Overview
This single, standalone Recommendation consolidates IACS’ previous 12 Recommendations related to cyber resilience (Nos. 153 to 164) and applies to the use of computer-based systems which provide control, alarm, monitoring, safety or internal communication functions which are subject to the requirements of a Classification society.
This new recommendation is applicable to a vessel’s network systems using digital communication to interconnect systems within the ship and ship systems which can be accessed by equipment or networks off the ship.
This Recommendation has benefited from the valuable input of a wide range of industry partners contributing via the Joint Industry Working Group on Cyber Systems and covers the constructional aspects of the 12 previously published Recommendations. It provides information on matters such as reference guidelines and standards, terms and definitions, goals for design and construction, functional requirements, technical requirements and verification testing.
The purpose of this recommendation is to provide technical requirements to stakeholders that would lead to delivery of cyber resilient ships, whose resilience can be maintained throughout their service life.
Resilience, in this context, is meant as a characteristic that provides crew and ships with the capabilities to effectively cope with cyber incidents occurring on computer based systems onboard, which contribute to the operation and maintenance of the ship in a safe condition. The most effective method of dealing with an incident is to prevent it ever happening so, in this context ‘prevention’ is even more important than ‘cure’.
It is intended that requirements herein provide guidance for mitigating the risk related to events affecting onboard computer based systems, recognising that, if no measures are implemented, such events could potentially affect human safety, the safety of the vessel and/or the threat to the marine environment.
The recommendation intends to ensure that design, integration and/or maintenance of computer based systems support secure operation and provide a means to protect against unauthorized access, misuse, modification, destruction or improper disclosure of the information generated, archived or used in onboard computer based systems or transported in the networks connecting such systems.
This recommendation seeks to support IMO Resolution MSC.428(98) (June 2017): ‘Maritime Cyber Risk Management in Safety Management Systems’, which requires cyber risks to be addressed
Content
CHAPTER 1 Introduction
1.1 Purpose of the Recommendation
1.2 Overview of the Recommendation Structure
1.3 How to Use This Recommendation
CHAPTER 2 Scope
CHAPTER 3 Reference Guidelines and Standards
CHAPTER 4 Terms and Definitions
CHAPTER 5 Goals for Design and Construction
CHAPTER 6 Functional Requirements
6.1 Introduction
6.2 Identify (I)
6.3 Protect (P)
6.4 Detect (D)
6.5 Respond (R)
6.6 Recover (RC)
CHAPTER 7 Technical Requirements
7.1 Asset Identification
7.2 Communication and Interfaces
7.3 Network
7.4 Computer Based System Physical Access Control
7.5 Software Assurance
7.6 Remote Access (from locations not on board the ship)
7.7 Data Quality
7.8 System Recovery
CHAPTER 8 Verification Testing
8.1 Asset Identification
8.2 Communication and Interfaces
8.3 Network
8.4 Computer Based Systems Physical Access Control
8.5 Software Assurance
8.6 Remote Access (from locations not on board the ship)
8.7 Data Quality
8.8 System Recovery
Appendix
Appendix A Detailed List of Standards
Appendix B Documents Referred to in Recommendation
Appendix C Mapping of Sub Goals to Technical & Verification Requirements
Annexure
Annex A Guidance on Operational Aspects Addressed in Recommendations
Reference List
Introduction
1.1 Purpose of the Recommendation
1.1.1 The purpose of this Recommendation is to provide technical requirements for stakeholders that lead
to the delivery of cyber resilient ships, whose resilience can be maintained throughout service life.
1.1.2 Resilience, in this context, is meant as a characteristic that provides crew and ships with the
capability to effectively cope with cyber incidents occurring on computer based systems on board,
which contribute to the operation and maintenance of the ship in a safe condition. The most
effective method of dealing with an incident is to prevent it ever happening. Therefore, in this context
‘prevention’ is more important than ‘cure’.
1.1.3 It is intended that recommendations herein provide guidance for mitigating the risk related to events
affecting onboard computer based systems, recognising that, if no measures are implemented, such
events could potentially affect human safety, the safety of the ship and/or present a threat to the
marine environment.
1.1.4 The intent of this Recommendation is to ensure that design, integration and/or maintenance of
computer based systems supports secure operations and provide a means to protect against
unauthorised access, misuse, modification, destruction or improper disclosure of the information
generated, archived or used in onboard computer based systems or transported in the networks
connecting such systems.
1.1.5 This Recommendation seeks to support IMO Resolution MSC.428(98) (June 2017): ‘Maritime Cyber
Risk Management in Safety Management Systems’, which requires cyber risks to be addressed
in safety management systems by 1 January 2021, based on MSC-FAL.1/Circ.3 (June 2017):
‘Guidelines on Maritime Cyber Risk Management.
Details
Title: Recommendation on Cyber Resilience
Series Details: Rec No. 166
Number of Pages: 86
Product Code: WS1808K
ISBN: ISBN 13: 978-1-85609-942-4
Published Date: August 2020
Binding Format: Paperback
Book Height: 297 mm
Book Width: 210 mm
Book Spine: 5 mm
Weight: 0.50 kg
Author: IACS