ANNEX 3 CYBER RISK MANAGEMENT AND THE SAFETY MANAGEMENT SYSTEM
IMO Resolution MSC.428(98) makes clear that an approved SMS should take into account cyber risk management (CRM) when meeting the objectives and functional requirements of the ISM Code. The guidance provided in the Guidelines on maritime cyber risk management (MSC-FAL.1/Circ.3) provides high level recommendations regarding the elements of an appropriate approach to implementing cyber risk management. The guidance in this annex is designed to provide the minimum measures that all companies should consider implementing so as to address cyber risk to include reference to the risk posed by unmitigated cyber risks.
An updated safety and environment protection policy should demonstrate:
● a commitment to manage cyber risks as part of the overall approach to safety management (including safety culture) and protection of the environment
● an understanding that CRM has both safety and security aspects, but the emphasis is on managing the safety risks introduced by OT, IT and networks
● an understanding that without appropriate technical and procedural risk protection and control measures, OT is vulnerable to disruption affecting the safe operation of a ship and protection of the environment.
Nothing in the updated policy should suggest that CRM is given any more or less attention than any other risks identified by the company.
ISM Code: 3.3
In general, IT personnel should understand potential vulnerabilities in computer-based systems and know the appropriate technical and procedural protection measures to help ensure the availability and integrity of systems and data. Operational and technical personnel should generally understand the safety and environmental impacts of disruption to critical systems21 onboard ships and are responsible for the SMS.
Allocation of responsibility and authority may need to be updated to enable CRM. This should include:
● allocation of responsibilities and authorities which encourage cooperation between IT personnel (which may be provided by a third party) and the company's operational and technical personnel
● incorporating compliance with cyber risk management policies and procedures into the existing responsibility and authority of the Master.
ISM Code: 6.5
Cyber awareness training is not a mandatory requirement. Notwithstanding this, training is a protection and control measure that forms the basis of CRM. It helps to ensure that personnel understand how their actions will influence the effectiveness of the company's approach to CRM. Existing company procedures for identifying training requirements should be used to assess the benefits and need for:
● all company personnel to receive basic cyber awareness training in support of the company's CRM policies and procedures
● company personnel, who have been assigned CRM duties, to receive a type and level of cyber training appropriate to their responsibility and authority.
19 Identify, Protect, Detect, Respond and Recover as described in the Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3).
20 Functional element from the Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3).
21 For the purpose of this annex, “critical systems” means the OT, IT, software and data the sudden operational failure or unavailability of which is
identified by the company as having the potential to result in hazardous situations.
ANNEX 3 CYBER RISK MANAGEMENT AND THE SAFETY MANAGEMENT SYSTEM A3.2 Protect
A3.1.2 Identify systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.
Action Remarks failure of which may result in hazardous situations.
An approved SMS will already identify the equipment and technical systems (including OT and IT), and capabilities, which may cause hazardous situations if they become unavailable or unreliable. The impacts should already have been documented in an approved SMS.
However, an approved SMS, which incorporates CRM will also need to address data in the context of sudden operational failure. Loss of availability or integrity of data used by critical systems can have the same impact on safety and protection of the environment as the system becoming unavailable or unreliable for some other reason. Consequently, it is recommended that the list of equipment and technical systems, should be supplemented by a list of the data used by those systems and its source(s).
A3.2 Protect
A3.2.1 Implement risk control measures
Action Remarks
ISM Code: 1.2.2.2
the Guidelines: Ch.6 & Annex 1 Assess all identified risks to ships, personnel and the environment and establish appropriate safeguards.
The full scope of risk control measures implemented by the company should be determined by a risk assessment, taking into account the information provided in these guidelines.
As a baseline, the following measures should be considered before a risk assessment is undertaken. The baseline consists of the technical and procedural measures, which should be implemented in all companies to the extent appropriate. These measures are:
● Hardware inventory – Develop and maintain a register of all critical system hardware on board, including authorized and unauthorized devices on company controlled networks.
The SMS should include procedures for maintaining this inventory throughout the operational life of the ship.
● Software inventory – Develop and maintain a register of all authorized and unauthorized software running on company-controlled hardware onboard, including version and update status. The SMS should be updated to include procedures for:
• maintaining this inventory when hardware controlled by the company is replaced
• maintaining this inventory when software controlled by the company is updated or changed
• authorizing the installation of new or upgraded software on hardware controlled by the company
• prevention of installation of unauthorized software, and deletion of such software if identified
• software maintenance.
● Map data flows – Map data flows between critical systems and other
equipment/technical systems on board and ashore, including those provided by third parties. Vulnerabilities identified during this process should be recorded and securely retained by the company. The SMS should be updated to include procedures for:
• maintaining the map of data flows to reflect changes in hardware, software and/or connectivity
• identifying and responding to vulnerabilities introduced when new data flows are created following the installation of new hardware
• reviewing the need for connectivity between critical systems and other OT and IT systems. Such a review should be based on the principle that systems should only be connected where there is a need for the safe and efficient operation of the ship, or to enable planned maintenance
• controlling the use of removable media, access points and the creation of ad-hoc or uncontrolled data flows. This may be achieved by restrictions on the use of removable media and disabling USB and similar ports on critical systems.
● Implement secure configurations for all hardware controlled by the company – This should include documenting and maintaining commonly accepted security configuration standards for all authorized hardware and software. The SMS should include policies on
ANNEX 3 CYBER RISK MANAGEMENT AND THE SAFETY MANAGEMENT SYSTEM A3.2 Protect
the allocation and use of administrative privileges by ship and shore-based personnel, and third parties. However, it is not recommended that the details of secure
configurations are included in the SMS. This information should be retained separately and securely by the company.
● Audit logs – Security logs should be maintained and periodically reviewed. Security logging should be enabled on all critical systems with this capability. The SMS should be updated to include procedures for:
• policies and procedures for the maintenance of security logs and periodic review by competent personnel as part of the operational maintenance routine
• procedures for the collation and retention of security logs by the company, if appropriate.
● Awareness and training – See line 3 above.
● Physical security – The physical security of the ship is enhanced by compliance with the security measures addressed in the ship security plan (SSP) required by the ISPS Code.
Measures should be taken to restrict access and prevent unauthorized access to critical system network infrastructure onboard.
An approved SMS should already address procedures, plans and instructions for key shipboard operations concerning the safety of the personnel, ship and protection of the environment. In general, these plans should be unaffected by the incorporation of CRM into the SMS. This is because the effect of the loss of availability of OT, or loss of integrity of the data used or provided by such systems, is the same as if the OT was unavailable or unreliable for some other reason.
Notwithstanding this, consideration should be given to developing instructions on the actions to be taken if disruption to critical systems is suspected. This could include procedures for reverting to back-up or alternative arrangements as a precaution whilst any suspected disruption is investigated.
Procedures for periodically checking the integrity of information provided by OT to operators should be considered for inclusion in operational maintenance routines.
ISM Code: 8.1 systems required for the safe operation of ships and protection of the environment. In general, these plans should be unaffected by the incorporation of cyber risk management into safety management systems. This is because the effect of common shipboard emergencies should be independent of the root cause. For example, a fire may be caused by equipment malfunctioning because of a software failure or inappropriate maintenance or operation of the equipment.
Notwithstanding the above, consideration should be given to the development of a cyber incident module in the integrated system of shipboard emergency plans for significant disruption to the availability of OT or the data used by them. The purpose of the module could be to provide information on the actions to be taken in the event of a simultaneous disruption to multiple OT systems required for the safe operation of the ship and protection of the environment. In this more complex situation, additional information on appropriate immediate actions to be taken in response may be necessary.
ANNEX 3 CYBER RISK MANAGEMENT AND THE SAFETY MANAGEMENT SYSTEM A3.3 Detect
A3.3 Detect
A3.3.1 Develop and implement activities necessary to detect a cyber-event in a timely manner.
Action Remarks
An approved SMS should already address procedures relating to non-conformities. When incorporating CRM into the SMS, company reporting requirements for non-conformities may need to be updated to include cyber related conformities. Examples of such non-conformities and cyber incidents:
● unauthorised access to network infrastructure
● unauthorized or inappropriate use of administrator privileges
● suspicious network activity
● unauthorised access to critical systems
● unauthorised use of removable media
● unauthorised connection of personal devices
● failure to comply with software maintenance procedures
● failure to apply malware and network protection updates
● loss or disruption to the availability of critical systems
● loss or disruption to the availability of data required by critical systems.
A3.4 Respond
A3.4.1 Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations and/or services impaired due to a cyber-event.
Action Remarks
ISM Code: 3.3 the Guidelines: 8.2
Ensure that adequate resources and shore-based support are available to support the DPA in responding to the loss of critical systems.
An approved SMS should already be supported by adequate resources to support the DPA.
However, the incorporation of CRM into the SMS should require that this resourcing includes appropriate IT expertise. This resource could come from within the company but may also be provided by a third party. In providing the adequate resources, the following should be considered:
● company or third party technical support should be familiar with onboard IT and OT infrastructure and systems
● any internal response team or external cyber emergency response team (CERT) should be available to provide timely support to the DPA
● provision of an alternative means of communication between the ship and the DPA, which should be able to function independently of all other shipboard systems, if and when the need arises
● internal audits should confirm that adequate resources, including third parties when appropriate, are available to provide support in a timely manner to support the DPA.
ISM Code: 9.2
An approved SMS should already include procedures for responding to non-conformities. In general, these should not be affected by the incorporation of CRM in SMS. However, the procedures should help ensure that consideration of non-conformities and corrective actions involves the personnel with responsibility and authority for CRM. This should help ensure that corrective actions, including measures to prevent recurrence, are appropriate and effective.
ANNEX 3 CYBER RISK MANAGEMENT AND THE SAFETY MANAGEMENT SYSTEM
An approved SMS should already include procedures for operational maintenance routines to promote the reliability of equipment on board. A SMS, which incorporates CRM, should outline procedures for:
● Software maintenance as a part of operational maintenance routines – Such procedures should ensure that application of software updates, including security patches, are applied and tested in a timely manner, by a competent person.
● Authorizing remote access, if necessary and appropriate, to critical systems for software or other maintenance tasks – This should include authorizing access in general
(including verification that service providers have taken appropriate protective measures themselves) and for each specific remote access session.
● Preventing the application of software updates by service providers using uncontrolled or infected removable media.
● Periodic inspection of the information provided by critical systems to operators and confirmation of the accuracy of this information when critical systems are in a known state.
● Controlled use of administrator privileges to limit software maintenance tasks to competent personnel.
A3.5 Recovery
A3.5.1 Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber incident.
Action Remarks
ISM Code: 10.4
the Guidelines: 2.4, Ch.6 & 8.3 Include creation and
maintenance of back-ups into the ship's operational maintenance routine.
An approved SMS should already include procedures for maintaining and testing back-up arrangements for shipboard equipment. Notwithstanding this, it may not address procedures for maintaining and storing offline back-ups for data and systems required for the safe operation of the ship and protection of the environment.
A SMS, which incorporates CRM, should include procedures for:
● checking back-up arrangements for critical systems, if not covered by existing procedures
● checking alternative modes of operation for critical systems, if not covered by existing procedures
● creating or obtaining back-ups, including clean images for OT to enable recovery from a cyber incident
● maintaining back-ups of data required for critical systems to operate safely
● offline storage of back-ups and clean images, if appropriate
● periodic testing of back-ups and back-up procedures.