IMO CYBERSECURITY READINESS SERVICES
How to prepare for IMO 2021?
Nettitude’s ‘IMO Readiness Service’ reviews the current status and future plans for organisations needing to meet the IMO resolution (MSC.428(98)) to ensure that cyber risks are identified and understood.
Nettitude will provide an independent review of the current understanding, preparation, capabilities and readiness to meet the IMO cybersecurity guidelines. The review will be conducted largely on shore with head office staff, although some interviews with vessel crews may be required.
Guidance and consultancy will be given to improve, mature and address any gaps found. This service provides a fast and efficient way to understand your current readiness for the audits after January 2021.
What has the IMO stated?
The IMO has published guidelines for maritime cyber risk management and recommends that stakeholders take the necessary steps to safeguard shipping from current and emerging threats and vulnerabilities relating to the digitisation, integration and automation of processes and systems in shipping.
The IMO sets out the goal of maritime cyber risk management as being:
“To support safe and secure shipping, which is operationally resilient to cyber risks”.
Nettitude provides a professional service that helps clients to understand whether they are meeting this requirement, and offers advice and guidance on what your next move should be.
What Are The IMO Cybersecurity Compliance Requirements?
In June 2017, the IMO released the resolution MSC.428(98) that:
1. Affirms that an approved safety management system should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code;
2. Encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems, no later than the first annual verification of the company’s Document of Compliance after 1 January 2021;
3. Acknowledges the necessary precautions that could be needed to preserve the confidentiality of certain aspects of cyber risk management;
4. Requests Member States to bring this resolution to the attention of all stakeholders.
The IMO also released IMO MSC-FAL.1/Circ.3, in which it recommends that:
1. Effective cyber risk management should start at the senior management level and should embed a culture of cyber risk awareness into all levels of the organisation.
2. A risk-based approach should be adopted with a comprehensive assessment to compare an organisation’s current, and desired, cyber risk management postures. Such a comparison may reveal gaps that can be addressed to achieve risk management objectives through a prioritised cyber risk management plan.
3. The five NIST Cybersecurity Framework functions (Identify, Protect, Detect, Respond and Recover) should be considered as part of the response to the risk management review.
4. All operational systems should be included and the process and effectiveness reviewed regularly.
5. A plan to communicate awareness throughout the organisation should be implemented.
What Does It Mean To Be IMO Compliant?
Implementing the IMO cybersecurity guidelines will be mandatory in the 2021 annual DOC audits. The IMO is not prescriptive about how these recommendations should be implemented, but refers to best practice from NIST, BIMCO and ISO/IEC 27001 as sources of additional guidance and standards. Maritime organisations are free to choose whatever path is best suited to them.
Nettitude can help you to satisfy the IMO requirements through professional services based on deep knowledge and experience of NIST, ISO/IEC and the marine-specific regulatory frameworks.
What Is An IMO Readiness Service?
For organisations that need a place to start, an IMO readiness assessment reviews the current situation and establishes the key immediate priorities.
The scope of work can also include assisting you in producing a cyber risk methodology, completing a cyber risk assessment and developing cyber risk treatment plans.
How Do I Meet The IMO Cybersecurity Guidelines?
You should consider both short term and longer term actions to manage the cyber risks you face.
What do you need to do?
Minimum/Short Term Requirements:
1. Prepare and ensure cyber risks are identified and understood within your operations
2. Document a risk treatment and management plan for these risks
3. Prepare and demonstrate this at the next ISM DOC audit (after January 2021)
Best Practice/Long Term Requirements:
1. Consider implications for the shipboard ISM and ISPS audits
2. Put in place effective cyber capabilities based on the threats faced
3. Build a relevant, pragmatic and suitable cyber strategy for the future
It is important to highlight that the IMO resolution is NOT just about completing a risk register and management plan: organisations must then execute that plan over time and address the risks it records.
An IMO Readiness Assessment can also help prepare and clarify the best route and journey to follow for your organisation in developing a more mature cybersecurity strategy and approach. Nettitude can assist in many areas to help this be as pragmatic, impactful and relevant as possible.
Nettitude is perfectly placed to act as a trusted partner for Marine and Offshore organisations as they build a robust cybersecurity strategy. Nettitude provides a complete suite of maritime cybersecurity services to help clients identify, protect, detect, respond and recover from cyber threats in the Marine and Offshore industries.
We know both the marine- and offshore-specific operational technology systems that drive performance and the supporting information technology platforms.
We understand the threat landscape and the changing regulations faced by the Marine and Offshore industries and we know how to deliver a cost-effective solution while reducing our clients’ vulnerability to cyber threats. Our work helps to ensure that marine and offshore organisations’ assets and processes are secure, safe, sustainable and compliant with the applicable regulations.