IMO’s new Cyber Risk Management regulations, MSC 428(98), are due to come into effect no later than the first annual verification of the Company’s Document of Compliance after 1 January 2021.
The guidelines provided by IMO are very high level (see MSC-FAL.1/Circ.3 and Resolution MSC.428(98)), so other organizations recognized by IMO have produced more comprehensive guidelines.
See Guidelines on Cyber Security on board Ships issued by BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, OCIMF, IUMI and WORLD SHIPPING COUNCIL.
ISO/IEC 27001 standard on Information technology – Security techniques – Information security management systems – Requirements. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
United States National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework).
For detailed guidance on cyber risk management, users of these Guidelines should also refer to Member Governments’ and Flag Administrations’ requirements, as well as relevant international and industry standards and best practices. The above information is available on IMO’s website: http://www.imo.org/en/OurWork/Security/Guide_to_Maritime_Security/Pages/Cyber-security.aspx
A9X developed Cyber Detective (ACD) software specifically to assist with vessels’ compliance with MSC 428(98). ACD can address many of the compliance requirements for ICT hardware and software onboard vessels. ACD compares 300-plus cyber security rules from NIST and other government guidelines against your IT systems to audit compliance. In line with IMO’s high-level guidelines, our software adheres to their stated functional elements that support effective cyber risk management: Identify, Detect, Protect, Respond and Recover. For various Cyber Risk Management Guidance documents, please visit our RESOURCES page.
What ACD doesn’t do is provide a Cyber Risk Management Policy and integrate it into your vessel’s SMS, or provide Cyber Security Training to your crew / staff. Protection of vessels’ OT (operational technology) hardware also needs to be assessed on a case-by-case basis, as we understand many vessels don’t have their OT hardware connected to the internet and either use USB thumb drives to transfer updates manually, or don’t update the software at all.
A9X are happy to work with customers and provide any advice we can to help them with their cyber security compliance. Being a software house, we also have the ability to customize solutions for you to make your systems and IT security management more efficient.