The Work Instruction CVC-WI-027, “Vessel Cyber Risk Management” provides guidance to inspectors and officers for assessing cyber hygiene onboard applicable vessels, as well as compliance options if deficiencies are noted.
Guidance for assessing cyber security onboard a vessel subject to the ISM Code
During the course of a normal inspection/examination, the MI/PSCO should evaluate whether or not a cybersecurity event was a factor in the failure of a system required for the safe navigation or operation of the vessel.
"Example: While aboard a ship for a PSC exam the 2nd Officer explains that the ECDIS is not operational after a recent electronic chart update. The PSCO asks the 2nd Officer what is the procedure to update the ECDIS? The 2nd Officer explains that the ECDIS is updated via a flash drive loaded with updates from a shipboard computer (this scenario continues throughout the work instruction)".
Up to this point, the PSCO is still trying to determine why a piece of equipment required for the safe navigation of the vessel is not operating properly. SOLAS Regulation V/27 requires all nautical charts necessary for the intended voyage shall be adequate and up to date. Since the ECDIS is not operational, the applicable SOLAS Regulation is not met.
"Example continued: The PSCO continues by querying the 2nd Officer if the flash drive was scanned for viruses/malware prior to connecting to the ECDIS, and they state “no.” At this point, poor cyber hygiene may have occurred and the PSCO has established clear grounds to conduct a more detail exam including the cyber risk management portion of the SMS".
If objective evidence is identified indicating that the vessel failed to implement its SMS with respect to cyber risk management, the MI/PSCO should direct the vessel to take the following actions:
a. For US vessels:
- MIs should follow the guidance in reference (k) which sets forth guidance for assessing the effectiveness of a company’s SMS on US flag vessels
b. For foreign vessels:
- If cyber risk management has not been incorporated into the vessel’s SMS by the company’s first annual verification of the DOC after January 1, 2021, a deficiency should be issued with action code 30 – Ship Detained, with the requirement of an external audit within 3 months or prior to returning to a US port after sailing foreign.
- When objective evidence indicates that the vessel failed to implement its SMS with respect to cyber risk management, then the PSCO should issue a deficiency for both the operational deficiency and an ISM deficiency with an action code 17 – Rectify Prior to Departure and require the vessel to conduct an internal audit, focused on the vessel’s cyber risk management, within 3 months or, prior to returning to a US port after sailing foreign.
- When objective evidence indicates there is a serious failure to implement the SMS with respect to cyber risk management that directly resulted in a cybersecurity incident impacting ship operations (e.g. diminished vessel safety/security, or posed increased risk to the environment), after gaining concurrence from the OCMI, the PSCO should issue a deficiency for both the operational deficiency and an ISM deficiency with action code 30 – Ship Detained with the requirement of an external audit within 3 months or prior to returning to a US port after sailing foreign.
c. With the exception of US vessels described in a.1 above, deficiencies issued with respect to ISM and cybersecurity should be assigned deficiency code 15113 (Other ISM) on the respective deficiency form (PSC Form B) and entered into MISLE marked “Worklist Item/Do Not Show in PSIX” and include the word ‘CYBERSECURITY-ISM’ at the beginning to aid with data analysis.