When plotting a course on the open ocean, conditions rarely allow a navigator to chart a straight line home. Hazards below the surface of every ocean and the unpredictability of weather systems require a crew to consistently reassess the vessel’s position and adjust maneuvering to reach its destination safely. Both the captain and the crew are expected to navigate using all means available, a lens that should apply to approaching recommendations to reduce cybersecurity risks for the MTS as a whole: actors within the MTS must be capable of tapping into every available resource.
The approach to maritime cybersecurity must ultimately be holistic; even if every component of the MTS was cyber secure, the interconnection of the subsystems might not result in a secure MTS. Taking the steps necessary to build a secure maritime domain will require a better understanding of the cybersecurity-threat landscape, coupled with a segmented view of MTS infrastructure. This will allow developers, policy makers, owners, and regulators to match the best policy levers with particular maritime systems, and achieve better cybersecurity outcomes across the entire MTS.
This report puts forward twelve recommendations—split into three overarching themes—to help better secure all subsystems of the MTS from evolving cyber threats. First, stakeholders operating within the MTS must raise the baseline for cybersecurity across the maritime industry and shipping communities. Knowing is half the battle, and stakeholders must develop a sector-specific cyber risk framework, a global intelligence clearinghouse, and a common cyber-incident threat matrix, while pushing for an active, industry-wide vulnerability disclosure policy.
Second, MTS stakeholders must deepen their understanding of maritime cybersecurity and associated risks by building cross-sector linkages, especially through new professional and international exchanges between academia, industry, and government. Stakeholders must design MTS cyber-specific educational certifications to support these new workforce initiatives, with the goal of upskilling the industry and attracting talent into a cyber-aware MTS. Developers and the maritime industry must collaborate on eradicating systemic software vulnerabilities from MTS software. Lawmakers and regulators must complement these efforts by ensuring that MTS receive adequate resources to improve cybersecurity.
Third, executives and high-level stakeholders in the public and private sectors globally must prioritize cybersecurity as part of their broader risk management efforts, leveraging increased security measures and appropriate risk mitigations to help support long-term improvements in cybersecurity. MTS stakeholders should assess risk by relating their cybersecurity maturity to those of other sectors, like energy, better integrating cybersecurity with traditional maritime insurance coverage, and finally, improving cybersecurity proactively through multistakeholder simulations.
The bulk of these identified actions build on or integrate existing programs, such as the US Department of Energy-backed Cyber Testing for Resilient Industrial Control Systems (CyTRICS) program,1 run across four national labs and the Department of Transportation (DOT) Maritime Administration (MARAD) 2021 Port Infrastructure Development Program (PIDP).2 These programs are embedded in broader lines of policy effort and come with well-established relationships—both virtues over starting from scratch.
The maturity and effectiveness of contemporary approaches to cybersecurity in the MTS fail to reflect the vital role maritime transportation plays in supporting global commerce, diverse energy systems, and national security. Cyber threats will only continue to metastasize, accelerating both in quantity and consequence. Navigating through such turbulent waters requires an all-hands-on-deck approach—both in the United States and beyond—to improve the collective cybersecurity of the MTS.
Source: atlanticcouncil
