Maritime cyber risk refers to a measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.

Cyber risk management means the process of identifying, analysing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring or mitigating it to an acceptable level, considering costs and benefits of actions taken to stakeholders

The overall goal is to support safe and secure shipping, which is operationally resilient to cyber risks.

IMO guidance

IMO has issued MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management.

The guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities and include functional elements that support effective cyber risk management. The recommendations can be incorporated into existing risk management processes and are complementary to the safety and security management practices already established by IMO.

The Maritime Safety Committee, at its 98th session in June 2017, also adopted Resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems. The resolution encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.

Other guidance and standards

(IMO is not responsible for external content)

Guidelines on Cyber Security on board Ships issued by BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, OCIMF, IUMI and WORLD SHIPPING COUNCIL.

ISO/IEC 27001 standard on Information technology – Security techniques – Information security management systems – Requirements. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

United States National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework).

Source: imo


The U.S. Department of Homeland Security has awarded Port Canaveral a $908,015 grant to help the port beef up its security.

The port said the grant will help pay for a $1.2 million project to improve Port Canaveral’s risk prevention, threat mitigation and security response service capabilities.

The grant award comes at a time when threats against seaports are evolving and becoming more sophisticated.

Cary Davis, government relations director and general counsel for the American Association of Port Authorities, said that, “whether it’s attempted supply-chain disruption, sophisticated and coordinated cross-border attacks, or novel cyber-threats that transcend national borders, ports have security challenges like never before.”

Port Canaveral Chief Executive Officer John Murray said the grant Brevard County’s seaport is receiving “will help us invest in some new technologies to broaden our capabilities to protect our people and assets with an enhanced ability to detect and respond to threats.”

Port Canaveral has been the world’s second-busiest cruise port, behind PortMiami, in terms of passenger volume, although the coronavirus pandemic has halted multiday cruises since mid-March. Port Canaveral also has a multifaceted cargo sector, with an increasing business involving space-related components, including SpaceX rocket boosters.

The grant Port Canaveral received is part of Department of Homeland Security’s Federal Emergency Management Agency Port Security Grant Program.

Port Canaveral was one of more than 30 U.S. ports awarded fiscal year 2020 federal funding from FEMA’s $100 million Port Security Grant Program, which provides grants to ports on a competitive basis. Some of that money also goes to terminal operators, municipalities and policing entities throughout the country.

Davis said these grants are crucial to the nation’s seaports.

“The Port Security Grant Program protects our country, our workers and our supply chains,” Davis said. “Ports large and small use these grants to stay vigilant; to ‘harden’ their facilities and networks; and to prepare for attacks. Even though it’s grotesque and difficult, critical infrastructure ports are targeted daily by terrorists around the world.”

The program’s priority is to protect critical port infrastructure, enhance maritime domain awareness, improve portwide maritime security risk management, and maintain or re-establish maritime security mitigation protocols that support port recovery and resiliency capabilities.

This is the second major grant Port Canaveral has received for security projects in the last two years. In September 2018, Port Canaveral was awarded $1.15 million in federal and state grants for upgrades to its port security operations and cybersecurity detection and prevention systems.

Murray said ensuring the safety and securing of the port and surrounding community is a top priority.

Source: floridatoday


ABSG Consulting Inc. (ABS Consulting), a subsidiary of ABS focused on safety and risk management, and American Steamship Owners Mutual Protection and Indemnity Association, Inc. (the American Club) have joined forces to provide education, training and insurance guidance that address maritime cyber security.

As digital transformation in the maritime industry brings both opportunities and new challenges, owners and operators are relying more on smart technologies and operational data to drive decisions and run their businesses. Comprehensive cyber security programs are not only necessary to protect operations but are also critical to protect the overall safety of crew and the environment. More frequent cyber attacks, increased digitalization and emerging global regulatory focus are adding to immediate demands to address and reduce cyber risk across the industry’s value chain. Cyber security has become a business imperative and new measures will have an impact on how maritime vessels and facilities will be covered by insurers.

 

“The safety and security of our members is a priority. Having a better understanding of the tools available, the programs that can be implemented and the integration of these in the marine industry will help us provide better services to shipowners and charterers globally,” says Dr. William Moore, Director of Loss and Prevention at the American P&I Club. The work we are going to do with ABS Consulting is going to help us identify how to enhance our policies, and the offerings we need to incorporate to improve the coverage and services we offer to our members.”

 

“Collaborating with the American Club to build education programs for their members and industry will give us a better understanding of the real challenges we are collectively facing,” says Ian Bramson, Global Head of Cyber Security of ABS Group. “This alliance enables us to develop the tools, training and services that support compliance and help ship owners and operators put protections in place to secure their vessels – from the design and construction phases through continuous operation over their service life.”
Source: tankeroperator


ABSG Consulting Inc. (ABS Consulting), a subsidiary of ABS focused on safety and risk management, and American Steamship Owners Mutual Protection and Indemnity Association, Inc. (the American Club) have joined forces to provide education, training and insurance guidance that address maritime cyber security.

As digital transformation in the maritime industry brings both opportunities and new challenges, owners and operators are relying more on smart technologies and operational data to drive decisions and run their businesses. Comprehensive cyber security programs are not only necessary to protect operations but are also critical to protect the overall safety of crew and the environment. More frequent cyber attacks, increased digitalization and emerging global regulatory focus are adding to immediate demands to address and reduce cyber risk across the industry’s value chain. Cyber security has become a business imperative and new measures will have an impact on how maritime vessels and facilities will be covered by insurers.

“The safety and security of our members is a priority. Having a better understanding of the tools available, the programs that can be implemented and the integration of these in the marine industry will help us provide better services to shipowners and charterers globally,” says Dr. William Moore, Director of Loss and Prevention at the American P&I Club. The work we are going to do with ABS Consulting is going to help us identify how to enhance our policies, and the offerings we need to incorporate to improve the coverage and services we offer to our members.”

“Collaborating with the American Club to build education programs for their members and industry will give us a better understanding of the real challenges we are collectively facing,” says Ian Bramson, Global Head of Cyber Security of ABS Group. “This alliance enables us to develop the tools, training and services that support compliance and help ship owners and operators put protections in place to secure their vessels – from the design and construction phases through continuous operation over their service life.”

About the American Club
American Steamship Owners Mutual Protection and Indemnity Association, Inc. (the American Club) was established in New York in 1917. It is the only mutual Protection and Indemnity Club domiciled in the entire Americas and its headquarters are in New York, USA. The American Club has been successful in recent years in building on its U.S. heritage to create a truly international insurer with a global reach second-to-none in the industry. Day-to-day management of the American Club is provided by Shipowners Claims Bureau, Inc. also headquartered in New York. The Club is able to provide local service for its members across all time zones, communicating in a large number of different languages, and has subsidiary offices located in London, Piraeus, Hong Kong, Shanghai and Houston, plus a worldwide network of correspondents. The Club is a member of the International Group of P&I Clubs, a collective of 13 mutuals which together provide Protection and Indemnity insurance for some 90% of all world shipping.

P&I Insurance
Protection and Indemnity insurance (commonly referred to as “P&I”) provides cover to shipowners and charterers against third-party liabilities encountered in their commercial operations; typical exposures include damage to cargo, pollution, death/injury or illness of passengers or crew or damage to docks and other installations. Running in parallel with a ship’s hull and machinery cover, traditional P&I cover distinguishes itself from usual forms of marine insurance by being based on the not-for-profit principle of mutuality where Members of the Club are both the insurers and the assureds.

About ABS Group
ABSG Consulting Inc. (ABS Consulting) is part of ABS Group of Companies, Inc., a wholly owned subsidiary of ABS, one of the world’s leading marine and offshore classification societies. Through its operating subsidiaries, ABS Group provides data-driven risk and reliability solutions and technical services that help clients confirm the safety, integrity, quality and efficiency of critical assets and operations. Headquartered in Spring, Texas, ABS Group operates with more than 1,000 professionals in over 20 countries serving the marine and offshore, oil, gas and chemical, government and industrial sectors.

Source:
en.portnews.ru

In the Spring Edition of ITNOW, I wrote an article on why we should be moving away from traditional cyber security and focussing on cyber mission assurance and cyber resiliency techniques. This meant framing cyber security in a manner that focussed on the outcomes the organisation needs to achieve with the preparedness to expect, and the ability to respond and recover in response to an adverse cyber effect.

NIST SP 800-160 defines cyber resiliency as: ‘the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.’

What do we mean by cyber safety?

Cyber Safety is a relatively new term but for this article The Royal Academy of Engineering, in their March 2018 document ‘Cyber Safety and Resilience’, defines cyber safety as ‘the ability of digital systems to maintain adequate levels of safety during operation, including in the event of a cyberattack or accidental event, protecting life and property’.

What this means is we have to understand and incorporate into our risk assessment, a consideration of what the potential impact is of a cyber event on the safe and secure operation of a safety-critical system, and therefore what controls and mitigations we need to introduce to ensure that the risk is as low as reasonably practical (ALARP).

What this approach doesn’t cover is recognising the overlaps between cyber security and Safety. We know all too well that we need to adopt an approach of layered security, or defence-in-depth, to protect and defend our systems; making it hard for our adversaries to achieve their goals. It would be wrong of us, however, to believe that we can stop every single attack. It is for this reason why our systems have to be resilient and have to be able to continue mission-essential functions during periods of attack. This means ensuring that these systems remain safe to operate and can continue their safety-critical functions. Starting at the higher level of abstraction makes it easier to spot the similarities of H&S to cyber security and therefore identify cost and resource savings.

So, what is new?

A key question you might ask is whether there is anything new by considering safety as part of the totality of cyber risk. The answer is quite simple: Yes. My major concern with current cyber security approaches is that they focus almost entirely on the risks to information, and therefore the risks this presents to the organisation (business objectives):

  • What is the risk to the confidentiality, integrity, and availability of the information? My perspective is that very few organisations ask the (additional) key questions:
  • What is the risk to the system itself and the wider environment? (I.e. Is it the system itself which is the target, rather than it information it processes?)
  • What is the risk to the people using the system or those who are reliant on its undisrupted operation?

With the rapidly increasing prevalence of the internet of things and cyber-physical systems, this consideration needs to be considered by all industrial sectors. Let’s not forget that it was the compromise of programmable logic controls by Stuxnet that caused a series of centrifuges to rotate rapidly outside of their set parameters resulting in their physical destruction. If that effect can be achieved on a standalone system, then what can happen on a networked system?

What is important is that I am not suggesting that organisations need to conduct considerably more work to understand the safety considerations of their systems, but instead they need to understand the potential hazards that may be introduced should safety-critical functions be disrupted due to a cyber event. Once these hazards have been identified they can be assured through existing cyber security standards and frameworks. The key is we need to ensure that our cyber systems are not just ‘Secure to Operate’ but also ‘Safe to Operate’.

For the purpose of this article, I’ve made the broad assumption that organisation have taken a system-level approach to understanding the overall threats to the organisation (System) rather than focussing on a component-driven approach and building up (further advice on this is available from the National Cyber Security Centre (NCSC). Starting at the higher level of abstraction makes it easier to spot the similarities of H&S to cyber security and therefore identify cost and resource savings.

Why should an organisation care?

I’d urge you to read a short article written by Nick Richards in Tripwire during 2018 ‘Why Cyber security is the New Health and Safety’ Nick argues that in order to prevent serious damage that could be caused by a cyber-attack, including the risks to individual safety, organisations should pay as much attention to cyber-security as they do to Health and Safety (H&S).

The ultimate aims of cyber-security and H&S are aligned. They are all designed to prevent loss to the organisation, its assets, and its personnel. There is another point to make which is that all assurance teams have an obligation to work together since all are trying to prevent the same types of losses albeit through different causes.

What happens if a building management system is compromised during a period when H&S is vital? The consequences of a ‘hack’ on this system which causes security doors and barriers to fail closed when they should fail open could be catastrophic. Ultimately, the H&S consequences directly relate to IT and mitigations should be employed with the input of both specialist functions.

It wouldn’t be an article on safety without mentioning the HSE

The TRITON malware, designed to disable safety-critical functions within the industrial setting, was discovered during 2017 within a Saudi Arabian petrochemical plant. Although the malware was discovered and contained before it was able to do any actual damage. One aspect which may have enabled this is the convergence of IT and operational technology (OT). I’m not going to speculate on what vulnerabilities may have afforded access to the attackers in this instance, instead I’m going to say something that should be obvious. We need to understand the risks posed by the convergence of these different technologies; that are beyond the scope of this article.

The NCSC recognise that there is a need to apply an integrated approach which adapts and applies best practice from both the safety and security communities. The 14 principles within the NCSC Cyber Assessment Framework (CAF) provides useful guidance for ‘organisations managing cyber-related risks to public safety’ (one of the three broad areas where NCSC believe the guidance is useful).

We can’t talk about safety without mentioning the Health and Safety Executive (HSE). Back in March 2017, the HSE published its guidance OG86 ‘Cyber Security for Industrial Automation and Control Systems (IACS)’. Although this guidance is primarily aimed at HSE Inspectors, particularly around applying a consistent approach to regulation, this document is freely available to all organisations and provides useful guidance on how compliance might be achieved. If you know me, you know how much I hate a compliance-based approach as it encourages a ‘do-minimum’ mentality, but I fully support that this is guidance that takes us in the right direction.

International Maritime Organisation (IMO) resolution on cyber risk management

What has prompted me to write this article is the imminent enforcement of the International Maritime Organisation Resolution MSC.428(98) – ‘Maritime Cyber Risk Management in Safety Management Systems’. If you haven’t guessed from the title, what this resolution requires is that organisations within the maritime industry ensure that cyber risk is appropriately included within their respective safety and environmental management systems (SEMS). I’m not intending to go into the detail of the resolution, it is easily searchable on the IMO website. Instead, I want to focus on the core message.

We need to be able to ensure that we can safeguard shipping from cyber-attacks and have processes in place to improve resiliency for when these are successful. The IMO resolution provides a massive step forward as it allows shipping companies to simply complement existing safety and security management practices already established by the IMO with cyber risk management practices.

What we do need to remember is a ship may be in service for some decades and therefore will have been designed and built during a period when the cyber threat was different. That does not preclude the organisation, however, from having the appropriate policies and processes in place to respond to a cyber-event.

The resolution is an excellent step forward to ensuring that maritime organisations consider the impacts that cyber events could, and would likely have, on safety. The resolution, however, is not prescriptive on how this should be achieved but it does provide guidance on how a maritime organisation should approach the assessment of cyber risk. Interestingly, the supporting document MSC-FAL.1/Circ.3 maps some of the considerations, which are not exhaustive, to the NIST Cyber Security Framework function areas (identify, protect, detect, respond, recover).

You might sense a bit of repetition in this article as this takes me back to an earlier point. I am not suggesting that organisations that already have cyber risk management processes have to conduct a significant amount of further work. Existing methodologies can be used to help assess the impacts that a cyber event can help on safety. This is possible through the use of ISO27001 and the NIST CSF, as well as other frameworks, to ensure that systems are both designed and operate in a manner that is safe and secure. They just have to be conducted and viewed through a safety lens; i.e. what would prevent that system from operating safety?

But another question I have is: Has cyber been considered as apart of the SEMS for the other sectors, namely rail, aviation, automotive? If the answer is they haven’t, then maybe they need to.

What is the takeaway?

Organisations need to ensure that both cyber security and cyber safety risks are understood, documented, and ensure that processes are in place to manage these at a level which is ALARP for both H&S and security. The mitigations should be planned jointly to maximise effectiveness. The message is simple. Gone are the days of considering cyber security and H&S separately. We must ensure that we follow an integrated approach that ensures that our systems are both secure and safe to operate.
Source: bcs


Nippon Kaiji Kyokai (“ClassNK”) joined the Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC) as part of a growing list of maritime community partners. This is an innovative relationship between the two nonprofit organizations aimed at strengthening vessel and shoreside cyber risk management. The partnership provides ClassNK with actionable insights from community-sourced cyber threat intelligence to reinforce ClassNK’s Cyber Security Guidelines to help prevent cyber incidents from negatively impacting the safety and security of maritime operations. ClassNK is the first classification society and the first non-U.S. organization to formally join the MTS-ISAC, helping broaden the reach of the MTS-ISAC’s efforts to support the maritime community.

Both vessel and shoreside cybersecurity efforts will be under increasing scrutiny starting in 2021. The International Maritime Organization (IMO) has a deadline of January 1, 2021 for Maritime Cyber Risk Management to be addressed in Safety Management Systems. Meanwhile, the U.S. Coast Guard will be inspecting Maritime Transportation Security Act of 2002 regulated facilities for cyber risk management efforts for the first time starting with annual inspections occurring on or after October 1, 2021. Both of these organizational efforts have signaled to maritime stakeholders that cybersecurity is a priority that must be addressed to ensure safe and secure MTS operations.

Hirofumi Takano, Executive Vice President at ClassNK, explains, “We have been working with the International Association of Classification Societies (IACS), maritime stakeholders and cyber security professionals to understand and promote cybersecurity best practices across the maritime transportation system (MTS). By joining the MTS-ISAC, we will have increased visibility to current, real-world examples of cyber threats targeting MTS stakeholders. This provides us an opportunity to reinforce how, and periodically update, ClassNK’s Cyber Security standards to provide our stakeholders with the latest security recommendations to protect their assets from cyber threats. With IMO 2021 right around the corner, this relationship is perfectly timed to add increasing value to our stakeholders, and we are excited to be a part of the active and growing MTS-ISAC community. We hope ClassNK stakeholders will quickly understand the value of this partnership.”

“We are excited that ClassNK is bringing a proactive, classification society perspective into the MTS-ISAC community,” adds Scott Dickerson, the MTS-ISAC’s Executive Director. “The MTS community’s resiliency is improved when we can quickly address cyber risks with meaningful cybersecurity controls. ClassNK joining the MTS-ISAC is a perfect example of how community partnerships provide win-win situations while reinforcing to stakeholders how the implementation of guidelines and recommended security controls can reduce their exposure to risks the community is actively seeing. The MTS-ISAC’s Board of Directors understands the importance of cyber risk prevention efforts and are supportive of the inclusion of class societies into our information sharing ecosystem as a key component to building a stronger culture of community cybersecurity.”

The MTS-ISAC, which was formed in February of this year, has seen rapid adoption of its Cybersecurity Information Sharing Services, and has produced a number of maritime cybersecurity advisories sourced from member shared information. The MTS-ISAC strives to incorporate best practices into their intelligence products so that MTS critical infrastructure stakeholders can be better protected. While ClassNK is the ISAC’s first international member, it anticipates additional international stakeholders to be joining the community.

Source:
hellenicshippingnews.com

Maritime Cyber attack !

Australian ferry and defense shipbuilder Austal reported Thursday that it has been hit by a cyberattack. An unknown offender managed to steal internal data, including some staff contact information and unspecified data affecting a “small number of stakeholders.” The firm emphasized that its ship design drawings for vendors and customers are neither sensitive nor classified, without specifying whether any drawings may have been taken.

Austal said that the attacker attempted to engage in extortion using the stolen information and tried to sell it online. In line with its company policy, Austal did not respond to extortion offers, the firm said.

The firm, which builds the U.S. Navy’s Independence-class Littoral Combat Ship and the Expeditionary Fast Transport, said that there were no indications that the data breach had national security implications. “Austal’s business in the United States is unaffected by this issue as the computer systems are not linked,” the company said.

The Australian Cyber Security Centre and the Australian Federal Police are investigating the attack, and the Australian Department of Defence is providing technical assistance. “This incident reinforces the serious nature of the cyber security threat faced by defence industry, and the need for industry partners to put in place, and maintain, strong cyber defences,” said the Department of Defence in a statement. Austal holds the contract to build and maintain two patrol boat classes for Australian military and government operators.

Austal said that the attack had no effect on its day-to-day operations, and that its data systems have been secured and brought fully back online.

Source – Read full article


Company DETAILS

SHIP IP LTD
VAT:BG 202572176
Rakovski STR.145
Sofia,
Bulgaria
Phone ( +359) 24929284
E-mail: sales(at)shipip.com

ISO 9001:2015 CERTIFIED