The International Maritime Cyber Security Organisation (IMCSO) has released a cybersecurity testing methodology for maritime vessels seeking to evaluate their cyber risk and join the IMCSO’s Cyber Risk Registry.

The methodology defines the scope, structure, and reporting framework of cybersecurity tests, establishing a standardised approach for IMCSO-accredited cyber consultants and senior maritime personnel so that assessments are conducted consistently and effectively.


“Currently, there is no universally accepted standard within the maritime sector for assessing cybersecurity risk. This methodology will change that by providing clear criteria for assessors to follow during engagements, offering a benchmark against which maritime cybersecurity can be measured,” said Campbell Murray, CEO of IMCSO.

“It marks a significant step forward in aligning expectations and requirements across the industry.”

A comprehensive framework for cybersecurity assessments

The methodology outlines the conditions under which cybersecurity assessments must be performed.

It serves as both a legal and operational guide for cybersecurity professionals, who must adhere to these standards to be listed on IMCSO’s Certified Supplier Registry—an approved directory of service providers.


Additionally, the ship’s captain and crew undergoing assessment are required to complete pre-assessment training, equipping them with the necessary knowledge to understand the evaluation process and its outcomes.

Testing will focus on ten key categories under the umbrella term of Operational Technology (OT), which consists of the essential hardware and software used to monitor and control a ship’s physical processes.

These categories are:

  • Navigation
  • Propulsion
  • Electrical Systems
  • Communication
  • Safety Systems
  • Cargo Handling
  • Environmental Systems
  • Maintenance Systems
  • Human Factors
  • Regulatory and Compliance Issues

Assessments can be conducted at sea, onshore, or through a combination of both. Existing OT cybersecurity standards primarily cater to the manufacturing industry; very few directly address maritime OT, leaving a significant gap in risk management.

Another challenge within the sector is the difficulty shipping companies face in objectively evaluating their OT suppliers. As Murray explains: “Third parties and the shipping companies share a dependency, with joint goals and integrated operations.

“Yet, with supply chain attacks on the rise, they represent a real risk to operations. This can strain the relationship but by applying a systematic approach through a standardised risk assessment, the company can rely upon the process to vet the cybersecurity posture of their suppliers for them.”

Key elements of the IMCSO cybersecurity testing methodology

The IMCSO testing methodology includes:

  • Pre-Requisites: Rules of engagement, authorisation, scope of work, objectives, zones of testing.
  • Scope of Work: Outlines the project details and goals, signed by both parties.
  • Rules of Engagement: Guidelines for testing, including permitted hours and restrictions.
  • Authorisation and Legal Considerations: Compliance with laws and written stakeholder approval.
  • Testing Methodology: The approach used (e.g., black-box, white-box).
  • Deliverables: Expected outputs, such as reports and recommendations.
  • Timelines: Start and end dates, with key milestones.
  • Communication Plan: Points of contact and reporting protocols.
  • Risk Management and Contingency Planning: Plans to mitigate potential risks like downtime or data loss.
  • Confidentiality and Data Handling: Protecting sensitive data and results.
  • Testing Activity: Performed by qualified personnel, with prompt reporting of critical issues.
  • Reporting: Clear and categorised reporting of security findings, including solutions.
  • Report Delivery: Secure and confidential delivery of the final report.

Standardised reporting and the Cyber Risk Registry

All assessment reports will follow a structured format using qualitative metrics to ensure consistency and comparability across vessels. These reports will be instrumental in profiling a vessel’s cyber risk, with its status recorded in the Cyber Risk Registry.

Given the sensitivity of vessel data, the Cyber Risk Registry is designed as a trusted resource for industry stakeholders, including port authorities, insurers, and maritime associations.

It will also provide valuable insights into cybersecurity trends, assisting organisations such as the International Maritime Organisation (IMO), shipbuilders, fleet management companies, and industry regulators in strengthening cyber resilience across the sector.