As part of October’s National Cybersecurity Awareness Month, the U.S. Coast Guard published a series of posts on its Maritime Commons blog detailing cyber risk management in the maritime domain. Posts focused on governance, resiliency and defending critical infrastructure, and the full series can be found here.
In the final post in the series, the Coast Guard turned to the practical implementation of cyber risk management onboard commercial vessels, and putting together a basic plan may be simpler than you think.

Although cyber-dependent technologies have evolved rapidly over the past decade, risk management has been a bedrock of the shipping industry for over a century. The international shipping community — under the auspices of the International Maritime Organization (IMO) — developed MSC.1/Circ.1526 Interim Guidelines On Maritime Cyber Risk Management to provide information and recommendations on how to address cyber risk management.

These guidelines implement the five functional elements detailed in the cybersecurity framework developed by the National Institute of Standards and Technology. These functional elements are not sequential – all should be concurrent and continuous in practice. The ultimate goal is to embed these elements into the culture of the company at all levels, from the ship’s crew and port workers to the senior executives of the company, in the same way that the industry has embraced a safety culture through the implementation of Safety Management Systems.

Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.

Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber event and ensure continuity of shipping operations.

Detect: Develop and implement activities necessary to detect a cyber event in a timely manner.

Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber event.

Recover: Identify measures to back up and restore cyber systems necessary for shipping operations impacted by a cyber event.

A resilient cyber risk management program can be developed by implementing these measures and providing training to employees at all levels of your company on a routine basis. More details on the use of these guidelines can be found in many industry publications, including class society recommended practices as well as industry association publications such as “The Guidelines on Cyber Safety and Security Onboard Ships” produced by BIMCO in coordination with other international maritime organizations.

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.