Key Takeaways
- The risk assessment is foundational: asset inventory, controls, training, incident plan and audit evidence all flow from it.
- The IMO framework maps to NIST CSF: Identify, Protect, Detect, Respond, Recover, as set out in MSC-FAL.1/Circ.3.
- Five steps drive the method: identify assets and threats, identify vulnerabilities, assess likelihood and impact, select controls, document residual risk.
- A maritime severity overlay matters: a Safety-Impacting finding outranks an IT-only finding even at the same CVSS score.
- It must be a living document: reviewed at least annually and on any significant change, not filed once and forgotten.
- BIMCO is the practical companion: the BIMCO Guidelines give the methodology that turns the IMO requirement into a workable assessment.
Why the Risk Assessment Is the Foundation
Every other element of a maritime cyber programme depends on the risk assessment. The asset inventory is built during it. The selection of controls is justified by it. The training programme targets the risks it identifies. The incident response plan prioritises the scenarios it surfaces. And when a flag state or class auditor arrives, the risk assessment is the first document they ask for, because it is the evidence that the shipowner has actually thought about cyber risk rather than simply bought some products.
This is why a thin or generic risk assessment fails so visibly. An assessment that lists a handful of obvious risks with no asset detail, no methodology and no link to the controls actually deployed tells an auditor that the work was not really done. By contrast, a well-built assessment reads as a management tool: it shows the assets, reasons about the threats to each, evaluates the vulnerabilities, scores the risk, maps each significant risk to a control, and states the residual risk the company has chosen to accept. That document stands up in an audit, informs investment decisions, and gives the master and the designated person ashore a clear picture of where the real exposure lies.
The IMO framework does not prescribe a single methodology. It requires risk-based cyber management and points to the NIST Cybersecurity Framework functions. The shipowner is free to choose how to conduct the assessment, provided the result is genuine, documented and maintained. The method below is the one Codesecure uses, aligned to the IMO functions and the BIMCO Guidelines.
The IMO Functional Framework
MSC-FAL.1/Circ.3, the IMO Guidelines on Maritime Cyber Risk Management, frames the whole subject around five functional elements borrowed directly from the NIST Cybersecurity Framework. These five functions give the risk assessment its structure and give the auditor a checklist of what the shipowner should be able to demonstrate.
The five functions are not sequential phases so much as ongoing capabilities, each of which the risk assessment should address for every significant asset. A complete assessment can show, for each high-criticality system, how the company identifies it and its risks, how it protects it, how it would detect a problem, how it would respond, and how it would recover.
- Identify: vessel and shore asset inventory, threat assessment, vulnerability assessment, vendor identification, criticality rating of each system
- Protect: technical controls such as segmentation, hardening and patching; administrative controls such as access management and training; physical controls such as USB and removable-media handling
- Detect: monitoring of vessel and shore systems for anomalies, integrity checks on bridge systems, log review and alerting
- Respond: documented incident response plan, vessel-to-shore communication protocols during an incident, clear recovery decision authority
- Recover: backup of safety-critical systems, restoration testing, post-incident review feeding back into the Safety Management System
The Five-Step Assessment Method
The practical assessment proceeds in five steps that turn the IMO functions into a concrete, repeatable exercise. Each step produces an output that feeds the next, and the whole sequence is documented so the reasoning is visible to an auditor or a successor.
Step 1: Identify Assets and Threats
Build the asset inventory for the vessel: bridge systems such as ECDIS, AIS, GMDSS and GPS; engine and machinery monitoring; cargo, ballast and scrubber control where present; communication systems including satcom and any 5G or 4G links; and the crew and ship-office IT. For each asset record the vendor, version, network location and a criticality rating. Then identify the credible threats to each asset class, from malware on update media to spoofing of position sources to a compromised vendor remote-access path. The threat picture is informed by industry incident data, flag state advisories and the vessel's own trade pattern and geography.
Step 2: Identify Vulnerabilities
For each asset, identify the weaknesses that a threat could exploit: unsupported operating systems, missing patches, default credentials, flat network segments, unverified update workflows, exposed management interfaces, and weak USB and removable-media controls. This step is where a technical assessment or a vessel pentest adds the most value, because it replaces assumption with observation. The network as drawn is rarely the network as built, and the vulnerabilities are usually in the gap between the two.
Step 3: Assess Likelihood and Impact
For each credible threat-vulnerability pairing, assess how likely it is to occur and how severe the consequence would be. Likelihood draws on the exposure of the asset, the difficulty of the attack and the threat environment. Impact is assessed across safety, operations, environment and business. A maritime assessment weights safety and environmental impact heavily, because a cyber failure that endangers the vessel, the crew or the marine environment is in a different category from one that merely disrupts office IT. The output is a prioritised risk register.
Step 4: Select and Map Controls
For each significant risk, select the controls that reduce it to an acceptable level, drawing on the IMO Protect, Detect, Respond and Recover functions and the BIMCO control areas. Map each control to the risk it addresses so the linkage is explicit. Controls span people, process and technology, and the people-and-process controls, such as training, USB discipline and vendor management, frequently deliver more risk reduction per unit of cost than the technology controls.
Step 5: Document Residual Risk and Review
After controls are applied, document the residual risk that remains and have the appropriate authority formally accept it. State the review cadence, at minimum annually and on any significant change, and define what triggers a reassessment. This final step turns the assessment from a snapshot into a living management tool with an owner, a review schedule and a clear record of accepted risk.
The Maritime Severity Overlay
Standard cyber severity scoring, such as CVSS, was designed for enterprise IT and does not natively capture what matters most at sea: the safety consequence. A vulnerability that would be a moderate finding in a corporate network can be a critical finding on a vessel if it touches a safety-relevant system, and conversely a high CVSS score on an isolated crew-welfare system may be a low priority in the maritime context.
For this reason a maritime risk assessment benefits from a severity overlay that sits alongside the technical score. A simple and effective overlay classifies each finding as Safety-Impacting, Operations-Impacting or IT-Only. A Safety-Impacting finding is one that affects, or could credibly affect, navigation, propulsion, steering, communications, cargo safety or pollution prevention. An Operations-Impacting finding disrupts vessel operations without a direct safety consequence. An IT-Only finding is confined to vessel or shore IT with no operational or safety effect.
This overlay does real work. It lets the master and the designated person ashore read the risk register the same way the technical team reads the CVSS scores, it drives the prioritisation of remediation toward the findings that matter most at sea, and it aligns the risk assessment with the incident classification used in the response plan. A finding rated Safety-Impacting in the risk assessment becomes a Tier 1 incident in the response plan, giving the whole programme a consistent language for severity.
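As an added example (not from the article or from Codesecure), the following Python models steps 3 to 5 of the method above together with the severity overlay: a small risk register in which a Safety-Impacting finding is ordered ahead of an IT-Only finding that carries a higher CVSS score, and in which each risk carries its mapped controls and the residual risk to be accepted. The impact weights, the control-effect fraction and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Overlay: Safety-Impacting > Operations-Impacting > IT-Only, whatever the CVSS score says.
OVERLAY_RANK = {"Safety-Impacting": 3, "Operations-Impacting": 2, "IT-Only": 1}
INCIDENT_TIER = {"Safety-Impacting": 1, "Operations-Impacting": 2, "IT-Only": 3}
# Assumed weighting model: safety and environment count three times business impact.
IMPACT_WEIGHTS = {"safety": 3.0, "environment": 3.0, "operations": 1.5, "business": 1.0}


@dataclass
class Finding:
    asset: str
    threat: str
    vulnerability: str
    cvss: float
    likelihood: int                  # 1 (rare) .. 5 (expected)
    impact: dict                     # impact category -> 1 .. 5
    overlay: str                     # one of the OVERLAY_RANK keys
    controls: list = field(default_factory=list)  # controls mapped to this risk (step 4)
    control_effect: float = 0.0      # assumed fraction of inherent risk the controls remove


def inherent_risk(f: Finding) -> float:
    """Step 3: likelihood times the worst weighted impact across the categories."""
    worst = max(f.impact.get(cat, 0) * w for cat, w in IMPACT_WEIGHTS.items())
    return f.likelihood * worst


def residual_risk(f: Finding) -> float:
    """Step 5: risk left after the mapped controls; this is the figure formally accepted."""
    if f.controls and not 0.0 < f.control_effect <= 1.0:
        raise ValueError(f"{f.asset}: controls mapped without a stated effect")
    return inherent_risk(f) * (1.0 - f.control_effect)


def prioritise(register: list) -> list:
    """Maritime ordering: overlay class first, then CVSS, then weighted inherent risk."""
    return sorted(register, key=lambda f: (OVERLAY_RANK[f.overlay], f.cvss, inherent_risk(f)),
                  reverse=True)


def incident_tier(f: Finding) -> int:
    return INCIDENT_TIER[f.overlay]  # a Safety-Impacting finding is a Tier 1 incident


# Constructed sample register; illustrative findings, not from any real vessel.
SAMPLE_REGISTER = [
    Finding("Crew welfare Wi-Fi", "malware from crew devices", "unpatched router", 9.8, 4,
            {"business": 2}, "IT-Only", ["segmentation from OT network"], 0.5),
    Finding("ECDIS", "malware on update media", "unsupported OS", 7.5, 3,
            {"safety": 5, "environment": 4}, "Safety-Impacting",
            ["removable-media control", "verified update workflow"], 0.7),
    Finding("Engine monitoring", "vendor remote-access misuse", "default credentials", 7.5, 3,
            {"operations": 4}, "Operations-Impacting", ["credential change", "vendor access policy"], 0.6),
]
```

Running `prioritise(SAMPLE_REGISTER)` places the ECDIS finding first despite the crew Wi-Fi finding's higher CVSS, and `residual_risk` refuses a finding that maps controls without stating their effect, so the accepted figure is never silently equal to the inherent one.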
Keeping the Assessment Alive
The most common failure mode of a maritime risk assessment is not that it is wrong when written, but that it is never updated. A vessel's cyber risk profile changes constantly: new equipment is installed, software is upgraded, a 5G link is added, a vendor relationship changes, a new threat emerges in the vessel's trade area. An assessment that does not track these changes drifts steadily out of date until it no longer describes the vessel an auditor is standing on.
The discipline that keeps the assessment alive is management of change. Any significant modification to a safety-relevant system, including the addition of connectivity, triggers a review of the affected part of the risk assessment. On top of that, a scheduled annual review revisits the whole assessment, refreshes the threat picture, confirms the controls are still in place and effective, and re-accepts the residual risk. The master review and internal audit programme already built into the Safety Management System provide natural checkpoints for this.
Codesecure delivers maritime risk assessments as living documents with a defined review cadence, an owner, and integration into the Safety Management System rather than as standalone reports. For fleets, we use a representative-class approach: one vessel per class is assessed in depth and the findings are extrapolated across sister vessels with a desk review, which keeps the programme affordable while still producing a genuine, defensible assessment for every vessel.
BIMCO as the Practical Companion
The IMO framework sets the requirement and the functional structure, but it deliberately leaves the methodology open. The BIMCO Guidelines on Cyber Security Onboard Ships fill that gap. Co-produced with the major shipowner and operator associations, the BIMCO Guidelines provide a detailed, vendor-neutral risk assessment methodology that turns the IMO Identify-Protect-Detect-Respond-Recover structure into a workable, step-by-step exercise, complete with control areas across people, process and technology.
Because the BIMCO Guidelines have become the de facto reference that flag state inspectors, class society auditors, P&I clubs and charterers use to evaluate a shipowner's cyber posture, conducting the risk assessment in alignment with BIMCO is the path of least resistance through almost every audit and questionnaire the company will face. A risk assessment that is structured around the IMO functions, conducted with the BIMCO methodology, and overlaid with a maritime severity model satisfies the regulator, the class society and the commercial counterparty in a single coherent document.
Codesecure conducts maritime risk assessments aligned to the IMO functions and the BIMCO methodology, with a maritime severity overlay, full asset inventory, prioritised risk register, control mapping and documented residual risk. The output integrates into the Safety Management System and produces the evidence pack that satisfies IMO 2021, BIMCO gap closure and charterer questionnaires together.
Frequently Asked Questions
What is a maritime cyber risk assessment?
It is the structured analysis that identifies a vessel's cyber assets and the threats to them, evaluates the vulnerabilities and the likelihood and impact of each risk, selects and maps the controls that reduce those risks, and documents the residual risk the company accepts. Under the IMO framework it is the foundation of the whole cyber programme and the first document a flag state or class auditor asks to see.
Which framework does the IMO require for maritime cyber risk?
IMO Resolution MSC.428(98) requires risk-based cyber management within the Safety Management System, and the operational guidance in MSC-FAL.1/Circ.3 frames it around the five NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond and Recover. The IMO does not mandate a single methodology, so most shipowners use the BIMCO Guidelines, which provide a detailed, industry-endorsed method aligned to those five functions.
How is a maritime risk assessment different from a corporate IT one?
The defining difference is that maritime risk weights safety and environmental impact heavily. A cyber failure that endangers the vessel, the crew or the marine environment is in a different category from one that disrupts office IT. A good maritime assessment adds a severity overlay, classifying each finding as Safety-Impacting, Operations-Impacting or IT-Only, so the bridge and the boardroom can read the same risk register and agree on priorities.
How often should the risk assessment be updated?
At minimum annually, and on any significant change to a safety-relevant system, including the addition of new connectivity such as a 5G link or a new vendor remote-access path. The most common failure is an assessment that was sound when written but was never updated and has drifted out of date. Management of change and the annual review built into the Safety Management System provide the natural checkpoints.
Do we need a separate assessment for every vessel in the fleet?
Not necessarily in full. A representative-class approach assesses one vessel per class in depth and extrapolates the findings across sister vessels with a desk review, which keeps the programme affordable while still producing a genuine, defensible assessment for every vessel. Vessels with materially different equipment or trade patterns may warrant their own deeper assessment.
Can Codesecure run our maritime risk assessment?
Yes. Codesecure conducts maritime cyber risk assessments aligned to the IMO functions and the BIMCO methodology, with a maritime severity overlay, a full asset inventory, a prioritised risk register, control mapping and documented residual risk. The output integrates into the Safety Management System and produces the evidence pack that satisfies IMO 2021, BIMCO gap closure and charterer security questionnaires together. ISO/IEC 27001:2022 certified delivery with named consultants.
Does Codesecure run risk assessments outside India?
Yes. Maritime cyber risk assessments run across India, Singapore, UAE, Malaysia and the wider Middle East, with consultants travelling to vessels at port stay and to shore offices as the engagement requires. ISO/IEC 27001:2022 certified delivery applies regardless of location.
Build A Maritime Risk Assessment That Holds Up To Audit
Codesecure Solutions conducts IMO and BIMCO-aligned maritime cyber risk assessments with a maritime severity overlay, full asset inventory and documented residual risk, for shipowners across India, Singapore, UAE and the wider Middle East. ISO/IEC 27001:2022 certified delivery, named consultants, fixed-price proposals.