The MTS is, at its core, a sprawling and diverse system of transportation. Each segment has its own specific purpose, set of tools, and risks. However, the MTS is a system of systems driven by the responsibilities, actions, and objectives of its players. Any ground-level understanding of the MTS must begin with a bird’s-eye view of the various players in regulating, advising, informing, and driving the maritime industry, including those specifically related to maritime cybersecurity.
Baltic and International Maritime Council (BIMCO)
BIMCO is the largest international organization representing the interests of ship owners, charterers, brokers, and agents. The group’s primary role is the preparation of global regulations and policy recommendations in many areas related to the MTS, from the environment, crew support, and insurance to maritime safety and security, ice information, and digitalization, including guidelines related to maritime cybersecurity. BIMCO membership comes from more than 120 countries and represents approximately 60 percent of the global merchant fleet (measured by gross tonnage of the vessels). With headquarters in Copenhagen, BIMCO has been designated a nongovernmental organization (NGO) by the United Nations.
Chambers of Shipping
National chambers of shipping (COS), such as the Chamber of Shipping of America (CSA) and the United Kingdom’s Chamber of Shipping, are nongovernmental trade organizations representing the interests of a nation’s shipping companies. Approximately forty national COS organizations are members of the International Chamber of Shipping, representing the interests of the maritime industry to international regulatory and standards bodies.1 The organization strives to ensure the development, promotion, and application of best practices throughout the shipping industry, and works with key actors across the ecosystem and in the private and public sectors to do so.2 The International Chamber of Shipping holds consultative status with the IMO.
Classification (or class) societies are nongovernmental organizations that set and maintain technical standards related to the design, construction, and operation of ships and offshore structures.3 The primary focus of these standards is on a ship’s hull, propulsion and steering systems, power generation, and other systems related to a vessel’s operation. Class societies employ a program of inspection and certification to deliver a baseline reference point on ship safety and reliability for shipbuilders, brokers, operators, flag administrations, insurers, and the financial community. The International Association of Class Societies (IACS) has ten member organizations—including the American Bureau of Shipping (ABS), Bureau Veritas (BV, France), China Classification Society, Lloyd’s Register (United Kingdom), Nippon Kaiji Kyokai (ClassNK, Japan), and the Russian Maritime Register of Shipping—and some insurers require that a vessel have a class society certification before providing coverage.4 IACS issues advisory recommendations related to adopted resolutions: recommendation no. 166 addresses cyber resilience.5
Cybersecurity and Infrastructure Security Agency (CISA)
CISA is an agency within the DHS. Tasked with guiding public-sector cybersecurity strategies in the United States, CISA enhances cyber defense across all levels of government by coordinating state cybersecurity programs and improving the government’s ability to repel cyberattacks (ranging from ransomware to attacks on the supply chain).6 CISA is not an enforcement agency and has no enforcement branch; instead, it focuses on risk management and, working with public- and private-sector partners, shares threat intelligence and builds a more cyber-resilient infrastructure. CISA’s Cybersecurity Division addresses many physical and cyber threats, including ICS/OT and cyber-physical system (CPS) security.
Cybersecurity, Energy Security, and Emergency Response (CESER)
CESER is an office within the DOE tasked with enhancing and improving the US energy infrastructure and supporting DOE’s national security mission. By encouraging cooperation between industry, academia, DOE national laboratories, state and tribal governments, and other federal governmental agencies, CESER aims to build an energy infrastructure and supply chain that is resilient to natural and human-made threats and makes the US energy sector stronger and more secure. CESER’s projects include coordinating international cooperation, providing grant funding, offering training and operational support, and designing training exercises. Cybersecurity preparedness, information sharing, and incident response within the sector is emerging as a major task of the CESER office.
European Union Agency for Cybersecurity (ENISA)
Originally chartered in 2004 as the European Network and Information Security Agency, ENISA is the EU’s lead agency for common standards of cyber defense throughout Europe. With headquarters in Athens, ENISA activities include the development of cybersecurity policies, cybersecurity certification programs for IT products and services, information sharing, capacity building, and cyber-awareness training programs. Recognizing the importance of the maritime sector to the EU economy and society, along with the increased digitalization of maritime facilities, ENISA has taken an active role in the preparation of maritime cybersecurity guidelines for ports.
Information Sharing and Analysis Groups
Information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs) collect, process, analyze, interpret, and share actionable intelligence related to cyber and physical threats that are relevant to their particular mission. Their overarching goal is to assist their members to maintain relevant domain situational awareness.
ISACs were defined by presidential order in the United States in 1998, during the earliest efforts to define critical infrastructures and infrastructure protection. ISACs were designed to enhance private sector/public sector information sharing to aid critical infrastructure owners and operators—the vast majority of whom are in the private sector—to protect their facilities, employees, and customers against cyber and physical security threats.
The National Council of ISACs (NCI) is composed of twenty-five member ISACs, including the Maritime ISAC, the Oil and Natural Gas ISAC (ONG-ISAC), the Electricity ISAC (E-ISAC), and Maritime Transportation Sector ISAC (MTS-ISAC).
ISAOs were formed by a 2015 US presidential order to promote voluntary information sharing within industry sectors. The goal in establishing a group of ISAOs was to enhance threat-related information sharing among organizations that did not belong to an ISAC because they were not in a clearly defined infrastructure sector. The International Association of Certified ISAOs (IACI) comprises fifteen information-sharing organizations, including the Maritime and Port ISAO (MPS-ISAO).
International Maritime Organization (IMO)
The IMO is an agency of the United Nations, headquartered in London, with a mission to develop a regulatory framework for international shipping. Its primary roles address safety, environmental concerns, legal issues, security, and international technical cooperation. It is, perhaps, best known for the Safety of Life at Sea (SOLAS) Convention, a treaty first adopted in 1914 after the sinking of the Titanic, and the International Convention for the Prevention of Pollution from Ships (MARPOL), first adopted in 1983. In 2017, the IMO Maritime Safety Committee released a set of Maritime Cyber Risk Management recommendations for safety-management systems that IMO encouraged shippers to implement no later than the first annual verification of a vessel’s Document of Compliance and Safety Management in 2021; this resolution is known as IMO 2021.
Maritime insurance dates back to Edward Lloyd’s Coffee House in London, which opened in 1686. The coverage framework for ships and cargo is among the most mature in the insurance industry and covers damage or loss to vessels, terminals, cargo, and passengers. An increasing number of marine insurers require compliance with cyber-safety guidelines issued by class societies, the International Maritime Organization, and regulatory agencies.
National Institute of Standards and Technology (NIST)
NIST, a part of the Department of Commerce, is tasked with providing standards and guidelines for making the US technology base more secure. NIST’s Cybersecurity Framework, created in tandem with stakeholders across the public and private sectors, focuses on putting forward a voluntary framework for reducing cyber risks to critical infrastructure based on existing standards, guidelines, and practices. The framework is considered one of the best current standards programs out there and is utilized often throughout the MTS. The framework consists of three main components: the core, implementation tiers, and profiles.
The core focuses on providing an overarching set of desired cybersecurity activities and outcomes in common terms that are easy to understand, with the goal of helping organizations reduce their cyber risk. The implementation tiers assist these organizations in implementing these activities and outcomes by providing context for what this looks like operationally. The framework profiles aim to take this a step further by identifying key requirements and objectives for specific types of organizations.
North Atlantic Treaty Organization (NATO)
NATO was born with the signing of the North Atlantic Treaty in 1949, in the aftermath of the dark days of World War II. With headquarters in Brussels, Belgium, NATO has thirty member nations in Europe and North America. As a primarily military alliance, one of the most significant parts of the treaty is Article 5, the mutual defense clause, stating that an attack on one member country is an attack on all. This is a very controversial concept in these days of information warfare, where the very definition of cyberwar is not codified and an appropriate response in real space to an attack in cyberspace is not defined at all. To that end, NATO has established the Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, where research, training, and exercises are conducted in the areas of technology, strategy, operations, and law. One outcome from the CCDCOE is the Tallinn Manual, a comprehensive guide on how existing law applies to information operations in cyberspace. This manual itself is not law, but it is the nearest guidance that is available on what constitutes a war in cyberspace.
US Department of Homeland Security (DHS)
The DHS, formed after the 9/11 attacks, is a cabinet-level agency tasked with border security, immigration and customs, disaster management and response, cybersecurity, anti-terrorism, and other efforts to protect the public within US borders. DHS also oversees the CISA and the Coast Guard. DHS has funded a dozen Science and Technology (S&T) Centers of Excellence (COE) addressing a range of multidisciplinary technology solutions for homeland security. Of particular interest to maritime cybersecurity is the Maritime Security Center (MSC) at Stevens Institute of Technology.