11/3/2016: The shipboard application of cyber risk management

Editor’s note: October is nationally recognized as National Cybersecurity Awareness Month. Throughout the month, Maritime Commons will feature a series of posts detailing cyber risk management in the maritime domain, focusing on governance, resiliency and defending critical infrastructure.

Last week’s blog continued the dialogue on cybersecurity awareness with a focused discussion on cybersecurity defense. This week, the focus is on the practical implementation of Cyber Risk Management (CRM) onboard commercial vessels.

Although cyber-dependent technologies have evolved rapidly over the past decade, risk management has been a bedrock of the shipping industry for over a century.  The international shipping community — under the auspices of the International Maritime Organization (IMO) — developed MSC.1/Circ.1526 Interim Guidelines On Maritime Cyber Risk Management to provide information and recommendations on how to address Cyber Risk Management.

These guidelines implement the five functional elements detailed in the “Cybersecurity Framework” developed by the National Institute of Standards and Technology. These functional elements are not sequential – all should be concurrent and continuous in practice. The ultimate goal is to imbed these elements into the culture of the company at all levels from the ship’s crew and port workers to the senior executives of the company in the same way that the industry has embraced a safety-culture through the implementation of Safety Management Systems.

Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.

Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber event and ensure continuity of shipping operations.

Detect: Develop and implement activities necessary to detect a cyber event in a timely manner.

Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber event.

Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber event.

A resilient CRM program can be developed by implementing these measures and providing training to employees at all levels of your company on a routine basis. More details on the use of these guidelines can be found in many industry publications including class society Recommended Practices as well as industry association publications such as the “The Guidelines on Cyber Safety and Security Onboard Ships” produced by BIMCO, CLIA, ICS, INTERCARGO and INTERTANKO.

This concludes cyber series 2016: You are encouraged to continue the discussion by contacting the US Coast Guard Office of Design and Engineering Standards or the Office of Port and Facility Compliance.

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.

Comments

comments

Tags: ,