Maritime cyber security

Regulations

One of the most important drivers behind the rapid evolution of cyber-security standards in the maritime industry is a fast-developing regulatory environment. This includes cyber security regulations specific to the maritime industry as well as broader regulations with which many maritime stakeholders must comply.

GDPR

The EU’s General Data Protection Regulation (GDPR), implemented in 2018, mandates strict controls over the collection, storage, processing, and sharing of personal data. This has increased cyber security requirements in the maritime industry by requiring organizations to implement appropriate measures that ensure the safe and secure processing of personal data.

IMO Resolution MSC.428(98)  

Implemented in 2021, this requires owners, operators, and managers to consider overall cyber risks and to implement cyber security across all levels of their management system, in line with the International Safety Management (ISM) Code.

In combination with this resolution, the IMO also released Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3). This provides high-level recommendations for maritime cyber risk management that can be incorporated into existing risk management processes. 

International Association of Classification Societies’ (IACS) new unified requirements (URs) for cyber security   

Taking effect from 1 July 2024, this obliges owners, yards and suppliers to build cyber security barriers into their systems and vessels, requiring compliance across the full spectrum of critical on-board control and navigation systems.  

The IACS URs for cyber security consist of two sets of rules: UR E26 governs system integration at the ship level, while UR E27 applies to essential on-board systems and equipment. Both must be met by vendors and yards and will be mandatory for all newbuilds with contracts signed after 1 July 2024.

The URs (maritime cyber security regulations) will apply to everything computer-based on board such as main-engine control systems, steering, cooling systems, fire detection, communications systems including public address systems, and navigation systems – anything that is integral to making the ship move, navigate and operate safely. 

The URs are minimum prescriptive requirements agreed by all IACS members. Based on the IEC 62443 standards that address OT cyber security in a holistic way, they aim to ensure the secure integration of both OT and IT equipment into the vessel’s network during the design, construction, commissioning and operational life of the ship, covering equipment identification, protection, attack detection, response and recovery. These regulations also aim to ensure system integrity is secured and hardened by third-party equipment suppliers. 

EU Directive on Network and Information Systems (NIS2)  

Set to be implemented in October 2024, this obliges EU member states to adopt cyber security strategies and establish competent cyber security structures across their jurisdictions. The directive will ensure that operators of essential services, including major ports, shipping companies and even single vessels such as floating storage and regasification units (FSRUs), take appropriate security measures and report serious cyber incidents.

Similar legislation is expected to take effect in other key regions over the coming years.