Cybersecurity In The Maritime Environment


The U.S. Coast Guard (USCG) and International Maritime Organization (IMO) recently promulgated technical guidance on cyber risk management for the maritime industry. USCG NVIC 01-20 was published last year “to provide clarity regarding existing requirements under the law”. Recent IMO publications “encourage administrations to ensure that cyber risks are appropriately addressed in existing safety management systems as defined in the ISM Code.”

What is the objective? 

As per guidelines on maritime cyber risk management, “the goal of maritime cyber risk management is to support safe and secure shipping while maximizing operational resiliency to cyber risks.” 

What is required by IMO?  

IMO Resolution MSC.428(98) provides high-level recommendations for maritime cyber risk management that can be incorporated into existing risk management processes and are complementary to the safety and security management practices established by this Organization. The IMO deadline to develop a Cyber Risk Management Program is before January 1, 2021 or by the first annual verification of the company’s Document of Compliance after January 1, 2021.

What is required by USCG?  

USCG NVIC 01-20 was published to provide facility owners/operators clarity regarding existing requirements under MTSA 2002. It is intended to be an informative guide to updating FSAs and FSPs, taking into account computer system and network vulnerabilities. ALCOAST ACN 040/20 states that “beginning 10/01/2021, facilities should submit cyber FSA and FSP/ASP amendments or annexes by the facility’s annual audit date”.

What is Convergence? 

There are considerable similarities between safety and cyber risk management practices, and the two clearly impact each other in today’s digitally connected world. This concept is called convergence: bringing together disparate operational areas. SPP is a convergence leader with over 150 years of both cyber and safety management experience.

Where to Begin? 

As discussed during the SPP webinar, addressing cyber risks can be aligned with what has become a de facto framework, the NIST CSF. The framework helps an organization consider where to prioritize efforts. It is organized around five functional categories:

Identify – Protect – Detect – Respond – Recover

The following suggestions are based on correlating and merging the IMO resolution, IMO guidelines, ISM Code, and industry guidelines referred to by the IMO. The resulting information is organized as follows to make it easier to understand, to identify an organization’s current cybersecurity posture, and to identify gaps and implement safeguards at a high level.

  1. Assess Cyber Risks – Identify cyber risks to ships and operations
  2. Design a Secure Cyber Architecture – Design a cyber risk management framework
  3. Protect Vessels and Operations – Implement safeguards to ensure resiliency

Partner with SPP if you need help getting started, or if you need a partner who can identify where gaps exist and the solutions to mitigate them.

Since 2005, Strategic Planning Partners has been helping organizations secure their most critical assets and operations. Clients of all sizes and industries, including maritime, critical infrastructure, transportation, healthcare and financial services, have relied on SPP to achieve the operational resiliency required in today’s landscape.