Please adhere to online etiquette during our presentations. We kindly ask you to mute your microphone and video upon joining the link and to use the Chat application for any questions, which will be addressed by the speaker at the end of the presentation. We suggest dialling in at least 5 mins before the start of the webinar.

Please note that any recording of this event will be available post-event in DropBox format, subject to speaker authorisation.

Protecting Maritime Assets in a Cyber World delves into the biosphere of cyber-security in the maritime industry. Due to the challenges posed to the maritime industry, including ports, terminals, ships, refineries, and support systems, which are vital components of all nations’ critical infrastructure, national security, and economies, these parties look to insurance as a way to “fill the gap”. This is because cyberattacks on industrial control systems could kill or injure workers, damage equipment, expose the public and the environment to harmful pollutants, and lead to extensive economic damage. The loss of ship and cargo scheduling systems could substantially slow cargo operations in ports, leading to backups across the transportation system. A less overt cyberattack could facilitate the smuggling of people, weapons of mass destruction, or other contraband into a country.

Many cyber security experts believe attacks on maritime-related infrastructure have increased by over 900%. Because there are as many potential avenues for cyber damage in the maritime sector as there are cyber systems, all stakeholders must identify and prioritize risks, take this threat seriously, and work together to improve our collective defenses. Fortunately, the process for doing so is parallel in structure to that of other security and safety efforts: assess risk, adopt measures to reduce that risk, assess progress, revise, and continue. These processes, taken together, can significantly improve an organization’s risk reduction efforts and increase resilience through continuity of business planning. This includes implementing IMO 2021 (along with specific flag state guidance), under which, on the first annual verification of a shipping company’s Document of Compliance (DOC), cybersecurity will be part of the safety management audit, and a shipping company must demonstrate that appropriate measures for handling cyber risk are an integral part of its safety management system.

At this market briefing, our speakers will explore cyber security issues within the maritime industry and case examples for study, and discuss the keys to cyber security planning and cyberattack “avoidance”.

 

Source: iua.co.uk


Seaports are fixed infrastructures of maritime transportation systems. Through Industry 3.0 and Industry 4.0, ports have faced a digital transformation based on networked cyber-physical systems in order to become part of smart and intelligent transportation systems. However, besides the advantages, this transformation has brought cyber security gaps and threats which can result in breakdowns in the maritime transportation domain. Therefore, ports and port facilities should be prepared for cyber threats through holistic risk assessment frameworks for developing proactive actions. Based on these facts, this study has proposed to apply an integrated cyber risk assessment method for a container port with a cyber-physical perspective through analyzing four exemplary cyber-attack scenarios. For each cyber-attack scenario, a risk assessment methodology has been applied using an integrated cyber security management approach by taking into account the cyber-physical assets of the container port. Results show that for the specified cyber threats, the risks have been evaluated as not acceptable. Mitigation strategies have also been presented briefly in the conclusion.

 

Source: sciencedirect


The Department of Homeland Security (DHS) plans to spend more than $7 billion on its portfolio of major acquisition programs—with life-cycle costs over $300 million— in fiscal year 2021 to help execute its many critical missions.

Since 2015, the Government Accountability Office (GAO) has reviewed DHS’s major acquisitions on an ongoing basis. In its January 19 report, GAO notes both positive actions taken and areas of concern from its sixth review.

As of September 2020, 19 of the 24 DHS programs GAO assessed that had DHS-approved acquisition program baselines were meeting their currently established goals. However, of the 24 programs, ten had been in breach of their cost or schedule goals, or both, at some point during fiscal year 2020. A few programs experienced breaches related to external factors, such as the COVID-19 pandemic, while others breached their baseline goals because of acquisition management issues. Five of these programs rebaselined to increase costs or delay schedules, but the remaining five were still in breach status as of September 2020. These were the National Cybersecurity Protection System program ($5,908 million), the Homeland Advanced Recognition Technology program ($3,923 million), the Grants Management Modernization program ($289 million), the National Bio Agro-Defense Facility program ($1,298 million), and the Medium Range Surveillance Aircraft program ($15,187 million). All were in breach of schedule. The Homeland Advanced Recognition Technology and Grants Management Modernization programs were also found to be in breach of cost.

GAO’s review also found that some of the 19 programs that were meeting their currently established goals are at risk of future cost growth or schedule slips.

U.S. Customs and Border Protection’s (CBP) Border Wall System Program is at risk for additional schedule slips as a result of continuing issues acquiring land necessary to construct the border wall. Specifically, program officials told GAO that as a result of the outbreak of COVID-19 and social distancing requirements, there have been challenges meeting with land owners. In addition, some courts have been closed, which limits the ability to search county records and hold hearings related to land possession. CBP’s Integrated Fixed Tower program is also at risk of additional schedule slips, which officials attribute in part to time needed to allow for the preservation of archaeological sites that were uncovered while building access roads to tower sites.

GAO found that the U.S. Coast Guard’s Polar Security Cutter will likely experience a schedule slip because planned delivery of the lead ship is two months after its acquisition program baseline (APB) threshold date. Further, during a briefing to Coast Guard leadership in April 2020, program officials reported that the program’s aggressive schedule continues to be one of its most significant risks. In September 2020, DHS officials told GAO that the program plans to rebaseline in late calendar year 2020 or early 2021 to update its cost and schedule goals based on contractor information not available when the baseline was established.

In addition, Coast Guard’s Offshore Patrol Cutter is at risk of additional schedule slips and cost growth. GAO reported in October 2020 that the Offshore Patrol Cutter program “continues to move forward in the acquisition process with an immature design as well as cost and schedule risks”. After the shipbuilder requested relief from certain requirements under contract following widespread disruptions from Hurricane Michael in October 2018, the Coast Guard divided the program into two stages and a revised baseline in March 2020. Under this revised plan, the current shipbuilder will build up to four cutters in the first stage, while the acquisition of the remaining 21 cutters will be awarded under one or more new contracts in fiscal year 2022 in the second stage. GAO notes however that the program’s revised baseline does not include a schedule or a refined cost estimate that fully account for these changes.

The COVID-19 pandemic has inevitably put a spanner in several acquisition efforts. For example, CBP’s Biometric Entry-Exit and U.S. Citizenship and Immigration Services’ Transformation programs reported shortfalls in fees the government collects from immigration services that are used to fund these programs. According to officials, collection of fees for these services has been significantly reduced, in part because of the COVID-19 pandemic. CBP officials told GAO that they have prior year funding available to mitigate funding shortfalls in fiscal year 2020, but they are coordinating with component and DHS officials to address anticipated funding gaps in fiscal year 2021. Similarly, Transformation program officials said they are coordinating with U.S. Citizenship and Immigration Services officials and also are assessing staffing needs based on workload and fees collected.

In other instances, programs reported that social distancing requirements—the practice of maintaining physical distance from others and avoiding large gatherings to reduce the rate of infectious diseases— as well as travel restrictions have resulted in schedule delays and limited the ability of some contractors to perform work as expected. For example, the Cybersecurity and Infrastructure Security Agency’s Next Generation Networks – Priority Services program reported delays in testing due to social distancing requirements, which limited the number of officials allowed within lab spaces.

Meanwhile, the Transportation Security Administration’s (TSA) Electronic Baggage Screening Program reported delays in testing due to social distancing requirements. According to program officials, the TSA Systems Integration Facility prioritized testing of certain technologies, but the delays have not had a significant effect on the program’s schedule.

During the course of its sixth review, the watchdog found that supplemental guidance for the development of acquisition documents generally aligned with requirements in DHS’s acquisition management policy. However, its report notes that “guidance for developing acquisition documentation in DHS’s Systems Engineering Life Cycle Instruction and accompanying Guidebook does not reflect current requirements in DHS’s acquisition management policy”. DHS officials told GAO that the information related to development of acquisition documents—including the systems engineering life cycle tailoring plan—should be consistent across all of DHS’s policies, instructions, and guidebooks.

The Joint Explanatory Statement accompanying a bill to the DHS Appropriations Act, 2019, directed DHS to provide quarterly briefings on summary ratings for all major acquisition programs. While GAO found that DHS is meeting this direction with summary ratings, the ratings do not include contextual information, such as programs’ cost, schedule, or performance risks. Without more information on the current status of DHS’s major acquisition programs and the risks these programs are facing that might affect future performance, congressional decision makers lack key information to inform their critical oversight responsibilities and budgetary decisions.

GAO is making one recommendation for DHS to align acquisition guidance with policy – with which DHS concurs – and one matter for Congress to consider: determining what additional information it needs to perform oversight.

 

Source: hstoday


Navarino’s new Prodigy hybrid service, which combines Intelsat FlexMaritime’s network over a 1m v100 Intellian antenna and the L-band network by Iridium Certus, has been installed on a Millenia Maritime chemical tanker in Piraeus. Six vessels of the seven-vessel fleet are now under the support of Navarino’s FX service.

Millenia has mostly been using the newly installed service for file sync applications, Infinity Mail, and smart relays, with 5 PCs from the IT side connected to the business network.

“Until now, everything has been stable. We had some opportunities to make some calls and already we see that call quality is amongst the clearest we have experienced,” said Mr Ioannis Rizos, Millenia’s IT manager.

For the crew of the Futura, Millenia offers 50 MB data PINs presently in order to grant them internet access in a controlled manner, and in the near future will introduce the Infinity time-limited data PINs which control internet usage onboard with time quotas to ensure that the vessel’s connectivity is not constantly being used for non-business purposes.

When asked about what appealed the most about Prodigy and the reason for investing into the newer parts of Navarino’s product portfolio, Mr Rizos said both cost efficiency and technology.

Prodigy provides no minimum contract durations and no early termination fees, as well as three levels of the service to suit the specific needs of each shipping company. Technology was also cited by Mr Rizos as a key driver.

Navarino’s other newest service, Spectrum – a real-time, centralised, detailed listing and health monitor for a vessel’s IT and OT infrastructure and equipment – was also installed onboard. Mr Rizos said, “Spectrum is a very well-designed tool which is especially useful for when we need to show vessel inspectors the onboard OT inventory. This is a big plus of the Spectrum service as these inspections are a TMSA requirement which Spectrum allows us to comply with in a very easy to access, presentable format.”

Navarino’s account manager for Millenia Maritime, Ioannis Brougiannakis, said: “Our Prodigy service combines Intelsat’s FlexMaritime network of KU satellites with Iridium Certus, the fastest L-band network, for a new concept in connectivity. Prodigy offers connectivity as a managed service and by combining it with Infinity which acts as the ‘brain’ of the system we are able to offer Millenia a highly robust experience in terms of internet access and overall connectivity. We all know that reliable links with shore are vital in today’s industry to ensure operational efficiency, crew welfare and vessel safety. Especially now during these very difficult pandemic-affected times, crewmembers often stay onboard for many months so the need to keep in touch with their families ashore makes reliable connectivity services more important than ever.

“With Prodigy we enable our customers to configure their connectivity to their exact requirements, while at the same time we increase the value for our customers by giving them the chance to freely upgrade/downgrade between the 3 main packages we offer, namely Entry, Business and Premium without downgrade penalties.”

Source: thedigitalship


NORMA Cyber was formally opened on 1 January 2021. The centre will provide cyber security services to Norwegian shipping, and several shipowners have already become members. “We have experienced great interest from the shipping and maritime industries, and the ambition is to give Norwegian shipping an international competitive advantage as digitalisation in shipping picks up speed,” says Lars Benjamin Vold, Managing Director of NORMA Cyber.

Almost all marine operations are dependent on global networks – on the ship, in port or with the cargo, from navigation and planning to environmental and regulatory compliance. These connections can be compromised by cyber attacks, and it is necessary to detect and limit these attacks in order to avoid major consequences.

“We offer our members a framework for efficient information sharing, as well as different proactive cyber security services. In this arena, it is obvious that you are more efficient if you manage to collaborate on security issues. Norwegian shipping and the maritime industry have long traditions when it comes to cooperation and information exchange within security and contingency preparedness, and I am convinced that we will be able to continue that work within cyber security,” says Vold.

Several shipping companies and maritime companies have now joined NORMA Cyber, a joint initiative of the Norwegian Shipowners’ Association and the Norwegian Shipowners’ Mutual War Risks Insurance Association (DNK).

“In an increasingly uncertain cyber market, NORMA Cyber provides great value for the maritime sector. Wallenius Wilhelmsen is at the forefront when it comes to digitalization, so we immediately saw the advantage of becoming a member of NORMA Cyber,” says Filip Svenson, Marine Operations Management at Wallenius Wilhelmsen.

“DOF supports the initiative and the joint work to establish NORMA Cyber as a centralized security service with a focus on shipping. We look forward to working closely with the NORMA Cyber team now that NORMA has become operational,” says Stig Rabben, HSEQ Manager at DOF.

NORMA Cyber is the first of its kind in the world, and the team consists of five people with broad backgrounds from defence, maritime industry and cyber security. Arne Asplem, Head of Intelligence, has extensive experience in security management and cyber security from private industry, but has also worked for several years in the National Cyber Security Center and the Armed Forces. He leads a team consisting of Øystein Brekke-Sanderud, who has several years of experience from offshore and subsea and also has an education in digital forensics. Marthe Brendefur has several years of experience from the Armed Forces, where she has, among other things, served on a frigate. She has a degree in digital forensics. Øyvind Berget, Chief Technical Officer, has several years of experience from the Armed Forces and the Ministry of Foreign Affairs. Øyvind has an MSc in IT security. Lars Benjamin Vold, Managing Director, has a long career from the Armed Forces and has worked for four years with security and contingency preparedness in DNK. Lars has a Bachelor’s degree in Economics. From April, the team will be further strengthened with an experienced engineer with extensive knowledge and experience in vessel systems.

“We want to further strengthen our team and the plan is to have a total of between 10 and 14 employees in the center by the end of 2021,” says Lars Vold.

NORMA Cyber has offices and an advanced operations room in Oslo, and works closely with the existing professional environment within security and contingency preparedness in DNK and the Norwegian Shipowners’ Association, which is located in the same building.

DNK and the Norwegian Shipowners’ Association’s membership consists of 420 Norwegian shipping companies and operators who control a total of 3400 ships and oil rigs.

Members of the Norwegian Shipowners’ Association and DNK automatically qualify for membership in NORMA Cyber.

Source: normacyber


The Maritime Cyber Environment

With the International Maritime Organization’s (IMO) mandate “to ensure that cyber risks are appropriately addressed in existing safety management systems” and the increasing number of cyber-attacks against maritime and shipping organizations, cybersecurity of maritime and shipping organizations is a top priority. In fact, cyber-attacks on the maritime industry’s operational technology (OT) systems are reported to have increased by 900% over the last three years.

The maritime and shipping sector plays a vital role in national and global economy; 90% of global trade is being carried by shipping, while in the U.S. it contributes about $5.4 trillion to the national gross domestic product. Hence, cyber-attacks against critical national infrastructure such as the maritime industry can have crippling effects on the national economy.

Maritime organizations are increasingly depending on IT and OT to maximize the reliability and efficiency of maritime commerce. These cyber-enabled systems assist vessel navigation, communications, onboard engineering management, cargo management, safety, physical security, and environmental control. However, the proliferation of internet-facing systems across the maritime sector is introducing unknown risks and expanding the threat surface. The 2017 NotPetya cyber-attack, which crippled the global maritime industry for more than a few days, was a warning of the disastrous effects.

The Plan’s Objectives

According to the statement from National Security Advisor Robert C. O’Brien “[t]he National Maritime Cybersecurity Plan unifies maritime cybersecurity resources, stakeholders, and initiatives to aggressively mitigate current and near-term maritime cyberspace threats and vulnerabilities while complementing the National Strategy for Maritime Security. The Plan identifies government priority actions to close maritime cybersecurity gaps and vulnerabilities over the next five years.”

The Maritime Cybersecurity Plan would help the federal government to “buy down the potential catastrophic risks to our national security and economic prosperity” arising from the dependence of maritime sector organizations on emerging technologies, said O’Brien. To achieve this goal, the Plan defines three objectives:

  • Risks and Standards
  • Information and Intelligence Sharing
  • Create a Maritime Cybersecurity Workforce

Prioritized Action List

The Plan includes a prioritized list of actions to help government and private actors meet the above objectives. The National Security Council (NSC) will oversee the completion of these priorities and will reassess the plan at least once every five years.

Risks and Standards

The U.S. Government recognizes that although cybersecurity standards and frameworks are widely available, maritime and shipping businesses often lack the resources or expertise to implement them effectively, leaving them open to vulnerabilities which can be exploited to disrupt operations. To mitigate these risks, the following actions are foreseen:

  • Identify gaps in legal authorities and de-conflict government roles and responsibilities for the implementation of maritime cybersecurity standards.
  • The US Coast Guard will analyze cybersecurity reporting guidance between 2016 and 2020 to identify trends and attack vectors. The analysis will increase maritime sector situational awareness and decrease maritime cyber risk.
  • Develop and implement mandatory contractual cybersecurity requirements for maritime critical infrastructure owned, leased, or regulated by the Government to decrease cybersecurity risk because of supply chain attacks.
  • Develop procedures to identify, prioritize, mitigate, and investigate cybersecurity risks in critical onboard and shore-based systems.

Information and Intelligence Sharing

Information sharing across public, private, and international maritime stakeholders that relies on transparency and existing partnerships, is the key to bolster maritime cybersecurity resilience. To promote information sharing, the Plan dictates the implementation of the following actions:

  • Promote domestic and international engagement to facilitate information sharing and best practices to build a coalition of maritime cybersecurity advocates.
  • Share maritime cybersecurity information and intelligence with the international community.
  • Develop and prioritize maritime intelligence requirements to guide risk modeling and adversary cyber risk assessments.

Create a Maritime Cybersecurity Workforce

Cybersecurity is a highly technical field requiring competent cybersecurity specialists to monitor and protect IT and OT systems and assets. However, the skills gap is a significant barrier to effective cybersecurity posture. To close this gap, the Plan proposes the following:

  • Develop cybersecurity career paths, incentives, continuing education requirements, and retention incentives to build a competent maritime cyber workforce.
  • Collaborate with the private sector to increase maritime cybersecurity expertise.
  • Field cyber protection teams to support the strengthening of the federal maritime security resilience.

Concluding Thoughts

“The adoption of standards and best practices in the maritime industry in accordance with the IMO guidelines is only the first step,” comments Notis Iliopoulos, Director GRC & Assurance at ADACOM. “The National Maritime Cybersecurity Plan takes it a step further, making a country specific mandate for the maritime sector. In my opinion, an effective implementation of the Plan demands a holistic approach for security risk management,” Iliopoulos adds.

The increased dependence of the maritime sector on cyber-enabled systems has implications on both the digital and the physical domains and demands a whole new approach to mitigate the emerging risks. “The convergence of digital and physical security and safety, in terms of processes, technology and roles, needs to become the new era in security risk management not only for the maritime sector,” notes Iliopoulos. “I’m happy to see that the Maritime sector actually demands the implementation of it. We might lack a holistic Security Risk Management framework, but the requirement for ‘information and intelligence sharing’ will make it happen,” concludes Iliopoulos.

As the US Coast Guard noted in a security warning back in 2019, “maintaining effective cybersecurity is not just an IT issue but is rather a fundamental operational imperative in the 21st century maritime environment.”

 

Source: tripwire


Report outlines deep cybersecurity challenges for the public/private seagoing sector.

The White House has released cybersecurity guidance for securing the Maritime Transportation System (MTS), which operates along 25,000 miles of coastal and inland waterways in the United States.

The document points out that the MTS encompasses “361 ports, 124 shipyards, more than 3,500 maritime facilities, 20,000 bridges, 50,000 Federal aids to navigation, and 95,000 miles of shoreline that interconnect with critical highways, railways, airports and pipelines.” In addition, there are more than 20 Federal government organizations that currently have a role in maritime security of all stripes, ranging from vessel and personnel safety to transportation standards and logistics.

In all, this footprint contributes one quarter of all United States gross domestic product, or approximately $5.4 trillion, according to the Feds.

Maritime Challenges

Applying good cybersecurity to the seagoing sector is a complex process plagued with challenges. The report enumerates several of these, starting with the fact that it’s a diverse ecosystem “with businesses of all sizes leveraging IT and [operational technology] OT systems that interconnect with larger maritime systems. Users across the maritime sector access key data and management systems daily for business purposes, making secure access control and user monitoring difficult.”

To boot, different public and private entities own and operate these interconnected systems, and common cybersecurity standards do not exist across facilities. Some of the entities also lack appropriate resources or expertise to implement appropriate cybersecurity frameworks even if a common approach were defined.

“Cybersecurity within some ports and facilities is situational, ad-hoc and often driven by profit margins and efficiency,” reads the report. “Unless the private sector has a clear understanding of current and future maritime cybersecurity threats and a financial incentive to invest in maritime cybersecurity measures, some private sector entities may not be inclined to align with maritime partners or allies.”

Additionally, some of the MTS footprint relies on outdated telecommunication infrastructure, threatening the ability for MTS stakeholders to “protect digital information, the network and to detect when malign actors are attempting to access protected systems,” the report warned.

The danger here is real; researchers have previously identified the prevalence of Windows XP and Windows NT within critical ship control systems, including IP-to-serial converters, GPS receivers or the Voyage Data Recorder (VDR), which thus tend to be easily compromised. Researchers at Pen Test Partners found that with the ability to infiltrate networks on-board shipping vessels (think satcom hacking, phishing, USB attacks, insecure crew Wi-Fi, etc.), capsizing a ship with a cyberattack is a relatively low-skill enterprise.

Previous research has shown that other concerning attacks are possible as well, such as forcing a ship off-course or causing collisions. The issue with remediating the dismal state of maritime security is a lack of clearly defined responsibility for security, according to the researcher.

Maritime Cybersecurity Mitigations

To correct and mitigate maritime cybersecurity threats going forward, the report advocates the implementation of standardized risk frameworks across the MTS, security requirements for suppliers and contractors, vulnerability audits, information-sharing policies and more.

The recommendations start with establishing an OT risk framework that provides a standard for “insurers, facility and/or vessel owners and shippers to share a common risk language and develop common OT risk metrics for self-assessments.” This is a framework that the Feds will provide guidance on, and the report said it will include an international port OT risk framework based on input from domestic and international partners.

It also addressed third parties, and said that “the United States will strengthen cybersecurity requirements in port services contracts and leasing. To limit adversarial opportunity, contracts or leases binding the United States Government and private entities must contain specific language addressing cyber risk to the MTS. The private sector owns and operates the majority of port infrastructure.”

The report added, “Port services such as, but not limited to, loading, unloading, stacking, ferrying or warehousing Federal cargo requires cybersecurity contracting clauses to safeguard the flow of maritime commerce, MTS users and our economic prosperity.”

In addition, the report prescribes an examination of critical port OT systems for cyber vulnerabilities, but it doesn’t specify a role for the federal government. Instead, the report noted that the maritime sector should glean cybersecurity best practices from other critical infrastructure sectors.

The Feds will, however, establish a cyber-forensics process for maritime investigations.

“The United States will design a framework for port cybersecurity assessments,” according to the report. “Developing and deploying cyber-forensics for all major marine casualties and mishaps, when a maritime cyber-effect cannot be ruled out, is paramount.”

And finally, the report addresses the cybersecurity skills gap.

“DHS, through the United States Coast Guard, in coordination with other applicable departments and agencies, will develop cybersecurity career paths, incentives, continuing education requirements and retention incentives to build a competent maritime cyber-workforce,” the report reads, “…and will encourage cybersecurity personnel exchanges with industry and national laboratories, with an approach towards port and vessel cybersecurity research and application.”


Source: threatpost


President Trump has released the “National Maritime Cybersecurity Plan,” which sets forth how the United States government will defend the American economy through enhanced cybersecurity coordination, policies and practices, aimed at mitigating risks to the maritime sub-sector, promoting prosperity through information and intelligence sharing, and preserving and increasing the nation’s cyber workforce.

President Trump designated the cybersecurity of the Maritime Transportation System (MTS) as a top priority for national defense, homeland security, and economic competitiveness in the 2017 National Security Strategy. The MTS contributes to one quarter of all United States gross domestic product, or approximately $5.4 trillion. MTS operators are increasingly reliant on information technology (IT) and operational technology (OT) to maximize the reliability and efficiency of maritime commerce. This plan articulates how the United States government can buy down the potential catastrophic risks to our national security and economic prosperity created by technology innovations to strengthen maritime commerce efficiency and reliability.

The National Maritime Cybersecurity Plan unifies maritime cybersecurity resources, stakeholders, and initiatives to aggressively mitigate current and near-term maritime cyberspace threats and vulnerabilities while complementing the National Strategy for Maritime Security. The Plan identifies government priority actions to close maritime cybersecurity gaps and vulnerabilities over the next five years.

This Administration continues to defend American workers and American prosperity while strengthening our national security. President Trump has taken numerous steps to bolster cybersecurity measures, promote American workers, defend American technology, and lead the world in technological innovation. Today’s release furthers the President’s successes at bridging the private and public technological and industrial sectors to benefit the American people and protect the American way of life.

Source: whitehouse


Maritime transportation systems increasingly rely on IT and OT, which can create vulnerabilities, the plan notes.

“The proliferation of IT across the maritime sector is introducing previously unknown risks, as evidenced by the June 2017 NotPetya cyberattack, which crippled the global maritime industry for more than a few days,” the plan states.

The U.S. relies on ocean-based commerce for about 25% of its gross national product. The plan is designed to help protect the nation’s network of 25,000 miles of coastal and inland waterways, 361 ports, 124 shipyards, more than 3,500 maritime facilities, 20,000 bridges, 50,000 federal navigation aids and 95,000 miles of shoreline.

“The National Maritime Cybersecurity Plan unifies maritime cybersecurity resources, stakeholders and initiatives to aggressively mitigate current and near-term maritime cyberspace threats and vulnerabilities while complementing the National Strategy for Maritime Security,” says National Security Adviser Robert O’Brien.

The plan, which is designed to unify maritime cybersecurity resources and close defensive gaps, will be reassessed every five years.

Citing a lack of specialists in this field, the plan calls for investing in the training of maritime cybersecurity specialists in port and vessel systems. This will include developing career paths for those who choose this profession along with continuing education and retention incentives.

Uniform Standards

A top priority, according to the plan, is for the government to encourage the use of uniform cybersecurity standards by the 20 federal agencies that have a role in maritime security. These agencies are responsible for vessel and personnel safety, transportation standards, physical security and other maritime industry activities.

“The NSC staff, through the policy coordination process, will identify gaps in legal authorities and identify efficiencies to de-conflict roles and responsibilities for MTS cybersecurity standards,” the plan states.

The plan also calls for the U.S. Coast Guard to analyze and clarify the 2016 and 2020 cybersecurity reporting guidance for maritime stakeholders. The Coast Guard also should collect maritime cyber incident reports to identify trends and attack vectors and then share that information with others, the plan says.

The Department of Defense and Homeland Security should work together to examine whether critical port operational technology systems have cybersecurity vulnerabilities, the plan states. Because a framework for conducting such an assessment does not exist, the plan calls for basing maritime audits on practices in other sectors.

“For example, the Department of Energy conducts small-scale vulnerability testing to protect electrical power generation and distribution OT systems. Similarly, maritime OT systems would benefit from vulnerability inspections. Findings from these audits may inform cybersecurity mitigation and remediation for MTS users,” the plan says.

Information and Intelligence Sharing

The plan also calls for the Coast Guard, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI to work together to create a list of cybersecurity issues that can then be shared with domestic and international partners in the maritime industry.

It also calls for the creation of a mechanism for government agencies to share unclassified and, when possible, classified information with all those in the maritime industry, in order to protect maritime IT and OT networks.

Source: govinfosecurity


As the Trump administration in the US draws to a close, the President has released a new ‘National Maritime Cybersecurity Plan’ detailing how the United States government will aim to defend the cybersecurity of the maritime sector through enhanced coordination, policies and practices, aimed at mitigating risks and increasing the nation’s cyber workforce.

The cybersecurity of the Maritime Transportation System (MTS) was listed as a top priority in the 2017 US National Security Strategy. The MTS contributes to one quarter of all United States gross domestic product, or approximately $5.4 trillion, with the new plan addressing the potential catastrophic risks to security and economic prosperity that could be created by maritime cyber vulnerabilities.

“The American people elected me on the promise to make America great again. I promised that I would protect American interests and promote the welfare and economy of our great citizens,” writes President Trump, in the plan’s introduction.

“During my first year in office, I designated transportation and maritime sector cybersecurity as a priority for my administration. In keeping with my promise and this priority, I am continuing to promote the second pillar of the national security strategy, promote American prosperity, by approving the national maritime cybersecurity plan.”

“The national maritime cybersecurity plan explains how my administration will: defend the American economy by establishing internationally recognized measures of risks to the maritime sub-sector and standards to mitigate those risks; promote prosperity through information and intelligence sharing; and preserve and increase our great nation’s cyber workforce.”

The Plan aims to unify US maritime cybersecurity resources, stakeholders, and initiatives to mitigate current and near-term maritime cyberspace threats and vulnerabilities while complementing the National Strategy for Maritime Security, identifying government priority actions to close maritime cybersecurity gaps and vulnerabilities over the next five years.

The full US National Maritime Cybersecurity Plan can be downloaded here.

