ASTM F3449-20
Standard Guide for Inclusion of Cyber Risks into Maritime Safety Management Systems in Accordance with IMO Resolution MSC.428(98)―Cyber Risks and Challenges
SIGNIFICANCE AND USE
5.1 ISM Code Requirement—In 1989, IMO adopted guidelines on management for the safe operation of ships and pollution prevention; these guidelines are now the International Safety Management (ISM) Code, which was made mandatory for ships trading on international waters through the International Convention for the Safety of Life at Sea, 1974 (SOLAS). In 1995, the IMO Assembly adopted the guidelines on implementation of the ISM Code by administrations as Resolution A.788(19). These guidelines were revised and adopted as Resolution A.913(22) in 2001. The guidelines were further revised and adopted as Resolution A.1022(26) in 2009 and entered into force on 1 July 2010.
5.1.1 ISM Code Purpose—The ISM Code is designed to improve the safety of international shipping and reduce pollution by encouraging self-regulation and oversight for identifying safety issues, taking corrective action, and promoting an overall organizational safety culture. The ISM Code establishes an international standard for the safe management and operation of ships and for the implementation of an SMS operating internationally.
5.1.2 ISM Code Intent—The intent of the ISM Code is to support and encourage the development of a safety culture in shipping by moving away from a culture of “unthinking” compliance with external rules toward a culture of “thinking” self-regulation of safety and the development of a “safety culture” that identifies safety issues and concerns and promotes proactive corrective actions. The safety culture involves moving to a culture of self-regulation in which every individual, from the top to the bottom, is empowered to take ownership, responsibility, and action for improving and addressing safety.
5.2 Additional Applications—In addition to the ISM Code requirements, Flag States, industry organizations, and companies have initiated mandatory and nonmandatory SMS. All of these systems are being instituted to improve operational safety, identify safety issues, promote implementation of corrective actions, ...
SCOPE
1.1 This guide is designed to provide the maritime industry guidance, information, and options for incorporating cyber elements into safety management systems (SMS) in accordance with the International Safety Management (ISM) Code and other national (United States) and international requirements.
1.2 This guide will support U.S. maritime operating companies but is a guide only and does not recommend a specific course of action. However, this guide is to be used to improve cyber safety, address vulnerability, recommend and outline training, and raise knowledge and awareness of cyber threats by leveraging documented, auditable SMS mechanisms.
1.3 The purpose of this guide is to offer guidance, information, and options based on a consensus of opinions but not to establish a standard practice. Each organization shall evaluate their SMS, their information management systems at sea and ashore, and the level of cyber risk that exists within the organization to determine the best methods of compliance with the cybersecurity requirements of the ISM Code or other legal or self-imposed requirements or both.
1.4 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.
1.5 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
General Information
- Status: Published
- Publication Date: 31-May-2020
- Technical Committee: F25 - Ships and Marine Technology
- Drafting Committee: F25.07 - General Requirements
Overview
ASTM F3449-20 is a key guidance document for the maritime industry, providing a framework for integrating cyber risk management into maritime Safety Management Systems (SMS). Developed by ASTM in alignment with IMO Resolution MSC.428(98), this standard helps ship operators, regulators, and stakeholders address and manage cyber risks, supporting compliance with the International Safety Management (ISM) Code and the International Convention for the Safety of Life at Sea (SOLAS).
Ensuring robust cybersecurity within SMS is vital for maintaining operational safety, protecting assets and crew, and meeting both international and national regulatory expectations. ASTM F3449-20 offers practical procedures and considerations for managing cyber vulnerabilities, enhancing awareness, conducting risk assessments, and establishing mitigation strategies.
Key Topics
Integration with ISM Code
The guide aligns with the ISM Code's intent to foster a proactive safety culture within the maritime sector by embedding cyber risk controls into existing management systems.
Cyber Risk Assessment
Provides steps for identifying cyber threats, assessing vulnerabilities, and evaluating potential impacts to ship safety and operations. Emphasizes systematic analysis, including asset identification and risk ranking.
Management of Change
Outlines processes for evaluating, documenting, and communicating changes related to the introduction of cybersecurity procedures, ensuring both intended and unintended effects are considered across ship and shore operations.
Training and Awareness
Recommends tailored cyber training for personnel, emphasizing the importance of enterprise-wide understanding and engagement with new security processes.
Mitigation Strategies
Guides organizations in developing and prioritizing cyber risk mitigation based on risk assessment findings, resource constraints, and operational priorities.
Documentation and Auditing
Stresses the need for clear documentation of risk management activities and regular SMS audits to verify continued effectiveness of cyber risk controls.
Applications
For Ship Operators and Owners
Use ASTM F3449-20 to assess existing SMS against cyber risk criteria, identify improvement areas, and implement structured cybersecurity processes that comply with IMO and SOLAS requirements.
Regulatory Compliance
Supports compliance with the IMO's deadline that all safety management systems address cyber risks by the first annual Document of Compliance verification after January 1, 2021.
Maritime Training
Provides a basis for creating or updating cybersecurity training programs, boosting crew awareness and preparedness against evolving cyber threats.
Risk Management
Facilitates comprehensive cyber risk management, helping organizations prioritize resources, respond quickly to vulnerabilities, and document decision-making processes for internal and external review.
Support for US Operators
Offers specific guidance tailored for the US maritime industry, while also serving international operators seeking alignment with widely recognized standards.
Related Standards
Leverage these related standards and guidelines to build a cohesive and effective cyber risk management program in maritime operations:
- ISO 9001:2015 - Quality Management Systems
- ISO/IEC 27000:2018 - Information Security Management Systems (Overview and Vocabulary)
- IMO Resolution MSC.428(98) - Maritime Cyber Risk Management in SMS
- MSC-FAL.1/Circ.3 - IMO Interim Guidelines on Maritime Cyber Risk Management
- BIMCO Guidelines on Cybersecurity Onboard Ships
- USCG NVIC 05-17 - Guidelines for Addressing Cyber Risks at MTSA-Regulated Facilities
- USCG CG-5P Policy Letter 08-16 - Reporting Suspicious Activity and Security Breaches
- NIST SP 800-30 - Guide for Conducting Risk Assessments
- 46 CFR Subchapter M - US Regulations for Towing Vessels
Conclusion
By following ASTM F3449-20, maritime organizations can strengthen their SMS, mitigate evolving cyber risks, and demonstrate commitment to international best practices in maritime safety and cybersecurity. This standard provides a flexible yet robust approach, supporting regulatory compliance and promoting a proactive, resilient maritime safety culture.
Frequently Asked Questions
ASTM F3449-20 is a guide published by ASTM International. Its full title is "Standard Guide for Inclusion of Cyber Risks into Maritime Safety Management Systems in Accordance with IMO Resolution MSC.428(98)―Cyber Risks and Challenges".
ASTM F3449-20 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security; 35.240.60 - IT applications in transport. The ICS classification helps identify the subject area and facilitates finding related standards.
Standards Content (Sample)
This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
Designation: F3449 − 20 An American National Standard
Standard Guide for Inclusion of Cyber Risks into Maritime Safety Management Systems in Accordance with IMO Resolution MSC.428(98)—Cyber Risks and Challenges
This standard is issued under the fixed designation F3449; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.
1. Scope
1.1 This guide is designed to provide the maritime industry guidance, information, and options for incorporating cyber elements into safety management systems (SMS) in accordance with the International Safety Management (ISM) Code and other national (United States) and international requirements.
1.2 This guide will support U.S. maritime operating companies but is a guide only and does not recommend a specific course of action. However, this guide is to be used to improve cyber safety, address vulnerability, recommend and outline training, and raise knowledge and awareness of cyber threats by leveraging documented, auditable SMS mechanisms.
1.3 The purpose of this guide is to offer guidance, information, and options based on a consensus of opinions but not to establish a standard practice. Each organization shall evaluate their SMS, their information management systems at sea and ashore, and the level of cyber risk that exists within the organization to determine the best methods of compliance with the cybersecurity requirements of the ISM Code or other legal or self-imposed requirements or both.
1.4 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.
1.5 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
2. Referenced Documents
2.1 ISO Standards:
ISO 9001:2015 Quality Management Systems — Requirements, Section 7.5, Documented Information
ISO/IEC 27000:2018 Information Technology — Security Techniques — Information Security Management Systems — Overview and Vocabulary
2.2 USCG Guidance and Policy:
NVIC 05-17 Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities
USCG CG-5P Policy Letter 08-16 Reporting Suspicious Activity and Breaches of Security
2.3 Other Standards:
46 CFR Subchapter M Towing Vessels
BIMCO The Guidelines on Cybersecurity Onboard Ships
IMO Resolution MSC.428(98) Maritime Cyber Risk Management in Safety Management Systems
The International Safety Management (ISM) Code, Chapter IX of the International Convention for the Safety of Life at Sea (SOLAS)
MSC-FAL.1/Circ.3 Interim Guidelines on Maritime Cyber Risk Management
Footnotes:
1 This guide is under the jurisdiction of ASTM Committee F25 on Ships and Marine Technology and is the direct responsibility of Subcommittee F25.07 on General Requirements. Current edition approved June 1, 2020. Published July 2020. DOI: 10.1520/F3449-20.
2 ISO standards: available from American National Standards Institute (ANSI), 25 W. 43rd St., 4th Floor, New York, NY 10036, http://www.ansi.org.
3 USCG guidance and policy: available from the U.S. Coast Guard (USCG), U.S. Coast Guard Headquarters, 2703 Martin Luther King Jr Ave Se Stop 7318, Washington, DC 20593, https://www.dco.uscg.mil.
4 46 CFR Subchapter M: available from U.S. Government Printing Office, Superintendent of Documents, 732 N. Capitol St., NW, Washington, DC 20401-0001, http://www.access.gpo.gov.
5 BIMCO guidelines: available from https://iumi.com/news/news/bimco-the-guidelines-on-cyber-security-onboard-ships.
6 IMO Resolution MSC.428(98): available from the International Maritime Organization, http://www.imo.org/en/OurWork/Security/Guide_to_Maritime_Security/Documents/Resolution%20MSC.428(98).pdf.
7 ISM Code and MSC-FAL.1/Circ.3: available from International Maritime Organization (IMO), 4, Albert Embankment, London SE1 7SR, United Kingdom, http://www.imo.org.
Copyright © ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States
3. Terminology
3.1 Definitions:
3.1.1 access control, n—practice of selective limiting of the ability and means to communicate with or otherwise interact with a system, use system resources to handle information, gain knowledge of the information the system contains, or control system components and functions.
3.1.2 antivirus software, n—software utility that detects, prevents, and removes viruses, worms, and other malware from a computer.
3.1.3 application programming interface, API, n—set of routines, protocols, and tools for building software and applications.
3.1.4 archive, n—long-term physically separated storage.
3.1.5 authentication, n—security measure designed to establish the validity of a transmission, message, or originator or a means of verifying an individual’s authorization to receive specific categories of information.
3.1.6 availability, n—ensuring timely and reliable access to and use of information.
3.1.7 backup, n—copy of files and programs made to facilitate recovery, if necessary.
3.1.8 binding, v—process of associating two related elements of information.
3.1.9 botnet, n—number of internet-connected computers communicating with other similar machines in which components located on networked computers communicate and coordinate their actions by command and control or passing messages to one another.
3.1.10 capability, n—ability to execute a specified course of action.
3.1.11 certificate, n—digital representation of information that, at least: (1) identifies the certification authority issuing it, (2) names or identifies its subscriber, (3) contains the subscriber’s public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it.
3.1.12 client (application), n—system entity, usually a computer process acting on behalf of a human user, that makes use of a service provided by a server.
3.1.13 communications, n—means for a vessel to communicate with another ship or an onshore facility.
3.1.14 compression, n—reduction in the number of bits needed to store or transmit data.
3.1.15 confidentiality, n—preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
3.1.16 cyberattack, n—any type of offensive maneuver that targets computer information systems, infrastructures, computer networks, or personal computer devices.
3.1.17 cyber intrusion, n—unauthorized access to your computer/service/or data is called intrusion.
3.1.18 cyber risk, n—potential of an undesirable or unfavorable outcome resulting from a given cyber action, activity, or inaction, or combination thereof.
3.1.19 cybersafety, n—guidelines and standards for computerized, automated, and autonomous systems that ensure those systems are designed, built, operated, and maintained so as to allow only predictable, repeatable behaviors, especially in those areas of operation or maintenance that can affect human, system, enterprise, or environmental safety.
3.1.20 cybersecurity, n—activity or process, ability or capability, or state whereby information and communication systems and the information contained therein are protected from and defended against damage, unauthorized use or modification, or exploitation.
3.1.21 cyber vulnerability, n—flaw in a system that can leave it open to attack.
3.1.22 data, n—quantities, characters, or symbols on which operations are performed by a computer being stored and transmitted in the form of electrical signals and recorded on magnetic, optical, or mechanical recording media.
3.1.23 data assurance, n—perception or an assessment of data’s fitness and integrity to serve its purpose in a given context.
3.1.24 detection processes, n—methods of detecting intrusions into computers and networks.
3.1.25 encryption, n—conversion of electronic data into another form called ciphertext, which cannot be easily understood by anyone except authorized parties.
3.1.26 exposure, n—measure of a system at risk that is available for inadvertent or malicious access.
3.1.27 firewall, n—logical or physical break designed to prevent unauthorized access to information technology (IT) infrastructure and information.
3.1.28 file transfer protocol, FTP, n—standard network protocol used to transfer computer files between a client and server on a computer network.
3.1.29 flaw, n—unintended opening or access point in any software.
3.1.30 human system, n—interaction and contact between a human user and a computer system.
3.1.31 hypertext transfer protocol, HTTP, n—primary technology protocol on the web that allows linking and browsing.
3.1.32 hypertext transfer protocol over secure socket layer, HTTPS, n—protocol to transfer encrypted data over the web.
3.1.33 information security management system, ISMS, n—set of policies with information security management or IT-related risks.
3.1.34 information technology, IT, n—equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.
3.1.35 inside threat, n—entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service.
3.1.36 integrity, n—guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity.
3.1.37 International Safety Management (ISM) Code, n—required international regulation in the marine industry and a vital component of the SOLAS Convention (Safety of Life at Sea) requiring a company’s operating vessels to submit a safety management system (SMS) for audit and subsequent approval by Flag Administration or Recognized Organization (RO).
3.1.38 International Maritime Organization, IMO, n—specialized agency of the United Nations responsible for regulating international shipping, primarily focused on ensuring and improving safety, security, and environmental stewardship.
3.1.39 internet of things, IoT, n—internetworking of physical devices, such as vessels, vehicles, buildings and other items embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data.
3.1.40 intrusion detection system, IDS, n—device or software application that monitors a network or systems for malicious activity or policy violations.
3.1.41 local area network, LAN, n—computer network that interconnects computers within a particular area and does not connect to the internet; this applies to onboard ship networks.
3.1.42 machinery control systems, MCS, n—IT systems that report operating parameters or control operation of equipment, which commonly use programmable logic controllers (for example, fuel tank level indicators or throttle control systems).
3.1.43 management of change, n—systematic way to deal with change within an organization to deal effectively with the change and capitalize on change opportunities.
3.1.44 network, n—infrastructure that allows computers to exchange data by wireless or cable wireless network interactions.
3.1.45 network topology diagram, n—shows how the elements of a computer network are arranged.
3.1.46 non-repudiation, n—assurance that the sender is provided with proof of delivery and the recipient is provided with proof of the sender’s identity so that neither can later deny having processed the data.
3.1.47 operational technology, OT, n—information system used to control industrial processes such as manufacturing, product handling, production, and distribution.
3.1.47.1 Discussion—Industrial control systems include supervisory control and data acquisition (SCADA) systems used to control geographically dispersed assets as well as distributed control systems (DCSs) and smaller control systems using programmable logic controllers to control localized processes.
3.1.48 original equipment manufacturer, OEM, n—company that makes parts or subsystems that are used in another company’s end product.
3.1.49 outside threat, n—unauthorized entity from outside the domain perimeter that has the potential to harm an information system through destruction, disclosure, modification of data, or denial of service, or combination thereof.
3.1.49.1 Discussion—Such an e-mail may also request that an individual visit a fake website using a hyperlink included in the e-mail.
3.1.50 phishing, v—sending e-mails to a large number of potential targets asking for particular pieces of sensitive or confidential information.
3.1.51 programmable logic controller, PLC, n—digital computer used for automation of industrial electromechanical processes.
3.1.52 public key infrastructure, PKI, n—framework established to issue, maintain, and revoke public key certificates.
3.1.53 ransomware, n—malware that encrypts data on systems until the distributor decrypts the information.
3.1.54 remote desktop protocol, RDP, n—proprietary protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection.
3.1.55 resilience, n—characteristic that enables a system to resist disruption and adapt to minimize the impact of disruptions.
3.1.56 Resolution MSC.428(98), n—encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.
3.1.57 risk, n—potential or threat of undesired consequences occurring to personnel, assets, or the environment as a result of vulnerabilities in systems, staff, or assets.
3.1.58 risk assessment, n—process that collects information and assigns values to risks for informing priorities, developing or comparing courses of action, and informing decision making.
3.1.59 risk management, n—process of identifying, analyzing, assessing, and communicating risk and accepting, avoiding, transferring, or controlling it to an acceptable level considering associated costs and benefits of any actions taken.
3.1.60 risk matrix, n—matrix that is used during risk assessment to define the level of risk by considering the category of probability or likelihood against the category of consequence severity.
3.1.61 router, n—device that forwards data from one network to another network regardless of physical location.
3.1.62 Safety Management System, SMS, n—comprehensive management system designed to manage safety elements in the workplace.
3.1.63 scanning, v—procedure for identifying active hosts or potential points of exploit or both on a network either for the purpose of attacking them or network security assessment.
3.1.64 sensitive information, n—any digital data that can be classified as private or corporate not meant for public access.
3.1.65 server, n—system entity that provides a service in response to requests from clients.
F3449 − 20
3.1.66 social engineering, n—nontechnical technique used by potential cyber attackers to manipulate insider individuals into breaking security procedures, typically, but not exclusively, through interaction by means of social media.
3.1.67 social media, n—computer-mediated online tools that allow people, companies, and other organizations, including nonprofit organizations and governments, to create, share, or exchange information, career interests, ideas, and pictures/videos in virtual communities and networks.
3.1.68 software, n—set of instructions and its associated documentation that tells a computer what to do or how to perform a task.
3.1.69 Subchapter M, n—U.S. Coast Guard (USCG) regulations that legally define rules for the inspection, standards, and safety policies of towing vessels.
3.1.70 Transportation Worker Identification Credential, TWIC, n—provides a tamper-resistant biometric credential to maritime workers requiring unescorted access to secure areas of port facilities, outer continental shelf facilities, and vessels regulated under the Maritime Transportation Security Act of 2002 (MTSA) and all USCG credentialed merchant mariners.
3.1.71 water holing, v—establishing a fake website or compromising a genuine site to exploit visitors.
3.1.72 wide area network, WAN, n—network that can cross regional, national, or international boundaries.
3.1.73 wi-fi, n—all short-range communications that use electromagnetic spectrum to send and receive information without wires.
3.1.74 zeroize, v—method of erasing electronically stored data by altering the contents of the data storage so as to prevent the recovery of the data.
4. Summary of Guide
4.1 The need to protect information and data has grown proportionally with the expansion of IT and the reliance of organizations on the use of IT in the course of their business activities. This is as true for the maritime industry as for any other industry.
4.2 Within the maritime industry, regulators, ship operators, ship crews, ports, and the general public have recognized the risk associated with a cybersecurity incident. The safety of the ship, crew, cargo, and environment can be significantly affected in the event of a damaging cyberattack, not to mention the possible loss of revenue, cargoes, and personal or proprietary information that can result from a cyber intrusion.
4.3 The IMO has recognized the risk and, through the adoption of Resolution MSC.428(98), created a requirement that a company’s SMS appropriately address cyber risks. This is required of all companies by 1 January 2021.
4.4 This guide has been created to provide guidelines that a company can use to evaluate the cyber risk appropriate to the company, implement mitigation processes or procedures, train employees on those processes and procedures, document the training, and audit the system to ensure that the risk has been adequately addressed, the personnel are properly trained, and those processes or procedures that are created effectively mitigate that risk to the greatest extent possible.
4.5 Addressing cyber risks is not a one-time process but shall be continual and ongoing. As one risk is identified and mitigated, another is sure to develop. It is up to each company or organization to manage this risk continually and ensure that their personnel; systems (IT and mechanical); and developed training, processes, and procedures are robust enough to protect the information, operating systems, and equipment from coming to harm through cyberattack.
5. Significance and Use
5.1 ISM Code Requirement—In 1989, IMO adopted guidelines on management for the safe operation of ships and pollution prevention that is now the International Safety Management (ISM) Code that was made mandatory for ships trading on international waters through the International Convention for the Safety of Life at Sea, 1974 (SOLAS). In 1995, the IMO Assembly adopted the guidelines on implementation of the ISM Code by administrations by Resolution A.788(19). These guidelines were revised and adopted as Resolution A.913(22) in 2001. The guidelines were further revised and adopted as Resolution A.1022(26) in 2009 and entered into force on 1 July 2010.
5.1.1 ISM Code Purpose—The ISM Code is designed to improve the safety of international shipping and reduce pollution by encouraging self-regulation and oversight for identifying safety issues, taking corrective action, and promoting overall organization safety culture. The ISM Code establishes an international standard for the safe management and operation of ships and for the implementation of a SMS operating internationally.
5.1.2 ISM Code Intent—The intent of the ISM Code is to support and encourage the development of a safety culture in shipping by moving away from a culture of “unthinking” compliance with external rules toward a culture of “thinking” self-regulation of safety and the development of a “safety culture” that identifies safety issues and concerns and promotes proactive corrective actions. The safety culture involves moving to a culture of self-regulation with every individual from the top to the bottom empowered to ownership, responsibility, and action for improving and addressing safety.
5.2 Additional Applications—In addition to the ISM Code requirements, Flag States, industry organizations, and companies have initiated mandatory and nonmandatory SMS. All of these systems are being instituted to improve operational safety, identify safety issues, promote implementation of corrective actions, and improve overall organizational safety culture.
5.2.1 Application/Use of Guide—The intention of this guide is to leverage mandatory or voluntary safety management systems already in place to identify and address proactively cybersecurity issues that are a critical and ever-increasing safety concern in maritime operations. The intent of this guide is to provide items for consideration and recommendations, and to contribute to the thought process for incorporating cyber elements into existing SMSs by providing information, structure, and elements for consideration in working through the process.
5.2.2 Limitation of Guide—This guide is not all encompassing but provides a foundation for starting the process by leveraging existing resources to address cybersecurity issues beginning with basic cyber hygiene and running all the way through nefarious intentional cyberattacks. This guide is intended to serve the entire maritime community but will be most beneficial to resource constrained organizations that may not have significant infrastructure or resources or both to secure comprehensive cybersecurity services and solutions.
5.2.3 Focus Topics for Applying the Guide—Considerations that are covered in the guide include management of change, cyber risk assessment, development of mitigation strategies, implementation, training, documentation, auditing, as well as examples of template language that can be leveraged in SMS applications.
6. Procedure
6.1 Management of Change—There are two kinds of change: change that is forced on an organization and change that is planned and managed. The way to ensure that change is planned and managed is to identify those processes, activities, outside influences, and so forth that will cause change within your organization and ensure that appropriate risk assessments, policies, procedures, mitigations, and training are developed.
6.1.1 Importance of Identifying the Intended and Unintended Results of Change:
6.1.1.1 Changes being considered shall be thoroughly evaluated for both the intended and unintended results of the change. If adding procedures, then the addition of the new procedures shall be evaluated to ensure that they do not conflict with other procedures or instructions, they achieve the intended result, they are clearly written and are unambiguous, and they do not cause other, unintended, changes to the system or process. One shall also evaluate the consequences of personnel not fully engaged in the new procedures or processes or who do not fully implement the change as required.
6.1.1.2 Things to consider include, but are not limited to, how the change will affect the workload of the personnel required to carry out the new process or procedures, that the change will not require extensive training or any training required is identified and readily available before the change, that the change will not require support that is not easily available to the vessel at its normal ports of call, or that any support required is readily available to the vessel.
6.1.1.3 In addition, the personnel selected to act on the change shall be evaluated to ensure that they have or can be provided the requisite level of knowledge to allow them to be successful when complying with the changed conditions. For example, a change that requires certain types of network certification or knowledge to implement properly would not be appropriate if assigned to vessel crewmembers whose primary duties and knowledge base do not include network configuration or LAN management.
6.1.2 Identify How Change Will Affect Entire Enterprise Ashore and at Sea:
6.1.2.1 As described in 6.1.1, any change contemplated shall be evaluated to ensure that the implementers have a full understanding of how the change will affect shoreside operations as well as the operation of ships’ systems.
6.1.2.2 It is important to identify what resources will be required to implement the change within the shoreside organization and what resources will be required to implement the change onboard the vessels and ensure that they are readily available. For change to be successful, the requirements should be identified and mitigation strategies and support put in place before implementation.
6.1.2.3 The management of change process should be used to shed light on the who, what, where, when, and how the change is to be implemented. Consideration should be given to questions such as: will more personnel be required when the change is implemented, will those new personnel need to be IT certified, will those onboard the ships have an adequate understanding of both the intention and process for the change, how will this change affect the operation of the systems onboard the ship, how will it affect the shoreside network, will it change the method by which information is communicated between ship and shore, what security risks will be resolved, will any new risks be created as a result of the change, and so forth. The foregoing is not a complete list of what should be considered but provides examples of what should be considered when implementing the change.
6.1.3 Ensure Full Enterprise Understanding of the Need for Change:
6.1.3.1 It shall be emphasized that all personnel who will be affected by any changes to processes and procedures to implement cybersecurity procedures within the SMS should have a full understanding of why the change is necessary, what their role is in regard to the change, and how it will affect their work processes. This is as important for those ashore as it is for those onboard.
6.1.3.2 Without a full understanding of the need to implement cybersecurity procedures, human nature being what it is, personnel may not have full buy-in, may consider the change one more thing that is being forced upon them against their will, may not fully implement or comply with the process, and will not take ownership of the process in relation to their assigned job.
6.1.3.3 As such, any planning for implementation of cybersecurity procedures into an SMS should include some type of familiarization and training. This should be scaled in relation to an individual’s position, ashore and onboard, and their responsibility in regard to implementation and operation of the new procedures and processes. But all personnel affected should have some familiarization with the why of the implementation and how it will affect them and the importance of compliance.
6.1.4 Reporting and Documenting the Management of Change Process:
6.1.4.1 As the implementation of cybersecurity processes into an SMS is a change to the basic structure of the SMS and will affect the way the SMS is operated, complied with, and audited, the management of change process should be documented as evidence that the implementation of the cybersecurity procedures was investigated by the organization, the effect on the organization was examined, and the proper implementation process was determined.
6.1.4.2 In addition, as this is a change to the SMS, it should be reported during the management review process to ensure
that senior management is aware of the change and its effects on the organization. This will also be useful during the audit process as it will document that the organization has properly and appropriately managed the change to the SMS to ensure compliance by all levels of the organization.
6.2 Cybersecurity Risk Assessment:
6.2.1 Introduction:
6.2.1.1 The purpose of the cybersecurity risk assessment is to identify an organization’s cyber posture. This will provide organizations with a comprehensive understanding of the probability of a cybersecurity threat occurring and the impact on the organization in the event a specific threat occurs. The determination of risks will allow organizations to evaluate existing safeguards and make cost-effective decisions on the extent of applying controls to protect the organization effectively from cyber risks and threats, malicious, unintended, internal, and external.
6.2.1.2 As the landscape of cyber threats is continuously evolving and numbers of cyberattacks are increasing rapidly across all industries, the IMO recognized the urgent need to raise awareness across the maritime industry by adopting Resolution MSC.428(98) supported with MSC-FAL.1/Circ.3 on guidelines on maritime cyber risk management.
6.2.2 Preparation before Risk Assessment—Initially, the cyber risk assessment process should be defined, including definition of assumptions and boundary of the systems to be protected. An example of the process is described in Fig. 1.
6.2.2.1 As a mandatory prerequisite, the organization shall determine its valuable assets to be protected. Typically, a list of critical data, intellectual property, hardware, and software technologies related to the people, processes, regulatory requirements, and responsibilities (asset and risk owners) of the organization is essential to define, in detail, as the initial activity to prepare for risk assessment. This should be documented to understand systemic risk on a vessel, related operations, processes, or combination thereof, that interact with the critical hardware and software technologies. There are tools or software that can be used for this preparation stage and the methodology should follow a common risk assessment process. Furthermore, the creation of an overall network or topology diagram describing interconnection of the systems and their connections into the public or third-party network is helpful. Fig. 1 clarifies system connectivity and how to identify cyber risks as well as visualize the effect of system segregation.
6.2.2.2 Risk can be understood as likelihood times consequence. A risk assessment should determine:
(1) What can go wrong,
(2) How likely is it, and
(3) What are the impacts.
FIG. 1 Example of Cyber Risk Assessment Process
6.2.2.3 For the organization to determine current cyber risk and how to manage cyber risks on a long-term perspective, the organization should define consequence and likelihood rankings and assessment methodologies as well as risk acceptance criteria. These should include the following aspects:
(1) The consequence in terms of how people, environment, and property could be affected;
(2) The likelihood (probability) of an undesirable cybersecurity event; and
(3) The risk acceptance with definition of non-acceptable, as low as reasonably practicable (ALARP), and acceptable risks.
6.2.2.4 Furthermore, risk options (accepted, avoided, transferred, or mitigated) and process should be defined as per the decision of the organization.
6.2.2.5 Table 1 and Table 2 are examples of probability and impact tables that can be used to develop a risk matrix (Table 3).
6.2.3 Risk Identification:
6.2.3.1 Based on the inventory of identified assets, related threats and vulnerabilities should be identified. For this purpose, threats and vulnerabilities catalogues as listed in the BIMCO guidelines could be used. Other relevant reference resources include previous incidents and lessons learned, external reports and publications from recognized and trusted sources, as well as identified IT and OT hardware and software descriptions and network diagrams.
6.2.3.2 Once the related threats and vulnerabilities are identified, the organization needs to analyze the current infrastructure, system setup, and software configuration to identify existing controls. These controls include three dimensions:
(1) People (for example, awareness training, responsibilities and tasks, and cyber incident drills),
(2) Processes (for example, cybersecurity policy and software configuration procedures), and
(3) Technologies (for example, firewalls, antivirus, encryption, and IDS).
6.2.4 Risk Analysis:
6.2.4.1 After risks have been identified, they need to be assessed with consequence and likelihood analysis. Assessment of consequences should evaluate the three main principles of the “CIA” model for information cybersecurity: confidentiality, integrity, and availability.
(1) Confidentiality—Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Tools to avoid unauthorized disclosure include encryption, access control, and physical security.
(2) Integrity—Guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity. Tools to support data integrity include backups, archiving, and using data-correcting codes.
(3) Availability—Ensuring timely and reliable access to and use of information. Use physical protections and computational redundancies that can serve as backups in the case of failures.
6.2.4.2 The factors are assessed by means of relevant questions aiming at recording the worst possible scenarios. The likelihood analysis determines the occurrence of the possible events considering each of three factors: confidentiality, integrity, and availability. The methodology of this analysis should consider the identified threats, vulnerabilities, and foreseen safeguards. A valid approximation of this is to assess the “ease of access” to the systems. Combination of the likelihood with the consequence of a successful cyberattack will determine the level of the cybersecurity risk of the specific asset.
6.2.5 Risk Evaluation—At the end of the risk assessment, the organization shall decide on appropriate actions and the need for risk control measures. The response should be aligned with the criteria that were set at the beginning of the risk assessment. The organization should decide which risks could be accepted, avoided (for example by change of the process), or transferred (for example to a third party). Risks not covered by the initially foreseen controls need to be mitigated and, therefore, covered with risk treatment plans describing appropriate mitigation actions (see 6.3 for further information). Risk mitigation strategies and controls are discussed in 6.4. NIST Special Publication 800-30 provides additional information on risk determination and contains representative threat events and templates for developing risk tables.
6.3 Development of Mitigation Strategies:
6.3.1 General Guidelines on the Development of Mitigation Strategies:
6.3.1.1 With knowledge of the ship manager, ship operator, and ship’s assets and systems that have critical roles or impacts on the ship and crew, the owner or operator can develop strategies to mitigate risks in a prioritized way.
6.3.1.2 The cyber-enabled systems onboard will be categorized for management and potential safety impacts based on the risk assessment and failure modes and effects analysis (FMEA) performed previously. The most important aspects of these systems include the asset management requirements, including software and hardware under positive control, and the anticipated impacts of any failures of these systems, especially in regard to safety of crew, systems, ship, or environment.
6.3.1.3 When organized into a cyber-enabled asset management system, the owner or operator will find it much easier to look across assets to prioritize efforts and resource use. Expected prioritization of risks only, however, can be performed with a simple risk management matrix as generated from the risk assessment.
6.3.2 Determining the Need for Mitigation:
TABLE 1 Threat Occurrence Ranking
(What is the probability the threat will occur?)
Value       Probability
Very low    Remote (10 %)
Low         Unlikely (30 %)
Medium      Likely (50 %)
High        Highly likely (70 %)
Very high   Near certainty (90 %)
Reference: NIST Special Publication 800-30, Guide for Conducting Risk Assessments–Information Security, Special Publication 800-30 rev 1, September 2012, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.
TABLE 2 Threat Impact Ranking
(If the threat occurs, what is the impact?)
Value       Impact Description
Very low    Threat could be expected to have a negligible adverse effect on operations, assets, individuals, or other organizations.
Low         Threat could be expected to have a limited adverse effect on operations, assets, individuals, or other organizations. Examples of limited adverse effects are: a degradation in mission capability to an extent that the organization is able to perform its primary functions at noticeably reduced effectiveness, minor damage to assets, minor financial loss, and minor harm to individuals.
Medium      Threat could be expected to have a serious adverse effect on operations, assets, individuals, or other organizations. Examples of serious adverse effects are: a significant degradation in capability to an extent and duration that the organization is able to perform its primary functions at significantly reduced effectiveness, significant damage to assets, significant financial loss, significant harm to individuals not involving loss of life, or serious life-threatening injuries.
High        Threat could be expected to have a severe or catastrophic adverse effect on operations, assets, individuals, or other organizations. Examples of severe or catastrophic adverse effects are: the organization is not able to perform one or more of its primary functions, major damage to assets, major financial loss, or loss of life or serious life-threatening injuries to individuals.
Very high   Threat could be expected to have multiple severe or catastrophic adverse effects on operations, assets, individuals, or other organizations.
TABLE 3 Risk Matrix
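The likelihood rankings of Table 1 and the impact rankings of Table 2 combined into a likelihood-times-consequence matrix (the role Table 3 plays), classified against the acceptance categories of 6.2.2.3, and rolled up a mission-to-component risk tree as 6.3.2.2 describes. This is an added worked example, not part of the ASTM guide; the numeric impact weights, the acceptance thresholds and the bridge-network sample values are constructed assumptions.

```python
"""Added worked example (not part of ASTM F3449-20): score cyber risks as
likelihood x consequence (6.2.2.2) from the Table 1 probabilities and an
ordinal weighting of the Table 2 impact levels, classify each score against
acceptance criteria (6.2.2.3), and roll scores up a risk tree (6.3.2.2).
Assumptions: the 1..5 impact weights, the acceptance thresholds and the
sample bridge-network values are constructed here; the guide leaves them
to the organization."""
from __future__ import annotations
from dataclasses import dataclass, field

# Table 1: threat occurrence ranking, as probabilities (values from the guide).
LIKELIHOOD = {"Very low": 0.10, "Low": 0.30, "Medium": 0.50,
              "High": 0.70, "Very high": 0.90}
# Table 2: threat impact ranking. The guide describes the levels
# qualitatively; the 1..5 weights are an assumption so they can be multiplied.
IMPACT = {"Very low": 1, "Low": 2, "Medium": 3, "High": 4, "Very high": 5}
# Risk acceptance bands per 6.2.2.3(3). The thresholds are an assumption.
ACCEPTABLE_MAX = 1.0   # at or below: acceptable
ALARP_MAX = 2.5        # at or below: as low as reasonably practicable
CIA = ("confidentiality", "integrity", "availability")


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood x consequence, looked up from the two rankings."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def acceptance(score: float) -> str:
    """Map a score to the guide's three acceptance categories."""
    if score <= ACCEPTABLE_MAX:
        return "acceptable"
    if score <= ALARP_MAX:
        return "ALARP"
    return "non-acceptable"


def build_risk_matrix() -> dict[tuple[str, str], str]:
    """Every (likelihood, impact) cell with its category: a Table 3 equivalent."""
    return {(lk, im): acceptance(risk_score(lk, im))
            for lk in LIKELIHOOD for im in IMPACT}


@dataclass
class RiskNode:
    """A node of the 6.3.2.2 risk tree: mission at the root, systems of
    systems below it, then component systems and individual components.
    Leaves carry a worst-case (likelihood, impact) per CIA factor (6.2.4.2)."""
    name: str
    factors: dict[str, tuple[str, str]] = field(default_factory=dict)
    children: list[RiskNode] = field(default_factory=list)

    def score(self) -> float:
        """Worst CIA factor at a leaf; worst child at an inner node, so the
        highest risk propagates up to the mission it can affect."""
        own = [risk_score(lk, im) for f, (lk, im) in self.factors.items()
               if f in CIA]
        return max(own + [c.score() for c in self.children], default=0.0)

    def leaves(self) -> list[RiskNode]:
        if not self.children:
            return [self]
        return [leaf for c in self.children for leaf in c.leaves()]


def prioritized(root: RiskNode) -> list[tuple[str, float, str]]:
    """Rank-ordered list of leaf risks (6.3.2.1), highest score first."""
    rows = [(n.name, n.score(), acceptance(n.score())) for n in root.leaves()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample: one mission with a single system of systems beneath it.
SAMPLE_TREE = RiskNode("Safe navigation", children=[
    RiskNode("Bridge network", children=[
        RiskNode("ECDIS", {"integrity": ("Medium", "Very high"),
                           "availability": ("High", "High")}),
        RiskNode("AIS transponder", {"integrity": ("Low", "High")}),
        RiskNode("Crew wi-fi", {"confidentiality": ("High", "Low"),
                                "availability": ("Very high", "Very low")}),
    ]),
])

if __name__ == "__main__":
    for name, score, band in prioritized(SAMPLE_TREE):
        print(f"{name:16} {score:4.2f} {band}")
    print("mission risk:", SAMPLE_TREE.score(), acceptance(SAMPLE_TREE.score()))
```

Because the roll-up takes the maximum, a single non-acceptable component (here the ECDIS availability case) drives the mission-level rating, which is what puts it at the top of the short-term mitigation list in 6.3.3.1.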
6.3.2.1 The risk assessment as performed will contain a prioritized list of cyber interactions between operation and IT systems, hardware and software, rank ordered for both importance to ship and safety considerations. Starting with the highest-impact risks to the systems, the mitigation strategy may address allocation of resources, staff, and training for best and most economical results. Top priorities are those discrepancies or risks that may have the most powerful impacts on ship or crew.
6.3.2.2 When the risks are considered, risks to ship mission or ship major functions shall shape the treatment planning for individual system issues. The risk matrix may be decomposed into trees of related risks starting with mission or major function risks at the root, opening into systems of systems risks that can affect mission, then further broken down to component systems, and finally to individual components within systems.
6.3.3 Use of Available Resources:
6.3.3.1 Decisions about risks that the owner or operator will accept shall be considered in the mitigation strategies. High-likelihood, high-impact risks are obvious candidates for short-term mitigation efforts; lower-impact risks may be mitigated on a longer timeframe, or they may be transferred, as by an insurance policy, or they may be accepted. The overall strategy depends entirely on the owner or operator and the degree of willingness to accept risks to systems and, thus, to ship functions or crew.
6.3.3.2 Resource allocation for cyber-enabled and automation system risks depends on the types of risks described, but a common focus of every risk is monitoring for indicators of occurrence and training for personnel to recognize instantiated risks to control the events when occurring and recover from the incidents. Crews are the best and most capable source of risk reduction and risk control. With proper training and open communications encouraged by safety management and risk management systems, trained and aware personnel are the best resource an owner or operator can have against risks.
6.3.4 Determining When to Use Outside Experts/Consultants:
6.3.4.1 As risks are recognized, prioritized, planned, mitigated, and monitored, there may be risks that exceed crew
capabilities to understand or manage. Technical content, risk indicators, and risk interrelationships may require additional expertise or assistance from outside the owner’s business organization.
6.3.4.2 Expert assistance is available for risk consulting from any number of sources: classification societies, industry consultants, specialist maritime companies, and government agencies may all have roles to play in helping an organization address, mitigate, and monitor risks. It is the owner or operator’s responsibility to decide when to call for assistance and determine the level of assistance required.
6.4 Implementation of Cybersecurity Strategy:
6.4.1 General Implementation Guidance:
6.4.1.1 A comprehensive cybersecurity implementation strategy should include all the following elements:
• An overall goal to keep risk as low as possible;
• The creation of a top-down corporate culture that engenders good cyber hygiene;
• Delegation of cyber-related job responsibilities with visibility and transparency to senior management;
• A personnel accountability and rehearsed response strategy to include executives and senior management, company spokesmen, masters, designated persons ashore, IT, and potential third-party vendors;
• The ability to detect programmatically that a cyber incident is occurring;
• Protection of both onboard and shoreside assets;
• Isolation of systems where possible/practical;
• Centralized identity management;
• Technical protection mechanisms;
• Physical protection mechanisms;
• Business process engineering with an awareness of cyber risk;
• Staff and crew training, on a repetitive basis, with detailed records and logs of training;
• A

cybersecurity implementation strategy should also focus on internal processes and security mechanisms that minimize risk from within.
6.4.1.3 Even with diligent effort and a methodical approach, most organizations will be subject to cyber intrusion. With an appreciation of this reality, a company should focus as much on recovery and minimizing harm to the company’s business reputation as they do on warding off attacks.
6.4.2 Company-Wide Implementation Specifics:
6.4.2.1 Keeping Risk Low: Creating a Corporate Culture that Engenders Good Cyber Hygiene—Strong cybersecurity starts with an understanding of vulnerabilities and an appreciation of the consequences of a breach by all personnel from senior executives to crew members. The SMS can include regular, mandated drills and training around topics such as identifying phishing e-mails, onboard computer policies, and wi-fi connection policies. A record of these events should be logged with information as to the date and time, attendees, and topics discussed.
6.4.2.2 Delegation of Cyber-Related Job Responsibilities and Personnel Accountability—The SMS should identify cyber-related roles and responsibilities for various team members, including mariners, designated cyber persons ashore, port captains, and related positions.
6.4.2.3 Centralized Identity Management—The SMS should create standardized policies governing access to systems and devices used both shoreside and aboard vessels. These policies should be followed by any system or device installed, and the information should be discussed with all employees, contractors, and vendors involved.
6.4.2.4 Business Process Engineering with an Awareness of Cyber Risk:
(1) The workflow of business transactions from the vessel to the shore/customers should consider all areas of vulnerability and be optimized to reduce risk. These areas can include:
• The use of computer systems to record business trans-
...