Does MSC.428(98) require Penetration Testing?

Created by Peter Bassill, Modified on Thu, 20 Mar at 6:33 PM by Peter Bassill

The International Maritime Organization (IMO) introduced Resolution MSC.428(98) to enhance cybersecurity in the maritime sector by requiring that cyber risk management be integrated into the Safety Management System (SMS) of organisations operating under the International Safety Management (ISM) Code. While the resolution provides a framework for managing cyber risks, many maritime operators question whether penetration testing is explicitly required for compliance with MSC.428(98).

This article explores how penetration testing fits into the cyber risk management requirements of MSC.428(98), the benefits of penetration testing for maritime cybersecurity, and best practices for incorporating testing into your compliance strategy.


1. Overview of MSC.428(98)

Resolution MSC.428(98) mandates that all ships and maritime operators manage cyber risks to safeguard the safety of life at sea and the integrity of maritime operations. This requirement became mandatory on 1 January 2021, with cyber risk management now forming a core component of an organisation's safety management system under SOLAS (Safety of Life at Sea) regulations.

Key elements of MSC.428(98) include:

  • Identifying cyber risks: Understanding potential threats to shipboard and onshore systems.

  • Implementing mitigation measures: Protecting critical IT and OT (Operational Technology) systems from cyber threats.

  • Monitoring and incident response: Detecting and responding to cyber incidents in a timely manner.

  • Continuous improvement: Regularly assessing and updating cyber risk management strategies to address emerging threats.

While the resolution emphasises cyber risk assessment and mitigation, it does not explicitly mention penetration testing. However, penetration testing plays a crucial role in identifying vulnerabilities and improving cybersecurity, making it a valuable component of a comprehensive risk management strategy.


2. What is Penetration Testing?

A penetration test (or pentest) is a controlled and authorised simulation of a cyberattack on an organisation’s IT or OT infrastructure. The goal of penetration testing is to identify security weaknesses, exploit potential vulnerabilities, and assess the effectiveness of existing security measures.

Penetration tests typically follow a structured process, including:

  1. Planning and Scoping: Define the objectives, target systems, and rules of engagement for the test.

  2. Reconnaissance: Gather information about the target environment, such as IP addresses, system configurations, and software versions.

  3. Vulnerability Analysis: Identify potential weaknesses in networks, applications, and devices.

  4. Exploitation: Attempt to exploit identified vulnerabilities to simulate the actions of a real attacker.

  5. Reporting: Provide a detailed report of findings, including prioritised recommendations for remediation.

Penetration tests can target various areas, such as external and internal networks, web applications, mobile applications, and operational technology systems critical to maritime operations.


3. How Penetration Testing Supports Compliance with MSC.428(98)

Although MSC.428(98) does not explicitly require penetration testing, penetration testing aligns closely with the resolution's objectives by helping organisations:


3.1. Identify and Assess Cyber Risks

Requirement:
Organisations must conduct risk assessments to identify potential threats and vulnerabilities.

How Penetration Testing Helps:
Penetration testing provides an in-depth assessment of security risks by simulating real-world attack scenarios. It identifies vulnerabilities that may not be discovered through routine risk assessments or automated vulnerability scans, such as:

  • Misconfigured systems and services.

  • Weak access controls and authentication mechanisms.

  • Application-level vulnerabilities (e.g., SQL injection, cross-site scripting).

  • Weaknesses in OT systems (e.g., industrial control systems on ships).

These findings enable organisations to prioritise remediation efforts based on risk severity and potential impact.


3.2. Validate Security Controls

Requirement:
Organisations must implement technical and organisational measures to mitigate cyber risks.

How Penetration Testing Helps:
Penetration testing validates the effectiveness of security measures by attempting to bypass them. For example, testers may:

  • Attempt to bypass or evade firewalls, intrusion detection systems, and access controls.

  • Test the robustness of encryption and data protection measures.

  • Simulate phishing attacks to assess employee awareness and response.

By identifying weaknesses in existing controls, penetration tests provide actionable insights for strengthening security.


3.3. Enhance Incident Response Readiness

Requirement:
Organisations must establish procedures for detecting, responding to, and recovering from cyber incidents.

How Penetration Testing Helps:
Penetration tests can simulate various types of cyberattacks, such as ransomware, denial-of-service (DoS), and unauthorised access attempts. These simulations help organisations:

  • Test the effectiveness of their incident detection and response capabilities.

  • Identify gaps in communication, escalation, and recovery procedures.

  • Train staff on how to respond to cyber incidents in real-world scenarios.

By improving incident readiness, organisations can minimise the impact of cyberattacks on safety and operations.


3.4. Support Continuous Improvement

Requirement:
Cyber risk management must be regularly evaluated and updated to address new threats and vulnerabilities.

How Penetration Testing Helps:
Regular penetration testing ensures that organisations remain aware of evolving security risks. It provides a feedback loop for continuous improvement by:

  • Identifying new vulnerabilities introduced by changes in technology or operations.

  • Assessing the effectiveness of previous remediation efforts.

  • Providing updated recommendations for mitigating emerging threats.

This iterative approach helps organisations maintain a strong security posture in the face of changing risks.


4. Regulatory and Industry Expectations

Although MSC.428(98) does not explicitly require penetration testing, other regulatory frameworks and industry standards recognise its importance. For example:

  • NIS2 Directive: Requires essential and important entities, including maritime operators, to implement risk-based security measures and conduct regular security testing.

  • ISO/IEC 27001: Recommends periodic security assessments, including penetration testing, as part of an organisation’s information security management system (ISMS).

  • Industry Best Practices: Many shipowners, operators, and port authorities incorporate penetration testing into their cybersecurity strategies to meet client expectations, improve insurance coverage, and demonstrate due diligence.

By conducting regular penetration tests, maritime organisations can strengthen their compliance posture across multiple regulatory frameworks.


5. Best Practices for Penetration Testing in the Maritime Sector

To maximise the benefits of penetration testing, maritime organisations should follow these best practices:


5.1. Engage Certified Penetration Testers

Work with experienced professionals, such as those accredited by CREST or other recognised bodies, to ensure high-quality testing and reporting.


5.2. Define a Clear Scope

Clearly define the systems, networks, and applications to be tested. Include both IT and OT assets that are critical to maritime operations, such as:

  • Navigation systems (e.g., ECDIS).

  • Cargo handling and logistics systems.

  • Ship communication and control systems.

  • Onshore and offshore network infrastructure.


5.3. Prioritise High-Risk Areas

Focus testing efforts on areas with the highest potential impact, such as systems that handle sensitive data, critical operations, or external access points.


5.4. Schedule Regular Tests

Conduct penetration tests on an annual basis or after significant changes to technology, operations, or security policies. Regular testing ensures that vulnerabilities are identified and addressed in a timely manner.


5.5. Act on Findings

Implement remediation plans based on the test findings, prioritising critical and high-risk vulnerabilities. Follow up with re-testing to confirm that issues have been resolved.
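The feedback loop described in section 3.4 and the "act on findings, then re-test" step above can be made concrete by reconciling the findings of two consecutive tests: which previous findings were fixed, which are still open (and how long they have been open against a remediation target), and which are new. The following script is an added example, not code from the original article or from any testing provider; the asset names, finding data and per-severity remediation windows (SLA_DAYS) are all constructed for illustration.

```python
"""Reconcile two penetration test reports to track remediation (constructed example)."""
from dataclasses import dataclass, replace
from datetime import date

# Lower rank sorts first, so critical items appear at the top of every list.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Assumed maximum days a finding may stay open before it is flagged as overdue.
SLA_DAYS = {"critical": 30, "high": 90, "medium": 180, "low": 365}


@dataclass(frozen=True)
class Finding:
    finding_id: str   # report-specific identifier
    asset: str        # system or host the finding applies to
    title: str        # short description of the weakness
    severity: str     # one of the keys in SEVERITY_RANK
    first_seen: date  # date of the test that first reported it


def finding_key(f):
    """Findings are matched across reports by asset and title, not by report id."""
    return (f.asset, f.title.strip().lower())


def by_priority(f):
    return (SEVERITY_RANK[f.severity], f.asset, f.title)


def reconcile(previous, current):
    """Split findings into resolved, still open, and new relative to the previous test."""
    prev = {finding_key(f): f for f in previous}
    curr = {finding_key(f): f for f in current}
    resolved = [prev[k] for k in prev if k not in curr]
    new = [curr[k] for k in curr if k not in prev]
    # Carry the original first_seen date forward so ageing counts from first discovery.
    still_open = [replace(curr[k], first_seen=prev[k].first_seen) for k in curr if k in prev]
    return {
        "resolved": sorted(resolved, key=by_priority),
        "still_open": sorted(still_open, key=by_priority),
        "new": sorted(new, key=by_priority),
    }


def remediation_rate(result):
    """Fraction of the previous test's findings that no longer reproduce."""
    closed, open_ = len(result["resolved"]), len(result["still_open"])
    total = closed + open_
    return closed / total if total else 1.0


def overdue(result, as_of):
    """Still-open findings whose age exceeds the remediation window for their severity."""
    return [f for f in result["still_open"]
            if (as_of - f.first_seen).days > SLA_DAYS[f.severity]]


# Constructed sample data: findings from two annual tests of the same fleet IT/OT estate.
PREVIOUS_TEST_DATE = date(2023, 6, 1)
CURRENT_TEST_DATE = date(2024, 6, 1)

PREVIOUS = [
    Finding("P-01", "ecdis-01", "Outdated OS patch level", "high", PREVIOUS_TEST_DATE),
    Finding("P-02", "vsat-gw", "Default admin credentials", "critical", PREVIOUS_TEST_DATE),
    Finding("P-03", "crew-wifi", "Weak WPA2 passphrase", "medium", PREVIOUS_TEST_DATE),
]
CURRENT = [
    Finding("C-01", "ecdis-01", "Outdated OS patch level", "high", CURRENT_TEST_DATE),
    Finding("C-02", "crew-wifi", "Management interface reachable from crew network", "high", CURRENT_TEST_DATE),
    Finding("C-03", "cargo-web", "SQL injection in manifest search", "critical", CURRENT_TEST_DATE),
]


if __name__ == "__main__":
    result = reconcile(PREVIOUS, CURRENT)
    for bucket in ("resolved", "still_open", "new"):
        print(f"{bucket}:")
        for f in result[bucket]:
            print(f"  [{f.severity:>8}] {f.asset}: {f.title} (first seen {f.first_seen})")
    print(f"remediation rate: {remediation_rate(result):.0%}")
    for f in overdue(result, CURRENT_TEST_DATE):
        age = (CURRENT_TEST_DATE - f.first_seen).days
        print(f"OVERDUE: {f.asset} '{f.title}' open {age} days (limit {SLA_DAYS[f.severity]})")
```

Matching on asset and title rather than on report identifiers is deliberate: testers renumber findings between engagements, and an unresolved weakness that reappears under a new id should still be recognised as the same open risk so that its age, and therefore its priority within the SMS review, is measured from first discovery.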


6. Conclusion

While IMO Resolution MSC.428(98) does not explicitly mandate penetration testing, penetration testing plays a vital role in managing cyber risks and improving maritime cybersecurity. By identifying vulnerabilities, validating security controls, and enhancing incident response readiness, it helps organisations meet the resolution’s core requirements and strengthen their overall security posture.

For expert guidance on penetration testing, cyber risk assessments, and compliance with MSC.428(98), contact our cybersecurity specialists today.
