10 steps to IMO compliance and beyond
Cyberprism’s group technical director, Keith Chappell, outlines why prudent cyber risk management is an act of maturity, while avoiding a race to the bottom…
Having been a little disturbed by some of the questions posed to the panel at a recent cyber security online conference in relation to IMO 2021 compliance (MSC428(98)), I thought it worth writing something that helps vessel operators understand what is required. As a vendor of products and services this may appear strange, but we must recognise budgets are finite and in a sea of sales people selling the latest gadget or service it’s important to understand that spend should only be made to address a risk and not because a sales person puts a compelling argument for their product.
I believe whether on board or ashore, Cyber Security and Information Assurance (CSIA) should be a process of continuous improvement and not a need to be compliant with any particular standard or regulation. Striving for compliance (with any standard or regulation) is simply joining the race to the bottom; IMO is no different and sets a relatively low bar that can be easily and cheaply surpassed.
Time is, though, running out; at the time of writing there are five months to meet the January deadline. However, it’s not too late. The hardest part is making a start, especially if the finishing line is not visible yet. For simplicity we advocate a 10-step plan, effectively an on-ramp to CSIA, delivering IMO compliance along the way but continuing onwards, evolving and improving your organisation’s CSIA posture.
Let’s briefly remind ourselves of the IMO requirements (paraphrased below):
• Cyber security measures must be adopted in the company’s Health, Safety, Environment, Security & Quality (HSES&Q) Policy Statement
• Risk assessments of all OT and IT systems on board and ashore
• Policy in place for the uses of removable data storage
• Policy and procedure in place regarding network communications and Wi-Fi for vessel crews
• Policy and procedure in place for monitoring and updating navigation and communication systems
• Policy in place regarding authorisation criteria for remote connections
• Inventory of all IT/OT systems
• Internet access policy in place outlining restrictions relating to operations currently being performed on board
• Contingency plans for emergency response developed and in place.
With this in mind, let’s discuss the first three steps to be taken:
Ensure the business is brought into the process. CSIA must be led from the top. Don’t have a technical conversation with the business seniors; the conversation must be pitched at the right level for this audience, and that means business risk. The business seniors should understand that the business already manages risk; CSIA is just another risk that needs managing, and it may be possible to manage it, and evidence that management, using systems already in place (the SMS, for example).
The hardest conversation is usually around reaching a workable understanding of acceptable risk. Often this is more difficult than securing an appropriate budget. The budget conversation can often be delayed until risk is better understood, but understanding risk appetite and what level of residual risk may be acceptable is vital (this is not stipulated by the IMO and will vary by business activity and size).
Record the risk appetite in the cyber risk policy. It is also useful for the board to set out in the policy document the company’s position on cyber risk, on cyber risk inherited from suppliers and other third parties, and any parameters for acceptable levels of business interruption or inconvenience. The document should also consider the relative importance of gathering forensic evidence versus the urgency of returning the vessel to normal operation.
These conversations can be difficult and may be aided by securing a board-level briefing from a CSIA expert who can relate to the board.
Take the time to plan a timeline that will help others understand the process and provide a ready means of demonstrating progress to business seniors (a basic KPI). Where possible, assign responsibilities and communication routes; time is short, and time spent in planning should help to avoid duplicated effort and communication misunderstandings.
Agree and define the scope as early as possible, and ensure everybody understands it. Be it one vessel, all vessels or vessels and shore bases, don’t get trapped thinking you will do a pilot on a single vessel, when the business seniors think you are addressing the whole fleet ... it happens!
It’s also worth considering that surveying multiple vessels, while time consuming and potentially daunting, will identify many risks that are not only common to multiple vessels, but have common risk calculations and remediation strategies.
Find time to ensure enough resource is available. Staging vessels one after another (where time allows) lets knowledge gained from early surveys be re-used on later vessels, and templates for asset and risk registers will mature and may become suitable for completion by others. Again, the plan is key: for large fleets, addressing one vessel of each class early and then applying that knowledge as further surveys are undertaken does appear to be the most efficient approach.