In June 2017, the International Maritime Organization (IMO) released a Maritime Safety Committee (MSC) resolution that addresses Maritime Cyber Risk Management in Safety Management Systems (MSC-FAL.1/Circ. 3). This resolution affirms that “an approved safety management system should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code”. The resolution also encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.
- The Maritime Transportation Security Act (MTSA)
- International Standards Organization (ISO) series 27001 – “Specifications for Information Security Management Systems (ISMS)”
- The IMO Guidance MSC-FAL – Cir 3; Guidelines on Maritime Cyber Risk Management
- IMO Resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems
- The IMO Directive – “The Guidelines on Cyber Security Onboard Ships”
- Maritime Cyber Security Center – Importance of Cyber Security in Maritime Operations
Peregrine can support multiple roles:
- As a Trusted Advisor, to assess and validate individual flagged shipping companies' and vessels' compliance requirements.
- By supporting country flagged shipping companies and vessel owners to certify their ships and train their staff.
- To act as a third-party assessor, conducting compliance and risk assessments.
- To conduct audits both virtually and physically onboard ships.
- To provide continuous monitoring solutions, post certification.
Our process consists of the following four phases:
- Phase 1 – Pre-Assessment Activities
- Phase 2 – Ship Assessment
- Phase 3 – Vulnerability Review/Report
- Phase 4 – Produce Debrief
Our process methodology incorporates the five functions included in the NIST Risk Management Framework. These functions are defined below:
- Identify – Inventory Ship Systems/Assets/Data, Define Personnel Roles, Conduct Risk Assessment to Identify Threats and Vulnerabilities
- Protect – Access Control, Awareness & Training, Data Security, Processes/Procedures, Maintenance Plus Drills/Exercises
- Detect – Anomalies/Events, Continuous Monitoring and Detection Processes
- Respond – Response Planning, Communications, Analysis and Mitigation
- Recover – Backup/Restoration of Cyber Systems Necessary for Ship Operations, Capture Lessons Learned and Update Plans