As the impact and complexity of cybersecurity programming continues to escalate, so does the frequency of cyber attacks across the industry. As a result, industry regulators are becoming hyper-focused on the problem and acting to impose sweeping new regulations in both the near and long term. The Maritime Transportation Security Act (MTSA) has changed the overall security posture in Maritime for the better by establishing shipboard and shoreside security standards. As a plethora of Information Technology (IT) and Operational Technology (OT) applications have emerged, significant new vulnerabilities have been created for exploitation. Consequently, this new reality has placed considerable responsibility on the industry to adapt and change long-established business practices and investment plans.
Earlier this year the U.S. Coast Guard published technical guidance to assess and mitigate technological vulnerabilities for MTSA regulated facilities. As the industry acts to implement new cybersecurity measures, it will be important to analyze their ongoing effectiveness in thwarting attacks. The Coast Guard is likely to release similar guidance on vessel cybersecurity sometime in the future.
The continuous deployment of new technology provides new threat vectors from which to remotely attack both facility and vessel operations. Not only does this put systems and information at risk, but people and other assets as well. While virtually all maritime operations become increasingly dependent on technology, the industry is focused on understanding the intent and required actions associated with new regulations. Many maritime players are working hard to assemble programs and guidelines to keep up with the changing times.
The United States Coast Guard Navigation and Vessel Inspection Circular (USCG NVIC 01-20) provides guidelines for establishing cybersecurity frameworks to protect facility technology infrastructure. The NVIC does not change existing legal requirements, and to a large degree leaves specific program development decisions up to individual owners and operators. Facility security regulations within 33 CFR 105 and 106 already address technology security and have not been changed. The Coast Guard is encouraging the application of standards for Cyber Risk Management (CRM) in accordance with the National Institute of Standards and Technology (NIST) Framework. Required Facility Security Assessment (FSA) activities must also identify technology and network systems whose failure may cause a Transportation Security Incident. It is up to the owner/operator to decide whether cyber mitigation procedures are set up within a stand-alone cyber annex or incorporated within existing facility security plans together with physical security procedures.
The NVIC offers flexibility for facilities to determine what they believe would fit best into their existing security requirements, and options to amplify their overall posture in the most effective way. This leaves them with the opportunity to pick and choose which standards are more important for their specific operations. With the cybersecurity challenges organizations face today, it is important for businesses like Maritime to ensure accountability across their entire organization. This is crucial especially when it comes to keeping track of security measures and making sure everything is running smoothly for the sake of their business and customers. These standards are important to keep all employees up to date on what is expected of them while on the job and their specific roles in case they face a cyber incident.
In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems. The Resolution stated that an approved SMS should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code. It further encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 2021. The same year, IMO developed guidelines that provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. As also highlighted in the IMO guidelines, effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels and departments of an organization and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.
The guidelines place an obligation on shipowners, operators, and stakeholders to adopt a risk management approach with three overriding objectives: minimizing the danger to the crew, minimizing the danger to environmental safety, and minimizing the financial consequences of a full or partial loss of availability, integrity and confidentiality of sensitive data. The following is a description of ISM Code Safety Management System requirements and applicability:
TMSA Cybersecurity Requirements:
Mandatory requirements set out in the ISM Code cover the following operations of all vessels on international operations, specifically:
Maritime entities must assess and mitigate risk, continuously monitor systems and implement new security measures to keep them secure. Take action today and schedule a free consultation with Strategic Planning Partners to help you improve your overall security posture.