The International Maritime Cyber Security Organisation (IMCSO) has released its cybersecurity testing methodology for vessels seeking to assess risk and join the Cyber Risk Registry.
The methodology aims to give IMCSO-accredited cyber consultants, and the senior maritime personnel they will be assessing, a standardised basis for testing: it outlines the test scope and the language to be used, so that tests are planned, executed and reported consistently.
IMCSO CEO, Campbell Murray, said there was currently no standard in the maritime sector for governing the quality of cyber risk assessments. “This methodology will set a precedent by providing a set of criteria that assessors must observe when on engagement and against which maritime security can be measured.
“It is a very big step forward in normalising both expectations and requirements in the maritime space.”
The methodology stipulates the conditions under which the cybersecurity assessments will be carried out. It acts as a legal and practical guide for cybersecurity practitioners, who must adhere to the standards as a condition of their inclusion on the approved suppliers list, otherwise known as the Certified Supplier Registry, held by the IMCSO.
The captain and crew undergoing the assessment will also be required to abide by the methodology and to undergo pre-assessment training, so that they are cyber-ready and better understand the process and its findings.
Testing will assess security across ten categories under the umbrella term of Operational Technology (OT), that is, the hardware and software needed to monitor and control the ship’s physical processes. These include navigation, propulsion, electrical systems, communication, safety systems, cargo handling, environmental systems, maintenance systems, human factors, and regulatory and compliance issues.
The assessment may be carried out at sea, onshore or a combination of the two.
Murray said it could often be difficult for shipping companies to objectively assess their OT suppliers. “Third parties and the shipping companies share a dependency, with joint goals and integrated operations. Yet, with supply chain attacks on the rise, they represent a real risk to operations.
“This can strain the relationship but by applying a systematic approach through a standardised risk assessment, the company can rely upon the process to vet the cybersecurity posture of their suppliers for them.”
Reports will take a practical approach, with clear recommendations made in response to any security issues or vulnerabilities found. Outputs will be standardised under the methodology using qualitative metrics, and this consistency will ensure that the results for each vessel are comparable.
The results will be used to profile the cyber risk of the vessel, the status of which will be recorded in the Cyber Risk Registry.