The International Maritime Cyber Security Organisation (IMCSO), an independent maritime standards organisation, has today released its cybersecurity testing methodology for those maritime vessels looking to assess their risk and join the Cyber Risk Registry, a risk register database maintained by the IMCSO. The methodology aims to provide IMCSO accredited cyber consultants and the senior maritime personnel they will be assessing with standardised testing by outlining test scope and the language to be used to ensure tests are planned, executed and reported effectively.
“Currently there is no standard in the maritime sector for governing the quality of cyber risk assessments. This methodology will set a precedent by providing a set of criteria that assessors must observe when on engagement and against which maritime security can be measured. It is a very big step forward in normalising both expectations and requirements in the maritime space,” said Campbell Murray, CEO at the IMCSO.
The methodology stipulates the conditions under which the cybersecurity assessments will be carried out. It acts as a legal and practical guide for cybersecurity practitioners who must adhere to the standards as a condition of their inclusion on the approved suppliers list, otherwise known as the Certified Supplier Registry, held by the IMCSO. The Captain and crew undergoing the assessment will also be required to abide by the methodology and undergo pre-assessment training to become cyber ready in order to better understand the process and its findings.
Testing will assess security across ten categories under the umbrella term of Operational Technology (OT) i.e. the hardware and software needed to monitor and control the physical processes of the ship. These include navigation, propulsion, electrical systems, communication, safety systems, cargo handling, environmental systems, and maintenance systems, human factors, and regulatory and compliance issues. The assessment may be carried out at sea, onshore or a combination of the two. Currently, the only OT standards available to the sector are those associated with the manufacturing industry and very few directly assess OT.
In addition, it can often be difficult for shipping companies to objectively assess their OT suppliers, as Murray explains: “Third parties and the shipping companies share a dependency, with joint goals and integrated operations. Yet, with supply chain attacks on the rise, they represent a real risk to operations. This can strain the relationship but by applying a systematic approach through a standardised risk assessment, the company can rely upon the process to vet the cybersecurity posture of their suppliers for them.”
Key components of the IMCSO security testing methodology include:
- Pre-Requisites: Rules of engagement, authorisation, scope of work, objectives, zones of testing.
- Scope of Work: Outlines the project details and goals, signed by both parties.
- Rules of Engagement: Guidelines for testing, including permitted hours and restrictions.
- Authorisation and Legal Considerations: Compliance with laws and written stakeholder approval.
- Testing Methodology: The approach used (e.g., black-box, white-box).
- Deliverables: Expected outputs, such as reports and recommendations.
- Timelines: Start and end dates, with key milestones.
- Communication Plan: Points of contact and reporting protocols.
- Risk Management and Contingency Planning: Plans to mitigate potential risks like downtime or data loss.
- Confidentiality and Data Handling: Protecting sensitive data and results
- Testing Activity: Performed by qualified personnel, with prompt reporting of critical issues.
- Reporting: Clear and categorised reporting of security findings, including solutions.
- Report Delivery: Secure and confidential delivery of the final report.
Reports will take a practical approach with clear recommendations made in response to any of security issues or vulnerabilities. Outputs will be standardised under the methodology using qualitative metrics and this consistency will ensure the results for each vessel are comparable. The results will be used to profile the cyber risk of the vessel, the status of which will be recorded in the Cyber Risk Registry.
Shipowners are sensitive about sharing their vessel’s data. The Cyber Risk Registry will serve as a valuable resource for stakeholders and relevant parties, including port authorities, insurance companies, and association partners, by providing insights into cyber risk trends within the maritime sector. Additionally, it will support the broader industry—including the IMO, shipbuilders, management companies, and industry associations—by offering a trusted registry of vendors, qualified practitioners, and service providers to help vessels strengthen their cyber resilience and mitigate risks effectively.
Notes to editors:
- Risk assessment is a prerequisite for those shipping companies looking to join the Cyber Risk Registry.
- The methodology covers assessing captains and officers at the bridge and the assessment of OT.
- The methodology aims to minimise the risk of liability for practitioners while ensuring shipping companies achieve return on investment from the assessment.
- Risk assessments score the security of the shipping company to provide a quantifiable risk score and a benchmark for improvement.
About the IMCSO
The International Maritime Cyber Security Organisation (IMCSO) has been established to help raise the standard of cybersecurity assessment across the shipping industry. The organisation offers certification for maritime specific knowledge and maintains the Certified Supplier Registry, a register of maritime cyber security service suppliers, detailing the qualifications and expertise of those working for them. The IMCSO also catalogues risk reports on a Cyber Risk Registry and makes the results available to selected parties to profile vessels and chart cyber trends. To find out more, please go to www.imcso.org.
