurrently.

The IMO guide refers to the requirements of the member states, maritime administrations and recognized industry best practices including:

  • Guidelines on cybersecurity onboard ships by BIMCO, CLIA, ICS, INTERCARGO and INTERTANKO.
  • Information technology security management standard ISO 27001.
  • NIST Cybersecurity Framework (NIST CSF).


IMO cyber risk guide and BIMCO

First, IMO mentions the BIMCO guide. This guide was published in January 2016 and provides, in my opinion, the first systematic approach to cybersecurity risk management onboard ships, implemented through four processes: understand cyber threats, evaluate cyber risk, reduce cyber risk and develop contingency plans.

The BIMCO guide indicates a selection of controls that are considered particularly relevant for cybersecurity on board ships:

  • Limitation and control of network ports, protocols and services.
  • Configuration of network devices such as firewalls, routers and switches.
  • Secure configuration of hardware and software.
  • Protection of web browsing and email.
  • Satellite and radio communications.
  • Defences against malware.
  • Data recovery capability.
  • Wireless access control.
  • Application software security (patch management).
  • Secure network design.
  • Physical security.
  • Boundary defence.

The BIMCO guide also indicates procedural controls, which refer to the plans and procedures governing the crew's use of the systems on board. Examples mentioned include training and awareness, software maintenance and upgrades, anti-virus updates, and the use of administrator privileges.


IMO cyber risk guide and ISO 27000

The IMO guide also mentions the ISO 27001 cybersecurity management standard. The ISO 27000 family of cybersecurity standards is applicable to all types of organizations and is a recognized set of guidelines in the field of cybersecurity. The ISO 27001 Annex A list of cybersecurity objectives and controls has a history of over 20 years that began with the publication of the BS 7799 standard in 1995, and it is currently published as ISO 27002.

The cybersecurity controls described in ISO 27002 are not specifically focused on Critical Infrastructure Protection or on the maritime industry. However, the controls described are useful and, with an appropriate focus on cyber risk, may be applied by any organization.


IMO cyber risk guide and NIST CSF

Finally, the IMO guide mentions the NIST Cybersecurity Framework (CSF).

The NIST CSF guide was published in 2014 by the US National Institute of Standards and Technology and is open for consultation and application. In my opinion, it presents a very appropriate approach for managing cyber security in Critical Infrastructure Protection and is therefore applicable, with adequate changes, to the shipping sector. In fact, the five functional elements presented by the IMO for risk management, “Identify, Protect, Detect, Respond, Recover”, are those indicated in the NIST CSF guide.

The goal of the NIST Cybersecurity Framework (CSF) is to assist organizations in the following:

  • Describe their current cybersecurity posture.
  • Describe their target state for cybersecurity.
  • Identify and prioritize opportunities for improvement within a continuous and repeatable process.
  • Assess progress toward the target state.
  • Communicate among internal and external stakeholders about cybersecurity risk.

In NIST CSF, for each of the five functional elements of the IMO guide we can find categories and sub-categories of cyber security controls. Each control is identified by a code; for example, control PR.MA-1, “Maintenance and repair of organizational assets is performed and logged in a timely manner”, belongs to the PR (Protect) functional element and the MA (Maintenance) control category, and is sub-category 1 within that category.

Figure: NIST CSF functions and categories.

Below, I show some examples of NIST CSF controls (sub-categories) for each of the five IMO and NIST functional elements:

  • Identify. ID.AM-1: Physical devices and systems within the organization are inventoried; ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value.
  • Protect. PR.AC-2: Physical access to assets is managed and protected; PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.
  • Detect. DE.CM-1: The network is monitored to detect potential cybersecurity events; DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed.
  • Respond. RS.RP-1: Response plan is executed during or after an event; RS.CO-1: Personnel know their roles and order of operations when a response is needed.
  • Recover. RC.RP-1: Recovery plan is executed during or after an event; RC.IM-1: Recovery plans incorporate lessons learned.
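As an added example (not code from the original post or from NIST), the following Python parses the control identifier layout described above, FUNCTION.CATEGORY-SUBCATEGORY, and groups a checklist of controls under the five functional elements, reporting malformed identifiers instead of silently dropping them. The sample checklist and the function names are constructed for this example.

```python
import re
from collections import defaultdict

# Added example, not from the original post: parses NIST CSF subcategory
# identifiers such as "PR.MA-1" and groups controls by functional element.

# The five functional elements shared by the IMO guide and NIST CSF.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Identifier layout: FUNCTION.CATEGORY-SUBCATEGORY, e.g. PR.MA-1
_ID_RE = re.compile(r"^([A-Z]{2})\.([A-Z]{2})-(\d+)$")


def parse_control_id(control_id):
    """Return (function_name, category_code, subcategory_number); raise
    ValueError for a malformed id or unknown function code (fail loudly)."""
    m = _ID_RE.match(control_id.strip())
    if not m:
        raise ValueError("malformed control id: %r" % control_id)
    fn, cat, sub = m.groups()
    if fn not in FUNCTIONS:
        raise ValueError("unknown function code %r in %r" % (fn, control_id))
    return FUNCTIONS[fn], cat, int(sub)


def group_by_function(controls):
    """Group a {id: description} mapping by functional element; invalid
    ids go under "invalid" rather than being dropped, so a review sees them."""
    grouped = defaultdict(dict)
    for control_id, text in controls.items():
        try:
            fn, _cat, _sub = parse_control_id(control_id)
        except ValueError:
            grouped["invalid"][control_id] = text
            continue
        grouped[fn][control_id] = text
    return dict(grouped)


# Constructed sample checklist using controls named in the post, plus one
# deliberately malformed entry to show how it is reported.
SAMPLE = {
    "ID.AM-1": "Physical devices and systems are inventoried",
    "PR.AC-2": "Physical access to assets is managed and protected",
    "PR.MA-2": "Remote maintenance is approved, logged and controlled",
    "DE.CM-1": "The network is monitored for cybersecurity events",
    "RS.RP-1": "Response plan is executed during or after an event",
    "RC.IM-1": "Recovery plans incorporate lessons learned",
    "XX.AM-9": "constructed malformed entry",
}
```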


Conclusion

In my opinion, the publication of the IMO cyber risk guide is a formal recognition by this organization of the existence of cyber risks in the maritime sector and a wake-up call to companies in the sector, especially shipping organizations and ship operators, to incorporate cyber risk management practices.

Although the IMO guide as such is generic and presents high-level recommendations, it refers to best practices such as BIMCO, ISO 27001 and NIST CSF that maritime industry companies should consult and begin to incorporate into their risk management processes.
