CISO LLC

Harmonizing Maritime Cybersecurity Regulations, Standards, and Guidelines

6/1/2025


By Scott Dickerson, CISO LLC Founder & Principal

A Growing Predicament

A specific, discrete cybersecurity challenge that is manifesting for practitioners across critical infrastructure sectors relates to the proliferation of non-harmonized cybersecurity regulations, standards, and guidelines. Each regulation, standard, or guideline, while on the surface appearing very similar in nature and perhaps even repetitive, has different focal points and levels of granularity. While this is happening across critical infrastructure sectors, the devil’s in the details. Here we will focus on one specific sector – maritime.

An example of this relates to “assets”: one requirement may be maintaining an inventory of critical IT and OT assets, another a complete asset inventory, a different one requires firmware details, some want a software bill of materials (SBOM), and others get into variations of asset management, which clearly goes far beyond mere inventories. Meeting each of these requirements, and providing the evidence desired by an inspector or auditor for a specific framework, requires effort from numerous personnel. This creates confusion as to what “right” looks like for the organization, increasing frustration from front line workers all the way through executive teams. Below is a list of the standards, regulations, and guidelines that an organization may be required to meet, which can be a frustrating and complex challenge.

The exact pain points vary across stakeholders and their exact operating locations. The pain points are often less severe for port authorities who may have a limited set of regulations to adhere to in some countries. However, those in the U.S. may be facing more challenges than in other countries because of the extent to which multiple Federal agencies are requiring cybersecurity efforts which are not harmonized. Depending on the location and number of onshore or offshore facilities and/or ships operating in different jurisdictions, owners and operators are the ones most impacted by non-harmonized regulations. Unfortunately, their voices are all too often ignored by the “decision makers”.

Hazards Ahead

To date, each regulatory, standard, or guideline effort has occurred within the vacuums of individual organizations and remains unaligned, or non-harmonized, based on their own vested interests. And from a faraway perch, this non-harmonization may seem like an afterthought or trivial type of problem. However, upon closer inspection, it becomes abundantly clear to the organizations and their third parties that the complexities and challenges are very real with stunning results. An organization’s already limited resources trying to fight off nation state attacks (a separate concern in and of itself) become drawn away from managing risks to meet compliance by completing non-value added, repetitive but distinct efforts. The end result is decreased resiliency for individual organizations, which becomes multiplied across the sector, and the increased likelihood of systemic impacts.

Additionally, multiple countries have recently enacted new cybersecurity regulations or are working towards finalizing regulations. Each separate cybersecurity regulation or standard that becomes enacted creates inertia as it becomes entrenched in how things are done, whether in a geographic area or a particular industry. They create their own vested interests, often resulting in self-licking ice cream cones. This makes it more difficult for harmonization efforts to gain traction. This begs the question, “is it already too late to create harmonized outcomes?”

As the idea of harmonization is in its infancy, how we go down the path could itself be problematic. Who will be at the table, decide upon and create the outcomes? Will there be people with an adequate level of knowledge and understanding at the table as regulations, standards, and guidelines are created? Will the industry personnel who ultimately work to implement these requirements be asked for feedback and would it actually be factored in? While international agreement is notoriously difficult to achieve and is often accompanied by much longer timelines for completion, there should still likely be dozens of parties at the table representing thousands of stakeholders. To be impactful and helpful, there needs to be a concerted effort to avoid including some of the current regulations that may sound good in writing but either: a) cannot be met in practice, b) cannot be realistically enforced, or c) do not fundamentally lead to improved cyber resiliency.

Proposed Harmonization Efforts

Following MSC 109, one attempt to bring industry associations together to work on harmonization efforts occurred in late 2024. A letter was sent to BIMCO, CLIA, DCSA, IACS, INTERCARGO, INTERTANKO, IAPH, ICS, IUMI, OCIMF, Sybass, and the World Shipping Council, with IMO being copied for awareness. The proposal was to look at common regulations, standards, and guidelines and create a harmonized set of specific cybersecurity controls that these industry organizations would commit to using. Unfortunately, this attempt was unsuccessful, and only representatives from CLIA and IACS responded with commitments to support the effort.

In April 2025, Canada, Indonesia, Republic of Korea, United Arab Emirates, United Kingdom, IACS, and IAPH sent a proposal to IMO (MSC 110/7) to develop a goal-based approach for maritime digital-ecosystem cybersecurity standards (MDECSS) that consists of four guiding objectives and subsequent principles. It is unclear if the intent is to stop at goal-based objectives and principles or go further. Stopping at broad principles would mean this approach fundamentally will not alter the current challenges for industry stakeholders as it will simply create yet another framework. It may be possible that this effort will gain some traction at MSC 110 and will trigger an outcome with detailed regulatory recommendations.

Also in April 2025, the United States sent a proposal to IMO (MSC 110/7/2) for the development of cybersecurity standards for ships and port facilities in an effort to harmonize regulations internationally. The proposal focuses on two main parts: determining a standardized approach for the further development of cybersecurity requirements (i.e. risk-based/goal-based/prescriptive) and determining if cybersecurity requirements should be made mandatory or voluntary. This proposal was unilaterally submitted by the U.S., which indicates that it was created in a vacuum without international collaboration. A source very familiar with IMO processes and interested in international harmonization efforts expressed their concerns to the author stating, “Once this kind of mindset becomes the baseline at MSC, even if IMO sets goal-based, high-level requirements, they won't have practical meaning without a clear and coordinated implementation pathway, and it will leave those working in the field struggling to comply with countless fragmented low-level requirements derived from different approaches around the world.” This sentiment is appreciated and aligns with the need for detailed, collaborative outcomes for the maritime community as a whole.

Moving Forward

Considering the challenge that maritime stakeholders are facing, the following could be logical next steps:
  1. IMO should officially call for an industry-led harmonization effort to create agreed-upon and detailed cybersecurity controls. The IMO should support industry’s efforts as needed and requested.
  2. Industry associations should seize the leadership opportunity this challenge represents to align their guidelines and influence regulations. While this would be challenging, it will pay immense dividends for their stakeholders over the long term.
  3. Governments should support industry efforts to create detailed, harmonized standards and agree to adopt them. Industry associations often have much better visibility into the challenges through their stakeholders, whereas government bodies often do not have a full understanding or appreciation of the implications of the new regulations.
  4. Public and private sector stakeholders should engage in reciprocity agreements to accept audits, assessments, etc. that are completed based on harmonized cybersecurity regulations and standards. In each country, government agencies should then map the internationally harmonized requirements within their own borders.
Without a doubt more steps will be needed, but these could be foundational elements to build internationally harmonized regulations, standards, and guidelines.


Copyright © 2017 - 2025 CISO LLC. All Rights Reserved.