The International Maritime Cyber Security Organisation (IMCSO) released its cybersecurity testing methodology for vessels looking to join the Cyber Risk Registry, a risk register database maintained by the IMCSO.
According to IMCSO, the methodology stipulates the conditions under which the cybersecurity assessments will be carried out. It acts as a legal and practical guide for cybersecurity practitioners who must adhere to the standards as a condition of their inclusion on the approved suppliers list, otherwise known as the Certified Supplier Registry, held by the IMCSO.
In addition, the Captain and crew undergoing the assessment will be required to abide by the methodology and undergo pre-assessment training to become cyber-ready, so that they better understand the process and its findings.
Testing will assess security across ten categories under the umbrella term of Operational Technology (OT), i.e., the hardware and software needed to monitor and control the physical processes of the ship. These are navigation, propulsion, electrical systems, communication, safety systems, cargo handling, environmental systems, maintenance systems, human factors, and regulatory and compliance issues.
The assessment may be carried out at sea, onshore or a combination of the two. Currently, the only OT standards available to the sector are those associated with the manufacturing industry, and very few of those directly assess OT.
Key components of the IMCSO security testing methodology
- Pre-Requisites: Rules of engagement, authorisation, scope of work, objectives, zones of testing.
- Scope of Work: Outlines the project details and goals, signed by both parties.
- Rules of Engagement: Guidelines for testing, including permitted hours and restrictions.
- Authorisation and Legal Considerations: Compliance with laws and written stakeholder approval.
- Testing Methodology: The approach used (e.g., black-box, white-box).
- Deliverables: Expected outputs, such as reports and recommendations.
- Timelines: Start and end dates, with key milestones.
- Communication Plan: Points of contact and reporting protocols.
- Risk Management and Contingency Planning: Plans to mitigate potential risks like downtime or data loss.
- Confidentiality and Data Handling: Protecting sensitive data and results.
- Testing Activity: Performed by qualified personnel, with prompt reporting of critical issues.
- Reporting: Clear and categorised reporting of security findings, including solutions.
- Report Delivery: Secure and confidential delivery of the final report.
As explained, the reports will provide practical recommendations for addressing security issues or vulnerabilities, using standardized qualitative metrics for consistency. The results will help assess the vessel’s cyber risk, which will be recorded in the Cyber Risk Registry.