BV issues Rules on Cyber Security for the Classification of Marine Units

Classification society Bureau Veritas has issued the Rules on Cyber Security for the Classification of Marine Units.

This document was published on January 1st, 2023.

Application

These rules apply to design, construction, installation and maintenance of computer based systems (CBS) which rely on software for the achievement of their functions.

The requirements focus on the functionality of the software and on the hardware supporting the software.

These requirements apply to the use of IT (Information Technologies) and OT (Operational Technologies), computer based systems which provide, communicate or transport control, alarm, monitoring, safety or internal communication functions which are subject to classification requirements.

In addition, the Shipowner may specify other IT or OT systems to be included in the scope of the notation.

These rules apply to either new buildings or ships in-service as detailed in [1.2].

Cyber risk assessment

Based on the Target of Evaluation (defined in Sec 2) and the Criticality Assessment (defined in Sec 3), a Cyber Risk Assessment is to be performed.

A methodology is proposed with a standard template detailed in Sec 5.

This template and associated methodology may be used by the Shipowner to perform the Risk Assessment by himself.

This assessment can also be performed by a third party contributor applying a recognized methodology.

Assignment and maintenance of a classification notation

A ship may be granted one of the following notations defined in [1.2]:

  • CYBER MANAGED, when found in compliance with the requirements of Chapter 2
  • CYBER SECURE, when found in compliance with the requirements of Chapter 3
  • CYBER RESILIENT, when found in compliance with the requirements of Chapter 4.

The scope of survey and the requirements to be verified for the maintenance of the additional class notations CYBER MANAGED and CYBER SECURE are detailed in Chapter 5.

The scope of survey and the requirements to be verified for the maintenance of the additional class notation CYBER RESILIENT are detailed in Ch 4, Sec 2, [12].

Type Approval of equipment and systems

The certification requirements for equipment and systems are detailed in Ch 3, Sec 5; Ch 3, Sec 6; Ch 3, Sec 7; and Ch 4, Sec 3.

Classification notation

The additional class notations CYBER MANAGED, CYBER RESILIENT and CYBER SECURE may be assigned to ships or offshore units fitted with equipment and networks which comply with the requirements of this Rule Note:

  • The additional class notation CYBER MANAGED, defined in [1.2.2], may be assigned to new ships and existing ships.
  • The additional class notation CYBER SECURE, defined in [1.2.3], may be assigned to new ships only.
  • The additional class notation CYBER RESILIENT, defined in [1.2.4], may be assigned to new ships only.

CYBER MANAGED

The CYBER MANAGED notation corresponds to a first level of cyber security for new ships and existing ships. It requires human awareness, human organization and procedures.

Note 1: Requirements for granting the CYBER MANAGED notation seek to support IMO Resolution MSC.428(98) (June 2017): “Maritime Cyber Risk Management in Safety Management Systems”, which requires cyber risks to be addressed in safety management systems by 1 January 2021, based on MSC-FAL.1/Circ.3 (June 2017): “Guidelines on Maritime Cyber Risk Management”.

The CYBER MANAGED notation corresponds to compliance with a set of requirements defined in Chapter 2 and dealing with:

  • critical equipment
  • cyber management
  • crew training
  • remote access, and
  • change management.

CYBER SECURE

The CYBER SECURE notation is defined for ships secured by design.

For new ships, the CYBER SECURE notation requirements are defined in Chapter 3 and deal with:

  • equipment hardening and
  • vessel secure by design.

The additional class notation is completed with a construction mark ({ or [ or µ) in accordance with NR467 Rules for the Classification of Steel Ships, Pt A, Ch 1, Sec 2, [3].

Note 1: CYBER SECURE notation requests more stringent requirements than CYBER RESILIENT notation.

CYBER RESILIENT

CYBER RESILIENT may be assigned to ships complying with the minimum requirements defined in Chapter 4 regarding ship resilience when dealing with cyber-attacks.


For more information, please see the documents below (available only to subscribers):



RELEVANT DOCUMENTS:

Rules on Cyber Security for the Classification of Marine Units

MSC.428(98): Maritime Cyber Risk Management in Safety Management Systems