ASTM International - ASTM F3449-20
Standard Guide for Inclusion of Cyber Risks into Maritime Safety Management Systems in Accordance with IMO Resolution MSC.428(98)―Cyber Risks and Challenges
|Publication Date:||1 June 2020|
significance And Use:
5.1 ISM Code Requirement-In 1989, IMO adopted guidelines on management for the safe operation of ships and pollution prevention that is now the International Safety Management (ISM) Code that was... View More
5.1 ISM Code Requirement-In 1989, IMO adopted guidelines on management for the safe operation of ships and pollution prevention that is now the International Safety Management (ISM) Code that was made mandatory for ships trading on international waters through the International Convention for the Safety of Life at Sea, 1974 (SOLAS). In 1995, the IMO Assembly adopted the guidelines on implementation of the ISM Code by administrations by Resolution A.788(19). These guidelines were revised and adopted as Resolution A.913(22) in 2001. The guidelines were further revised and adopted as Resolution A.1022(26) in 2009 and entered into force on 1 July 2010.
5.1.1 ISM Code Purpose-The ISM Code is designed to improve the safety of international shipping and reduce pollution by encouraging self-regulation and oversight for identifying safety issues, taking corrective action, and promoting overall organization safety culture. The ISM Code establishes an international standard for the safe management and operation of ships and for the implementation of a SMS operating internationally.
5.1.2 ISM Code Intent-The intent of the ISM Code is to support and encourage the development of a safety culture in shipping by moving away from a culture of "unthinking" compliance with external rules toward a culture of "thinking" self-regulation of safety and the development of a "safety culture" that identifies safety issues and concerns and promotes proactive corrective actions. The safety culture involves moving to a culture of self-regulation with every individual from the top to the bottom empowered to ownership, responsibility, and action for improving and addressing safety.
5.2 Additional Applications-In addition to the ISM Code requirements, Flag States, industry organizations, and companies have initiated mandatory and nonmandatory SMS. All of these systems are being instituted to improve operational safety, identify safety issues, promote implementation of corrective actions, and improve overall organizational safety culture.
5.2.2 Limitation of Guide-This guide is not all encompassing but provides a foundation for starting the process by leveraging existing resource to address cybersecurity issues beginning with basic cyber hygiene and running all the way through nefarious intentional cyberattacks. This guide is interned to serve the entire maritime community but will be most beneficial to resource constrained organizations that may not have significant infrastructure or resources or both to secure comprehensive cybersecurity services and solutions.
5.2.3 Focus Topics for Applying the Guide-Considerations
1.1 This guide is designed to provide the maritime industry guidance, information, and options for incorporating cyber elements into safety management systems (SMS) in accordance with the International Safety Management (ISM) Code and other national (United States) and international requirements.
1.2 This guide will support U.S. maritime operating companies but is a guide only and does not recommend a specific course of action. However, this guide is to be used to improve cyber safety, address vulnerability, recommend and outline training, and raise knowledge and awareness of cyber threats by leveraging documented, auditable SMS mechanisms.
1.3 The purpose of this guide is to offer guidance, information, and options based on a consensus of opinions but not to establish a standard practice. Each organization shall evaluate their SMS, their information management systems at sea and ashore, and the level of cyber risk that exists within the organization to determine the best methods of compliance with the cybersecurity requirements of the ISM Code or other legal or self-imposed requirements or both.
1.4 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.
1.5 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.