Risk Assessment Guide

Part of the IDENTIFY Playbook ← Return to Hub

Phase 1: Identify All vessels

Satisfies: E26 §6 IEC 62443 IMO MSC-FAL.1 BIMCO v4 All vessels

Risk Assessment & Threat Mapping

The “Identify” Synergy: An effective Risk Assessment (RA) is not a standalone document; it is the synthesis of your Asset Inventory, Interdependency Matrix, and Exclusion Logic. This guide explains how to map functional threats to your vessel’s specific OT topology per IACS UR E26 §6.

1. The RA Methodology (E26 vs. Best Practice)

For UR E26 compliance, the risk assessment must be “Functional-Based.” For non-mandatory vessels, we recommend a “Vulnerability-Based” approach to prioritize budget and maintenance.

Mandatory Path (UR E26)

Focuses on Category II & III systems. Requires formal documentation of the “Safety Impact” if a system’s Integrity or Availability is lost.

Requirement: Class Approval File

Best Practice Path (Existing Fleet)

Focuses on Cost & Operational Downtime. Prioritizes “Low-Hanging Fruit” like USB lockdowns and network segmentation.

Goal: Resilience & Insurance Alignment

2. Functional Threat Mapping (UR E27 Alignment)

Under UR E27, you must prove that technical controls are in place to mitigate specific threats. Use this matrix to bridge the gap between your inventory and your security controls.

Threat Scenario	Impact on OT Asset	Mitigation Reference
Unauthorized Access	Malicious set-point changes in the Power Management System (PMS).	Authentication (§4.1)
Malware Infiltration	Introduction of ransomware via OEM service laptop or infected USB.	Interface Protection (§4.3)
Network Storm/DoS	Loss of communication between Bridge and Engine Room due to traffic surge.	Network Isolation (§4.2)

3. Defining Risk: Scoring & Visual Matrix

To ensure consistency across the fleet, use the following criteria and the 5×5 Heat Map to determine your risk priority.

IMPACT
	5	10	15	20	25
	4	8	12	16	20
	3	6	9	12	15
	2	4	6	8	10
	1	2	3	4	5
	LIKELIHOOD

Extreme (16-25): Stop operations / Immediate Fix.

High (10-15): Technical controls required within 30 days.

Medium (5-9): Operational monitoring / Scheduled hardening.

Low (1-4): Risk accepted / Regular review.

Likelihood Scale (1-5)

1. Rare: Requires physical access + expert skill.
2. Unlikely: Possible via remote port; no known exploit.
3. Possible: Networked system; standard security.
4. Likely: Legacy OS or known unpatched vulnerability.
5. Almost Certain: Internet-facing OT with default credentials.

Severity Impact (1-5)

1. Insignificant: No operational impact.
2. Minor: Loss of non-essential monitoring.
3. Moderate: Temporary loss; manual bypass possible.
4. Major: Degradation of propulsion/steering.
5. Catastrophic: Total loss of safety-critical control.

4. Risk Response & Treatment

Once a risk is scored, the Technical Manager must select a treatment strategy. This is a mandatory step for UR E26 §5.3 documentation.

Avoid Eliminate the risk (e.g., removing a legacy Wi-Fi bridge).

Mitigate Implement technical controls (e.g., Firewalls, MFA).

Transfer Shift risk to a third party (e.g., Cyber Insurance).

Accept Document low risks that do not justify the cost of fix.

5. Strategic Integration: The RA Hub

To avoid duplicating effort, your Risk Assessment must directly reference the data points already established in your other playbook sections:

From Inventory Pull the Criticality Category (I, II, III) as the primary risk weight. From Interdependencies Determine the “Blast Radius” of a compromised system. From Exclusions Document why low-risk systems were Removed from Scope.

6. RA Lifecycle: When to Re-Assess

A Risk Assessment is not a one-time project. Under E26 Management of Change (MoC), the RA must be updated during:

Annual Fleet Audit Major Network Changes New Satellite HW Installation Post-Cyber Incident Review

Strategic Intelligence: The “Cascading Failure”

The Auditor’s Trap: Many shipowners assess systems in isolation. However, UR E26 requires you to assess “Networked Dependence.” If a Category I (Non-Essential) system like Crew Wi-Fi shares a switch with a Category II system, the risk score of the Category I asset must be elevated due to the potential for lateral movement.

Pro-Tip: Always audit the Physical Layer (Layer 1) before finalising your risk score. A shared cable is a shared risk.

Compliance Documentation Previews

Standardized templates for Risk Assessment and Threat Analysis. View watermarked previews below; full SOPs require the Pro Bundle.

TAG-OT-CYRA-TOOL

Cyber Risk Assessment Tool

Launch Tool

TAG-OT-LOG-05

Threat Mapping Matrix

Unlock with Pro Bundle

Unlock Full Compliance & Intelligence

Upgrade to the TAGSIA Pro Bundle to get all 40+ fillable documents, editable SOPs, and unlimited access to our real-time Threat Intel feed, CVE Library, and Vendor Advisories.

Upgrade to Pro Bundle

Includes Unlimited Intel Search

Instant access to IACS E26/E27 Templates

PREVIOUS:
System Interdependency Matrix

Next Section

Roles & Change Management (MoC)

Phase 1: Identify All vessels Satisfies: E26 §5.3.1 ISM Code §10 BIMCO v4 All vessels Roles & Change Management UR E26...

Roles & Change Management (MoC) →