The Emerging Requirements in Maritime You Need to Know About


As the scale and complexity of cybersecurity programs continue to grow, so does the frequency of cyber attacks across the industry. In response, regulators are focusing on the problem and imposing sweeping new requirements in both the near and long term. The Maritime Transportation Security Act (MTSA) improved the overall security posture of the maritime sector by establishing shipboard and shoreside security standards. As a plethora of Information Technology (IT) and Operational Technology (OT) applications have since emerged, significant new vulnerabilities have been created for attackers to exploit. This new reality places considerable responsibility on owners and operators to adapt long-established business practices and investment plans.

Earlier this year the U.S. Coast Guard published technical guidance for assessing and mitigating technological vulnerabilities at MTSA-regulated facilities. As the industry implements new cybersecurity measures, it will be important to analyze their ongoing effectiveness in thwarting attacks. The Coast Guard is likely to release similar guidance on vessel cybersecurity in the future.

The continuous deployment of new technology opens new threat vectors from which to remotely attack both facility and vessel operations. This puts not only systems and information at risk, but people and physical assets as well. While virtually all maritime operations become increasingly dependent on technology, the industry is focused on understanding the intent of the new regulations and the actions they require. Many maritime players are working hard to assemble programs and guidelines to keep up with the changing times.

What is USCG NVIC 01-20?

The United States Coast Guard Navigation and Vessel Inspection Circular 01-20 (USCG NVIC 01-20) is a set of guidelines for establishing cybersecurity frameworks that protect facility technology infrastructure. The NVIC does not change existing legal requirements, and to a large degree it leaves specific program development decisions to individual owners and operators. The facility security regulations in 33 CFR 105 and 106 already address technology security and have not been changed. The Coast Guard encourages Cyber Risk Management (CRM) in accordance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The required Facility Security Assessment (FSA) must also identify technology and network systems whose failure could cause a Transportation Security Incident. It is up to the owner/operator to decide whether cyber mitigation procedures are documented in a stand-alone cyber annex or incorporated into the existing Facility Security Plan alongside physical security procedures.

The NVIC gives facilities the flexibility to determine what fits best with their existing security requirements, and options to strengthen their overall posture in the most effective way. This leaves them free to choose which standards matter most for their specific operations. Given the cybersecurity challenges organizations face today, it is important for maritime businesses to ensure accountability across the entire organization, especially when it comes to tracking security measures and confirming that they are operating as intended, for the sake of the business and its customers. Clear standards also keep employees informed of what is expected of them on the job and of their specific roles should a cyber incident occur.

What Is The IMO 2021 Cybersecurity Resolution?

In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems. The Resolution affirms that an approved Safety Management System (SMS) should take cyber risk management into account in accordance with the objectives and functional requirements of the ISM Code. It further encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 2021. The same year, IMO issued guidelines providing high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. As the IMO guidelines highlight, effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels and departments of the organization and ensure a holistic, flexible cyber risk management regime that operates continuously and is constantly evaluated through effective feedback mechanisms.

The guidelines place an obligation on shipowners, operators, and stakeholders to adopt a risk management approach with three overriding objectives: minimizing the danger to crew, minimizing the danger to environmental safety, and limiting the financial consequences of a full or partial loss of availability, integrity, or confidentiality of sensitive data. The following describes the ISM Code Safety Management System requirements and their applicability:

    • Cybersecurity measures adopted in the company's Health, Safety, Environment, Security & Quality (HSES&Q) Policy Statement.
    • Risk assessments of all OT and IT systems onboard and ashore.
    • Policy for the use of removable storage media.
    • Policy and procedures for network communications and WiFi use by vessel crews.
    • Policy and procedures for monitoring and updating navigation and communication systems.
    • Policy identifying authorization criteria for remote connections.
    • Inventory of all OT systems.
    • Internet access policy outlining restrictions tied to the operations currently being performed onboard.
    • Contingency plans for emergency response developed and in place.
    • Items identified by TMSA and listed below.

TMSA Cybersecurity Requirements:

    • Procedures for patch management for software.
    • Processes for the identification and mitigation of cyber threats.
    • Guidelines for cybersecurity set by industry and classification authorities.
    • Password management procedures.
    • Cyber Awareness Plan implementation for all personnel. 

The mandatory requirements of the ISM Code apply to the following types of vessels engaged on international voyages:

    • Passenger ships, including high-speed passenger craft.
    • Oil tankers, chemical tankers, gas carriers, bulk carriers and cargo high-speed craft of 500 gross tonnage (GT) and above.
    • Other cargo ships (including offshore vessels) and mobile offshore drilling units (not bottom-founded) of 500 gross tonnage (GT) and above.

Maritime entities must assess and mitigate risk, continuously monitor their systems, and implement new security measures to keep them secure. Take action today and schedule a free consultation with Strategic Planning Partners to help you improve your overall security posture.