June 18 marked the launch of the International Maritime Cyber Security Organisation (IMCSO), which aims to raise the standard of cybersecurity risk assessment across the maritime industry.


“Cybersecurity has been mandated by the International Maritime Organisation (IMO) which requires shipping companies to implement measures to protect their onboard safety management systems and to regularly audit them. However, the change in legislation has given rise to a new maritime cyber security industry that has proven to be variable in its approach to assessing systems and interpreting the standards,” explains Campbell Murray, CEO of the IMCSO.

He said that ship captains often do not have the time to escort cyber auditors for these assessments, something compounded by a variety of assessment methodologies used to provide risk and technical audit results to port authorities and insurers. This leads to needless complexity, overheads and delays. “It’s these issues that the IMCSO aims to address, by equipping the security industry to conduct these tests in an appropriate, safe and uniform manner, thus enabling the sector to benchmark compliance,” added Murray.

IMCSO has devised a certification programme for security consultants and a professional register, helping shipping organisations to confidently select experienced personnel. Alongside this, the IMCSO will also validate report outputs to ensure consistency, with those reports then held on a central database and made accessible to the authorities and third parties that need to determine the risk status of a vessel.

The IMCSO Maritime Standard cyber certification scheme will provide training across four disciplines. Cyber professionals who take the examination can qualify as offensive security practitioners or maritime cyber security specialists, in addition to specific fields including secure by design and cloud security. 

An authorised supplier registry will also be made available by the IMCSO and will act as a record of approved cyber security suppliers. Applicant organisations will need to meet certain certification and accreditation standards such as ISO 27001 and ISO 9001 as well as strict certification criteria. In addition to profiling the organisation, the register will also reference the individual qualifications of those it employs. Shipping companies can then search the database to look for personnel experienced in a specific domain and location.

A risk register database will be maintained by the IMCSO containing the results of ship assessments and audits. The IMCSO will also standardise report outputs, preventing the confusion that can arise from using different methodologies. IMCSO said that a uniform approach will eliminate any ambiguity over report findings, making it much easier for the consumers of this information, such as port authorities and insurance providers, to consider a vessel’s cyber risk.

Moreover, the standardised vessel-by-vessel data will allow a sharable and searchable dataset to be built, which will enable the IMCSO to track trends in cyber risk. It will also be used to inform the IMO, shipbuilders, insurers, and management companies about such trends.