In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems (SMS). The resolution states that an approved SMS should take cyber risk management into account in accordance with the objectives and functional requirements of the International Safety Management (ISM) Code.
It further encourages administrations to ensure that cyber risks are appropriately addressed in SMS no later than the first annual verification of the company’s Document of Compliance (DoC) after 1 January 2021. As per IMO guidelines, effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk management into all levels and departments of an organization and ensure a holistic and flexible cyber risk governance regime, which is in continuous operation and constantly evaluated through effective feedback mechanisms.
US National Institute of Standards and Technology (NIST)
In addition to the IMO resolution, the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework Version 1.1 is also used as a reference. The NIST Cybersecurity Framework assists companies with their approach to risk assessments by helping them understand an effective approach to manage potential cyber risks both internally and externally.
As a result of applying the Framework, a “profile” is developed, which can help to identify and prioritize actions for reducing cyber risks. The profile can also be used as a tool for aligning policy, business, and technology decisions to manage the risks.
NIST recently released a preliminary draft of its Cybersecurity Framework Profile for Ransomware Risk Management.
International Association of Classification Societies (IACS)
The International Association of Classification Societies (IACS) has issued a “Recommendation on Cyber Resilience (No. 166)”. This recommendation consolidates IACS’ previous 12 recommendations related to cyber resilience (Nos. 153 to 164) and applies to the use of computer-based systems that provide control, alarm, monitoring, safety or internal communication functions and are subject to the requirements of a classification society.
We at Varuna Marine can help!
Our fully managed cyber security solution comes with an owner’s dashboard, as shown here. The dashboard captures all cyber security-related KPIs and ensures compliance at all times. Our team of cyber security experts carries out annual and biannual soft and hard audits to fully test readiness against any external cyber attack.
Our approach to cyber security compliance is in line with MSC.428(98) and consists of the following modules:
1. Onboard vessel and Shore office Network mapping
This helps us to visualise all endpoints on the network and apply control measures. The network map also allows us to implement network segregation, separating critical business and operational networks from non-critical networks. Additionally, firewall rules and explicit and implicit trust relationships between networks are implemented on the basis of the network map.
2. IT and OT Inventory
This, together with the network maps, helps us to conceptualise the cyber security policy.
3. Drafting Cyber Security Policy
The policy is drafted after studying the network maps, the IT and OT inventory, and the role definitions of personnel within the organisation.
4. Staff Training module
Training is customised to the organisational needs of the crew and office staff and is clearly defined in relation to the identified risks and the recommended control measures.
5. Loading the inventory, network map, training module and all policy in our Dashboard
Here the company cyber security officer and the vessel cyber security officer can view and control all KPIs in one user-friendly dashboard.
6. Active Network Monitoring
This module is provided for owners requiring real-time network monitoring for early detection of, and remedial action against, cyber threats.
A 24/7 cyber security call-in line and a ticketing-based system are also available.