Maritime Cybersecurity: From IMO Compliance To Truly Resilient Fleets

As ships, ports, and shoreside offices become more connected, cyber risk is now firmly a safety and business continuity issue—not just an IT problem. The IMO has made cyber risk management mandatory as part of the Safety Management System (SMS), and classification societies and industry bodies have followed with detailed requirements and practical guidelines. For owners, charterers, and managers, the question is no longer “if” cyber risk applies, but “how mature and integrated” their cyber programme really is.

This article explains how the main maritime cyber frameworks fit together—IMO guidelines, NIST CSF, ISO 27001, IACS UR E26/E27, and the joint industry “Guidelines on Cyber Security Onboard Ships”—and how they can be turned into a practical strategy for fleets and port operations.


1. IMO Cyber Risk Requirements: The Regulatory Backbone

The IMO’s Maritime Cyber Risk Management guidance (MSC-FAL.1-Circ.3-Rev.3) sets the expectation that cyber risks should be addressed in the ISM Code SMS in the same way as other safety risks. Resolution MSC.428(98) then requires that cyber risk management be appropriately incorporated into existing safety management systems.

Key points that matter in practice:

  • Cyber risk must be treated as part of safety management, not a separate IT policy.
  • Companies are expected to identify, assess, and manage cyber risks related to critical shipboard and shore-based systems through the SMS.
  • Compliance is verified through DOC/SMC audits and ISM audits, which increasingly include cyber-related questions and evidence checks.

The IMO does not prescribe a single framework; instead, it references generic risk management concepts and encourages the use of industry standards such as NIST CSF 2.0, ISO 27001, and sector-specific guidelines.


2. Industry “Guidelines On Cyber Security Onboard Ships”

To translate IMO expectations into shipboard reality, several organisations—ICS, BIMCO, INTERCARGO, INTERTANKO, OCIMF and others—publish the Guidelines on Cyber Security Onboard Ships, now in their fifth major iteration.

These guidelines are important because they:

  • Provide a structured process: identify systems, assess risks, implement technical and procedural controls, train crew, and prepare for incidents.
  • Link cyber risks directly to specific shipboard systems: navigation (ECDIS, GPS), propulsion control, cargo and ballast systems, communications, and business IT.
  • Emphasise crew awareness, access control, secure use of removable media, vendor access management, and incident response drills.

For a shipping company, this document is essentially the “bridge” between high-level IMO expectations and daily onboard practices, and it is widely referenced in vetting inspections and TMSA audits.


3. NIST Cybersecurity Framework: The Reference Model

The NIST Cybersecurity Framework (CSF) is not maritime-specific but has become the de facto reference architecture for cyber risk management globally, and IMO material and maritime commentators explicitly reference it as a suitable model. The current NIST CSF organises activities into functions such as Identify, Protect, Detect, Respond, and Recover, with Govern added as an overarching function in CSF 2.0.

In a shipping context, NIST CSF can be used to:

  • Identify: Map assets like ECDIS, VDR, engine control, cargo systems, and shore IT to business processes and risk impacts.
  • Protect: Implement access controls, network segmentation, hardening of OT systems, and crew training aligned with industry guidelines.
  • Detect: Deploy monitoring, logging, and anomaly detection on both ship and shore networks.
  • Respond: Define playbooks for malware infections, data breaches, or loss of critical systems, integrated into the shipboard emergency procedures and company crisis plans.
  • Recover: Plan for restoration and learning, including backup strategies and post-incident reviews that feed back into the SMS.

Because NIST CSF is modular, many maritime cyber programmes structure their policies and controls around its functions and subcategories, then cross-map them to IMO, ISM, and the joint industry guidelines.


4. ISO/IEC 27001: Information Security Management For Shipping Companies

ISO/IEC 27001 specifies requirements for an Information Security Management System (ISMS) and is widely used by shipping companies, managers, and port operators to demonstrate structured control over information security risks. It is often used in combination with IMO cyber guidance and NIST CSF as a certification framework for shore-based operations.

In a maritime context, ISO 27001 helps to:

  • Establish governance: roles, responsibilities, and top management commitment for cyber and information security.
  • Formalise risk assessment, control selection, and continuous improvement through internal audits and management reviews.
  • Provide a recognised certification that can be referenced to charterers, financiers, and insurers as evidence of maturity.

Some vendors and advisory firms explicitly link IMO 2021 cyber compliance expectations with 27001-style ISMS structures, allowing a more integrated approach across ship and shore.


5. IACS UR E26 & E27: Cyber Resilience Built Into Ships

While IMO and industry guidelines focus on operations and management systems, the International Association of Classification Societies (IACS) has issued Unified Requirements UR E26 and UR E27 to address cyber resilience in ship design and onboard systems.

  • UR E26 – Cyber Resilience of Ships sets requirements for the ship as a whole, ensuring that cyber risks to essential services (navigation, propulsion, power, steering, etc.) are identified and mitigated through design and integration.
  • UR E27 – Cyber Resilience of Onboard Systems and Equipment defines requirements for OT systems and equipment delivered by vendors, including secure-by-design principles, authentication, logging, and protection against unauthorised changes.

These requirements apply to newbuilds contracted from 2024 onwards and are being incorporated into class rules, with societies such as ClassNK, ABS, and DNV providing additional guidelines and explanatory documents. For owners, this means that cyber resilience is no longer just an operational add-on; it is increasingly embedded in vessel design and equipment procurement.


6. Class Society Guidance And Vetting Expectations

Classification societies have published their own maritime cyber security regulations and guidance, often integrating IMO, NIST, ISO, and IACS requirements into practical rule sets and services.

Examples include:

  • DNV’s overview of maritime cyber security regulations, explaining how IMO, IACS UR E26/E27, and other requirements are implemented across ship design, construction, and operation.
  • ClassNK’s “Guidelines for Cyber Resilience of Ships,” which detail risk assessment methods, technical measures, and verification processes to meet UR E26/E27 and related expectations.

In parallel, vetting and industry programmes such as TMSA and OCIMF documents include cyber security elements, linking operational performance and charterer acceptance to robust cyber practices.


7. Practical Tools: Workbooks And National Resources

The frameworks above can sometimes feel abstract, which is why practical tools are increasingly used onboard:

  • The BIMCO “Cyber Security Workbook for On Board Ship Use” provides checklists, forms, and step-by-step guidance for masters and crew to implement daily cyber hygiene and response procedures on board.
  • The US Coast Guard Maritime Cybersecurity Resource site aggregates cyber advisories, best practices, and incident reporting guidance for vessels and facilities trading to or from US ports.

These resources help turn high-level requirements into operational routines that crews can actually use in real time, particularly in mixed IT/OT environments.


8. Building A Coherent Cyber Programme For A Fleet

For a shipping company or marine service provider, “doing cyber” well means integrating these layers rather than treating them as separate checklists:

  1. Set governance and scope
    • Use ISO 27001 or similar principles for shore-based governance and risk management.
    • Align the cyber risk management process with the ISM Code SMS to meet IMO expectations.
  2. Adopt a reference model
    • Use NIST CSF as the backbone for structuring policies, procedures, and technical controls.
    • Map CSF functions to shipboard practices using the “Guidelines on Cyber Security Onboard Ships.”
  3. Integrate ship design and procurement
    • For newbuilds and major retrofits, ensure that class rules and IACS UR E26/E27 requirements are included in specifications and vendor contracts.
  4. Operationalise on board
    • Implement crew training, access management, secure USB practices, vendor remote access controls, and incident drills following the industry guidelines and the BIMCO workbook.
  5. Monitor, test, and improve
    • Conduct periodic cyber risk assessments and technical testing (e.g., vulnerability assessments) aligned with NIST and class guidance.
    • Feed lessons learned back into the SMS, management reviews, and future vessel specifications.

“Request Agency Support” or “Book A Survey Today” – To discuss how these new recommendations affect your fleet, or to arrange a survey during your next Singapore call, please reach out to our experts at surveys@sgmarineagency.com or Book Service/Survey via our Contacts page.
