Frequently asked questions
Below you find a collection of FAQs questions related to Cyber security
Click on the questions to read the answers:
Below you find a collection of FAQs questions related to Cyber security
Click on the questions to read the answers:
There is no requirement decided by the IMO. Competency requirements are found in the ISM Code and in the Maritime Labour Convention (Regulation 1.3). In addition we find it self-evident that there must be people with cyber security responsibility in the company and on board the vessels and communication between these in order to ensure ongoing compliance and continuous improvement. From the statutory perspective, it is up to the DoC Holder to develop measures needed.
The decision is to handle cyber security through ISM and as is well known, the risk assessment and handling requirement in the objective of that code. When that is said cyber risk may also impact security (ISPS) and working and living conditions (MLC) so we encourage also needs related to these to be considered. We do recommend that DoC Holders handle requirements and objectives through one system and that this is the safety management system (and systematics), required by the ISM Code.
The statutory certificates will be the SMC and the DoC. Any deficiency will be identified in the audit reports and handled as other deficiencies.
The IMO decision is to verify compliance starting with the 1st annual Company (DoC) audit after January 1st 2021. This will be the starting point for the assessing compliance. As this will include the SMS measures for ongoing compliance and continuous improvement, the systematic to assess implementation and handling on board will remain and include cyber security.
The IMO decision linking cyber security to ISM means that cyber security must be handled on vessels where the ISM Code is applicable. The risks to vessels and companies is of course not limited to these vessels so we encourage also others to identify and handle cyber risk.
Yes, in order to handle cyber security and cyber risk, we do expect you to have effective measures through your safety management system ensuring compliance on board. With the use of personal equipment by most, we do expect that all on board will be involved and have to be aware to some degree. In addition there will have to be crew members with special responsibilities for cyber security on board and to some degree that will also have to include the others. Where to draw the lines and set up the organization must be a part of the revision of the SMS which you must consider also noting the outcome of the performed the risk assessment.
There are competency requirements in the ISM Code and the MLC which will have to be complied with. So far there are no mandatory courses.
In the 2020 audits DNV aim to raise the awareness of cyber security, however from 1st of January 2021 it will be a standard audit item and deficiencies will be tagged as any other deficiency.
If you have combined services through the DNV Seamless Management Systems services including ISO 27001 in scope we will ensure to utilize overlaps and take out synergies in one audit crediting both. If these are not delivered as seamless then there will be two audits and it will always be the statutory ISM/DoC audit which will verify compliance and through which required statutory certificates will be issued.
The handling of risk has been and is a requirement from the ISM code, what is new is that the IMO in 2017 identified cyber security as a risk and mandated verification of handling through the safety management system starting from the first annual DoC audit after 01.01.2021
The Cyber secure class notation is a voluntary additional notation used to prove the cyber security resilience of the vessel. However, the Class notation can be a good tool to use to proof compliance to other mandatory regulatory and commercial requirements.
There is a vast amount of different standards being used for cyber security across industries. We have chosen to base our rules on recognised IEC standards already in use in the maritime industry such as IEC62443 (control system cyber security) and IEC61162-460 (bridge systems) to ease industry uptake of the rules and have made maritime and offshore profiles for these. The IEC62443-2-1 which we have based our procedural requirements on, is also well aligned with the ISO27000 standards more used for information technology (IT) systems.
Moreover, the entry level Cyber secure class notation (Link) reflects the IMO MSC.428(98) cyber requirements. We also believe the Cyber secure class notation levels are well aligned with maritime regulation and charter requirements.
The Cyber secure class notation has three main levels, in addition to the (+) qualifier.
1. The entry-level class notation Cyber Secure addresses the most critical vulnerabilities (security profile 0). In addition, the notation requires that a cyber security management system is established to ensure secure ship operation and meet the upcoming IMO resolution MSC.428(98). Systems under consideration is the 10 essential and important vessel functions.
2. Class notation Cyber Secure (Essential) , formerly called Basic, includes all of the Cyber secure entry-level notation above, but in addition examines the control systems in more detail to ensure security controls/capabilities at security profile 1 (provide comprehensive protection against casual or coincidental cyber security threats/violations).
3. Cyber Secure (Advanced) covers the same scope as the Essential scope, however with increased security level (security profile 3). This is primarily intended for more complex newbuilding projects and is designed to protect against intentional violations using sophisticated means and specific control system skills.
4. If additional and/or other systems are requested addressed for cyber security, the (+) qualifier can be added to any of the three levels above.
See the Cyber secure class notation service page (Link) and Cyber Secure notation level selector app web page (Link) for more details.
The level selected from the Cyber secure class notation for your vessel will depend on cyber security risk, complexity, remote connection, system interconnectivity, available resources, etc.
As a rule of thumb, existing merchant vessels such as bulk carriers, container ships, tankers, etc. should aim at the entry level Cyber secure. Newbuilding and more complex vessels may consider to use higher requirements. As support for the initial qualifier selection, we have made an app (Link) on the Cyber secure class notation web page (Link)
The DNV entry level Cyber secure class notation (Link) reflects DNV ship classification's interpretation of the IMO MSC.428(98) cyber requirements.
The technical cyber security design requirements need to be fulfilled by the yard and the system suppliers, and will result in an Cyber secure class notation DNV-RU-SHIP-Pt6-Ch5-Sec21 (Link) .
To keep the class notation during the sailing phase, the operator/manager will need to show that procedures and policies in line with requirements to a cyber secure management system are complied with DNVGL-RU-SHIP-Pt7-Ch1-Sec6-41 (July 2020) (Link)
To keep the class notation during the sailing phase, the operator/manager will need to show that procedures and policies in line with requirements to a cyber secure management system are complied with, DNVGL-RU-SHIP-Pt7-Ch1-Sec6-41 (July 2020) (Link)
Since Class rules are according to the relevant class society, the Cyber secure class notation is for DNV rules. However, we have chosen to base our rules on a recognised IEC standard to make it universally applicable. There is also work within IACS to align cyber requirements, and this will probably align the overall structure, but the different societies will decide by themselves how they implement and enforce it in their rules.
Yes, the DNV Cyber secure rules can also be applied to non-DNV classed vessels. The vessel will then get a Certificate of Compliance towards the rules instead of a Class notation. Other scheme for following up during the sailing phase also needs to be established.
Our Cyber secure class notations address by default the software-based systems needed to maintain essential vessel services.
The following systems are included in scope:
- Systems related to vessel propulsion
- Systems related to vessel steering
- Systems related to vessel watertight integrity
- Systems related to vessel fire detection and mitigation
- Systems related to vessel ballasting
- Systems related to thruster(s) not part of propulsion (if applicable)
- Systems related power generation
- Auxiliary systems related to propulsion, steering and power generation
- Navigation systems
- Communication systems
If desired, additional control systems may also be added to scope, see Cyber secure(+) below.
The (+) notation is intended to allow for flexibility when it comes to the systems and security requirements being applied for the class notation. The base qualifier without (+) has the 10 essential and important ship functions as scope (propulsion, steering, power generation, ballasting, fire, auxiliary thrusters, essential auxiliary equipment, navigation and communication).
You can use (+) qualifier to add a system to scope, i.e. add cargo systems or drilling systems. It can also be used to increase security controls for any of the 10 systems in scope, i.e. Cyber secure (+) where e.g. the navigation systems furfill security profile 1 instead of security profile 0 (as for the remaining Cyber secure systems).
A system which has a Cyber security type approval has been verified to have capabilities which fulfil the cyber secure rules at a given security profile.
If a Cyber secure type approved systems is used in a Cyber secure class project, the project effort will be reduced, and only the configuration of that system as well as the integration, not the capabilities, needs to be verified.
The Cyber security type approval program (Link) (DNVGL-CP-0231) is intended to verify the cyber security capabilities of software based ship systems such as control and bridge systems. It can also be applied to any other system intended to fulfil a ship function onboard a vessel.
Moreover, it can also be used to verify the capabilities of a cyber security protection solutions as to verify which cyber secure requirements can be protected using the solutions. E.g. a removable media scanning station can fulfil some requirements towards removable media usage and malicious code when used in combination with certain procedures.
Yes, it can also be used to verify the capabilities of a cyber security protection solutions as to verify which cyber secure requirements can be protected using the solutions. E.g. a removable media scanning station can fulfil some requirements towards removable media usage and malicious code when used in combination with certain procedures
The detail of such a request needs to be considered on a case by case basis, and you should contact via the Cyber security type approval page (link to Cyber security type approval page) to get an offer for this support.
Please see "Yards" tab (Link) of our DNV web site.
There are on-going discussions on autonomous and remotely operated vessels both nationally and internationally. The importance of cyber security is of course increasing with the degree of autonomous and remote operations. The ISM Code and responsibilities of the DoC holder when operating autonomously or remotely has been a part of the ongoing discussions. This has not be landed, but indications are that these will remain the same and with that cyber security must also be handled in the SMS for Companies operating autonomous or remotely-supported vessels.
The decision is to handle cyber security through ISM and as is well known, the risk assessment and handling requirement in the objective of that code. When that is said cyber risk may also impact security (ISPS) and working and living conditions (MLC) so we encourage also needs related to these to be considered. We do recommend that DoC Holders handle requirements and objectives through one system and that this is the safety management system (and systematics), required by the ISM Code.
We recommend you use existing systematics for risk assessment (process, rating scales and risk matrix). If you find that the existing solution does not fit needs, then consider alternatives. Special care should be taken to address all potential consequence impact categories (confidentiality, integrity and confidentiality) to systems and data. For the statutory work there is no risk assessment guidance.
True, therefore alternative approaches are relevant for estimating the likelihood of an cyber incident. These include "Ease of Access" (see DNV-RP-0496 and Cybersecure Class Notation) as well as threat modelling based on the capacity, motivation of the attacker and the level of vulnerability of the equipment.
We recommend to use the same risk matrix and likelihood/consequence rating scales as for all safety/environmental risks onboard. This way the comparison between cyber related risks and non-cyber related risks will be possible and a more holistic approach enables more efficient (cost-benefit) risk treatment. However, the way how to assess the risk will differ, the consequence of the loss of Confidentiality, Integrity and Availability should be assessed and the lack of statistical data for the likelihood assessment require another approach to determine the expected frequency of incidents.
The decision is to handle cyber security through ISM and as is well known, the risk assessment and handling requirement in the objective of that code. We do recommend that DoC Holders handle requirements and objectives through one system and that this is the safety management system (and systematics), required by the ISM Code.
The more connectivity a system has the higher likelihood it will be that this system will suffer from a cyber security incident. Furthermore, targeted attacks are likelier towards systems/data of high value.
There is no requirement decided by the IMO. Competency requirements are found in the ISM Code and in the Maritime Labour Convention (Regulation 1.3). In addition we find it self-evident that there must be people with cyber security responsibility in the company and on board the vessels and communication between these in order to ensure ongoing compliance and continuous improvement. From the statutory perspective, it is up to the DoC Holder to develop measures needed.
Yes, in order to handle cyber security and cyber risk, we do expect you to have effective measures through your safety management system ensuring compliance on board. With the use of personal equipment by most, we do expect that all on board will be involved and have to be aware to some degree. In addition there will have to be crew members with special responsibilities for cyber security on board and to some degree that will also have to include the others. Where to draw the lines and set up the organization must be a part of the revision of the SMS which you must consider also noting the outcome of the performed risk assessment.
The tasks and responsibilities ashore and on board related to Safety Management is well defined in the ISM Code and should be defined in the vessels Safety Management System. A review of this in light of Cyber Security would be appropriate. .
The burden on officers is an ongoing concern and the IMO has a goal to consider the impact on operations and those on board when adopting new instruments and requirements. The plan has been to limit when possible. The requirements keep coming and we do expect them to continue to do so. Dialogues with authorities and representative organizations are recommended. When it comes to organization of work on board and Manning we reference IMO Resolution A1047(28) and the MLC Regulation 2.7 para 1. "Each [flag State] shall require that all ships that fly its flag have a sufficient number of seafarers employed on board to ensure that ships are operated safely, efficiently and with due regard to security under all conditions, taking into account concerns about seafarer fatigue and the particular nature and conditions of the voyage."
A "idiot proof" system is in most cases not achievable due to lack of practicability or costs. The most efficient way to protect the vessel is to provide aware crew, practicable policies/procedures and secure technology.
It is up to the DoC holder to implement measures needed to ensure compliance with requirements. Ensuring that people involved in the safety management activities have the necessary competence and support are also responsibilities for the DoC Holder. We do recommend that DoC Holders consider which positions are best placed to coordinate activities on board in addition to considering training and resources. In doing so we suggest you consider staff who already are responsible for critical equipment and/or systems where cyber security is deemed essential or staff who already hold key positions in the safety management system.
From the ISM/statutory perspective no. That said, there are requirements from ISM and the MLC that staff shall be qualified for their tasks. This allows the DoC Holders to develop and implement solutions (including through external providers) in order to handle their obligations.
Depending on the operation and complexity of the vessel it could be. Also remote support of certified IT personal could be sufficient for standard cargo and simpler vessels.
From the ISM Code it must be inferred that there has to be a person or persons on board responsible for handling the safety management systems measures on cyber security.
There is no requirement decided by the IMO. Competency requirements are found in the ISM Code and in the Maritime Labour Convention (Regulation 1.3). In addition we find it self-evident that there must be people with cyber security responsibility in the company and on board the vessels and communication between these in order to ensure ongoing compliance and continuous improvement. From the statutory perspective, it is up to the DoC Holder to develop measures needed.
Currently, we do not see as much sharing of cyber incidents as with other safety topics. However this is crucial for the industry and we recommend to share to increase overall industry resilience. This can be through sharing within smaller groups of companies working together, or through other stakeholders such as Intertanko, BIMCO, CSO Alliance, etc.
To monitor and detect cyber attacks on OT systems is a challenging task since they often do not have the capabilities in the system to detect malicious code and attacks. Compensating measures can be to perform regular antivirus scans of the system as part of planned maintenance and check security configuration or implement Intrusion Detection or Protection Systems (IDS/IPS) on the network.
The competency of involved staff ashore and on board is the primary defence against cyber risks and a primary source for utilizing opportunities for optimizing operations through digital solutions. We do encourage companies to consider this and to put in place needed measures to ensure staff have and maintain needed competence. Those involved in and those responsible for handling safety management measures must be trained in accordance with the ISM Code. In addition there are competence requirements in the Maritime Labour Convention, 3: 1. Seafarers shall not work on a ship unless they are trained or certified as competent or otherwise qualified to perform their duties.
Ownership, responsibility and authority by top management for the safety management systems including showing the value of safety management systems and the importance of staff ashore and on board is crucial. Involving and investing in staff so that they can actively contribute in development, implementation, use and follow up in a systematic plan, do, check and act (PDCA) is also crucial. In short when we place and show the high value and potential of the management systems, then others will as well.
There are different possibilities available including the DNV/Gard Cyber Security Awareness Video, DNVGL/Seagull E-Learning, class room training, emergency response drills, phishing email exercises, posters, etc. Key is to provide continuous training for general awareness and how to operate in a secure manner both during normal and emergency operations. Efforts should be directed to both avoid and respond to cyber attacks. For more information please contact our Maritime Academy (Link) :
There is no statutory requirement to have such certificates.
Yes, DNV has Certified Ethical Hackers who can support you in this task. (Link)