ASTM F3449-20 (Guide)
Standard Guide for Inclusion of Cyber Risks into Maritime Safety Management Systems in Accordance with IMO Resolution MSC.428(98)―Cyber Risks and Challenges
SIGNIFICANCE AND USE
5.1 ISM Code Requirement—In 1989, IMO adopted guidelines on management for the safe operation of ships and pollution prevention; these guidelines are now the International Safety Management (ISM) Code, which was made mandatory for ships trading in international waters through the International Convention for the Safety of Life at Sea, 1974 (SOLAS). In 1995, the IMO Assembly adopted the guidelines on implementation of the ISM Code by administrations as Resolution A.788(19). These guidelines were revised and adopted as Resolution A.913(22) in 2001. The guidelines were further revised and adopted as Resolution A.1022(26) in 2009 and entered into force on 1 July 2010.
5.1.1 ISM Code Purpose—The ISM Code is designed to improve the safety of international shipping and reduce pollution by encouraging self-regulation and oversight for identifying safety issues, taking corrective action, and promoting an overall organizational safety culture. The ISM Code establishes an international standard for the safe management and operation of ships and for the implementation of an SMS operating internationally.
5.1.2 ISM Code Intent—The intent of the ISM Code is to support and encourage the development of a safety culture in shipping by moving away from a culture of “unthinking” compliance with external rules toward a culture of “thinking” self-regulation of safety and the development of a “safety culture” that identifies safety issues and concerns and promotes proactive corrective actions. The safety culture involves moving to a culture of self-regulation with every individual from the top to the bottom empowered to ownership, responsibility, and action for improving and addressing safety.
5.2 Additional Applications—In addition to the ISM Code requirements, Flag States, industry organizations, and companies have initiated mandatory and nonmandatory SMS. All of these systems are being instituted to improve operational safety, identify safety issues, promote implementation of corrective actions, ...
SCOPE
1.1 This guide is designed to provide the maritime industry guidance, information, and options for incorporating cyber elements into safety management systems (SMS) in accordance with the International Safety Management (ISM) Code and other national (United States) and international requirements.
1.2 This guide will support U.S. maritime operating companies but is a guide only and does not recommend a specific course of action. However, this guide is to be used to improve cyber safety, address vulnerability, recommend and outline training, and raise knowledge and awareness of cyber threats by leveraging documented, auditable SMS mechanisms.
1.3 The purpose of this guide is to offer guidance, information, and options based on a consensus of opinions but not to establish a standard practice. Each organization shall evaluate its SMS, its information management systems at sea and ashore, and the level of cyber risk that exists within the organization to determine the best methods of compliance with the cybersecurity requirements of the ISM Code, other legal or self-imposed requirements, or both.
1.4 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.
1.5 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
Designation: F3449 − 20 An American National Standard
Standard Guide for Inclusion of Cyber Risks into Maritime Safety Management Systems in Accordance with IMO Resolution MSC.428(98)—Cyber Risks and Challenges [1]
This standard is issued under the fixed designation F3449; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.
1. Scope
(Sections 1.1 through 1.5 are given above under SCOPE.)
2. Referenced Documents
2.1 ISO Standards: [2]
ISO 9001:2015 Quality Management Systems — Requirements, Section 7.5, Documented Information
ISO/IEC 27000:2018 Information Technology — Security Techniques — Information Security Management Systems — Overview and Vocabulary
2.2 USCG Guidance and Policy: [3]
NVIC 05-17 Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities
USCG CG-5P Policy Letter 08-16 Reporting Suspicious Activity and Breaches of Security
2.3 Other Standards:
46 CFR Subchapter M Towing Vessels [4]
BIMCO The Guidelines on Cybersecurity Onboard Ships [5]
IMO Resolution MSC.428(98) Maritime Cyber Risk Management in Safety Management Systems [6]
The International Safety Management (ISM) Code, Chapter IX of the International Convention for the Safety of Life at Sea (SOLAS) [7]
MSC-FAL.1/Circ.3 Interim Guidelines on Maritime Cyber Risk Management [7]
3. Terminology
3.1 ...
3.1.19 cybersafety, n—guidelines and standards for computerized, automated, and autonomous systems that ensure ...
Footnotes:
[1] This guide is under the jurisdiction of ASTM Committee F25 on Ships and Marine Technology and is the direct responsibility of Subcommittee F25.07 on General Requirements. Current edition approved June 1, 2020. Published July 2020. DOI: 10.1520/F3449-20.
[2] Available from American National Standards Institute (ANSI), 25 W. 43rd St., 4th Floor, New York, NY 10036, http://www.ansi.org.
[3] Available from the U.S. Coast Guard (USCG), U.S. Coast Guard Headquarters, 2703 Martin Luther King Jr Ave SE Stop 7318, Washington, DC 20593, https://www.dco.uscg.mil.
[4] Available from U.S. Government Printing Office, Superintendent of Documents, 732 N. Capitol St., NW, Washington, DC 20401-0001, http://www.access.gpo.gov.
[5] Available from https://iumi.com/news/news/bimco-the-guidelines-on-cyber-security-onboard-ships.
[6] Available from the International Maritime Organization, http://www.imo.org/en/OurWork/Security/Guide_to_Maritime_Security/Documents/Resolution%20MSC.428(98).pdf.
[7] Available from International Maritime Organization (IMO), 4, Albert Embankment, London SE1 7SR, United Kingdom, http://www.imo.org.
Copyright © ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States