The IMO has identified cyber security as a risk to be addressed in safety management systems, and the handling of risks is to be verified in audits from 1 January 2021 onwards. This statutory news summarises experiences so far, provides advice on handling and offers a Quick Check.
Relevant for ship owners and managers as well as yards, design offices and suppliers.
The handling of cyber risk through safety management systems continues to vary. Some Document of Compliance (DoC) holders seem to have a good start, while others have not even started. Investing time and resources is important for implementing an effective system.
DNV GL has developed an SMS Cyber Security Quick Check supporting maritime cyber risk handling through the ISM Code. We recommend that all ship owners and DoC holders perform this check, as it gives an overview of topics that have been addressed in 2020, including:
- Commitment from the top and throughout the organization
- Safety and environmental protection policy addressing cyber security
- Comprehensive cyber risk management to identify threats, assess potential consequences of compromised IT and OT systems, and establish appropriate safeguards
- Measures to cover normal operation and emergency situations
- Roles, tasks and responsibilities for company staff and onboard crew
- Continuous improvement of safety management skills of personnel onshore and on board ships, including preparing for emergencies, also in light of cyber security
- Cyber safety and cyber security maintenance of systems and data
- Identification of vulnerabilities and weaknesses as well as continuous execution of improvements
DNV GL has collected valuable information from some of our ISM auditors, and a summary of their feedback is provided below.
Cyber challenges reported by DNV GL auditors:
Main advice from our auditors and cyber security experts:
The DNV GL SMS Cyber Security Quick Check is a simple way to facilitate the handling of cyber security and support DoC holders with SMS measures on cyber security that fit their needs.
To be prepared for 2021 audits, consider IMO MSC-FAL.1/Circ.3 and note:
No two organizations are the same, and SMS measures must fit the needs of DoC holders. Companies operating ships with limited cyber-related systems may find MSC-FAL.1/Circ.3 sufficient, while those with complex cyber-related systems may require a greater level of care and seek additional resources through reputable partners. DNV GL has services and experts ready to help.
- SMS Cyber Security Quick Check provided by DNV GL
- Cyber Security topic page
- Statutory News “Cyber security to be covered in SMS from 1 January 2021 – are you prepared?” (2 June 2020)