The Triton


Secure at Sea: Is your vessel ready for IMO’s Cyber Security compliance?


Secure@Sea: by Corey D. Ranslem

Cyber security threats continue to be one of the top threats facing governments, businesses, and private individuals around the globe with attacks increasing exponentially on vessels and the maritime industry.

State and non-state actors perpetrate these attacks constantly around the clock and around the globe. Over the past few years, we have discussed cyber security-related issues in this column and their effect on the maritime industry. The IMO (International Maritime Organization) has put cyber security regulations in place for compliance by 2021. Many experts believe these will be the first of many regulations for the maritime industry when it comes to cyber security.

There are two specific documents the IMO has put forward regarding cyber security. The first document is MSC-FAL.1/Circ.3; Guidelines on maritime cyber risk management. This document is a guide on the basics of cyber risk management. 

The Maritime Safety Committee (MSC), at its 98th session in June 2017, adopted Resolution MSC.428(98). This specifically addresses maritime cyber risk management as part of the vessel’s Safety Management System (SMS). The resolution encourages flag administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance after Jan. 1, 2021. This means that vessels that have an active ISM plan must address cyber security within that plan by their first flag inspection after Jan. 1, 2021. There are tools and reference documents the IMO cites to help vessels develop the cyber management plan as part of their ISM.

Specifically, there are three reference documents the IMO recommends when putting together the cyber security part of an ISM plan. The first document was put together by a coalition of maritime organizations called Guidelines on Cyber Security. The second reference document is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is the ISO/IEC 27001 standard on information technology, security techniques, and information security management systems. The final guidance document is published by the U.S. National Institute of Standards and Technology (NIST) called The Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework). There is a lot of information within each of these reference documents.

The primary focus of cyber security programs is to put measures in place to protect both OT (Operational Technology) and IT (Integrated Technology) onboard a vessel. OT is defined as a system we use in our normal day-to-day operations such as navigation equipment, radar, GPS, etc. IT is the system that integrates those devices and connects them eventually to the internet. 

Putting an effective shipboard cyber security plan in place is more difficult than land-based operations and requires coordination between multiple devices and support organizations. IT and OT technology being deployed onboard large yachts continues to expand as new software technology is being developed and launched to reduce onboard workloads.

The reference document most maritime organizations, flag states and vessels use to develop their cyber security program is the NIST framework. This framework has five basic parts: identify, protect, detect, respond, and recover. This framework is easy to develop into a basic cyber security plan for a vessel. 

In part two of this column, I will explore the framework and some of the basic parts that should be included in an ISM plan as part of a vessel’s overall SMS.

Corey D. Ranslem is CEO at International Maritime Security Associates ( With more than 24 years of combined Coast Guard and maritime industry experience, he aims to enhance the way mariners handle security threats and risk management. Comments are welcome below.

Related Articles

Secure at Sea: Disaster response calls for extra steps

Secure at Sea: Disaster response calls for extra steps

Secure@Sea: by Corey D. Ranslem The hurricane season this year hasn’t been particularly busy when it comes to the number of storms and systems, however, it has been devastating for the Abacos …

Secure at Sea: Yachts off Mexico need plan for piracy

Secure at Sea: Yachts off Mexico need plan for piracy

Secure@Sea: by Corey D. Ranslem Piracy off the Gulf Coast of Mexico has been prevalent for several years. Pirates in this region are typically organized gangs that specifically target the Mexican …

Secure at Sea: Solid plan can mitigate cyber-security issues

Secure at Sea: Solid plan can mitigate cyber-security issues

Secure@Sea: by Corey D. Ranslem Cyber security for the global maritime industry continues to be a concern that most seem to be ignoring. Over the past few weeks, I have read several news articles …

Secure at Sea: Guide helps set up cyber security plan

Secure at Sea: Guide helps set up cyber security plan

Secure@Sea: by Corey Ranslem Cyber security is a hot topic. It’s  become one of the most dominant and expanding threats to the maritime industry, and it’s increasing at rapid rates. A day …

Secure at Sea: Training must be specific to yacht, crew

Secure at Sea: Training must be specific to yacht, crew

Secure@Sea: by Corey Ranslem Our daily underway routine was constant on board the Coast Guard cutter. Each day, right after lunch, we did drills and training for just about every type of possible …

Secure at Sea: Yachts, yards may be liable for inadequate network security

Secure@Sea: by Corey D. Ranslem Cyber security issues are a dominant part of world headlines on an hourly basis. Attacks continue in almost every industry and location of the world with an …