ISM Cyber Security 20.

February 2019 1

ISM
Cyber Security

ISM Cyber Security Process

1. 8. 9.
Policy Qualification Emergency

7. 15.
2. 10.
Office CIP
Responsibility Reporting
Support Improvement

3. 6. 11. 14.
Compliance Master PMS Evaluation

4. 5.
12. 13.
Risk SMS
Documentation Verification
Assessment (Result RA)

The ISM Code is a mandatory international instrument to establish measures for the safe management
and operation of ships. The modular concept of the Code allows the integration of necessary cyber
security measures in the Safety Management System (SMS) of the company.

Such integrated management system corresponds with the requirements of the IMO Resolution
MSC.428(98) and fulfils the IMO GUIDELINE ON MARITIME CYBER RISK MANAGEMENT (MSC-
FAL.1/Circ.3) whilst it is able to avoid a single competing system which could lead to additional
administrative and financial burdens of the company.

The integration allows the company to amend their own safety management system with the required
and specific Cyber Risk requirements that encourage the management and acceptance of changes.
 ISM Cyber Security 20.February 2019 2

Cyber Risk Management

The increasing interactivity and degree of networking as well as the increasing disappearance of network borders on board
are encountering an increasing potential for criminal cyber activities and increasingly shorter attack cycles. Ships may
become a direct and thus externally controlled target. However, they may be accidently damaged by a crew member by
introducing a malicious software not specifically intended for the ship, e.g. via network access by an e-mail attachment or
USB stick. Thereby in an unprotected network system, dependents of a crew member could theoretically bring down
everything that is controlled by software - from the radar to engine control sensors. In addition, in crisis areas, the GNSS
signals (e.g. GPS) may be disturbed in a way that makes them inoperable on board - or spontaneously showing offset
positions by miles. If the ship remains unprotected, the hazard can increase exponentially. These and other concrete and
less concrete hazards make it necessary to support the safe operation of ships by an individual cyber risk management.

The top management of a shipping company recognizes ISM objective

1. the fundamental risks to the safe ship operation through The ultimate aim of all measures to be
Policy cyber crime and the need for regulation and those for the taken is to ensure safe operation of
expansion of the own ISM management objectives. The ships and pollution prevention in all
existing policy needs to be amended with cyber security circumstances.
aspects and required measures. Cyber security becomes a
direct concern of the management board.
Managing Directors & Priority
Queries to the P&I and H&M insurers
The ultimate responsibility in cyber security remains with can influence the consideration of the
2. the top management. To the extent possible and depending significance and priority, and thus the
Responsibility on company´s organization and size, an appropriate person scope of the measures, especially
- usually the head of the company IT department - will be when considering financial risks.
designated as the responsible person for managing and
protecting against cyber risks and to assist the Master in
conducting assigned shipboard tasks and responsibilities. Cyber Risk Management
The measures should fit with the
organization size. The aim of
Rules, guidelines and recommendations of the IMO, Flag achieving a continuous improvement
3. State, Class and related industry are identified and the process should always outweigh the
Compliance essential requirements are derived. They form a basis for attempt to regulate and cover all
creating and updating the Risk Assessment (RA) and aspects at once.
Company´s SMS. Legal registers will be amended or
recreated accordingly and list these guidelines and
recommendations. Compliance
IMO Resolution MSC.428(98)
IMO Guidelines MSC-FAL/Circ.3
With the ISM RA the risks and necessary safe guards are ISM Circular 04/2017
4. being identified. Unless an equivalent system exists, the The Guidelines on Cyber Security on-
Risk following approach can be used for a systematic board Ships (BIMCO, ICS Guide)
Assessment assessment:
Additional useful information
1. Preparation: 1. HAZID Hazard Identification regarding Cyber-Security can be
2. RESID Resource Identification found under www.bsi.bund.de
3. TOP Potential safe guards

2. Assessment: Based on the preparation: IPDRR Check

determining the risks, safe guards and
responsibilities. Are the ISM measures covering
following aspects?

IdentifyIdentification of hazards
The results of the risk assessment - and thus the necessary and critical systems.
5. safe guards – are a subject to be included into the SMS of
SMS Protect Protection against attacks.
the company. They are recorded as a process or operating
(Result RA) instruction or in another suitable way. Basically, the Detect Identification of an attack.
required measures should be made known to the crew. If Respond Measures to respond to an
the RA determines that certain measures should not be attack.
made public or should not address all persons within the Restore Measures to be done after
Company, they can be a subject to the SSP. an attack.
ISM Cyber Security 20.February 2019 3

HAZID HAZID
Hazard Identification
Create a list without rating & risk determination with all potential hazards and potentially List of all potential hazards
endangered assets - GAIN AN OVERVIEW and potentially endangered
systems on board as a non-
IT IF OT ACP exhaustive list to be further
updated which serves as the
Information Interface – Operational Access Points basis for the risk assessment.
technology and IT & OT technology -
networks System installation USB If it is created in a team of
LAN various participants (e.g.
Office-PC´s GNSS
WLAN Masters, engineers, DPA,
EMAIL & Internet AIS quality manager, CSO, super-
BT
IP phone RADAR & ECDIS intendents, IT managers /
DVD/CD ROM
SAT phone Engine control experts, top management,
Mobile mass storage etc.) and subdivided in
weather PC System- and valve & mobile units
PMS Server control advance into the four areas
… IT, IF, OT and ACP, the list
WLAN / LAN Sensors
Concrete can provide a comprehensive
(Cargo-PC) Steering gear identification: basic picture of the hazards.
… Alarm & monitoring at which plant?

RESID Externals & contractors

Resource Identification
Create a competence list: potential internal or external resources? Makers and contractors may
have to be involved if the own
IT IF OT ACP resources are not sufficient -
this may be necessary in
Competences: Competences: Competences: Competences: particular for OT and IF
Own? Own? Own? Own? protection.
Contractor? Contractor? Contractor? Contractor?
The RESID list should identify
which resource becomes
List all maker´s and List all maker´s and necessary.
possible service possible service
contractors. contractors.

T Technical Measures Example of possible measures

TOP measures:

List all potential safe guards

Firewall Crew Internet email: Stand as a non-exhaustive list to be
alone solution instead of further updated. The list
Anti-virus software Remote access control: "cabin networking" (physical serves as another basis for
Spam-Filter authentication of accesses separation from the network)
the risk assessment.
(RAS,VPN) Log files for IT experts
Firewall & anti-virus software
& spam-filter installed on all Sealing access of the (follow-up) One way of developing could
relevant PCs devices (USB,LAN), Seal
management
Avoid simple cloud services be a "Brain Storming" with IT,
USB lock (mass storage (the Company), otherwise DPA, QM / QHSE, Nautical &
media) BUS Management provide own services
Technical Department, top
Backup Storage Networks: Activation of automatic management or others.
(external solution) multiple segmentation updates and patch services:
(Operation/Master/Crew/…), - Software in general
Blocking certain email especially WLAN networks
attachment like .exe, .cpl, - MS Office
(secured to the latest - OT systems
.bat, .com, .scr, .vbs, .vba standard)
(e.g. crew allowed: only - IT system
.jpg,.txt,.pdf). Stand alone solution instead - anti-virus software
of network-system (e.g.
Limitation on email cargo-PC)
attachments (account
Unnecessary software Data protection
Quarantine PC functions & plug-ins are
depending)
(for virus checks) removed or locked.
Cyber security should include
Configuration management
Software: access Server location: measures for personal data
Separation of internal and differentiation - different restricted area protection.
external systems levels. Only those persons
VPN get rights that need them
(software, drives)
ISM Cyber Security 20.February 2019 4

O Organizational Measures Example of possible measures Risk Assessment

Processing the RA to identify
Monitor & control: terrestrial and assess the risks.
Policy of the Management navigation (check GNSS,
Board (Ultimate Manual Updates (PMS) for ECDIS) The risk is determined by the
Responsibility) time / system critical Navigation: redundancy, product of the likelihood x
patches: backup astronomical severity.
Password policy / Password - for stand-alone units navigation
management - IT/OT without auto-update Nautical charts as backup If a risk becomes apparent,
Dynamic (regular) changes - Antivirus Software for critical sensitive areas
-… appropriate safeguards
of password
ARPA and evaluation, error should be initiated by
Assignment of access rights Screen lock (automatically of speed input (ARPA:
after x minutes / manually considering a specific
(different levels) RADAR data instead of AIS
when leaving the work hierarchy which is similar to
data. Speed: LOG input
Clear defined responsibilities station) instead of GPS.) the TOP measures principle
at shore side of occupational health &
Office support: Continuous weak point
Designation of an IT expert analysis and evaluation of safety standards:
- Contingency plan office
Responsibilities at sea - Hotline / contacts the reporting system
Ensure: all PC´s of the
(T) Technical,
Responsibilities shore Emergency recovery plan
Company are affected and (O) Organizational
Responsibilities of third PMS Backup (maintaining need to be protected and (P) Personal.
parties the history) subject to inspections,
Contractor service on board OT access authorization, especially mobile notebooks This covers technical,
(authorization, work permit) system restrictions, work Avoid single competences processual and human
permit for contractors (Administrator, knowledge
Backup organization aspects.
(regular) Expert consulting if own IT is can be lost in case of
overwhelmed (emergency changes)
Audit Technical control measures
contact) Keep administrator
Inspection by IT (internal or documentation available
have priority.
Supervision (monitoring /
external safety contractors) (knowledge base)
detection)
PMS – regular IT checks Maintain information flow
(seafarers, shore
PMS – software update employees)
Administrators only get the Example EMAIL traffic:
rights they need
(P) Personal behavioural
measures: instruction to crew
"do not open attachments
with .exe or .mpg".
P Personal Measures Example of possible measures (T) Technical measures:
A filter only allows receiving
.JPG, .PDF whilst .exe files
are blocked.
Initial familiarization On-demand training
Declaration of omission for (administrator, employees)
Recurrent familiarization manipulation and illegal
Occasional familiarization access to networks (crew Personal behavioural
hacking - contract, contract Training content: behaviour,
monitoring, detection, measures may be imple-
Shore based training supplement)
response measures, mented faster and could be a
Training focus navigation: Disciplinary measures in password management cheaper way. But it cannot be
Detecting manipulation
GNSS, AIS
case of intentional / non- assured and cannot be
intentional disregard of Posters & info material proved safe. This is only
Awareness programs instructions
possible by technical
Timely transfer of measures.
information to employees
(active communication)

The RA must be constantly

reviewed and updated due to
RA the rapid changes and
development of new risks
Risk Assessment
Risk = Likelihood x Severity
Severity

Medium Risk High Risk Very High Risk

Likelihood

Low Risk Medium Risk High Risk

Low Risk Low Risk Medium Risk

ISM Cyber Security 20.February 2019 5

The ISM lists qualification procedures for the Risk

6. master so that he can meet those SMS
Master requirements directed to his position. The
Navigation
company's organization takes into account
that the new cyber security tasks are not Masters and nautical officers should be trained to
solely the responsibility of the captain. know, recognize and respond to hazardous
situations. In addition to general navigational
instructions and qualification measures, the
existing ISM emergency plans should be
By a suitable organization, the captain will amended as necessary.
7. receive qualified land-based support to fulfil
Office his SMS tasks. This includes For example, hazards can result from:
Support - responding to a cyber attack, • Failure or manipulation of GPS and DGPS data
- responding to the consequences of an (jammer).
attack. • Failure or manipulation of AIS data.
- restore (backup measures). • Incorrect speed input leads to faulty ARPA
evaluation.
• Incorrect ECDIS information.
• Failure (shut down) and reboot error of the radar
Upon employment new crew members and equipment.
8. office staff receive a familiarization in the • Failure depth echo sounder and other software-
Qualification company's SMS cyber security activities. based and or integrated navigation systems.
They receive an additional familiarization if job • Impact on the control and monitoring of the
tasks are changing or personnel is getting machinery and power management.
promoted.
The instruction will be necessary for all
persons with cyber security tasks and for all Human element
persons being in contact with a ship. Lack of awareness, missing or failing to conduct
recurring familiarization and training measures
Familiarization, instruction and further training
for seafarers and shore staff increase the
measures are regularly recurring and should
likelihood of misconduct.
be repeated as necessary. The SMS contains
a training and qualification plan and describes
measures to determine training needs. This
includes seafarers and office personnel. The IT (limiting)
scope depends on the position on board / in The RA and SMS should not be reduced to IT
the company - not everyone has to know only. OT, interfaces and access to IT / OT should
everything. be included in any case.

The SMS contains a cyber security Sustainability

9. contingency plan for the sea and shore office RA and SMS should be continually reviewed and
Emergency sector. This contingency plan is regularly adjusted to respond to the changing cyber
practiced through exercises, simulations and threats. One-time integration into the SMS is
training with the aim of reflective action. The inadequate.
shore organization has emergency plans in
place to assist the captain. The plans include
measures to:
- respond to an attack and its consequences, Risk Ship-Shore-Connections
- restore (backup measures). Available connections to the "outside" of a
system may become an unprotected gateway.
An IT manager (if available) may support the
shore based emergency response team.

Risk container stowage planning

Correctness of container information (weight,
Incidents, accidents, near-misses and other dangerous goods, stowage positions) is primarily
10. relevant occurrences are reported to the the task of the terminal and the charterer and is
Reporting responsible departments by using the ISM an important component for the safe carriage of
reporting system. Reports are subject to an cargoes. Despite that fact, the RA and SMS
assessment and analysis. As a result, should also reflect the electronic data exchange
corrective and preventative actions will be regarding stowage planning between shore and
determined and communicated. ship.
Aim: continuous improvement process.
ISM Cyber Security 20.February 2019 6

PMS (Planned Maintenance System): the ISM Check

11. safety measures that have been identified at
PMS the RA as recurrently been put in practice, e.g. Risk Assessment ISM 1.2
software updates, are added to the PMS. The Hazards identified (HAZID List)?
PMS monitors and documents those Risks assessed?
measures. Measures implemented to mitigate the risks?
The Critical Equipment area will be amended
Compliance ISM 1.2
to the needs and required details determined
National and international rules and guidelines
via the RA.
available and considered?

Policy ISM 2.1

Available: description of the basic measures to
Generally, the SMS describes the applicable
achieve the objectives?
12. requirements for any documentation. These
Documentation are taken over for the field of cyber security.
Responsibilities ISM 3.2
If documented measures and requirements Responsible persons and their assigned tasks
are within a sensitivity range that does not identified?
permit public documentation in the SMS,
specific measures should be implemented Master ISM 6.1, 6.2
which are accessible only to a limited group of Qualification measures for the Master?
persons on board and ashore. Examples: Qualified shore support?
Presentation of administrator rights on board,
and password management, backup and Familiarization ISM 6.3
recovery management. On employment and regularly recurring?
For seafarers and shore staff?
Continuous qualification measures?

Internal audits on board and onshore at the Qualification plan ISM 6.5
13. office will be amended with cyber security Training needs and training plan identified?
Verification aspects and will be conducted at intervals not
exceeding 12 months. SMS instructions ISM 6.5
RA result? Qualified instruction?
The implementation of the cyber security
management to the company ISM system as Emergency preparedness ISM 8.1, 8.2
well as the continuous updating is monitored Contingency plan sea / shore?
and verified by audits and reviews. Regular drills based on the plan?
Shore support (emergency response team)?

Reporting system ISM 9.1, 9.2, 9.3

The Company regularly verifies and evaluates Reports: occurrences, accidents, near-misses?
14. the safety management system considering Reports are assessed and analysed?
Evaluation following questions: Corrective & preventive action implemented?
Does the organization (Sea & Office) work
according to the SMS requirements? Maintenance ISM 10.1, 10.2, 10.3
Are the measures of the SMS effective? Measures are integrated to and documented at
Are internal auditors qualified in cyber the PMS. Critical Equipment – checked?
security?
Are the results of the audits brought to the Documentation ISM 11
attention of relevant personnel? Requirements available for dealing with general
Are necessary corrective and preventive and sensitive data with limited accessibility?
measures initiated / implemented promptly?
Verification ISM 12.1
Internal audits amended with cyber security
aspects?
Cyber security is undergoing continuous and
15. major changes. Therefore, a one-time setup Evaluation ISM 12.2 – 12.7
CIP and implementation of safe guards is Organization is working according to the SMS?
improvement insufficient. The company should take into SMS measures effective?
account the constant changes and identified Auditors qualified?. Results communicated.
weaknesses in its own system and must Corrective & preventive action?
ensure that the risk assessment system and
SMS are updated, thereby initiating the
continuous improvement process.
Check of sensitive areas
Administrator rights on board?
Password management?
Backup and recovery management?