A new organisation has been formed to help shipping companies select bona fide cyber security professionals.
The International Maritime Cyber Security Organization (IMCSO) describes itself as a non-profit organisation with a remit to raise the standard of cyber security risk assessment across the shipping industry.
It said in a statement it has three roles: a certification programme for consultants, a register of qualified consultants and a database of assessment reports on vessels.
IMCSO chief executive Campbell Murray said the aim of the organisation is to give shipping companies the opportunity to select security audit personnel and know they will get audits that satisfy their own needs and those of their stakeholders, including insurance companies.
“A number of issues that we see repeatedly come up particularly around cyber security specialist organisations, which are outside of the class societies,” he said.
“They provide professional services because they are subject matter experts, but encounter a lot of difficulties, despite their skills, to get on the ship.
“We aim to create certification schemes that will allow existing cyber professionals to learn about and gain maritime-appropriate knowledge and etiquette and prove they have the technical knowledge to correctly take their existing cyber methodologies and prove they can apply that to maritime.
“Thus, the aim is to increase the size of the pool of available consultants to the maritime industry and get over one of the barriers, which is availability, and actually getting assessments done in a timely fashion and at a good price,” Murray said.
There are, he said, well over 100,000 cyber experts globally who have the skills to perform the required cyber risk surveys that shipowners will need under new regulations, but there are not the numbers currently with maritime competence.
“The IMCSO has not been formed to create standards or challenge standards, authority or class societies, but to enable the global body of cyber security professionals to have the set of standards to adhere to, to refer to, and create efficiencies, particularly around things like insurance and risk rating,” Murray said.
As well as registering suppliers and authorised consultants, IMCSO said it will build a risk register database containing the results of ship assessments and audits. This will allow companies to assess the cyber risk profile of any given vessel.
Murray said this registry will be housed on an existing platform used by many vessel owners, but declined to say which one.
“When we say cyber risk register, the information that will be available will be based on the principle of least privilege and the need to know. We are not going to be including full attack profiles and vulnerability information,” he said.
“However should a port, for example, wish to have an indication of the cyber risk profile of a ship before it comes in, they are already accessing this platform, and there is now some information about its cyber risk assessment.”