The Triton


Secure at Sea: Is your vessel ready for IMO’s Cyber Security compliance?


Secure@Sea: by Corey D. Ranslem

Cyber security threats continue to be one of the top threats facing governments, businesses, and private individuals around the globe with attacks increasing exponentially on vessels and the maritime industry.

State and non-state actors perpetrate these attacks constantly around the clock and around the globe. Over the past few years, we have discussed cyber security-related issues in this column and their effect on the maritime industry. The IMO (International Maritime Organization) has put cyber security regulations in place for compliance by 2021. Many experts believe these will be the first of many regulations for the maritime industry when it comes to cyber security.

There are two specific documents the IMO has put forward regarding cyber security. The first document is MSC-FAL.1/Circ.3; Guidelines on maritime cyber risk management. This document is a guide on the basics of cyber risk management. 

The Maritime Safety Committee (MSC), at its 98th session in June 2017, adopted Resolution MSC.428(98). This specifically addresses maritime cyber risk management as part of the vessel’s Safety Management System (SMS). The resolution encourages flag administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance after Jan. 1, 2021. This means that vessels that have an active ISM plan must address cyber security within that plan by their first flag inspection after Jan. 1, 2021. There are tools and reference documents the IMO cites to help vessels develop the cyber management plan as part of their ISM.

Specifically, there are three reference documents the IMO recommends when putting together the cyber security part of an ISM plan. The first document was put together by a coalition of maritime organizations called Guidelines on Cyber Security. The second reference document is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is the ISO/IEC 27001 standard on information technology, security techniques, and information security management systems. The final guidance document is published by the U.S. National Institute of Standards and Technology (NIST) called The Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework). There is a lot of information within each of these reference documents.

The primary focus of cyber security programs is to put measures in place to protect both OT (Operational Technology) and IT (Integrated Technology) onboard a vessel. OT is defined as a system we use in our normal day-to-day operations such as navigation equipment, radar, GPS, etc. IT is the system that integrates those devices and connects them eventually to the internet. 

Putting an effective shipboard cyber security plan in place is more difficult than land-based operations and requires coordination between multiple devices and support organizations. IT and OT technology being deployed onboard large yachts continues to expand as new software technology is being developed and launched to reduce onboard workloads.

The reference document most maritime organizations, flag states and vessels use to develop their cyber security program is the NIST framework. This framework has five basic parts: identify, protect, detect, respond, and recover. This framework is easy to develop into a basic cyber security plan for a vessel. 

In part two of this column, I will explore the framework and some of the basic parts that should be included in an ISM plan as part of a vessel’s overall SMS.

Corey D. Ranslem is CEO at International Maritime Security Associates ( With more than 24 years of combined Coast Guard and maritime industry experience, he aims to enhance the way mariners handle security threats and risk management. Comments are welcome below.

Related Posts

  • Secure at Sea: Yachts, yards may be liable for inadequate network security
  • Secure at Sea: Coronavirus poses security risk to yachts
  • Secure at Sea: Guide helps set up cyber security plan
  • Share This Post

    Leave a comment

    Your email address will not be published. Required fields are marked *

    Please answer the question below to leave a comment. * Time limit is exhausted. Please reload CAPTCHA.

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    Editor’s Picks

    MarineMax acquires NJ

    MarineMax acquires NJ

    Clearwater, Florida-based MarineMax has acquired Fort Lauderdale-based brokerage firm Northrop & Johnson, a 71-year-old company that …

    RPM Diesel owner dies

    RPM Diesel owner dies

    By Lucy Chabot Reed Joe Rubano, owner of Fort Lauderdale-based RPM Diesel Engine Co. and Diesel Services of America, died at his home …

    Living with a sub: A yacht captain’s reflections as a sub pilot

    Living with a sub: A yacht captain’s reflections as a sub pilot

    By Lucy Chabot Reed Capt. Les Annan didn’t think his musings about working and living with a submarine would generate much interest. …

    Fire destroys Sunseeker in Bahamas

    Fire destroys Sunseeker in Bahamas

    M/Y Vanish, a Sunseeker thought to be about 65 feet, caught fire and was destroyed today at Valentines Marina on Harbour Island in the …