The International Maritime Organization (IMO) adopted Resolution MSC.428(98) in 2017, mandating that cyber risk management be incorporated into the Safety Management Systems (SMS) of ships and maritime operations. This resolution highlights the growing importance of cybersecurity in the maritime industry, recognising that cyber threats can disrupt critical operations, compromise vessel safety, and expose sensitive data.
This article takes a detailed look at the requirements of IMO Resolution MSC.428(98), including its implications for cyber risk management, key areas of focus, and best practices for compliance.
1. Overview of IMO Resolution MSC.428(98)
IMO Resolution MSC.428(98), titled “Maritime Cyber Risk Management in Safety Management Systems,” requires that shipowners, operators, and managers address cyber risks as part of their SMS. The resolution emphasises that failure to manage cyber risks could jeopardise the safety of ships, crew, cargo, and the marine environment.
The resolution took effect on 1 January 2021, aligning with the International Safety Management (ISM) Code. As part of compliance, shipping companies must incorporate cyber risk management into their operational procedures and demonstrate ongoing risk mitigation efforts.
2. Why Cybersecurity is Critical for Maritime Operations
Maritime operations rely on interconnected systems, including navigation equipment, cargo handling systems, communications, and engine controls. These systems, often integrated with onshore networks, are increasingly targeted by cybercriminals, state-sponsored actors, and hacktivists.
Key Cyber Threats Facing the Maritime Industry
Malware and Ransomware Attacks: Malware can disrupt critical systems, rendering vessels inoperable.
Phishing Attacks: Crew members may inadvertently grant attackers access to onboard systems by clicking malicious links.
GPS Spoofing and Jamming: Cyberattacks on navigation systems can mislead or disable critical positioning data.
Supply Chain Attacks: Vulnerabilities in third-party software or services can compromise vessel security.
Insider Threats: Disgruntled employees or contractors may intentionally damage systems or leak sensitive information.
Failure to mitigate these threats can lead to severe consequences, including loss of life, environmental damage, financial penalties, and reputational harm.
3. Core Requirements of IMO Resolution MSC.428(98)
IMO Resolution MSC.428(98) outlines key principles for maritime cyber risk management, encouraging a risk-based approach. Below are the core requirements and recommendations.
3.1 Integration with Safety Management Systems (SMS)
The resolution mandates that cybersecurity be incorporated into the Safety Management System (SMS), which governs the safe operation of ships. The SMS must include procedures for:
Identifying cyber risks that could affect ship operations.
Implementing preventive measures to mitigate cyber risks.
Responding to cyber incidents to minimise their impact on safety and operations.
Continuous improvement through audits and reviews.
3.2 Risk Assessment and Identification
Organisations must perform regular cyber risk assessments to identify threats, vulnerabilities, and potential impacts. These assessments should cover both IT (information technology) and OT (operational technology) systems, including:
Bridge Systems: Navigation and control systems such as GPS, radar, and autopilot.
Cargo Handling Systems: Systems controlling cargo loading, unloading, and tracking.
Engine Control Systems: Automation systems managing propulsion and engine performance.
Communication Systems: Internal and external communication networks, including satellite links.
Shore-Based Systems: Networks and systems used by onshore offices that interact with vessels.
Best Practices:
Use frameworks such as ISO/IEC 27005 or NIST Cybersecurity Framework to guide risk assessments.
Conduct both physical and digital assessments to ensure a comprehensive evaluation.
3.3 Implementing Cybersecurity Measures
To mitigate risks, maritime organisations must implement both technical and procedural controls. These measures may include:
Network Segmentation: Isolate critical systems (e.g., navigation and engine controls) from less secure networks.
Access Control: Use role-based access control (RBAC) and multi-factor authentication (MFA) to restrict system access.
Patch Management: Ensure that all software and systems are regularly updated to address known vulnerabilities.
Encryption: Protect sensitive data in transit and at rest using encryption technologies.
Intrusion Detection and Prevention Systems (IDS/IPS): Monitor networks for signs of unauthorised access or malicious activity.
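The segmentation, access-control and monitoring measures above are most useful when they can be checked against what the network actually carries. The following is an added illustration, not code from the resolution or any referenced guidance: it defines hypothetical zones for a vessel (bridge, engine, cargo, business LAN, shore office), an allow-list of approved boundary crossings, and a check that reads constructed firewall-style flow records and reports every cross-zone flow the policy does not approve, rating hits on the safety-critical OT zones as critical. The address ranges, port numbers and allow-list entries are assumptions chosen for the example. The same routine doubles as the "detection and reporting" step described under incident response, since its findings are what a crew member or shore SOC would log and escalate.

```python
"""Detect shipboard flows that cross a segmentation boundary without an approved rule.

Added illustration; the zones, address ranges and allow-list are constructed
assumptions for a hypothetical vessel, not values from the resolution.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed zone map. Private ranges stand in for the ship's LANs and
# 192.0.2.0/24 (a documentation range) stands in for the shore-side office.
ZONES = {
    "bridge":   ip_network("10.10.0.0/24"),   # ECDIS, radar, autopilot
    "engine":   ip_network("10.20.0.0/24"),   # propulsion and engine automation
    "cargo":    ip_network("10.30.0.0/24"),   # loading / ballast control
    "business": ip_network("10.100.0.0/24"),  # crew and office LAN
    "shore":    ip_network("192.0.2.0/24"),   # onshore office network
}
OT_ZONES = {"bridge", "engine", "cargo"}   # a hit here jeopardises safe operation

# The only cross-zone (source zone, destination zone, destination port)
# combinations the hypothetical SMS has approved. Intra-zone traffic is not
# policed by this check; everything else crossing a boundary is a finding.
ALLOWED = {
    ("business", "shore", 443),  # office web/mail gateway
    ("bridge", "shore", 443),    # chart and weather updates via the gateway
    ("shore", "engine", 8443),   # vendor performance monitoring (assumed service)
}

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def zone_of(ip_str):
    """Map an address to its zone name, or 'unknown' if it is in no defined zone."""
    addr = ip_address(ip_str)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Pull src/dst/dport out of a firewall-style flow record; None if not a flow line."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return {"src": m.group(1), "dst": m.group(2), "dport": int(m.group(3))}


def check_flows(lines):
    """Return one finding per flow that crosses zones without an approved rule."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
        if src_zone == dst_zone and src_zone != "unknown":
            continue                      # stays inside one segment
        if (src_zone, dst_zone, flow["dport"]) in ALLOWED:
            continue                      # approved boundary crossing
        findings.append({
            "line": line,
            "src_zone": src_zone,
            "dst_zone": dst_zone,
            "dport": flow["dport"],
            # anything reaching a safety-critical OT segment is the top priority
            "severity": "critical" if dst_zone in OT_ZONES else "medium",
        })
    return findings


def summarize(findings):
    """Count findings by severity for the incident log / watch handover."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed sample records in a generic "key=value" firewall log format.
SAMPLE_FLOWS = [
    "2024-03-01T10:00:00Z src=10.100.0.15 dst=192.0.2.10 dport=443 action=allow",
    "2024-03-01T10:00:04Z src=10.100.0.15 dst=10.10.0.5 dport=22 action=allow",
    "2024-03-01T10:00:09Z src=10.10.0.5 dst=10.10.0.7 dport=80 action=allow",
    "2024-03-01T10:01:00Z src=192.0.2.10 dst=10.20.0.3 dport=8443 action=allow",
    "2024-03-01T10:01:30Z src=192.0.2.77 dst=10.30.0.4 dport=3389 action=allow",
    "2024-03-01T10:02:00Z src=10.10.0.5 dst=10.100.0.20 dport=445 action=allow",
    "2024-03-01T10:02:10Z src=203.0.113.9 dst=10.100.0.15 dport=443 action=allow",
]

if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS):
        print(f"[{f['severity']}] {f['src_zone']} -> {f['dst_zone']}:{f['dport']}  {f['line']}")
    print(summarize(check_flows(SAMPLE_FLOWS)))
```

Run against the constructed records, the check passes the two approved crossings and the intra-bridge flow, and reports four findings: two critical (office LAN to bridge on port 22, and an unlisted shore address to cargo on port 3389) and two medium (bridge to office LAN on port 445, and an address outside every defined zone reaching the office LAN). The design point is that the allow-list, not the firewall's own "allow" verdict, is the source of truth: the records were all permitted by the device, which is exactly the gap a segmentation audit or SMS review is meant to catch.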
3.4 Incident Response and Recovery
The resolution requires organisations to have an incident response plan to handle cyber incidents. This plan should include:
Detection and Reporting: Procedures for detecting, logging, and reporting cyber incidents.
Containment and Mitigation: Steps to limit the spread of an attack and protect critical systems.
Recovery: Procedures to restore normal operations after an incident, including system backups and redundancy measures.
Post-Incident Review: Analysis of the incident to identify root causes and prevent recurrence.
Best Practices:
Conduct regular incident response drills to ensure readiness.
Maintain offsite backups of critical data and systems.
3.5 Training and Awareness
Human error is a leading cause of cyber incidents. IMO Resolution MSC.428(98) stresses the importance of cybersecurity awareness and training for all personnel, both onboard and onshore.
Training Programs Should Cover:
Recognising phishing and social engineering attacks.
Secure use of onboard systems and devices.
Incident reporting procedures.
Best Practices:
Tailor training programs to the roles and responsibilities of different personnel.
Use real-world scenarios and simulations to reinforce learning.
3.6 Continuous Improvement and Auditing
Cyber risk management is an ongoing process. Organisations must regularly audit their cyber risk management measures and update them based on:
Changes in the threat landscape.
Results of risk assessments and incident reviews.
Advances in technology and best practices.
Audits should verify that security measures are effectively implemented and aligned with regulatory requirements.
4. Benefits of Compliance with IMO Resolution MSC.428(98)
Adhering to the resolution helps maritime organisations strengthen their cybersecurity posture and achieve several key benefits:
Enhanced Safety: Reducing the risk of cyber incidents improves the safety of crew, cargo, and vessels.
Operational Resilience: Cyber risk management measures minimise the impact of disruptions on critical operations.
Regulatory Compliance: Compliance with IMO regulations protects organisations from legal and financial penalties.
Reputation Protection: Demonstrating a commitment to cybersecurity can enhance trust with customers, partners, and stakeholders.
5. Best Practices for Achieving Compliance
To effectively comply with IMO Resolution MSC.428(98), organisations should:
Adopt a Cybersecurity Framework: Implement a recognised framework such as the NIST Cybersecurity Framework or ISO/IEC 27001.
Conduct Regular Assessments: Perform periodic risk assessments to identify new threats and vulnerabilities.
Invest in Security Technology: Deploy tools such as SIEM, EDR, and network monitoring solutions to enhance detection and response capabilities.
Engage Cybersecurity Experts: Partner with security consultants or managed SOC providers to ensure comprehensive risk management.
Develop Collaborative Policies: Coordinate cybersecurity efforts between shipboard and shore-based teams to maintain consistent security practices.
6. Conclusion
IMO Resolution MSC.428(98) underscores the critical role of cybersecurity in modern maritime operations. By integrating cyber risk management into their Safety Management Systems, maritime organisations can enhance the security of their vessels, protect critical assets, and ensure compliance with international regulations. A proactive approach to cybersecurity not only mitigates risks but also strengthens operational resilience in an increasingly interconnected world.
For expert guidance on maritime cybersecurity, compliance strategies, and SOC services, contact our specialists today. Would you like additional resources, such as risk assessment templates, incident response plans, or cybersecurity training programs? Let us know!