Cybersecurity assessment methodology released for ships seeking to join the IMCSO Cyber Risk Registry

The International Maritime Cyber Security Organisation (IMCSO), an independent maritime standards organisation, has today released its cybersecurity testing methodology for those maritime vessels looking to assess their risk and join the Cyber Risk Registry, a risk register database maintained by the IMCSO. The methodology aims to provide IMCSO accredited cyber consultants and the senior maritime personnel they will be assessing with standardised testing by outlining test scope and the language to be used to ensure tests are planned, executed and reported effectively. 

“Currently there is no standard in the maritime sector for governing the quality of cyber risk assessments. This methodology will set a precedent by providing a set of criteria that assessors must observe when on engagement and against which maritime security can be measured. It is a very big step forward in normalising both expectations and requirements in the maritime space,” said Campbell Murray, CEO at the IMCSO.   

The methodology stipulates the conditions under which the cybersecurity assessments will be carried out. It acts as a legal and practical guide for cybersecurity practitioners who must adhere to the standards as a condition of their inclusion on the approved suppliers list, otherwise known as the Certified Supplier Registry, held by the IMCSO. The Captain and crew undergoing the assessment will also be required to abide by the methodology and undergo pre-assessment training to become cyber ready in order to better understand the process and its findings. 

Testing will assess security across ten categories under the umbrella term of Operational Technology (OT) i.e. the hardware and software needed to monitor and control the physical processes of the ship. These include navigation, propulsion, electrical systems, communication, safety systems, cargo handling, environmental systems, and maintenance systems, human factors, and regulatory and compliance issues. The assessment may be carried out at sea, onshore or a combination of the two. Currently, the only OT standards available to the sector are those associated with the manufacturing industry and very few directly assess OT. 

In addition, it can often be difficult for shipping companies to objectively assess their OT suppliers, as Murray explains: “Third parties and the shipping companies share a dependency, with joint goals and integrated operations. Yet, with supply chain attacks on the rise, they represent a real risk to operations. This can strain the relationship but by applying a systematic approach through a standardised risk assessment, the company can rely upon the process to vet the cybersecurity posture of their suppliers for them.”

 Key components of the IMCSO security testing methodology include:

Pre-Requisites: Rules of engagement, authorisation, scope of work, objectives, zones of testing.

Scope of Work: Outlines the project details and goals, signed by both parties.

Rules of Engagement: Guidelines for testing, including permitted hours and restrictions.

Authorisation and Legal Considerations: Compliance with laws and written stakeholder approval.

Testing Methodology: The approach used (e.g., black-box, white-box).

Deliverables: Expected outputs, such as reports and recommendations.

Timelines: Start and end dates, with key milestones.

Communication Plan: Points of contact and reporting protocols.

Risk Management and Contingency Planning: Plans to mitigate potential risks like downtime or data loss.

Confidentiality and Data Handling: Protecting sensitive data and results

Testing Activity: Performed by qualified personnel, with prompt reporting of critical issues.

Reporting: Clear and categorised reporting of security findings, including solutions.

Report Delivery: Secure and confidential delivery of the final report.

Reports will take a practical approach with clear recommendations made in response to any of security issues or vulnerabilities. Outputs will be standardised under the methodology using qualitative metrics and this consistency will ensure the results for each vessel are comparable. The results will be used to profile the cyber risk of the vessel, the status of which will be recorded in the Cyber Risk Registry. 

Shipowners are sensitive about sharing their vessel’s data. The Cyber Risk Registry will serve as a valuable resource for stakeholders and relevant parties, including port authorities, insurance companies, and association partners, by providing insights into cyber risk trends within the maritime sector. Additionally, it will support the broader industry—including the IMO, shipbuilders, management companies, and industry associations—by offering a trusted registry of vendors, qualified practitioners, and service providers to help vessels strengthen their cyber resilience and mitigate risks effectively.