Adopting regulations, standards, and guidelines to build safeguards into maritime cyber security frameworks

Adopting regulations, standards, and guidelines to build safeguards into maritime cyber security frameworks

The changing outlook in the increasingly connected maritime sector has led to the greater adoption of regulations, standards, and guidelines to secure and protect maritime cyber security frameworks. The diverse maritime transportation system (MTS) does this by putting in place appropriate safeguards and updating the safety management system that deals with various types of assets, operations, and infrastructure, which are operated and influenced by a diverse set of stakeholders.

Effective management of cyber risk is critical for the proper functioning of a diverse maritime community where stakeholders from the port authority, ship operators, port facilities, maritime agencies, customs, and law enforcement are all interconnected. A typical MTS comprises waterways, ports, land-side connections, and people and goods moving to and from the water.

Marco (Marc) Ayala director for ICS cybersecurity and sector lead 1898 & Co.

One preferred method aside from standards and frameworks is utilizing the Consequence-driven Cyber-informed Engineering (CCE) methodology to determine high consequence events and the safeguards in place or needed to deter cyber hackers, Marco (Marc) Ayala, director for ICS cybersecurity and sector lead at industrial cybersecurity company 1898 & Co., part of Burns & McDonnell, told Industrial Cyber.

Cybersecurity attacks on the maritime sector are no different than other cyber attacks and threats to other sectors, but the consequence and impacts do differ from that in oil and gas or chemical complex facilities, for example, according to Ayala. “Cyber actors are focusing and have already begun to target maritime transportation systems port authorities, operators and marine terminals as seen over the last year and a half. Disruption and degradation of service and maritime mission is what is at stake and we must take appropriate actions to assess and protect these systems,” he added. Richard Hodder, CEO of Pelion Consulting

Richard Hodder, CEO of Pelion Consulting,

Richard Hodder, CEO of Pelion Consulting

, also said that “There’s not much difference in the attacks that target maritime compared to other critical infrastructure. There’s a mix of control systems, PLCs, remote connectivity, IT and people amongst other things that comprise a commercial ship or private yacht – which are potentially as exposed in the critical infrastructure sector,” he added.

“The motives for such attacks might be different though, as may be the consequences. Target the commercial maritime fleet could have grave consequences for global trade if there’s disruption to the supply chain,” Hodder told Industrial Cyber. “The ships themselves, if inoperative due to an attack, present a danger to the local eco-systems and shore-based installations. A lot of damage could be inflicted on other types of infrastructure and the environment itself.”

“As with any critical infrastructure, the consequences could be catastrophic not only economically but also affect lives too. Unfortunately, there have already been examples in the past few years of this. Criminals targeting the yacht side of the maritime industry may have different motives which may more financially or personally driven,” Hodder added.

Internet connectivity is becoming increasingly available onboard ships, Avital Sincai, COO and co-founder of Cydome told Industrial Cyber. “Whilst this has the benefits of improved welfare, communication with vessel owners and remote fleet management, it also comes with the increased risk of cyberattacks due to the vulnerability of onboard systems,” she added.

Avital Sincai, COO and co-founder of Cydome

Avital Sincai, COO and co-founder of Cydome

“In this case, the threat actors are cybercriminals and hacktivists whose aim is mostly to gain financial benefit, unlike the vessel hacking, in which the threat actor could be a contractor or a third-party doing remote vessel maintenance that can cause financial loss and vessel-critical asset destruction (such as Main Engine damage),” Sincai said. “The critical asset that can be attacked to gain this outcome could be the VSAT router, GPS, ECDIS, AIS, main engine systems, stability and ballast systems, cargo system and more,” she added.

The IMO 2021 maritime cyber security requirements have been aligned to guide ship owners and operators to address the growing number of vulnerabilities, and facilitate appropriate cyber risk management for vessel owners and operators.

To deal with increasing cyber threats to maritime operations and mitigate maritime cyber security risks, the International Maritime Organization (IMO) introduced Resolution MSC.428(98), whose goal is to ‘support safe and secure shipping, which is operationally resilient to cyber risks.’ This mandate along with other guidelines and standards aims to secure and protect the differing needs and levels of maturity when it comes to the breadth of their vessel IT and OT networks and cyber-related systems, so the approaches adopted to defend maritime cyber architectures will accordingly differ.

“I believe that the IMO 2021 is a good start for ship owners and operators as a start and baseline but we must avoid a check the box mentality that some of these initiatives may enable,” Ayala said. “I am a fan of the ISA/IEC 62443 cybersecurity lifecycle approach that should be utilized in tandem with IMO and the USCG NVIC 01-20,” he added.

With experience primarily in the yacht sector, Hodder said that “we’re seeing a visible push towards IMO 2021 cyber risk management compliance, however, that’s only because the regulations are now being enforced by flag and port state. There’s nothing like a good regulation to get the industry moving.”

Crews, owners, and management companies are pushing to meet compliance, but there is a gap in the skills and knowledge required by all crew members to ensure continued safety and security onboard – one of the problems being that cyber security is seen as a tick-box exercise and that a one-box solution will solve all issues, according to Hodder. “As we know cyber security is multi-faceted and covers many disciplines that don’t fit into any single role on board. Security needs to be reviewed constantly so we encourage a cyber aware culture on board that starts with us as individuals,” he added.

Building a collaborative and holistic approach to maritime cyber security is imperative, as vessel owners and operators work towards achieving a better understanding of the cybersecurity-threat landscape, coupled with a segmented view of MTS infrastructure. This will allow developers, policymakers, owners, and regulators to match the best policy levers with particular maritime systems, and achieve better cybersecurity outcomes across the entire MTS.

Shipowners are engaging with specialist cyber security companies, to assess, monitor, and mitigate the threats, according to Hodder. “This way we work in collaboration with the shipping industry and their wider supply chain to ensure the risks are as minimised as possible. Using this approach will give strength to the overall sector and ensure that it at least attempts to keep-up with the latest threats and vulnerabilities, rather than being one step behind, as has traditionally been the case,” he added.

There are also increasing conversations with the insurance industry to quantify and insure against the threat if set criteria have been made. This too is a new area and currently, underdevelopment, Hodder added.

Shipowners and operators are realistically challenged with remote access and third-party OEM support for their vessels, Ayala said. “Unlike a refinery in which has fence lines the very nature of maritime systems creates broad and wide cyber challenges that I have helped clients uncover and remediate. It is important that ship owners bring in cybersecurity assessors that have deep operational, navigation, and propulsion systems expertise,” he added.

Maritime companies are dealing with a digitalization process and more devices are connected to the internet, so there is more connectivity in general and a complex of legacy devices, Sincai said.

“All of these increase the need for maritime companies to adopt more protection measures than before. The initial step is to assess and better understand what the specific vulnerabilities on board each vessel are and the steps needed to mitigate these in a process that would make sense. The maritime industry has existed for many years, and it has to adapt to the changes, which can be done with the right guidance and direction for the best, most secure path,” she concluded.