The International Maritime Organization (IMO) is a specialised agency of the United Nations responsible for ensuring the safety, security, and environmental performance of international shipping. In 2017, the IMO adopted Resolution MSC.428(98), a critical mandate focused on cybersecurity within the maritime industry. This resolution underscores the importance of integrating cybersecurity measures into the broader safety management systems (SMS) of shipping operations.
This article provides a comprehensive overview of Resolution MSC.428(98), its key requirements, how it impacts maritime organisations, and best practices for achieving compliance.
1. What is Resolution MSC.428(98)?
Resolution MSC.428(98), titled "Maritime Cyber Risk Management in Safety Management Systems", was adopted by the IMO's Maritime Safety Committee (MSC) during its 98th session on 16 June 2017. The resolution recognises the growing threat of cyberattacks on ships and maritime infrastructure and establishes requirements for managing cyber risks as part of an organisation's overall safety and security strategy.
The resolution applies to shipowners, operators, and other stakeholders involved in maritime transport, including ports, terminals, and service providers. It requires that cyber risk management be incorporated into the International Safety Management (ISM) Code by 1 January 2021, making it a mandatory part of the vessel’s compliance obligations under SOLAS (Safety of Life at Sea) regulations.
2. Why Was Resolution MSC.428(98) Introduced?
The adoption of Resolution MSC.428(98) was driven by the increasing reliance on digital technology in the maritime industry. Modern ships and shipping operations depend on interconnected systems, including:
Navigation systems (e.g., Electronic Chart Display and Information System or ECDIS).
Cargo handling and management systems.
Communication and control systems.
Operational technology (OT) used for engine and machinery control.
Port and terminal systems for logistics and supply chain management.
While these technologies improve operational efficiency and safety, they also introduce significant cyber risks. A successful cyberattack can lead to:
Loss of control over critical systems.
Navigation errors or collisions.
Cargo mismanagement or delays.
Breach of sensitive data (e.g., crew or cargo information).
Operational disruptions with significant financial and reputational consequences.
High-profile incidents, such as the 2017 NotPetya ransomware attack that affected shipping giant Maersk, highlighted the urgent need for improved cybersecurity measures in the maritime sector. Resolution MSC.428(98) aims to mitigate these risks by ensuring that maritime stakeholders adopt robust cyber risk management practices.
3. Key Requirements of Resolution MSC.428(98)
Resolution MSC.428(98) outlines several key requirements that maritime organisations must follow to manage cyber risks effectively. These requirements focus on integrating cybersecurity into the Safety Management System (SMS) and addressing both information technology (IT) and operational technology (OT) risks.
3.1. Cyber Risk Management Integration
Organisations must incorporate cyber risk management into their existing ISM Code compliance efforts. This includes:
Identifying cyber risks to shipboard and shoreside operations.
Implementing measures to protect critical systems from cyber threats.
Establishing procedures for detecting, responding to, and recovering from cyber incidents.
Cyber risk management must be an ongoing process, with regular updates to account for new threats and vulnerabilities.
3.2. Risk Assessment and Mitigation
Maritime organisations must perform regular cyber risk assessments to identify potential threats and vulnerabilities in their systems. Key steps include:
Asset Identification: Identify critical systems and data that need protection.
Threat Analysis: Assess potential cyber threats, including both external attacks (e.g., hackers, malware) and internal risks (e.g., human error, insider threats).
Vulnerability Assessment: Identify weaknesses in system configurations, software, and processes.
Risk Mitigation: Implement technical and organisational measures to reduce the likelihood and impact of cyber incidents.
Examples of risk mitigation measures include:
Network segmentation to separate critical systems from non-critical systems.
Strong access controls and authentication mechanisms.
Regular software updates and patch management.
Cybersecurity awareness training for crew and staff.
3.3. Incident Response and Recovery
Organisations must establish procedures for detecting and responding to cyber incidents. This includes:
Incident Detection: Implementing monitoring tools to detect suspicious activity in real time.
Incident Response Plans: Defining roles, responsibilities, and actions to take in the event of a cyber incident.
Business Continuity and Recovery: Ensuring that critical operations can continue or be restored quickly after an incident.
Effective incident response reduces downtime and minimises the impact of cyberattacks on safety and operations.
3.4. Continuous Improvement and Auditing
Cyber risk management is an ongoing process that requires regular evaluation and improvement. Organisations should:
Conduct regular cybersecurity audits to assess the effectiveness of their risk management measures.
Update risk assessments and mitigation strategies to address new threats and vulnerabilities.
Incorporate lessons learned from cyber incidents and near-misses into their procedures.
Continuous improvement helps organisations stay resilient in the face of evolving cyber threats.
4. Impact on Maritime Organisations
Resolution MSC.428(98) has significant implications for shipowners, operators, and other maritime stakeholders. Key impacts include:
4.1. Compliance with SOLAS and ISM Code
By incorporating cyber risk management into the ISM Code, Resolution MSC.428(98) makes cybersecurity a mandatory part of SOLAS compliance. Ships that fail to meet these requirements may face penalties, including:
Detention of vessels during port inspections.
Non-compliance reports, which can affect a ship's safety certification and insurance coverage.
Reputational damage and loss of business opportunities.
Compliance with the resolution is essential for maintaining the safety and operational readiness of vessels.
4.2. Increased Focus on Cybersecurity Awareness
Maritime organisations must foster a culture of cybersecurity awareness among their crews and staff. This includes:
Providing regular training on cyber risks and safe practices.
Encouraging employees to report suspicious activity or potential security breaches.
Implementing policies that promote secure use of technology, such as password management and device security.
Cybersecurity is a shared responsibility that requires engagement at all organisational levels.
4.3. Collaboration with Stakeholders
Effective cyber risk management requires collaboration between ship operators, port authorities, service providers, and regulatory bodies. Organisations must:
Share information on cyber threats and best practices.
Coordinate incident response efforts with external partners, including national authorities.
Ensure that third-party vendors adhere to cybersecurity standards and contractual obligations.
A collaborative approach enhances the overall security of the maritime ecosystem.
5. Best Practices for Achieving Compliance
To meet the requirements of Resolution MSC.428(98), maritime organisations should adopt the following best practices:
Develop a Cyber Risk Management Plan:
Define a comprehensive plan that outlines your organisation's approach to identifying, assessing, and mitigating cyber risks.
Conduct Regular Risk Assessments:
Perform periodic assessments to stay ahead of emerging threats and vulnerabilities.
Implement Multi-Layered Security Measures:
Use a defence-in-depth strategy that combines technical controls (e.g., firewalls, intrusion detection systems) with organisational measures (e.g., training, policies).
Test and Update Incident Response Plans:
Regularly test your incident response capabilities through simulations and exercises. Update plans based on lessons learned from incidents.
Engage External Experts:
Partner with cybersecurity specialists, such as CREST-accredited penetration testers, to evaluate and strengthen your defences.
Stay Informed:
Monitor industry trends, regulatory updates, and threat intelligence to ensure that your cybersecurity strategy remains effective.
6. Conclusion
The IMO’s Resolution MSC.428(98) highlights the critical importance of cybersecurity in the maritime industry. By integrating cyber risk management into the ISM Code, the resolution ensures that organisations take a proactive approach to protecting their ships, systems, and data from cyber threats. Achieving compliance with this resolution not only enhances safety and operational resilience but also strengthens trust with regulators, partners, and customers.
For expert guidance on maritime cybersecurity, risk assessments, and compliance with MSC.428(98), contact our cybersecurity specialists today.