Ships and marine technology — Assessment of onboard cyber safety

This document establishes the elements of onboard cyber risk assessment and specifies requirements for the assessment process, assessment preparation, risk identification, risk analysis and risk evaluation. This document applies to the risk assessment of onboard cyber systems based on network technologies which mainly include bridge systems, cargo management systems, propulsion and machinery management and power control systems, access control systems, passenger or visitor servicing and management systems, passenger-facing networks, core infrastructure systems, administrative and crew welfare systems and communication systems.


General Information

Status: Published
Publication Date: 25-Jan-2024
Current Stage: 6060 - International Standard published
Start Date: 26-Jan-2024
Due Date: 20-Jun-2024
Completion Date: 26-Jan-2024
Ref Project
Standard
ISO 23799:2024 - Ships and marine technology — Assessment of onboard cyber safety Released:26. 01. 2024
English language
18 pages

Standards Content (Sample)


International Standard
ISO 23799
First edition
2024-01
Ships and marine technology — Assessment of onboard cyber safety
Reference number
© ISO 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Elements and process of risk assessment
4.1 Relationship of elements
4.2 Process of risk assessment
5 Assessment preparation
6 Risk identification
6.1 Identification of asset
6.2 Identification of threat
6.3 Identification of vulnerability
6.4 Identification of existing control measures
7 Risk analysis
7.1 Risk analysis process
7.2 Risk calculation method
7.3 Impact loss of consequences of incident scenarios
7.4 Likelihood of incident scenarios
7.5 Risk calculation of onboard cyber security
8 Risk evaluation
Annex A (informative) Example of risk calculation
Bibliography

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 8, Ships and marine technology.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

Introduction
With the development of digitalization, intelligence and the networking of ships, an increasing number of
control systems, communication and navigation systems, information management systems and equipment
are constantly connected to the ship network to access external information. The hidden danger of
shipborne equipment suffering from network threats is growing. Network security risk assessment uses
scientific methods and means to systematically analyse the threats faced by shipborne systems and their
existing vulnerabilities, assess the degree of harm that can be caused once a security incident occurs, propose
targeted countermeasures, and control the risks at an acceptable level.
Based on the urgent need to enhance the awareness of network risk threats, this document brings together
content from IEC 31010:2019, MSC-FAL.1/Circ.3, IACS Rec.171, IACS UR E26 and UR E27, to provide the
elements of shipboard network security risk assessment and the basic criteria for assessment process,
assessment preparation, security risk identification, security risk analysis and security risk assessment. The
recommended method of shipboard network security risk assessment which is specified in this document
can help improve the ship's network security defence capability, and provide assistance to stakeholders,
including:
a) identifying onboard network security risks;
b) evaluating the consequences and possibility of shipboard network security risks;
c) prioritizing shipboard network security risk disposal.

International Standard ISO 23799:2024(en)
Ships and marine technology — Assessment of onboard cyber safety
1 Scope
This document establishes the elements of onboard cyber risk assessment and specifies requirements for
the assessment process, assessment preparation, risk identification, risk analysis and risk evaluation.
This document applies to the risk assessment of onboard cyber systems based on network technologies
which mainly include bridge systems, cargo management systems, propulsion and machinery management
and power control systems, access control systems, passenger or visitor servicing and management systems,
passenger-facing networks, core infrastructure systems, administrative and crew welfare systems and
communication systems.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 31000, Risk management — Guidelines
IEC 31010, Risk management — Risk assessment techniques
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
onboard cyber safety
situation where the hardware and software of the shipboard network system and the data in the system
are protected from damage, alteration and leakage due to accidental or malicious reasons, and the system
operates continuously, reliably and normally without interruption of network services
3.2
onboard cyber risk
combination of the likelihood and impact loss of a security incident
Note 1 to entry: In the onboard network system, damage can be caused to assets by taking advantage of the
vulnerabilities that exist in the system and by adopting specific means to attack the onboard network so that the
information in the onboard network is leaked, and the network functions are missing.

3.3
onboard cyber risk assessment
entire process of risk identification, risk analysis and risk evaluation
Note 1 to entry: An onboard cyber risk assessment is performed by establishing the value of information assets;
identifying the existence (or potential existence) of applicable threats and vulnerabilities, existing controls and their
impact on the identified risks; and determining potential consequences. Finally, derived risks are prioritized and
ranked against the risk assessment guidelines in the environment creation.
3.4
onboard cyber risk identification
process of discovering, enumerating and describing the elements of onboard cyber risks (3.2)
Note 1 to entry: This involves identifying risk sources, the scope of impact, incidents and their causes and potential
consequences that can have an impact on the ship's voyage. This helps to determine what can occur in onboard
cyber systems that will result in potential loss, and also gives insight into how (threat identification), where (asset
identification), and why (vulnerability identification, existing control measures identification) the potential loss will
occur.
3.5
onboard cyber risk analysis
analysis of the likelihood and impact loss of consequences for the security incident onboard
3.6
onboard cyber risk evaluation
risk metrics for accident scenarios encountered by the ship to assess the risk level of the accident situation
3.7
onboard cyber asset
existing resources that are valuable to the system onboard
3.8
onboard cyber threat
potential causes of damage to the shipboard network system or environmental factors causing damage to
the shipboard network
3.9
onboard cyber security incident
events that have an actual or potential negative impact on shipboard systems, networks and computers
or the information they process, store, or transmit, and that require response measures to eliminate their
consequences
3.10
impact loss of consequences of incident scenarios
damage caused by a security event to the software, hardware, functions and data of the onboard system,
resulting in interruption of system operations
Note 1 to entry: The severity of such loss depends primarily on the cost of restoring the system to normal operation
and eliminating the negative impact of the security incident.
4 Elements and process of risk assessment
4.1 Relationship of elements
The basic elements of risk assessment include assets, threats, vulnerabilities, and security measures. The
relationship of the basic elements is shown in Figure 1.

Figure 1 — Relationships of risk assessment elements
The core of the risk element is the asset, but assets are vulnerable. Security measures are used to make it
more difficult for asset vulnerabilities to be exploited, to defend against external threats, and to achieve asset
protection. Threats cause risk by exploiting vulnerabilities created by assets. When a risk is transformed
into an onboard cyber security incident, it has an impact on the operational status of the asset.
4.2 Process of risk assessment
Onboard cyber risk assessment shall comply with ISO 31000 and IEC 31010, which includes four processes:
assessment preparation, risk identification, risk analysis and risk evaluation (see Figure 2).

Figure 2 — Process of onboard cyber risk assessment
Assessment preparation includes the development of an assessment work plan, the formation of an
assessment team according to the needs of the assessment work, and the clarification of the responsibilities
of each party.
Risk identification includes carrying out asset identification, threat identification, identification of existing
security measures and vulnerability identification.
Risk analysis includes the calculation of risk values based on the results of identification.
Risk evaluation includes determining the risk level based on risk evaluation guidelines.
Communication, negotiation, and evaluation of documentation for the evaluation process should be carried
out throughout the entire risk assessment process.
During the risk assessment, in the absence of relevant statistical data, experts are required to make
judgements based on experience for the process of risk identification and risk analysis. A judgement
matrix or other methods can be used to analyse whether the consistency of expert judgement meets the
requirements.
Risk assessment is an ongoing activity, and should be conducted again when the policy environment,
external threat environment, business objectives and security objectives of the assessment target change.

5 Assessment preparation
Determine the objectives of the risk assessment on the basis of the work form, the stage in the life cycle and
the safety assessment needs of the assessed unit.
The object, scope and boundaries of the risk assessment should be determined before the assessment.
According to the needs of the evaluation work, an evaluation team is formed; the evaluation methods are
clarified, and evaluation tools and manual methods should be used for evaluation.
Conduct preliminary research and analysis, including: reviewing detailed documentation of shipboard
system maintenance and support and analysing potential impact levels, identifying key manufacturers of
shipboard system equipment using a risk-based approach, and identifying the contractual requirements and
obligations that shipowners may have for onboard network and equipment maintenance and support.
Risk assessment criteria should be established and comply with the requirements of ISO/IEC 27005:2022,
6.4 to ensure that risk assessment results can be graded and the organization's later risk control strategies
can be determined.
Develop a complete risk assessment plan, determine the assessment basis, and obtain the support and
approval of the organization's top management.
6 Risk identification
6.1 Identification of asset
Asset identification should include physical, software and data assets throughout the shipboard network.
Onboard cyber assets are generally classified as information technology (IT) systems and operational
technology (OT) systems. IT systems are usually used to manage data and support business functions
through data; OT systems can directly control or monitor physical equipment and operations through
software and hardware.
IT systems are more vulnerable to security risks because they are usually associated with networks and
data transmission. Since the OT system can directly issue control commands to the ship, a network attack
on it affects the navigation of the ship, so the OT system has higher security requirements in terms of
security assurance level.
According to the difference of security level and vulnerability, the assets are divided into IT systems and OT
systems. Physical assets, software assets and data assets are listed in Figure 3.
Figure 3 — Classification of onboard cyber assets
The identification of onboard cyber assets should be combined with the onboard environment and operating
business characteristics. At least nine categories of ship risk systems should be included, as shown in Table 1.

For different ship types, different technical characteristics and specific requirements, ship risk systems can
be supplemented in the subclass system.
Table 1 — Identification content of onboard cyber assets
(Columns: Serial number, Class, Division)
1 Communication systems (IT+OT)
— integrated communication systems
— satellite communication equipment
— voice over internet protocols (VOIP) equipment
— wireless networks (WLANs)
— systems used for reporting mandatory information to public authorities
2 Bridge systems (OT)
— integrated navigation system
— positioning systems (GPS, etc)
— Electronic Chart Display Information System (ECDIS)
— Dynamic Positioning (DP) systems
— systems that interface with electronic navigation systems and propulsion/manoeuvring systems
— Automatic Identification System (AIS)
— Global Maritime Distress and Safety System (GMDSS)
— radar equipment
— Voyage Data Recorders (VDRs)
— Bridge Navigational Watch Alarm System (BNWAS)
— Shipboard Security Alarm Systems (SSAS)
3 Propulsion, machinery management and power control systems (OT)
— engine governor
— power management
— integrated control system
— alarm system
— bilge water control system
— water treatment system
— emissions monitoring
— heating, ventilation and air-conditioning monitoring
— damage control systems
— other monitoring and data collection systems e.g. fire alarms
4 Access control systems (IT)
— surveillance systems such as CCTV network
— electronic “personnel-on-board” systems
5 Cargo management systems (OT)
— Cargo Control Room (CCR) and its equipment
— onboard loading computers and computers used for exchange of loading information and load plan updates with the marine terminal and stevedoring company
— remote cargo and container tracking and sensing the system's level indication system
— valve remote control system
— ballast water systems
— reefer monitoring systems
— water ingress alarm system
6 Passenger or visitor servicing and management systems (IT)
— property management system (PMS)
— ship management systems (often including electronic health records)
— financial related systems
— ship passenger/visitor/seafarer boarding access systems
— infrastructure support systems like domain naming system (DNS) and user authentication/authorization systems
— incident management systems
7 Passenger-facing networks (IT)
— passenger wi-fi or Local Area Network (LAN) internet access, e.g. where onboard personnel can connect their own devices
— guest entertainment systems
8 Core infrastructure systems (IT and OT)
— security gateways
— routers
— switches
— firewalls
— Virtual Private Network(s) (VPN)
— Virtual LAN(s) (VLAN)
— intrusion prevention systems
— security event logging systems
9 Administrative and crew welfare systems (IT and OT)
— administrative systems
— crew Wi-Fi or LAN internet access, e.g. where onboard personnel can connect their own devices
According to the importance of the asset (economic value of the asset, the degree of impact on the business)
and security attributes, the onboard cyber assets are assigned values and divided into three levels. The
higher the level, the more important the asset is, as shown in Table 2.

Table 2 — Assignment of assets value levels
(Columns: Level, Mark, Class, Description)
Level: 1; Mark: Low; Class: Not so important
Description: The destruction of its security properties can cause very small losses, and the specific amount can be defined by each country. For example, the direct economic loss is less than US $10 000, and the IT system is temporarily interrupted.
Level: 2; Mark: Moderate; Class: Important
Description: The destruction of its security attributes can cause serious losses, and the specific amount can be defined by each country. For example, the direct economic loss is US $10 000 to US $20 000,
...
