IMO Resolution MSC-FAL.1/Circ.3 required ship operators to address cyber risks in their Safety Management Systems by the first annual verification after 1 January 2021. Five years on, the requirement is understood in principle but poorly implemented in practice, especially when it comes to managing vulnerabilities in onboard industrial control systems (ICS).
This post breaks down what the IMO requirement actually means, where operators fall short, and what a credible vulnerability management process looks like for maritime OT.
What MSC-FAL.1/Circ.3 Actually Requires
The resolution itself is short — three pages. Its core requirement is that cyber risk management should be incorporated into the ISM Code's existing Safety Management System framework. Specifically:
- Identify critical systems that depend on cyber technology and could be compromised
- Protect those systems from exploitation
- Detect when a compromise has occurred
- Respond to and recover from incidents
It doesn't specify tools. It doesn't mandate continuous monitoring. It doesn't name specific CVE databases. What it does require is that you have a documented, repeatable process — and that auditors can see evidence it's being followed.
The weakest link in most SMS cybersecurity implementations is the identify and protect phases; specifically, how do you know whether one of your onboard systems has a known vulnerability?
The Gap Between Paper Policy and Practice
Most operators have done the following since 2021:
- Added a cybersecurity section to their SMS
- Listed their critical OT systems (PMS, ECDIS, AIS, propulsion controls)
- Written a policy about software updates and remote access
What most haven't done:
- Set up a process to receive alerts when new vulnerabilities are published for those specific systems
- Created a mechanism to assess whether a published vulnerability affects their installed firmware version
- Maintained an evidence trail of vulnerability assessments per vessel
The gap isn't malicious. It's practical. Your IT team, if you have one, is focused on office infrastructure. Your fleet management team doesn't have the security background to parse CISA advisories. The OT vendors publish advisories, but there's no push notification — you have to go looking.
Why ICS Vulnerability Feeds Matter for Maritime
CISA publishes ICS security advisories for every major maritime OT vendor: Kongsberg, Wärtsilä, ABB, Yokogawa, Rockwell Automation, Siemens, Schneider Electric. In 2025 alone, CISA published more than 450 ICS advisories — many with CVSS scores above 8.0.
Consider a practical scenario: your vessel fleet runs Kongsberg K-Chief for power management. CISA publishes ICSA-25-XXX-01 disclosing a buffer overflow in a specific K-Chief firmware version that could allow remote code execution — no authentication required, CVSS 9.8 CRITICAL. Without a monitoring process, you won't know about this until Kongsberg's next service visit, or until you happen to check their portal.
With a monitoring process, you'd receive an alert within hours. You'd assess whether your installed firmware is in the affected range. You'd document that assessment. If you can't patch immediately (because the vessel is at sea), you'd document the compensating controls: network segmentation, monitoring, deferred patch plan for next port call.
That's what ISM auditors want to see. Not that you've never had a vulnerability — that you have a process for finding and responding to them.
What an IMO-Compliant Vulnerability Management Process Looks Like
A credible maritime OT vulnerability management process has five components:
1. Asset register — Document the OT vendors and systems on each vessel. Include firmware versions where possible. This doesn't need to be a fancy CMDB — a spreadsheet per vessel is fine.
2. Vulnerability feed monitoring — Subscribe to ICS vulnerability alerts for the vendors in your asset register. CISA's CSAF feed covers all major maritime OT vendors. Tools like OTWarden can filter to your specific vendor list and send email alerts automatically.
3. Relevance assessment — When an alert arrives, assess whether it affects your installed version. CISA advisories include affected version ranges. Document your assessment outcome (affected, not affected, unknown).
4. Response plan — For affected systems: raise a defect item, schedule remediation at the next available opportunity, document compensating controls if immediate patching isn't possible.
5. Evidence trail — Keep records of all the above. Date-stamped alert receipts, relevance assessments, defect items, patch records. This is your evidence for the annual ISM audit.
Practical Steps to Get Started
If you're starting from scratch:
1. Build your vendor list — Go through each vessel and list the OT vendors: PMS, ECDIS, main engine control, thruster controls, ballast system. For each, note the system name and installed firmware version if available.
2. Set up vulnerability monitoring — Add those vendors to an ICS vulnerability monitoring tool. OTWarden lets you add vendors and sends filtered email alerts the moment CISA publishes a new advisory. Free 14-day trial at otwarden.com.
3. Create a simple assessment template — A one-page form: advisory ID, date received, affected product, our installed version, assessment outcome (affected/not affected/unknown), planned action, completed date.
4. Add vulnerability management to your SMS — One paragraph in the cybersecurity procedure describing the process above. Reference the tools and templates by name.
5. Run it for 90 days before your next audit — You'll have a log of alerts received, assessments completed, and any remediation actions taken. That's what auditors want to see.
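The components above (asset register, feed monitoring, relevance assessment, evidence trail) and the one-page assessment template from step 3, as an added Python example that is not part of the original post or of OTWarden: it flattens a constructed CSAF 2.0-style advisory (the JSON layout CISA's feed uses), filters it against a constructed vessel asset register, and emits one date-stamped assessment record per matching asset with the template's fields. Advisory and CVE ids, vendor and product names are placeholders; unknown firmware versions and versions the advisory does not list both produce an "unknown" outcome rather than a silent pass.

```python
import json
from datetime import datetime, timezone

# Constructed asset register for one vessel; vendor/product names are placeholders.
ASSET_REGISTER = [
    {"vendor": "ExampleMarine", "product": "PowerMgr", "version": "3.1.0"},
    {"vendor": "ExampleMarine", "product": "PowerMgr", "version": None},  # second unit, firmware not recorded
    {"vendor": "OtherVendor", "product": "ECDIS-X", "version": "7.2"},    # not named in the advisory
]

# Constructed CSAF 2.0-style advisory (field names as in CISA's feed; ids are placeholders): 3.0.0 and 3.1.0 affected.
ADVISORY = {
    "document": {"tracking": {"id": "ICSA-PLACEHOLDER-01"}},
    "product_tree": {"branches": [{"category": "vendor", "name": "ExampleMarine", "branches": [
        {"category": "product_name", "name": "PowerMgr", "branches": [
            {"category": "product_version", "name": v, "product": {"product_id": f"P{i}", "name": f"PowerMgr {v}"}}
            for i, v in enumerate(["3.0.0", "3.1.0", "3.2.0"])]}]}]},
    "vulnerabilities": [{"cve": "CVE-XXXX-PLACEHOLDER", "product_status": {"known_affected": ["P0", "P1"]}}],
}

def product_leaves(branches, vendor=None, product=None):
    """Flatten a CSAF product tree into (vendor, product, version, product_id) tuples."""
    for b in branches:
        v = b["name"] if b["category"] == "vendor" else vendor
        p = b["name"] if b["category"] == "product_name" else product
        if b["category"] == "product_version" and "product" in b:
            yield v, p, b["name"], b["product"]["product_id"]
        yield from product_leaves(b.get("branches", []), v, p)

def assess(advisory, register, today=None):
    """Watchlist-filter the advisory, then assess each asset it names; returns evidence records."""
    today = today or datetime.now(timezone.utc).date().isoformat()
    affected = {pid for vul in advisory["vulnerabilities"] for pid in vul.get("product_status", {}).get("known_affected", [])}
    leaves = list(product_leaves(advisory["product_tree"]["branches"]))
    if not {l[0] for l in leaves} & {a["vendor"] for a in register}:
        return []  # no watched vendor is named: this alert is filtered out entirely
    records = []
    for a in register:
        listed = {ver: pid for v, p, ver, pid in leaves if (v, p) == (a["vendor"], a["product"])}
        if not listed:
            continue  # advisory does not cover this product at all
        if a["version"] is None or a["version"] not in listed:
            outcome, action = "unknown", "confirm installed firmware version against advisory"
        elif listed[a["version"]] in affected:
            outcome, action = "affected", "raise defect item; document compensating controls until patched"
        else:
            outcome, action = "not affected", "none; file assessment as evidence"
        records.append({"advisory_id": advisory["document"]["tracking"]["id"], "date_received": today,
                        "product": f'{a["vendor"]} {a["product"]}', "installed_version": a["version"],
                        "outcome": outcome, "planned_action": action, "completed_date": None})
    return records
```

Each returned record is one row of the assessment template; appending it to a per-vessel log gives the date-stamped evidence trail the audit asks for.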
The IACS UR E26/E27 Dimension
If you're building newbuild vessels contracted after 1 July 2024, IACS Unified Requirements E26 and E27 go further than IMO 2021. E26 requires ship owners to maintain an inventory of OT equipment that includes known vulnerabilities, and to have a process for monitoring vendor security advisories. E27 requires individual OT equipment to be designed and documented to support vulnerability disclosure.
The expectation is that an asset inventory and vulnerability monitoring process exists from commissioning, not retrofitted later. Getting your monitoring infrastructure right during the build and commissioning phase is significantly easier than trying to reconstruct it years later.
OTWarden's CSV import for watchlists makes it practical to bulk-add an entire vessel's OT vendor list during the commissioning process, immediately establishing monitoring coverage from day one.
Summary
IMO 2021 requires a documented cybersecurity process in your SMS. A vulnerability monitoring process for onboard OT vendors is the most concrete evidence of the "identify and protect" requirements that auditors look for. The tools to implement this are inexpensive and accessible. The gap isn't technical — it's awareness that the process needs to exist and discipline to run it.