IMO Guidelines On Maritime Cyber Risk Management

The International Maritime Organization (“IMO”) acknowledges that the increasing prevalence of cyberattacks on ships constitutes an inherent risk to the safety of vessels, crewmembers, passengers, cargo, and the marine environment. Both the IMO Maritime Safety Committee and Facilitation Committee have focused their attention on the urgent need to raise awareness of the need to (1) identify vulnerable systems, and (2) create procedures to thwart and recover from malicious cyberattacks.

On June 16, 2017, IMO adopted Resolution MSC.428(98), Guidelines on Maritime Cyber Risk Management (the “Guidelines”). In Annex 10 to Resolution MSC.428(98), IMO encourages stakeholders and Administrations to incorporate a protocol for cyber risk management into all safety management systems, in accordance with the requirements of the ISM Code, no later than January 1, 2021.[1]

The shipping industry increasingly relies upon transmissions of electronic data for vessel bridge and propulsion systems, cargo operations, transportation of passengers, and communications with shore-based facilities.[2] IMO concedes that cyber-technology is essential to the commercial shipping industry. Malicious cyberattacks, ransomware, or even accidents caused by human error or outdated software have the capacity to disable ships, creating dangerous events and potentially catastrophic economic losses. Ironically, IMO’s own website was the victim of a crippling cyberattack last September and was inoperable for nearly 48 hours.[3]

The Guidelines consist of “high-level recommendations for maritime cyber risk management”[4] and target all shipping company organizations. IMO’s stated underlying purpose of the Guidelines is to promote safe and secure management practices in the shipping industry.

The Guidelines define cyber risk management as the process of “identifying, analyzing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring, or mitigating it to an acceptable level, considering costs and benefits of actions taken to stakeholders.”[5] IMO recommends that the following elements be incorporated into a risk management plan:

  • Designate individuals responsible for cyber risk management.
  • Identify vulnerable systems and data that create a danger to the ship, crew, and passengers.
  • Create a timely detection plan to quickly identify a cyber event.
  • Develop a response plan.
  • Develop a recovery plan for ship operations that are impacted.

Finally, IMO recognizes that an understanding of cyber risks is critical to implementing a viable plan to avoid cyberattacks and to follow a recovery protocol that promotes safe shipping. To that end, IMO recommends that Member Governments and stakeholders also consult the best practices and additional guidance developed by other organizations, including, but not limited to:

  • “Guidelines on Cyber Security Onboard Ships,” supported by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF, and IUMI.
  • The United States “National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity” (NIST Framework).[6]

Clearly, these guidelines cannot eliminate the threat of cyberattacks, but they heighten awareness of the vulnerable systems in the shipping industry and provide suggested best practices for minimizing danger when attacks occur.

[1] Annex 10; I:\MSC\98\MSC 98-23-Add-1.docx.

[2] The Cybersecurity and Infrastructure Security Agency (CISA), established by the Cybersecurity and Infrastructure Security Agency Act of 2018 (PL 115-278), is a recently formed agency of the Department of Homeland Security that protects the integrity of critical shore-based infrastructure such as ports and maritime terminals in the U.S. In September, CISA, in conjunction with MS-ISAC, published a Joint Ransomware Guide to avert cyberattacks.


[4] MSC-FAL.1/Circ.3, Annex, page 1.

[5] MSC-FAL.1/Circ.3, Annex, page 3, section 3, Elements of Cyber Management.

[6] MSC-FAL.1/Circ.3, Annex, page 4.
