Standard Guide for Inclusion of Cyber Risks into Maritime Safety Management Systems in Accordance with IMO Resolution MSC.428(98)―Cyber Risks and Challenges


Significance and Use:

5.1 ISM Code Requirement—In 1989, IMO adopted guidelines on management for the safe operation of ships and pollution prevention. These guidelines are now the International Safety Management (ISM) Code, which was made mandatory for ships trading on international waters through the International Convention for the Safety of Life at Sea, 1974 (SOLAS). In 1995, the IMO Assembly adopted the guidelines on implementation of the ISM Code by administrations by Resolution A.788(19). These guidelines were revised and adopted as Resolution A.913(22) in 2001. The guidelines were further revised and adopted as Resolution A.1022(26) in 2009 and entered into force on 1 July 2010.

5.1.1 ISM Code Purpose—The ISM Code is designed to improve the safety of international shipping and reduce pollution by encouraging self-regulation and oversight for identifying safety issues, taking corrective action, and promoting overall organizational safety culture. The ISM Code establishes an international standard for the safe management and operation of ships and for the implementation of an SMS operating internationally.

5.1.2 ISM Code Intent—The intent of the ISM Code is to support and encourage the development of a safety culture in shipping by moving away from a culture of “unthinking” compliance with external rules toward a culture of “thinking” self-regulation of safety and the development of a “safety culture” that identifies safety issues and concerns and promotes proactive corrective actions. The safety culture involves moving to a culture of self-regulation with every individual from the top to the bottom empowered to take ownership, responsibility, and action for improving and addressing safety.

5.2 Additional Applications—In addition to the ISM Code requirements, Flag States, industry organizations, and companies have initiated mandatory and nonmandatory SMS. All of these systems are being instituted to improve operational safety, identify safety issues, promote implementation of corrective actions, and improve overall organizational safety culture.

5.2.1 Application/Use of Guide—The intention of this guide is to leverage mandatory or voluntary safety management systems already in place to proactively identify and address cybersecurity issues, which are a critical and ever-increasing safety concern in maritime operations. The intent of this guide is to provide items for consideration and recommendations, and to contribute to the thought process for incorporating cyber elements into existing SMSs by providing information, structure, and elements for consideration in working through the process.

5.2.2 Limitation of Guide—This guide is not all encompassing but provides a foundation for starting the process by leveraging existing resources to address cybersecurity issues beginning with basic cyber hygiene and running all the way through nefarious intentional cyberattacks. This guide is intended to serve the entire maritime community but will be most beneficial to resource-constrained organizations that may not have significant infrastructure or resources or both to secure comprehensive cybersecurity services and solutions.

5.2.3 Focus Topics for Applying the Guide—Considerations that are covered in the guide include management of change, cyber risk assessment, development of mitigation strategies, implementation, training, documentation, auditing, as well as examples of template language that can be leveraged in SMS applications.

Subcommittee:

F25.07

Volume:

01.08

ICS Number:

35.030 (IT Security), 35.240.60 (IT applications in transport)

Keywords:

cyber attack; cyber risk; cyber safety; cybersecurity; cyber vulnerability; International Safety Management (ISM) Code; maritime industry; safety management systems; SMS

Standard
F3449

Version
20

Status
Active

Classification
Guide

Approval date
2020-06-01