At the recent Connecticut Maritime Association’s 2017 Shipping Conference, Coast Guard Rear Admiral Paul Thomas, Assistant Commandant for Prevention Policy, indicated that the U.S. has submitted a paper to International Maritime Organization (IMO) for consideration that makes the case for installation of governance over cyber risks as part of the Safety Management System (SMS) required by the IMO’s ISM Code. “ISM requires that SMS establish safeguards for all risks, and put in place procedures to ensure compliance with all requirements of the convention and domestic regulations. ISM specifically mentions computer systems, which we take to include control systems. Our paper suggests a timeline for port state control officers to verify that SMS do indeed address cyber risks.”
Soon after the Connecticut Maritime Associations Shipping Conference, the U.S. Coast Guard released its Port State Control 2106 Annual Report. Detainable deficiencies are ranked as follows:
It is interesting to note that International Safety Management (ISM) Code has risen from 10th in 1998, when it became mandatory for companies operating certain types of ships, to 2nd in 2016. In his February 2017 interview with Marine News, Admiral Thomas indicated that the Agency is working hard to update ISM requirements in both regulation and guidance.
To mitigate the risk of critical cyber systems, new Coast Guard ISM requirements may include the following:
- Designated person responsible for Cyber Risk Management (CRM);
- Corporate structure to address CRM;
- Training requirements based on access to cyber systems; and
- Corporate and shipboard procedures for operations and maintenance of critical cyber systems.
Does your SMS have these components? How effective is your implementation?
Meridian.us can help your organization improve the effectiveness of your ISM Code compliance and cyber risk management.