The approach to cybersecurity in the maritime sector has gained special importance. In this post, you will find information about the current cybersecurity requirements for vessels in operation.
by Concha Gonzalez, March 2023
Cybersecurity requirements you should consider
There are several international and national regulations, guides and best practices that apply to cybersecurity for vessels in operation:
- International Maritime Organization (IMO): International Ship and Port Facility Security (ISPS) and Resolution MSC.428(98)
- Oil Companies International Marine Forum: TMSA (Tanker Management and Self-assessment)
- European Union: Network and Information Systems (NIS) Directive
- ISO/IEC: 27000 family of standards
- National regulations, such as the United States Maritime Transportation Security Act (MTSA), which requires vessels and maritime facilities to implement security measures, including cybersecurity.
It is therefore important for vessel owners, operators, and crew members to understand these regulations in order to minimize the risk of cyberattacks and protect the safety of the vessel and its passengers.
International Maritime Organization (IMO)
IMO is a specialized agency of the United Nations responsible for regulating international shipping. In brief, IMO's goal is to ensure safe, secure, and sustainable shipping, facilitating trade and friendly relations among all UN Member States.
In the early 1900s, IMO issued the International Convention for the Safety of Life at Sea (SOLAS). SOLAS has been amended and has evolved into what is now known as SOLAS 1974. Later, IMO issued the International Safety Management (ISM) Code in 1998. The ISM Code was put into force as a chapter of SOLAS. More recently, the ISM Code has served as the foundation upon which IMO Member States have issued the International Ship and Port Facility Security (ISPS) Code, adopted Resolution MSC.428(98) and built the 2021 guidelines for cyber risk management.
The International Ship and Port Facility Security (ISPS) Code is mandatory for vessels in operation. It is a set of security requirements developed by the International Maritime Organization (IMO) to enhance the security of ships and port facilities against terrorism and other security threats.
Under the ISPS Code, all ships over 500 gross tonnage engaged in international voyages, and all port facilities serving such ships, are required to develop, implement and maintain a security plan that meets the requirements of the Code. This includes identifying potential security threats, implementing security measures to address those threats, and establishing procedures for responding to security incidents. The ISPS Code was adopted by the International Maritime Organization (IMO) in December 2002, and it entered into force on July 1, 2004.
While the ISPS Code does not specifically address cybersecurity, it does include measures that can help to mitigate cyber risks.
- Security assessments. Ships and port facilities have to conduct security assessments to identify potential cyber threats and vulnerabilities.
- Security plans. Ships and port facilities have to develop and implement security plans that address identified risks.
- Personnel training. The ISPS Code requires that personnel involved in ship and port operations receive appropriate training in security awareness and response measures. This training should include cybersecurity awareness and response procedures.
- Access control. Access to ships and port facilities must be controlled and monitored, including access to IT systems and networks.
- Incident reporting. Cybersecurity incidents must be reported and investigated.
- International cooperation. The ISPS Code emphasizes the importance of international cooperation in addressing security threats, including sharing information and best practices related to cybersecurity.
Consequently, ship operators and port facilities have to address several issues. Among them, they have to appoint a designated security officer (DSO) or a port facility security officer (PFSO), who will be responsible for implementing the security plan.
IMO Resolution MSC.428(98)
IMO Resolution MSC.428(98) provides guidance on implementing cybersecurity measures on ships and in ports. Compliance with IMO Resolution MSC.428(98) is often required by flag states and classification societies. Since Resolution MSC.428(98) affirms that an approved safety management system should take into account cyber risk management in accordance with the objectives of the ISM Code, companies must demonstrate that cybersecurity is an integral part of their safety management system.
In brief, Resolution MSC.428(98) outlines various recommendations for addressing cybersecurity risks. These include conducting risk assessments, developing contingency plans, and implementing security measures such as firewalls and access controls.
Moreover, IMO encourages flag states not to issue compliance documents to vessels if cyber risks are not appropriately addressed in the respective safety management system. IMO also urged countries to address this requirement no later than January 1, 2021. To support that goal, IMO developed a guideline on maritime cyber security management.
Tanker Management and Self-Assessment (TMSA)
TMSA stands for Tanker Management and Self-Assessment, a best practice guide for tanker operators and owners developed by the Oil Companies International Marine Forum (OCIMF). Although TMSA is not mandatory for vessels in operation, it is widely used and recommended in the shipping industry. Its main goal is to improve the safety and environmental performance of tanker operators and owners.
Although TMSA provides detailed guidance on many aspects of tanker operations, it does not address cybersecurity in great detail. However, TMSA requires a robust safety management system (SMS) to be in place, and that SMS must include cybersecurity.
Summing up, a strong SMS should include policies, procedures, and training programs, so that all personnel involved in tanker operations are aware of the potential cybersecurity risks and how to mitigate them. In addition, TMSA recommends that tanker operators and owners:
- conduct regular risk assessments
- implement access controls
- monitor and test systems from a cybersecurity point of view
- develop and implement a risk management plan
European Union Network and Information Systems (NIS) Directive
The European Union (EU) Network and Information Systems (NIS) Directive is a cybersecurity regulation that aims to improve the security of network and information systems across the EU. The directive requires companies to implement measures to protect their systems from cyber-attacks and to ensure the continuity of their services. The NIS Directive applies to companies operating in critical sectors, such as energy, transportation, and healthcare.
The NIS Directive entered into force in August 2016. By 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive, and they shall apply those measures from 18 October 2024.
In the maritime sector, the NIS Directive applies to certain port operators and maritime transportation service providers, including:
- Navigation and vessel traffic services, such as those provided by vessel traffic service (VTS) centers and port operations centers.
- Pilotage services, which are provided to assist vessels in navigating safely in and out of ports and other waterways.
- Vessel towage services, which are provided to assist vessels in maneuvering in and out of ports and other waterways.
- Berthing and unberthing services, which involve the safe and efficient docking and undocking of vessels.
- Cargo handling and storage services, such as those provided by container terminals and other cargo handling facilities.
The NIS Directive applies to operators of essential services that exceed certain thresholds, such as the number of employees or the volume of services provided. The exact threshold values may vary between EU Member States, as each Member State is responsible for setting its own threshold values within certain parameters.
For example, in Spain the EU Network and Information Systems (NIS) Directive is transposed into law through the Law on the Security of Networks and Information Systems (Ley de Seguridad de las Redes y Sistemas de Información, or LSSICE, Real Decreto-ley 12/2018 and Real Decreto 43/2021).
ISO/IEC 27000 family of standards
ISO/IEC 27001 is a widely recognized international standard for information security management systems (ISMS). It provides a framework for managing and protecting sensitive information using a risk-based approach. Although this standard is not mandatory for vessels in operation, some organizations and charterers require it as a condition of doing business.
How can shipowners and ship operators demonstrate compliance with IMO regulations?
Shipowners demonstrate compliance with IMO cybersecurity regulations by obtaining a certificate. A flag state, or a recognized organization authorized by the flag state, is responsible for issuing these certificates. Certificates are usually valid for five years, after which they must be renewed. The recognized organizations that can issue the cybersecurity certificate are called Recognized Security Organizations (RSOs).
Some of the well-known RSOs include DNV GL, Lloyd's Register, Bureau Veritas, American Bureau of Shipping (ABS) and Nippon Kaiji Kyokai (ClassNK).
The first step toward obtaining certification is a cybersecurity audit. This audit includes review and verification of:
- the ship’s cybersecurity plan
- access control measures
- system backups and recovery plans
- cybersecurity training programs for personnel
- cyber risk assessment
- cybersecurity measures to address identified vulnerabilities and threats
Vessels operating without a cybersecurity certificate
Ships that do not have a valid cybersecurity certificate, where one is mandatory, may face restrictions on their ability to navigate in certain waters or to access certain ports. It may even result in penalties and fines.
Furthermore, many countries have implemented cybersecurity regulations that require ships to have a valid cybersecurity certificate to enter their ports. For example, the United States Coast Guard (USCG) has issued a Marine Safety Information Bulletin (MSIB) that requires all ships arriving at US ports to have a valid cybersecurity certificate. Failure to comply with this requirement may result in a delay in port access or denial of entry.
In addition, shipping companies that operate ships without valid cybersecurity certificates may face reputational damage and loss of business. Many cargo owners and charterers require proof of compliance with the ISPS Code and other cybersecurity regulations before agreeing to transport their cargo on a ship.
Costs of cybersecurity certification
The cost of obtaining a cybersecurity certificate for a vessel in operation can vary depending on a number of factors, among them the size and type of the ship and the complexity of the ship's systems.
In practice, the cost of obtaining a cybersecurity certificate for a vessel can range from a few thousand dollars to tens of thousands of dollars. This cost usually includes the fees charged by the RSO (Recognized Security Organization) as well as additional costs associated with upgrading the ship's systems or implementing cybersecurity measures. In addition to the initial cost, there may be ongoing costs associated with maintaining compliance and renewing the certificate.
Suppliers of cybersecurity consulting, intelligence, training, and auditing services
Suppliers of maritime cybersecurity consulting, intelligence, training, and auditing services must ensure that their clients meet the cybersecurity standards and requirements set by the maritime industry.
As an experienced maritime service supplier, Aeromarine can provide services such as:
- Cybersecurity audits on board as well as at headquarters
- Continuous fleet cybersecurity monitoring and control
- Cybersafety consultancy and intelligence, offering services such as Managed Detection and Response, Threat Hunting or Ransomware Resilience
These services can boost your company's compliance with regulations, standards and best practices, so that you can focus your in-depth cybersecurity planning efforts on maintaining the security of the systems in your organization and on your fleet.
If you need more information, contact us.