The U.S. Coast Guard (USCG) and the International Maritime Organization (IMO) recently promulgated technical guidance on Cyber Risk Management for the maritime industry. USCG NVIC 01-20 was published last year “to provide clarity regarding existing requirements under the law”. Recent IMO publications “encourage administrations to ensure that cyber risks are appropriately addressed in existing safety management systems as defined in the ISM Code.”
As per guidelines on maritime cyber risk management, “the goal of maritime cyber risk management is to support safe and secure shipping while maximizing operational resiliency to cyber risks.”
IMO Resolution MSC.428(98) provides high-level recommendations for maritime cyber risk management that can be incorporated into existing risk management processes and that are complementary to the safety and security management practices established by the Organization. The IMO deadline to develop a Cyber Risk Management Program is before January 1, 2021, or by the first annual verification of the company’s Document of Compliance after January 1, 2021.
USCG NVIC 01-20 was published to give facility owners/operators clarity regarding existing requirements under MTSA 2002. It is intended to be an informative guide to updating FSAs and FSPs, taking into account computer system and network vulnerabilities. ALCOAST ACN 040/20 states that “beginning 10/01/2021, facilities should submit cyber FSA and FSP/ASP amendments or annexes by the facility’s annual audit date”.
There are considerable similarities between safety and cyber risk management practices, and the two clearly affect each other in today’s digitally connected world. Bringing together these disparate operational areas is known as convergence. SPP is a convergence leader with over 150 years of combined cyber and safety management experience.
As discussed during the SPP webinar, addressing cyber risks can be aligned with what has become a de facto framework, i.e. the NIST CSF. The framework helps an organization decide where to prioritize its efforts. It is built around five functional categories:
The following suggestions are based on correlating and merging the IMO resolution, the IMO guidelines, the ISM Code, and the industry guidelines referred to by the IMO. The resulting information is organized as follows to make it easy to understand, to identify an organization’s current cybersecurity posture, and to identify gaps and implement safeguards at a high level.
Since 2005, Strategic Planning Partners (SPP) has been helping organizations secure their most critical assets and operations. Clients of all sizes and industries, including maritime, critical infrastructure, transportation, healthcare and financial services, have relied on SPP to achieve the operational resiliency required in today’s landscape.