The International Maritime Cyber Security Organisation (IMCSO) has launched as a body for standards of cybersecurity risk assessment across the maritime sector. The IMCSO has devised certification for security consultants and a professional register, whereby shipping businesses to select experienced personnel. The IMCSO will also validate report outputs for consistency with those reports then held on a central database and made accessible to the authorities and others that need to determine the risk status of a vessel.
Campbell Murray, CEO at the IMCSO, says: “Cybersecurity has been mandated by the International Maritime Organisation (IMO) which requires shipping companies to implement measures to protect their onboard safety management systems and to regularly audit them. However, the change in legislation has given rise to a new maritime cyber security industry that has proven to be variable in its approach to assessing systems and interpreting the standards.
“Ship’s captains often do not have the time to escort cyber auditors for these assessments, this is compounded by a variety of assessment methodologies used to provide risk and technical audit results to port authorities and insurers, leading to needless complexity, overheads and delays. It’s these issues that the IMCSO aims to address, by equipping the security industry to conduct these tests in an appropriate, safe and uniform manner, thus enabling the sector to benchmark compliance.”
The IMCSO Maritime Standard cyber certification scheme offers training across four disciplines. Cyber people who take the examination can qualify as an Offensive Security Practitioner, or Maritime Cyber Security Specialist, in addition to specific fields including Secure by Design, and Cloud Security.
An authorised supplier registry will also be made available by the IMCSO and will act as a record of approved cyber security suppliers within maritime cyber security. Applicant organisations will need to meet certification and accreditation standards such as the international standards ISO 27001 and ISO 9001 as well as certification criteria. Besides profiling the organisation, the register will also reference the qualifications of those they employ. Shipping companies can then search the database to look for personnel experienced in a specific domain and location.
A risk register database will be maintained by the IMCSO containing the results of ship assessments and audits enabling relevant parties to access the cyber risk profile of any given vessel. The IMCSO will also standardise report outputs. Adopting this uniform approach will eliminate any ambiguity over report findings, the body adds, whereby port authorities and insurers can consider a vessel’s cyber risk.
Standardised vessel-by-vessel data will allow for the building of a sharable and searchable dataset that will enable the IMCSO to track trends in cyber risk. It will also be used to inform the global maritime body the IMO, ship builders, insurers and management companies of such trends.
Comments
Captain of Private Yacht, Kaela Bermeister, says: “The IMCSO promises to simplify the risk assessment process and to give third parties the information they need to accurately determine risk. This will result in more accurate cyber insurance policies, for instance, and the ability to use the report data to track cyber trends may help the sector to become more resilient. We look forward to utilising the IMCSO database to help our clients.”
Ms Caroline Yang is President of the Singapore Shipping Association (SSA), a trade association of over 500 Singapore-based companies. She says: “The independent validation of cybersecurity professionals offered by the IMCSO will help our members to select cybersecurity testers in a much more efficient way, ensuring they allow personnel onboard with the requisite experience. It will make it much easier to comply with the IMO mandate and will prove an invaluable resource.”
Visit www.imcso.org.
