Members may recall that in June 2017, the International Maritime Organization (IMO), at the 98th session of its Maritime Safety Committee (MSC), adopted resolution MSC 428 (98), which encourages national administrations to ensure that cyber risks are appropriately addressed in safety management systems (SMS) no later than the first annual verification of the company’s Document of Compliance (DOC) after 1 January 2021.
We are not far from 1 January 2021, and members may receive more detailed information on this from their flag states. Recently, the United States Coast Guard (USCG) issued information on how it will proceed in ensuring compliance with this resolution.
The USCG has instructed its Marine Inspectors (MI) and Port State Control Officers (PSCO) on how to evaluate an SMS and what actions to take in the event of a non-compliance.
The USCG expects that all companies with U.S. flagged ships, and with foreign flagged ships that call at ports in the U.S., ensure that cyber risk management is appropriately addressed in their SMS. In this connection, the USCG will include cyber risk assessment in its PSC inspections after 1 January 2021.
If objective evidence is found that the ship has failed to implement its SMS with respect to cyber risk management, the following actions may be taken by the PSCO.
If cyber risk management has not been incorporated into the ship’s SMS by the company’s first annual verification of the DOC after January 1, 2021, a deficiency may be issued with action code 30 – Ship Detained, with the requirement of an external audit within 3 months or prior to returning to a U.S. port after sailing foreign.
When objective evidence indicates that the ship has failed to implement its SMS with respect to cyber risk management, a deficiency for both the operational deficiency and an ISM deficiency may be issued with action code 17 – Rectify Prior to Departure, and the vessel may be required to conduct an internal audit, focused on the vessel’s cyber risk management, within 3 months or prior to returning to a U.S. port after sailing foreign.
When objective evidence indicates that there is a serious failure to implement the SMS with respect to cyber risk management that has directly resulted in a cybersecurity incident impacting ship operations (e.g. diminished vessel safety or security, or an increased risk to the environment), the PSCO may issue a deficiency for both the operational deficiency and an ISM deficiency with action code 30 – Ship Detained, with the requirement of an external audit within 3 months or prior to returning to a U.S. port after sailing foreign.
In this regard, members are advised to take timely action in ensuring cyber risks are addressed in their SMS and properly implemented on board ships.
Members are also advised that MSC-FAL.1/Circ.3 contains guidelines that provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. The Guidelines also include functional elements that support effective cyber risk management.
BIMCO has worked on this subject with other industry partners and produced the Guidelines on cyber security onboard ships, which are now in version 3. A new version will be out soon. Annex 2 of these guidelines may be of specific interest to shipowners, as it maps the ISM Code to the specific cyber risk aspects covered in the guidelines.
Furthermore, BIMCO has also published the Cyber Security Workbook for On Board Ship Use, a practical workbook on identifying cyber risks and on how to respond in case of a cyber-attack.
Links to the above-mentioned documents:
USCG Office of Commercial Vessel Compliance (CG-CVC) Mission Management System (MMS) Work Instruction (WI)
MSC Res. 428(98)
BIMCO guidelines on cyber security onboard ships
BIMCO Cyber security workbook for on board ship use