IMO, the ISM Code and Maritime Cyber Risk Management


Modern ships are far more sophisticated than ships of just a decade or so ago, and in a world of increasing digitalisation they are becoming even more complex year by year. That is not to say that the core purpose of ships – to move goods and people across the world’s oceans – has changed; in many ways that aspect has remained constant, and the only major development was the advent of containerisation almost half a century ago.


What has changed is the reliance on computerised systems, be they for stowage calculations, navigation, communications, or engine and fuel performance monitoring. In terms of navigation and performance monitoring the industry is still at a fairly elementary level, but as regulators plan to make shipping more efficient and less polluting through eNavigation strategies that could eventually see vessels operating autonomously, this is an area that could see rapid change in the near to mid-term future.

Until quite recently, the threat of cyber attacks was considered to be directed mostly at the financial side of the industry. Cyber criminals, it was assumed, would be looking to infect systems with ransomware or to steal data that would give them access to the financial systems of companies and their customers. The idea that the safety of the vessel and of physical assets in ports might be at risk was not something that had entered the minds of many.

How the cyber threat became a safety issue

In the 2010s electronic navigation equipment in the form of ECDIS became mandatory on most cargo ships over 3,000gt and passenger ships over 500gt. Just prior to that, engine makers had developed electronically controlled engines and were in the early stages of offering remote monitoring and maintenance of engines. GPS jamming had been encountered and, while that could impact safety, it falls outside of the definition of a cyber threat. It was at this time that the idea took hold that navigation and ships’ power supplies could be at risk from cyberattacks.

At MSC 94 in 2014, the Committee considered a proposal to develop voluntary guidelines on cyber security practices to protect and enhance the resiliency of cyber systems supporting the operations of ports, vessels, marine facilities and other elements of the maritime transportation system, and agreed to coordinate its future work on this matter with the Facilitation Committee.

At the time the IMO agreed that cyber security was an important and timely issue but that it should not take unilateral action without consultation with other UN bodies and relevant international organizations such as the International Telecommunication Union (ITU). Member States and observer organisations were invited to consider the issue and submit proposals to MSC 95.

Meanwhile, the Facilitation Committee (FAL) of the IMO had been discussing the electronic exchange of data between ship and shore relative to reporting and clearing ships and the use of the GISIS database as a means of storing electronic versions of ships’ documents for use by customs and port authorities.

In 2016, at FAL 39, Canada proposed the development of guidelines on maritime cyber security in light of the dramatic increase in the use of cyber systems across the maritime sector. The proposal asked the committee to explore the subject and to set up a working group to develop the idea. There was a lot of support, although the committee referred to the ongoing work at MSC.

With the two committees co-operating, the first attempt to address the issue was MSC.1/Circular.1526 – Interim Guidelines on Maritime Cyber Risk Management – (1 June 2016). Those guidelines were to be short-lived and were replaced by a circular issued jointly by both committees as MSC-FAL.1/Circ.3 – Guidelines on Maritime Cyber Risk Management – (5 July 2017).

By resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems, the MSC linked the cyber threat with the ISM Code, which had been in place since the mid-1990s.

Mandatory or not?

There is a strong perception across the industry that MSC.428(98) required ship operators to include cybersecurity in their safety management systems, but this is not actually the case. The resolution actually said:

NOTING the objectives of the ISM Code which include, inter alia, the provision of safe practices in ship operation and a safe working environment, the assessment of all identified risks to ships, personnel and the environment, the establishment of appropriate safeguards, and the continuous improvement of safety management skills of personnel ashore and aboard ships,

1 AFFIRMS that an approved safety management system should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code;

2 ENCOURAGES Administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021;

3 ACKNOWLEDGES the necessary precautions that could be needed to preserve the confidentiality of certain aspects of cyber risk management;

4 REQUESTS Member States to bring this resolution to the attention of all stakeholders.

As can be seen from the wording, there is a strong recommendation and encouragement to include the subject in safety management systems from 1 January 2021, but no mandatory requirement for individual companies or Administrations (flag states) to actually do so.

In 2018, the IMO published the fifth version of the ISM Code, and here again there are several recommendations to take any appropriate guidelines into account, but the words used in the Code itself do not imply a legal obligation to do so.

It must be understood that with all IMO Conventions and Codes each flag state needs to enact laws making the Convention or Code applicable to ships flying its flag. The FAL Convention only applies to ships making international voyages (between two different states) and the same is true of SOLAS and therefore the ISM Code. However, flag states are at liberty to apply the conventions and codes also to ships trading domestically.

Furthermore, it is an anomaly that whilst the IMO can make rules and regulations applying to ships, it is left to port states to formulate the rules that apply to ships, regardless of flag, calling at their ports or in their territorial waters. Therefore, it is important to check what the flag state and any port state that a ship may trade to have determined about incorporating cyber risk management into the ISM Code.

It is beyond the scope of this work to list what each administration has done, but a good example of mandatory inclusion is the UK. In Marine Information Note MIN 647(M), the Maritime and Coastguard Agency set out the UK position. This states that, for vessels subject to the ISM Code:

From the 1st January 2021, ISM Audits for the DOC and subsequent Safety Management Certificate (SMC) audits conducted by the MCA will verify that the safety management systems contain elements showing that cyber risks have been addressed.

The notice goes on to say:

Though the IMO Resolution refers directly to those vessels and operators where the ISM Code applies, the need to address identified cyberthreats and vulnerabilities is not limited to those vessels and operators; operators of companies and vessels to which the ISM Code does not apply are strongly advised to note the guidance available on the subject of Cyber Security and assess their own systems against the threats apparent in the increasingly technical environment in which they operate.

By contrast, Malta – which operates a large open registry – highlights in Transport Malta’s Technical Notice SLS 34 that the requirement is non-mandatory, but that there could be consequences for not incorporating cyber risk management in the Safety Management System. It makes specific reference to the US, saying:

Notwithstanding the fact that the said Resolution is non-mandatory, the attention of all stakeholders is drawn to the fact that some countries like the US have made such a requirement mandatory for all vessels that call on ports in the U.S. regardless of the ship’s flag.

The US position and instruction to US Port State Control Officers is contained in USCG Vessel Cyber Risk Management Work Instruction CVC-WI-027(2) which states:

1) If cyber risk management has not been incorporated into the vessel’s SMS by the company’s first annual verification of the DOC after January 1, 2021, a deficiency should be issued with action code 30 – Ship Detained, with the requirement of an external audit within 3 months or prior to returning to a U.S. port after sailing foreign.
2) When objective evidence indicates that the vessel failed to implement its SMS with respect to cyber risk management, then the PSCO should issue a deficiency for both the operational deficiency and an ISM deficiency with an action code 17 – Rectify Prior to Departure and require the vessel to conduct an internal audit, focused on the vessel’s cyber risk management, within 3 months or, prior to returning to a U.S. port after sailing foreign.
3) When objective evidence indicates there is a serious failure to implement the SMS with respect to cyber risk management that directly resulted in a cybersecurity incident impacting ship operations (e.g. diminished vessel safety/security, or posed increased risk to the environment), after gaining concurrence from the OCMI, the PSCO should issue a deficiency for both the operational deficiency and an ISM deficiency with action code 30 – Ship Detained with the requirement of an external audit within 3 months or prior to returning to a U.S. port after sailing foreign.

Clearly, a ship manager with a fleet containing ships operating under more than one flag state will need to identify what each flag state has to say on the matter, and may need to adopt different procedures in its Safety Management System for ships of different flags.