Cybersecurity is a relatively new focus in the maritime industry, yet the risks are increasing rapidly. New threats and malicious groups targeting the maritime transportation industry are on the rise. In fact, cyberattacks on the maritime industry’s OT systems have increased 900 percent over the last three years. At the same time, the drive for digitalization, along with internet of things (IoT) connectivity, cloud-based technologies, and remotely operated facilities means attack surfaces are expanding and vulnerabilities are appearing deeper and broader.
For reference, maritime cybersecurity refers to the protection of computers and networks used in ports, terminals, vessels, and related support systems, from cyber threats that could lead to life safety, environmental, operational, or security consequences resulting from information or system compromise. The information technology (IT) and operational technology (OT) systems that operate this infrastructure are susceptible to cybersecurity threats, both malicious and unintentional. If these systems were to be compromised, the short- and long-term impacts could be devastating, both regionally and globally.
In a whitepaper, we are releasing today titled, “How to Meet Upcoming Cybersecurity Guidelines.”, we take a closer look at two of the maritime related cyber security guidelines. The first being the International Maritime Organization (IMO) guidelines on maritime cyber risk management which was released in 2017 and enforceable since January 2021. The second being the United States Coast Guard Navigation and Vessel Inspection Circular (NVIC) 01-20 introduced in February 2020 with the deadline for implementation being September 2021. Once the USGC deadline passes, facilities must submit Facility Security Assessment (FSA) and Facility Security Plan (FSP) cybersecurity annexes by each facility’s annual audit dates. Maritime operators need to start working towards addressing and meeting these regulations and standards now.
So, what do maritime operators need to do to comply? In the paper, we discuss implementing a four-stage work process that includes assessing, planning, implementing, monitoring, maintaining, and responding to changes in threats, technologies, and regulations throughout each system’s lifecycle. For each stage, we identify and detail the essential tasks involved. For example, when assessing the environment, it is vital to develop asset management documents, perform vulnerability and gap assessments and identify the highest risks. In the monitoring, maintaining, and responding stage, it is essential to conduct tasks such as developing a sustainable cybersecurity program, monitoring the overall security posture, maintaining tight cybersecurity controls and regularly conducting incident response drills.
Finally, in addition to the work process steps, it is critical to emphasize the importance of training and skills development. Simply put, training is a crucial element to the success of any ICS/OT cybersecurity program. Many maritime organizations need assistance with their cybersecurity efforts due to a shortage of qualified security professionals, the fast-changing threat landscape, and emerging regulatory requirements. These organizations lack the specialized experience and expertise to identify, assess, manage, and respond to cyber threats. Some also lack the institutional knowledge needed to comply with cybersecurity requirements from regulatory agencies and standards organizations.
Training should include the importance of why and how a company is working to increase security around its processes. The training content needs to consist of not only the safety and environmental aspects, but also the importance of protecting the company image, value, and brand. Owner-operators should require their suppliers and others to be more secure as an extension of protecting their company image and brand as well.
Cyber threats are a real but invisible enemy for maritime operators. Cyberattacks on the industrial control systems that operate these facilities can kill or injure workers, damage equipment, expose the public and the environment to harmful pollutants, and lead to extensive economic damage. Because of this, it is imperative for operators to assess their systems, develop a cybersecurity road map, and secure their systems over time. Regulations, standards, and guidelines are available and become enforceable in 2021. By addressing and meeting these regulations and standards now, maritime operators will be well-positioned to guard against future cybersecurity threats and be prepared to respond should an incident occur.