The IMO & the Upcoming Cybersecurity Deadline
- On 12/12/2020
The International Maritime Organisation and Cybersecurity
The International Maritime Organisation (IMO) is a dedicated agency of the United Nations charged with regulating aspects of safety, security and the prevention of atmospheric pollution caused by international shipping operations.
The organisation met for the first time in 1959 and has developed regulations for the industry ever since. One of the more recent regulations derives from Resolution MSC 428(98), which requires ship owners and managers to assess cyber risk and implement mitigating measures across all areas of their Safety Management Systems (SMSs).
The regulations are due to come into effect on 1 January 2021 and, as a consequence, impose a range of obligations upon industry operators. Chief among these is the mandated adoption of risk-based cybersecurity practices within SMSs.
It is worth acknowledging why safety mechanisms are being used to accommodate security, including cybersecurity: SMSs preceded their security equivalents, are established in regulation and are now common practice. That is an interesting point in itself, because it is not a practice that has been made explicit in a critical mass of other industries, where safety functions often seem resistant to cross-functional collaboration with security.
In an ideal world, both would be closely integrated, including through risk management practices, committees, training, budgets and resourcing and, of course, perceived importance.
Policy Governance Conundrums?
Further, the new regulations may present policy governance integration challenges for industry participants, or at least cause them to have to undertake a process of policy harmonisation. In Australia, for instance, the Maritime Transport and Offshore Facilities Security Act 2003 compels ‘Maritime Industry Participants’ (MIPs) to, among other things, develop security assessments and plans, detail heightened threat procedures, implement security zones and engage only formally recognised Maritime Security Guards (MSGs).
There are also overlapping obligations defined within Australia’s Security of Critical Infrastructure Act 2018 and its Regulations. For an Australian maritime operator this legislation represents three layers of, at minimum, closely related obligations.
The Australian Maritime Transport and Offshore Facilities Security Regulations 2003 make no mention of safety or SMSs in this context, suggesting that security functions are regarded as a key part of organisational capability while implying at least flexibility in, or perhaps independence from, safety functions. There may be several arguments against this assertion, and it is granted that nothing precludes safety and security from working together to satisfy legislative obligations (or indeed to achieve positive safety and security outcomes).
Guidelines on Maritime Cyber Risk Management
Returning to Resolution MSC 428(98), and cybersecurity in particular, Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3) are intended to “… provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities and include functional elements that support effective cyber risk management. The recommendations can be incorporated into existing risk management processes and are complementary to the safety and security management practices already established by IMO.”
These guidelines encourage operators/MIPs to leverage practices detailed within:
- Guidelines on Cyber Security Onboard Ships, which was produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI.
- ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
- The United States National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework).
The Risk, Controls and Cybersecurity Obligations
As any seasoned security practitioner will appreciate, and notwithstanding a concerted focus on controls (as opposed to risk) in some standards, security risk management (SRM) is the keystone to effective security planning.
It is noteworthy that the ‘controls versus risk’ issue is subject to ongoing discussion within the cybersecurity practice area, as CISOs and others in the trade grapple with merging potentially competing considerations in a logical and coordinated manner. This is part of the reason for the emergence of ‘maturity’ assessments, as opposed to the older conformance-based, one-size-should-fit-all approach.
That aside, the IMO regulations require operators/MIPs to (among other things):
- Define a cybersecurity policy that is predicated upon the identification and protection of at-risk systems (onboard and ashore).
- Undertake a cybersecurity risk assessment that identifies threats and vulnerabilities, and the impact that a realised event could have.
- Develop policies and procedures for cybersecurity risk management, which are tailored to vessels and other critical equipment.
A Model for The International Maritime Organisation and Cybersecurity
Unsurprisingly, the NIST Framework in particular is an excellent mechanism for addressing cybersecurity risks (and identifying appropriate controls). The (low-resolution) image below illustrates Industry Risk’s comprehensive model, which incorporates the best of NIST and other notable cybersecurity regimens.
Image: Industry Risk Model for Cybersecurity
The model assumes that organisations tailor and scale their approach on the basis of a cybersecurity risk assessment (and ongoing monitoring and review of that assessment). Combined with our SRM platform (https://sectara.com), maritime operators, and indeed participants in any industry, can ensure that both risk tolerances and regulatory compliance obligations are observed.
Yours in security risk and resilience,
Konrad Buczynski
Industry Risk is Australia’s shining light in solutions for security risk and business resilience. We welcome opportunities to assist entities in getting to a security baseline, then acting as guide in more advanced (proactive) endeavours.