The Guidelines on Cyber Security Onboard Ships
Ships are increasingly using systems that rely on digitisation, integration, and automation, which calls for cyber risk management on board. As technology continues to develop, information technology (IT) and operational technology (OT) onboard ships are being networked together, and more frequently connected to the internet.
This brings a greater risk of unauthorised access or malicious attacks to ships' systems and networks. Risks may also occur from personnel accessing systems on board, for example by introducing malware via removable media.
The safety, environmental and commercial consequences of not being prepared for a cyber incident may be significant. Responding to the increased cyber threat, a group of international shipping organisations, with support from a wide range of stakeholders (please refer to annex 4 for more details), have developed these guidelines, which are designed to assist companies in developing resilient approaches to cyber security onboard ships.
Approaches to cyber security will be company- and ship-specific, but should be guided by appropriate standards and the requirements of relevant national regulations. The guidelines provide a risk-based approach to identifying and responding to cyber threats. An important aspect is that relevant personnel should have training in identifying the typical modus operandi of cyber attacks.
The International Maritime Organization (IMO) has developed guidelines that provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. The Guidelines on Cyber Security Onboard Ships are aligned with the IMO guidelines and provide practical recommendations on maritime cyber risk management covering both cyber security and cyber safety.
The aim of this document is to offer guidance to shipowners and operators on how to assess their operations and put in place the necessary procedures and actions to maintain the security of cyber systems onboard their ships. The guidelines are not intended to provide a basis for, and should not be interpreted as calling for, auditing or vetting the individual approach to cyber security taken by companies and ships.