Professional Documents
Culture Documents
Section 1 ‐ Introduction
1.1 Scope
The scope of this section is to establish the purpose & objective of Cyber Security Plan
and identify key personnel related to Cyber security and their responsibility. Introduce
to the terms and definitions related to Cyber Security.
This document aims to develop understanding and awareness of key aspects for
managing Cyber Safety and Cyber Security Risks. The document offers guidance to ship
and shore staff on how to assess their operations and put in place the necessary
procedures and actions to maintain the security of cyber systems onboard the ships by:
Identifying the roles and responsibilities of key personnel, and management both on
board and ashore for Cyber risk management.
Identifying the systems, assets, data and capabilities, which if disrupted, could pose
risks to the ship’s operations and safety.
Implement Protection and Detection measures to protect against a cyber incident and
ensure continuity of operations. This may include Technical measures such as
configuration of networks, access control to networks and systems, communication and
boundary defense and the use of protection and detection software. Implement
activities and plans (procedural protection measures) to provide resilience against cyber
incidents through training and awareness and controls for software maintenance,
remote and local access, access privileges, use of removable media and equipment
disposal.
Implement activities to prepare for and respond to cyber incidents. Plans that provide
resilience and restore systems for seamless recovery of operations that may have been
First Wave Marine Services CYBER RISK MANUAL
TITLE: Rev No: 0 Date: 23-Jul-22 Section 1 : Introduction
Cyber Risk Management
Prepared By: DPA Approved By: MD Page 2 of 8
disturbed by a cyber‐event. Identify Measures that backup and restore cyber systems
necessary for operations that are impacted by a cyber incident:
Plans and procedures for cyber risk management should be seen as complementary to
existing security and safety risk management requirements contained in the
International Safety Management Code (ISM) Code and the International Ship and Port
Facility Security (ISPS) Code.
1.3 Responsibility
Cyber security should be considered at all levels of the Company, from senior
management ashore to crew on board, as an inherent part of the safety and security
culture necessary for safe and efficient ship operations.
The Key personnel and their roles and responsibilities related to Cyber Security shall be
as follows:
Master: To ensure compliance with the procedure and proper documentation related to
Cyber Security on board the vessel, as stated in this document. He is to ensure that all
personnel onboard are conversant and conforms to these procedures/instructions.
Master will always have the overriding authority for safety of ship, personnel and
environment.
Master has the duty to promptly respond to and report all Cyber Security incidents to
the Company in line with the procedures under section 5 of this manual. The Master
shall review this document annually together with the Ship Cyber Security Officer
(SCSO) to provide feedback to Company Cyber Security Officer (CCSO) for
enhancement of Cyber Security Management.
Ship Cyber Security Officer (SCSO): The Chief Officer is the designated Ship Cyber
Security Officer (SCSO). The SCSO is to assist the Master to ensure that the procedures
mentioned in this manual are complied with.
First Wave Marine Services CYBER RISK MANUAL
TITLE: Rev No: 0 Date: 23-Jul-22 Section 1 : Introduction
Cyber Risk Management
Prepared By: DPA Approved By: MD Page 3 of 8
Seafarer: The officers and ratings on board the vessel is to ensure that they understand
the procedure in this manual and complies with same.
The Company Security Officer (CSO) is the designated Company Cyber Security Officer
(CCSO). He is to ensure adequate Company response in case of a Cyber Security
incident on board a vessel. He is responsible for tailoring the cyber security policy as
detailed in Appendix 1, and its publication, distribution and review to satisfy useful
purpose as well as meeting regulatory and reporting needs. He is responsible for
development and implementations of Cyber Security systems on board the vessel. The
CCSO shall investigate all Cyber Security incidents and review common learnings to
implement preventive measures fleetwide. He shall oversee the training and awareness
of personnel ashore and on board the vessel through training centers.
The Head of IT department ashore is responsible provide shore based IT support to the
vessel in cooperation with the SCSO to ensure adequate protection and detection
measures are set on board for effective Cyber Security Management and to report to
CCSO. He is to assist the CCSO to respond and recover from a Cyber Security Incident.
Top Management / DPA to embed a culture of Cyber Risk awareness into all levels of
organization and ensure a holistic and flexible Cyber Risk Management regime is
established and continuous operation and constantly evaluated through effective
feedbacks / internal audits.
Access control is selective limiting of the ability and means to communicate with or
otherwise interact with a system, to use system resources to handle information, to gain
knowledge of the information the system contains or to control system components and
functions.
Back door is a secret method of bypassing normal authentication and verification when
accessing a system. A back door is sometimes created by hidden parts of the system
itself or established by separate software.
Bring your own device (BYOD) allows employees to bring personally owned devices
(laptops, tablets, and smart phones) to the ship and to use those devices to access
privileged information and applications for business/personal use.
Cyber risk management means the process of identifying, analyzing, assessing, and
communicating a cyber‐related risk and accepting, avoiding, transferring, or mitigating it
to an acceptable level; taking into consideration the costs and benefits of actions taken
by stakeholders.
ships this approach will generally focus on network design, system integration,
operations and maintenance.
Local Area Network (LAN) is a computer network that interconnects computers within
a limited area such as a home, ship or office building, using network media.
First Wave Marine Services CYBER RISK MANUAL
TITLE: Rev No: 0 Date: 23-Jul-22 Section 1 : Introduction
Cyber Risk Management
Prepared By: DPA Approved By: MD Page 6 of 8
Malware is a generic term for a variety of malicious software which can infect computer
systems and impact on their performance.
Patches are software designed to update software or supporting data to improve the
software or address security vulnerabilities and other bugs in operating systems or
applications.
Phishing refers to the process of deceiving recipients into sharing sensitive information
with a third‐party.
Principle of least privilege refers to the restriction of user account privileges only to
those with privileges that are essential to perform its intended function.
Producer is the entity that manufactures the shipboard equipment and associated
software.
Recovery refers to the activities after an incident to restore essential services and
operations in the short and medium term and fully restore all capabilities in the longer
term.
Removable media is a collective term for all methods of storing and transferring data
between computers. This includes laptops, USB memory sticks, CDs, DVDs and diskettes.
Risk assessment is the process which collects information and assigns values to risks for
informing priorities, developing or comparing courses of action, and informing decision
making
Social engineering is a method used to gain access to systems by tricking a human into
revealing confidential information.
Software whitelisting means specifying the software which may be present and active
on an IT or OT system.
Virtual Local Area Network (VLAN) is the logical grouping of network nodes. A virtual
LAN allows geographically dispersed network nodes to communicate as if they were
physically on the same network.
Virtual Private Network (VPN) enables users to send and receive data across shared or
public networks as if their computing devices were directly connected to the private
network, thereby benefiting from the functionality, security and management policies of
the private network.