Maritime cyber risk refers to a measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.

Cyber risk management means the process of identifying, analysing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring or mitigating it to an acceptable level, considering the costs and benefits of actions taken to stakeholders.

The overall goal is to support safe and secure shipping, which is operationally resilient to cyber risks.

IMO guidance

IMO has issued MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management.

The guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities and include functional elements that support effective cyber risk management. The recommendations can be incorporated into existing risk management processes and are complementary to the safety and security management practices already established by IMO.

The Maritime Safety Committee, at its 98th session in June 2017, also adopted Resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems. The resolution encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.

Other guidance and standards

(IMO is not responsible for external content)

Guidelines on Cyber Security on board Ships issued by BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, OCIMF, IUMI and WORLD SHIPPING COUNCIL.

ISO/IEC 27001 standard on Information technology – Security techniques – Information security management systems – Requirements. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

United States National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework).

Source: imo


The U.S. Department of Homeland Security has awarded Port Canaveral a $908,015 grant to help the port beef up its security.

The port said the grant will help pay for a $1.2 million project to improve Port Canaveral’s risk prevention, threat mitigation and security response service capabilities.

The grant award comes at a time when threats against seaports are evolving and becoming more sophisticated.

Cary Davis, government relations director and general counsel for the American Association of Port Authorities, said that, “whether it’s attempted supply-chain disruption, sophisticated and coordinated cross-border attacks, or novel cyber-threats that transcend national borders, ports have security challenges like never before.”

Port Canaveral Chief Executive Officer John Murray said the grant Brevard County’s seaport is receiving “will help us invest in some new technologies to broaden our capabilities to protect our people and assets with an enhanced ability to detect and respond to threats.”

Port Canaveral has been the world’s second-busiest cruise port, behind PortMiami, in terms of passenger volume, although the coronavirus pandemic has halted multiday cruises since mid-March. Port Canaveral also has a multifaceted cargo sector, with an increasing business involving space-related components, including SpaceX rocket boosters.

The grant Port Canaveral received is part of Department of Homeland Security’s Federal Emergency Management Agency Port Security Grant Program.

Port Canaveral was one of more than 30 U.S. ports awarded fiscal year 2020 federal funding from FEMA’s $100 million Port Security Grant Program, which provides grants to ports on a competitive basis. Some of that money also goes to terminal operators, municipalities and policing entities throughout the country.

Davis said these grants are crucial to the nation’s seaports.

“The Port Security Grant Program protects our country, our workers and our supply chains,” Davis said. “Ports large and small use these grants to stay vigilant; to ‘harden’ their facilities and networks; and to prepare for attacks. Even though it’s grotesque and difficult, critical infrastructure ports are targeted daily by terrorists around the world.”

The program’s priority is to protect critical port infrastructure, enhance maritime domain awareness, improve portwide maritime security risk management, and maintain or re-establish maritime security mitigation protocols that support port recovery and resiliency capabilities.

This is the second major grant Port Canaveral has received for security projects in the last two years. In September 2018, Port Canaveral was awarded $1.15 million in federal and state grants for upgrades to its port security operations and cybersecurity detection and prevention systems.

Murray said ensuring the safety and securing of the port and surrounding community is a top priority.

Source: floridatoday


ABSG Consulting Inc. (ABS Consulting), a subsidiary of ABS focused on safety and risk management, and American Steamship Owners Mutual Protection and Indemnity Association, Inc. (the American Club) have joined forces to provide education, training and insurance guidance that address maritime cyber security.

As digital transformation in the maritime industry brings both opportunities and new challenges, owners and operators are relying more on smart technologies and operational data to drive decisions and run their businesses. Comprehensive cyber security programs are not only necessary to protect operations but are also critical to protect the overall safety of crew and the environment. More frequent cyber attacks, increased digitalization and emerging global regulatory focus are adding to immediate demands to address and reduce cyber risk across the industry’s value chain. Cyber security has become a business imperative and new measures will have an impact on how maritime vessels and facilities will be covered by insurers.

“The safety and security of our members is a priority. Having a better understanding of the tools available, the programs that can be implemented and the integration of these in the marine industry will help us provide better services to shipowners and charterers globally,” says Dr. William Moore, Director of Loss and Prevention at the American P&I Club. “The work we are going to do with ABS Consulting is going to help us identify how to enhance our policies, and the offerings we need to incorporate to improve the coverage and services we offer to our members.”

“Collaborating with the American Club to build education programs for their members and industry will give us a better understanding of the real challenges we are collectively facing,” says Ian Bramson, Global Head of Cyber Security of ABS Group. “This alliance enables us to develop the tools, training and services that support compliance and help ship owners and operators put protections in place to secure their vessels – from the design and construction phases through continuous operation over their service life.”
Source: tankeroperator


About the American Club
American Steamship Owners Mutual Protection and Indemnity Association, Inc. (the American Club) was established in New York in 1917. It is the only mutual Protection and Indemnity Club domiciled in the entire Americas and its headquarters are in New York, USA. The American Club has been successful in recent years in building on its U.S. heritage to create a truly international insurer with a global reach second-to-none in the industry. Day-to-day management of the American Club is provided by Shipowners Claims Bureau, Inc. also headquartered in New York. The Club is able to provide local service for its members across all time zones, communicating in a large number of different languages, and has subsidiary offices located in London, Piraeus, Hong Kong, Shanghai and Houston, plus a worldwide network of correspondents. The Club is a member of the International Group of P&I Clubs, a collective of 13 mutuals which together provide Protection and Indemnity insurance for some 90% of all world shipping.

P&I Insurance
Protection and Indemnity insurance (commonly referred to as “P&I”) provides cover to shipowners and charterers against third-party liabilities encountered in their commercial operations; typical exposures include damage to cargo, pollution, death/injury or illness of passengers or crew or damage to docks and other installations. Running in parallel with a ship’s hull and machinery cover, traditional P&I cover distinguishes itself from usual forms of marine insurance by being based on the not-for-profit principle of mutuality where Members of the Club are both the insurers and the assureds.

About ABS Group
ABSG Consulting Inc. (ABS Consulting) is part of ABS Group of Companies, Inc., a wholly owned subsidiary of ABS, one of the world’s leading marine and offshore classification societies. Through its operating subsidiaries, ABS Group provides data-driven risk and reliability solutions and technical services that help clients confirm the safety, integrity, quality and efficiency of critical assets and operations. Headquartered in Spring, Texas, ABS Group operates with more than 1,000 professionals in over 20 countries serving the marine and offshore, oil, gas and chemical, government and industrial sectors.

Source: en.portnews.ru

In the Spring Edition of ITNOW, I wrote an article on why we should be moving away from traditional cyber security and focussing on cyber mission assurance and cyber resiliency techniques. This meant framing cyber security in a manner that focussed on the outcomes the organisation needs to achieve with the preparedness to expect, and the ability to respond and recover in response to an adverse cyber effect.

NIST SP 800-160 defines cyber resiliency as: ‘the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.’

What do we mean by cyber safety?

Cyber safety is a relatively new term. For this article I use the definition given by The Royal Academy of Engineering in its March 2018 document ‘Cyber Safety and Resilience’: ‘the ability of digital systems to maintain adequate levels of safety during operation, including in the event of a cyberattack or accidental event, protecting life and property’.

What this means is that we have to understand, and incorporate into our risk assessment, the potential impact of a cyber event on the safe and secure operation of a safety-critical system, and therefore what controls and mitigations we need to introduce to ensure that the risk is as low as reasonably practicable (ALARP).

What this approach doesn’t cover is recognising the overlaps between cyber security and safety. We know all too well that we need to adopt an approach of layered security, or defence-in-depth, to protect and defend our systems, making it hard for our adversaries to achieve their goals. It would be wrong of us, however, to believe that we can stop every single attack. It is for this reason that our systems have to be resilient and have to be able to continue mission-essential functions during periods of attack. This means ensuring that these systems remain safe to operate and can continue their safety-critical functions.

So, what is new?

A key question you might ask is whether there is anything new in considering safety as part of the totality of cyber risk. The answer is quite simple: Yes. My major concern with current cyber security approaches is that they focus almost entirely on the risks to information, and therefore the risks this presents to the organisation (business objectives):

  • What is the risk to the confidentiality, integrity, and availability of the information?

My perspective is that very few organisations ask the (additional) key questions:

  • What is the risk to the system itself and the wider environment? (i.e. is it the system itself which is the target, rather than the information it processes?)
  • What is the risk to the people using the system or those who are reliant on its undisrupted operation?

With the rapidly increasing prevalence of the internet of things and cyber-physical systems, these questions need to be asked by all industrial sectors. Let’s not forget that it was the compromise of programmable logic controllers by Stuxnet that caused a series of centrifuges to rotate rapidly outside of their set parameters, resulting in their physical destruction. If that effect can be achieved on a standalone system, then what can happen on a networked system?

What is important is that I am not suggesting that organisations need to conduct considerably more work to understand the safety considerations of their systems, but instead they need to understand the potential hazards that may be introduced should safety-critical functions be disrupted due to a cyber event. Once these hazards have been identified they can be assured through existing cyber security standards and frameworks. The key is we need to ensure that our cyber systems are not just ‘Secure to Operate’ but also ‘Safe to Operate’.

For the purpose of this article, I’ve made the broad assumption that organisations have taken a system-level approach to understanding the overall threats to the organisation (system) rather than focussing on a component-driven approach and building up (further advice on this is available from the National Cyber Security Centre (NCSC)). Starting at the higher level of abstraction makes it easier to spot the similarities of H&S to cyber security and therefore identify cost and resource savings.

Why should an organisation care?

I’d urge you to read a short article written by Nick Richards in Tripwire during 2018, ‘Why Cyber security is the New Health and Safety’. Nick argues that in order to prevent the serious damage that could be caused by a cyber-attack, including the risks to individual safety, organisations should pay as much attention to cyber-security as they do to Health and Safety (H&S).

The ultimate aims of cyber-security and H&S are aligned. They are all designed to prevent loss to the organisation, its assets, and its personnel. There is another point to make which is that all assurance teams have an obligation to work together since all are trying to prevent the same types of losses albeit through different causes.

What happens if a building management system is compromised during a period when H&S is vital? The consequences of a ‘hack’ on this system which causes security doors and barriers to fail closed when they should fail open could be catastrophic. Ultimately, the H&S consequences directly relate to IT and mitigations should be employed with the input of both specialist functions.

It wouldn’t be an article on safety without mentioning the HSE

The TRITON malware, designed to disable safety-critical functions within an industrial setting, was discovered during 2017 within a Saudi Arabian petrochemical plant, although it was discovered and contained before it was able to do any actual damage. One aspect which may have enabled the intrusion is the convergence of IT and operational technology (OT). I’m not going to speculate on what vulnerabilities may have afforded access to the attackers in this instance; instead I’m going to say something that should be obvious. We need to understand the risks posed by the convergence of these different technologies, although they are beyond the scope of this article.

The NCSC recognise that there is a need to apply an integrated approach which adapts and applies best practice from both the safety and security communities. The 14 principles within the NCSC Cyber Assessment Framework (CAF) provide useful guidance for ‘organisations managing cyber-related risks to public safety’ (one of the three broad areas where the NCSC believe the guidance is useful).

We can’t talk about safety without mentioning the Health and Safety Executive (HSE). Back in March 2017, the HSE published its guidance OG86 ‘Cyber Security for Industrial Automation and Control Systems (IACS)’. Although this guidance is primarily aimed at HSE Inspectors, particularly around applying a consistent approach to regulation, this document is freely available to all organisations and provides useful guidance on how compliance might be achieved. If you know me, you know how much I hate a compliance-based approach as it encourages a ‘do-minimum’ mentality, but I fully support that this is guidance that takes us in the right direction.

International Maritime Organisation (IMO) resolution on cyber risk management

What has prompted me to write this article is the imminent enforcement of the International Maritime Organisation Resolution MSC.428(98) – ‘Maritime Cyber Risk Management in Safety Management Systems’. If you haven’t guessed from the title, what this resolution requires is that organisations within the maritime industry ensure that cyber risk is appropriately included within their respective safety and environmental management systems (SEMS). I’m not intending to go into the detail of the resolution, it is easily searchable on the IMO website. Instead, I want to focus on the core message.

We need to be able to ensure that we can safeguard shipping from cyber-attacks and have processes in place to improve resiliency for when these are successful. The IMO resolution provides a massive step forward as it allows shipping companies to simply complement existing safety and security management practices already established by the IMO with cyber risk management practices.

What we do need to remember is a ship may be in service for some decades and therefore will have been designed and built during a period when the cyber threat was different. That does not preclude the organisation, however, from having the appropriate policies and processes in place to respond to a cyber-event.

The resolution is an excellent step forward to ensuring that maritime organisations consider the impacts that cyber events could, and would likely have, on safety. The resolution, however, is not prescriptive on how this should be achieved but it does provide guidance on how a maritime organisation should approach the assessment of cyber risk. Interestingly, the supporting document MSC-FAL.1/Circ.3 maps some of the considerations, which are not exhaustive, to the NIST Cyber Security Framework function areas (identify, protect, detect, respond, recover).

You might sense a bit of repetition in this article, as this takes me back to an earlier point. I am not suggesting that organisations that already have cyber risk management processes have to conduct a significant amount of further work. Existing methodologies can be used to help assess the impacts that a cyber event can have on safety. This is possible through the use of ISO27001 and the NIST CSF, as well as other frameworks, to ensure that systems are both designed and operated in a manner that is safe and secure. They just have to be conducted and viewed through a safety lens; i.e. what would prevent that system from operating safely?

But another question I have is: has cyber been considered as part of the SEMS for the other sectors, namely rail, aviation and automotive? If the answer is that it hasn’t, then maybe it needs to be.

What is the takeaway?

Organisations need to ensure that both cyber security and cyber safety risks are understood and documented, and that processes are in place to manage these at a level which is ALARP for both H&S and security. The mitigations should be planned jointly to maximise effectiveness. The message is simple. Gone are the days of considering cyber security and H&S separately. We must follow an integrated approach that ensures that our systems are both secure and safe to operate.
Source: bcs


Nippon Kaiji Kyokai (“ClassNK”) joined the Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC) as part of a growing list of maritime community partners. This is an innovative relationship between the two nonprofit organizations aimed at strengthening vessel and shoreside cyber risk management. The partnership provides ClassNK with actionable insights from community-sourced cyber threat intelligence to reinforce ClassNK’s Cyber Security Guidelines to help prevent cyber incidents from negatively impacting the safety and security of maritime operations. ClassNK is the first classification society and the first non-U.S. organization to formally join the MTS-ISAC, helping broaden the reach of the MTS-ISAC’s efforts to support the maritime community.

Both vessel and shoreside cybersecurity efforts will be under increasing scrutiny starting in 2021. The International Maritime Organization (IMO) has a deadline of January 1, 2021 for Maritime Cyber Risk Management to be addressed in Safety Management Systems. Meanwhile, the U.S. Coast Guard will be inspecting Maritime Transportation Security Act of 2002 regulated facilities for cyber risk management efforts for the first time starting with annual inspections occurring on or after October 1, 2021. Both of these organizational efforts have signaled to maritime stakeholders that cybersecurity is a priority that must be addressed to ensure safe and secure MTS operations.

Hirofumi Takano, Executive Vice President at ClassNK, explains, “We have been working with the International Association of Classification Societies (IACS), maritime stakeholders and cyber security professionals to understand and promote cybersecurity best practices across the maritime transportation system (MTS). By joining the MTS-ISAC, we will have increased visibility to current, real-world examples of cyber threats targeting MTS stakeholders. This provides us an opportunity to reinforce how, and periodically update, ClassNK’s Cyber Security standards to provide our stakeholders with the latest security recommendations to protect their assets from cyber threats. With IMO 2021 right around the corner, this relationship is perfectly timed to add increasing value to our stakeholders, and we are excited to be a part of the active and growing MTS-ISAC community. We hope ClassNK stakeholders will quickly understand the value of this partnership.”

“We are excited that ClassNK is bringing a proactive, classification society perspective into the MTS-ISAC community,” adds Scott Dickerson, the MTS-ISAC’s Executive Director. “The MTS community’s resiliency is improved when we can quickly address cyber risks with meaningful cybersecurity controls. ClassNK joining the MTS-ISAC is a perfect example of how community partnerships provide win-win situations while reinforcing to stakeholders how the implementation of guidelines and recommended security controls can reduce their exposure to risks the community is actively seeing. The MTS-ISAC’s Board of Directors understands the importance of cyber risk prevention efforts and are supportive of the inclusion of class societies into our information sharing ecosystem as a key component to building a stronger culture of community cybersecurity.”

The MTS-ISAC, which was formed in February of this year, has seen rapid adoption of its Cybersecurity Information Sharing Services, and has produced a number of maritime cybersecurity advisories sourced from member shared information. The MTS-ISAC strives to incorporate best practices into their intelligence products so that MTS critical infrastructure stakeholders can be better protected. While ClassNK is the ISAC’s first international member, it anticipates additional international stakeholders to be joining the community.

Source: hellenicshippingnews.com

Maritime cyber attack!

Australian ferry and defense shipbuilder Austal reported Thursday that it has been hit by a cyberattack. An unknown offender managed to steal internal data, including some staff contact information and unspecified data affecting a “small number of stakeholders.” The firm emphasized that its ship design drawings for vendors and customers are neither sensitive nor classified, without specifying whether any drawings may have been taken.

Austal said that the attacker attempted to engage in extortion using the stolen information and tried to sell it online. In line with its company policy, Austal did not respond to extortion offers, the firm said.

The firm, which builds the U.S. Navy’s Independence-class Littoral Combat Ship and the Expeditionary Fast Transport, said that there were no indications that the data breach had national security implications. “Austal’s business in the United States is unaffected by this issue as the computer systems are not linked,” the company said.

The Australian Cyber Security Centre and the Australian Federal Police are investigating the attack, and the Australian Department of Defence is providing technical assistance. “This incident reinforces the serious nature of the cyber security threat faced by defence industry, and the need for industry partners to put in place, and maintain, strong cyber defences,” said the Department of Defence in a statement. Austal holds the contract to build and maintain two patrol boat classes for Australian military and government operators.

Austal said that the attack had no effect on its day-to-day operations, and that its data systems have been secured and brought fully back online.

Source – Read full article
