NL 203/18 | Maritime Cyber Risk Management

Dec 21, 2018

 

Ships are increasingly using systems that rely on digitization, digitalization, integration, and automation. Cyber technologies have become essential to the operation and management of numerous systems critical to the safety and security of shipping and protection of the marine environment. 

As technology continues to develop, information technology and operational technology on board ships are being networked together and more frequently connected to the internet. Therefore, ships’ systems and networks may be vulnerable. Risks may also occur from personnel accessing systems on board, for example by introducing malware via removable media. The vulnerabilities created by accessing, interconnecting or networking these systems can lead to cyber risks which should be addressed.

Vulnerable systems could include, but are not limited to:

.1 Bridge systems;

.2 Cargo handling and management systems;

.3 Propulsion and machinery management and power control systems;

.4 Access control systems;

.5 Passenger servicing and management systems;

.6 Passenger facing public networks;

.7 Administrative and crew welfare systems; and

.8 Communication systems.

To mitigate the potential safety, environmental and commercial consequences of a cyber incident, the IMO and other international shipping organizations have participated in the development of guidelines designed to assist shipping companies in formulating their own approaches to cyber risk management on board ships:

  • IMO resolution MSC.1/Circ.1526 [INTERIM GUIDELINES ON MARITIME CYBER RISK MANAGEMENT] (which can be found here)
  • IMO Resolution MSC.428 (98) [MARITIME CYBER RISK MANAGEMENT IN SAFETY MANAGEMENT SYSTEMS] (which can be found here)
  • IMO MSC-FAL.1/Circ.3 [GUIDELINES ON MARITIME CYBER RISK MANAGEMENT] (which can be found here)
  • ISO/IEC 27001:2013 [Information technology -- Security techniques -- Information security management systems -- Requirements]
  • The Guidelines on Maritime Cyber Risk Management [Produced by BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, IUMI, OCIMF and WORLD SHIPPING COUNCIL] (which can be found here)

According to IMO Resolution MSC.428 (98) on Maritime Cyber Risk Management, the objectives of the International Safety Management (ISM) Code include the provision of safe practices in ship operation and a safe working environment, and the assessment of all identified risks to ships, personnel and the environment. In this context, the Safety Management System (SMS) of a shipping company should take cyber risk management into account, in accordance with the objectives and functional requirements of the ISM Code, with the aim of safeguarding shipping from current and emerging cyber threats and vulnerabilities. Therefore, cyber risks should be appropriately addressed in the SMS no later than the first annual verification of the company’s Document of Compliance that occurs after 1 January 2021.

To that end, the Interim Guidelines on Maritime Cyber Risk Management [IMO resolution MSC.1/Circ.1526] provide recommendations that can be incorporated into existing risk management processes. The Guidelines also include functional elements that support effective cyber risk management.

The Guidelines on Cyber Security on board Ships (please click here) reflect a deeper experience with risk assessments of operational technology, such as navigational systems and engine controls, and provide more guidance for dealing with the cyber risks to the ship arising from parties in the supply chain. For detailed guidance on cyber risk management.

Flag Administrations will soon publish their own guidelines and requirements to encourage ship-owners and operators to take the necessary steps to safeguard shipping from current and emerging threats and vulnerabilities related to digitization, integration and automation of processes and systems in shipping. Shipping companies should carefully develop plans and procedures for cyber risk management, which should be seen as complementary to the existing security and safety risk management requirements contained in the International Safety Management (ISM) Code and the International Ship and Port Facility Security (ISPS) Code.

December 21st, 2018 - PHRS Head Office