 
This publication outlines the technical requirements needed to produce cyber resilient ships. It consolidates IACS’ previous 12 recommendations on cyber resilience.
These recommendations outline the technical requirements needed to ensure that ships are cyber resilient and have the capability to cope with cyber incidents that may occur on board.
They provide guidance on risk mitigation and are designed to ensure that the design, integration and/or maintenance of computer based systems support secure operations and protect against unauthorised access. Topics covered include:
- reference guidelines and standards
- terms and definitions
- goals for design and construction
- functional and technical requirements
- verification testing.
These recommendations support IMO Resolution MSC.428(98) ‘Maritime Cyber Risk Management in Safety Management Systems’.
The purpose of this Recommendation is to provide technical requirements for stakeholders that lead to the delivery of cyber resilient ships, whose resilience can be maintained throughout service life.
Resilience, in this context, is meant as a characteristic that provides crew and ships with the capability to effectively cope with cyber incidents occurring on computer based systems on board, which contribute to the operation and maintenance of the ship in a safe condition. The most effective method of dealing with an incident is to prevent it ever happening. Therefore, in this context ‘prevention’ is more important than ‘cure’.
It is intended that recommendations herein provide guidance for mitigating the risk related to events affecting onboard computer based systems, recognising that, if no measures are implemented, such events could potentially affect human safety, the safety of the ship and/or present a threat to the marine environment.
The intent of this Recommendation is to ensure that design, integration and/or maintenance of computer based systems supports secure operations and provides a means to protect against unauthorised access, misuse, modification, destruction or improper disclosure of the information generated, archived or used in onboard computer based systems or transported in the networks connecting such systems.
This Recommendation seeks to support IMO Resolution MSC.428(98) (June 2017): ‘Maritime Cyber Risk Management in Safety Management Systems’, which requires cyber risks to be addressed in safety management systems by 1 January 2021, based on MSC-FAL.1/Circ.3 (June 2017): ‘Guidelines on Maritime Cyber Risk Management’.
Chapter 1: Introduction
Chapter 2: Scope
Chapter 3: Reference Guidelines and Standards
Chapter 4: Terms and Definitions
Chapter 5: Goals for Design and Construction
Chapter 6: Functional Requirements
Chapter 7: Technical Requirements
Chapter 8: Verification Testing
Appendices:
Appendix A: Detailed List of Standards
Appendix B: Documents Referred to in Recommendation
Appendix C: Mapping of Sub Goals to Technical & Verification Requirements
Annex A: Guidance on Operational Aspects Addressed in Recommendations
Reference List
IACS
Dedicated to safe ships and clean seas, IACS makes a unique contribution to maritime safety and regulation through technical support, compliance verification and research and development. More than 90% of the world's cargo carrying tonnage is covered by the classification design, construction and through-life compliance rules and standards set by the twelve Member Societies of IACS.
IACS is a not for profit membership organisation of classification societies that establishes minimum technical standards and requirements that address maritime safety and environmental protection and ensures their consistent application. It carries out this responsibility through its panels, expert groups and project teams and provides a Quality System Certification Scheme (QSCS) that its Members comply with, as an assurance of professional integrity and maintenance of high professional standards. IACS is recognized as the principal technical advisor of IMO.
- Number of Pages: 86
- ISBN: 9781856099424
- Binding Format: Paperback
- Book Height: 297 mm
- Book Width: 210 mm
- Weight: 0.7 kg
- Author: IACS
- Published Date: August 2020
- Preview: Yes
- Publication Date: August 2020
 Witherbys.com