Maritime Cyber Risk Management
In June 2017, the International Maritime Organization (IMO) released a Maritime Safety Committee (MSC) resolution that addresses Maritime Cyber Risk Management in Safety Management Systems (MSC-FAL.1/Circ. 3). This resolution affirms that “an approved safety management system should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code”. The resolution also encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.
Guidance for Peregrine’s Cyber Risk Assessment process includes, but is not limited to:
- The Maritime Transportation Security Act (MTSA)
- International Standards Organization (ISO) series 27001 – “Specifications for Information Security Management Systems (ISMS)”
- The IMO Guidance MSC-FAL – Cir 3; Guidelines on Maritime Cyber Risk Management
- IMO Resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems
- The IMO Directive – “The Guidelines on Cyber Security Onboard Ships”
- Maritime Cyber Security Center – Importance of Cyber Security in Maritime Operations
Peregrine can support multiple roles:
- As a Trusted Advisor, to assess and validate the compliance requirements of individual flagged shipping companies and their vessels.
- By supporting country flagged shipping companies and vessel owners to certify their ships and train their staff.
- To act as a third-party assessor, conducting compliance and risk assessments.
- To conduct audits both virtually and physically onboard ships.
- To provide continuous monitoring solutions, post certification.
Peregrine is uniquely situated to support this effort, having conducted over 25 vulnerability assessments (VA) focused on control systems (CS) for the Department of Defense (DoD) over the last four years. This work was done under two contracts from OASD EI&E: Platform Resilience Mission Assurance (C5-17-0005) and UAV Cyber Study (HQ0034-14-C-0209).
Our Subject Matter Experts (SMEs) have supported recent shipboard cyber assessments in Alaska and are currently contracted with the National Science Foundation (NSF) to provide IMO Cybersecurity compliance services to their Academic Research Fleet of 18 ships. The tasks for our contract with the NSF include Security Assessments/Audits, Penetration Tests, Policies and Procedures Support, Risk Management Support and Training/Education Support.
Peregrine is certified by the International Standards Certifications Committee for ISO 9001/27001 and we are writing the DoD Facility Related Control System (FRCS) Cybersecurity Methodology and the FRCS Classification Guide.
Risk Assessment Process
Peregrine has developed a process to meet this IMO cyber security mandate deadline and ensure customer compliance. Our process meets the MSC-FAL.1/Circ. 3 guidelines and can quickly and efficiently meet the needs of our maritime clients. Peregrine has partnered with Microsoft and will use their Azure Defender for IoT to assist in asset discovery, threat detection, and vulnerability analysis.
Our process consists of the following four phases:
- Phase 1 – Pre-Assessment Activities
- Phase 2 – Ship Assessment
- Phase 3 – Vulnerability Review/Report
- Phase 4 – Produce Debrief
Our process methodology incorporates the five functions included in the NIST Risk Management Framework. These functions are defined below:
- Identify – Inventory Ship Systems/Assets/Data, Define Personnel Roles, Conduct Risk Assessment to Identify Threats and Vulnerabilities
- Protect – Access Control, Awareness & Training, Data Security, Processes/Procedures, Maintenance, plus Drills/Exercises
- Detect – Anomalies/Events, Continuous Monitoring and Detection Processes
- Respond – Response Planning, Communications, Analysis and Mitigation
- Recover – Backup/Restoration of Cyber Systems Necessary for Ship Operations, Capture Lessons Learned and Update Plans