International Maritime Cyber Security Organisation launched
A new non-profit organisation called the International Maritime Cyber Security Organisation (IMCSO) has been launched, aiming to raise the standard of cybersecurity risk assessment across the maritime industry.
IMCSO has created a certification programme for security consultants as well as a professional register to help shipping organisations to select experienced personnel. Alongside this, the organisation also plans to standardise and validate cyber report outputs to ensure consistency, with those reports to be held on a central database.
“Cybersecurity has been mandated by the International Maritime Organisation (IMO) which requires shipping companies to implement measures to protect their onboard safety management systems and to regularly audit them. However, the change in legislation has given rise to a new maritime cyber security industry that has proven to be variable in its approach to assessing systems and interpreting the standards,” said Campbell Murray, CEO at the IMCSO.
“Ship’s captains often do not have the time to escort cyber auditors for these assessments. This is compounded by a variety of assessment methodologies used to provide risk and technical audit results to port authorities and insurers, leading to needless complexity, overheads and delays.”
“It’s these issues that the IMCSO aims to address, by equipping the security industry to conduct these tests in an appropriate, safe and uniform manner, thus enabling the sector to benchmark compliance.”
The IMCSO Maritime Standard cyber certification scheme offers training across four disciplines. Cyber professionals who take the examination can qualify as an Offensive Security Practitioner or Maritime Cyber Security Specialist, in addition to specific fields including Secure by Design and Cloud Security.
The authorised supplier registry will act as a record of approved cyber security suppliers within the maritime cyber security speciality, with applicant organisations needing to meet certain certification and accreditation standards such as ISO 27001 and ISO 9001. Shipping companies can then search the database to look for personnel experienced in a specific domain and location.
A risk register database will be maintained containing the results of ship assessments and audits enabling relevant parties to access the cyber risk profile of any given vessel, while standardisation of report outputs will aim to prevent the confusion that can arise from using different reporting methodologies, providing a uniform approach to eliminate any ambiguity over report findings.
IMCSO hopes that the standardised vessel-by-vessel data will also allow for the building of a sharable and searchable dataset that will enable the organisation to track trends in cyber risk, and to inform the IMO, ship builders, insurers and management companies of such trends.
“The independent validation of cybersecurity professionals offered by the IMCSO will help our members to select cybersecurity testers in a much more efficient way, ensuring they allow personnel onboard with the requisite experience. It will make it much easier to comply with the IMO mandate and will prove an invaluable resource,” said Caroline Yang, President, Singapore Shipping Association (SSA).
