New Delhi, Jun 2 (IANS): India once again asserted its leadership role in the recently concluded Quad Summit in Japan. The second in-person Quad Summit, attended by Prime Minister Anthony Albanese of Australia, Prime Minister Narendra Modi of India, Prime Minister Fumio Kishida of Japan, and US President Joe Biden in Tokyo on May 24, was significant in showcasing a steadfast commitment to a free and open Indo-Pacific that is inclusive and resilient.

In a significant move, the four leaders launched a new maritime domain awareness initiative, the Indo-Pacific Partnership for Maritime Domain Awareness (IPMDA), designed to work with regional partners to respond to humanitarian and natural disasters, and combat illegal fishing.

Quad partners bring decades of skills and experience together to catalyse infrastructure delivery to the region and are committed to working closely with partners and the region to drive public and private investment to bridge gaps. To achieve this, the Quad will seek to extend more than USD 50 billion of infrastructure assistance and investment in the Indo-Pacific, over the next five years.

Reviewing the Quad’s ongoing efforts to combat the COVID-19 pandemic, the leaders welcomed the enhanced manufacturing capacity of the Biological-E facility in India and called for the expeditious grant of EUL approval by the WHO so that delivery of vaccines can commence. The leaders welcomed the gift of 525,000 doses of Made in India vaccines by India to Thailand and Cambodia in April 2022 under the Quad Vaccine Partnership.

They will continue to pursue a holistic approach to pandemic management by addressing last mile delivery and distribution challenges, augmenting regional health security through cooperation in genomic surveillance and clinical trials, and bolstering global health security architecture, the Quad joint statement said.

A Quad Climate Change Action and Mitigation Package (Q-CHAMP) was announced to strengthen efforts towards green shipping, clean energy (including green hydrogen), and climate- and disaster-resilient infrastructure. Prime Minister Modi reiterated the importance of assisting countries in the region with their COP26 commitments through mobilisation of climate finance and technology transfer.

In an increasingly digital world with sophisticated cyber threats, the Quad members recognised an urgent need to take a collective approach to enhancing cybersecurity. To deliver on the Quad Leaders’ vision for a free and open Indo-Pacific, the forum committed to improving the defence of its member nations’ critical infrastructure by sharing threat information, identifying and evaluating potential risks in supply chains for digitally enabled products and services, and aligning baseline software security standards for government procurement, leveraging their collective purchasing power to improve the broader software development ecosystem so that all users can benefit.

The Quad partners will coordinate capacity building programmes in the Indo-Pacific region under the Quad Cybersecurity Partnership, and will initiate the first-ever Quad Cybersecurity Day to help individual internet users across the nations, the Indo-Pacific region and beyond to better protect themselves from cyber threats.

As part of ongoing work related to critical and emerging technologies, the Quad’s Common Statement of Principles on Critical Technology Supply Chains was launched. The four countries will coordinate capacity building programmes for the Indo-Pacific region to bolster the region’s critical cyber security infrastructure.

The Prime Minister called for greater Quad collaboration to build trusted global supply chains and spoke of the national framework being adopted in India to create a semiconductor ecosystem.

A Quad Partnership on Humanitarian Assistance and Disaster Relief (HADR) for the Indo-Pacific was announced by the Leaders to enable more effective and timely responses to disasters in the region. The Leaders agreed to provide countries in the region resources on earth observation data through a Quad satellite data portal to help track climate events, disaster preparedness and sustainable use of marine resources. India will play a proactive role in this effort given its longstanding capabilities in using space-based data and technologies for inclusive development.

The members said they will build high-standard, inclusive, free, and fair trade commitments and develop new and creative approaches in trade and technology policy that advance a broad set of objectives that fuel economic activity and investment, promote sustainable and inclusive economic growth, and benefit workers and consumers. The efforts include, but are not limited to, cooperation in the digital economy.

The Summit talked about commitment to improving transparency, diversity, security, and sustainability in its supply chains to make them more resilient and well-integrated.

“We seek to coordinate crisis response measures; expand cooperation to better prepare for and mitigate the effects of disruptions to better ensure business continuity; improve logistical efficiency and support; and ensure access to key raw and processed materials, semiconductors, critical minerals, and clean energy technology,” the statement on the Indo-Pacific Economic Framework for Prosperity said.

“In line with our Paris Agreement goals and efforts to support the livelihood of our peoples and workers, we plan to accelerate the development and deployment of clean energy technologies to decarbonize our economies and build resilience to climate impacts. This involves deepening cooperation on technologies, on mobilizing finance, including concessional finance, and on seeking ways to improve competitiveness and enhance connectivity by supporting the development of sustainable and durable infrastructure and by providing technical assistance.”

 


Vessels are now more integrated with the shore organisation, and more are connected to the internet — and that creates vulnerabilities on the vessel.

Drug dealers have tricked shipping cargo tracking systems to think drugs are “bananas” and unknown actors have jammed GPS signals in northern Norwegian waters. Fixing these problems requires understanding how seafarers themselves perceive cyber risks — so they can do a better job protecting themselves and their vessels.

It was the afternoon of June 27, 2017, when nearly every computer serving the Danish shipping giant Maersk went dark. A piece of malware called NotPetya, created by Russians to attack Ukraine, had accidentally snuck into the company’s system when a Maersk finance executive in Odessa asked his IT Department to install accounting software that — unbeknownst to them — opened the door to the cyber attack.

While Maersk wasn’t the target — the bug had been created by Russian hackers to cripple Ukrainian businesses and government infrastructure — the shipping company, along with thousands of other companies across the globe, was collateral damage. Merck, the pharmaceutical manufacturer, lost $870 million while FedEx’s European subsidiary lost $400 million.

The thing that set Maersk apart, however, was that this was by far the biggest cyberattack on the maritime industry. As reported by Andy Greenberg in Wired magazine, Maersk, “responsible for 76 ports on all sides of the Earth, and nearly 800 seafaring vessels… representing close to a fifth of the entire world’s shipping capacity, was dead in the water.”

The attack ended up costing Maersk an estimated $300 million, but cybersecurity experts widely agree that’s likely an underestimate.

Yet there was one component in the Maersk system that managed to escape the attack: its ships.

While the malware shut ports, it didn’t affect the ships themselves. All of Maersk’s ships at sea were essentially isolated from the cyber attack.

“But it is a real risk,” says Marie Haugli Larsen, a PhD candidate studying maritime cybersecurity at the Department of Ocean Operations and Civil Engineering at NTNU in Ålesund. “Vessels are now more integrated with the shore organisation, and more are connected to the internet — and that also creates vulnerabilities on the vessel.”

The importance of human behaviour

Larsen’s research focuses on the human side of cybersecurity — that is, figuring out how to get seafarers to take the steps necessary to protect themselves and their ships from malware and other cyber attacks. While most people think of cybersecurity as mainly an IT issue, human behaviour frequently causes cyber incidents, Larsen said.

That means finding out how seafarers perceive the problem, she said.

“I’m trying to understand how seafarers — the operational crew — experience cyber risk in order to give them proper training,” she said. “I’ve been interviewing the people in charge on ships, deck officers and captains, about how they experience cyber risks towards their vessels today. Then I’m trying to see what influences this perception in order to develop targeted risk mitigation measures. The idea is that you meet people where they are, and give them the tools they need to protect themselves.”

Larsen has a secret weapon when it comes to meeting seafarers “where they are”. She herself is educated as a deck officer, and worked for two years aboard different vessels before beginning her research.

“Part of my journey has been thinking about how little I’ve thought about cyber risks,” she said. “When I worked at sea, I never thought maybe I shouldn’t use this USB stick, or maybe I shouldn’t charge my phone in this equipment. Or maybe I need to be more careful what I’m connecting to the internet or what I’m using the bridge computer for, because I didn’t think about vulnerabilities or what kind of cyber risks that could be there. So I’ve used my own experience to think about how to talk to others in the same situation.”

Hackers controlling ships

Larsen says shipping companies have known for some time that they could be victims of a cyber attack, much like what happened to Maersk. “It’s no longer a question of if it is going to happen, but when it will happen,” Larsen said.

If hackers want to, they can target the vessels’ operational systems so they can steer the ships. We haven’t seen it happening yet. But the tools are there.

A recent research paper looked at 46 cyber attacks in the shipping industry from 2010 to 2020, and noted that there was a 7-fold increase in attacks over the reporting period — which makes addressing the problem all the more important.

It was here that researchers described incidents where shipping systems were fooled into thinking that smuggled drugs were bananas, and where GPS systems were hacked or jammed, including on the northern Norwegian coast.

The increasing availability and use of the internet aboard ships themselves opens the possibility for new, increasingly unnerving situations, Larsen says.

“If hackers want to, they can target a vessel’s operational system so they can control it. We haven’t seen it happening yet. But the tools are there,” she said.

Imagine, Larsen says, that hackers get control of an oil tanker, the largest of which can hold more than 2 million barrels of oil, or nearly 320 million litres.

“If hackers take control of the ship and open the valves, then you have an environmental catastrophe,” she said. “Or what if the ballast tanks of a cruise ship are hacked, and the hackers cause it to list, so that it tilts? I’m not sure you can actually capsize it, but it can have enormous safety consequences for the people on board.”

Unrealistic optimism

There’s a whole branch of behavioural psychology that deals with perceived risk, which Larsen is relying on for her research.

No, this is something that’s happening elsewhere. It’s not happening on my ship.

“A part of decision making is how we perceive risk,” Larsen said. “If you don’t think there is any risk for your systems on the ship, if you don’t think it will be attacked by hackers, then you’re probably not being too careful with your systems. Or maybe you are a bit careless, because you’re not thinking about the risk. And if we can help people by giving them more information and enhanced awareness then we can also affect their risk perception.”

When people perceive various risks, they can often rely on something called cognitive biases. One well-documented bias is the optimistic bias, which has to do with people thinking that they themselves are not at risk, even if the activity they are involved in has risks. One classic example of this is why people smoke, she says.

“If you ask someone why they smoke since they can get cancer, they tend to say, ‘that’s something happening to others, not to me’,” she said.

Mariners have the same cognitive biases as other people, and since cyber incidents may occur in regions far from where the mariners work, they can experience unrealistic optimism, Larsen said.

“All the people I have interviewed have said, ‘I believe the cyber risk to be low in the areas I’m working in, and it’s not likely that a cyber-attack will happen on my ship. That is something happening elsewhere, like the Gulf of Aden or around the Cape of Good Hope’,” she said.

People are also less likely to worry about something if they or people they know haven’t actually experienced the problem, she said. But of course, that doesn’t make the risk go away.

The Internet of Ships

The “Internet of Things” is a phrase used to describe how more and more of our appliances and other items contain sensors that are connected to the internet and can be controlled and interacted with digitally.

It’s common to find this technology in everything from your washing machine to the lock on your front door or in different components in your electric car.

The same trend is happening at sea, Larsen said, which increases a ship’s exposure to cyber risk. At the same time, however, instead of making a mariner’s work easier, digitalization can actually make their work harder, she said.

“Before, a ship was more autonomous or free from impacts from shore, but now, you have sensors that monitor the vessel’s performance in different settings, and you have a shipping company that needs to save money, for example, or has green values,” she said. “And all of these factors mean that ships need to be more efficient.”

While that’s a good thing, it can put crews in a difficult situation, she said. For example, if a captain feels like the ocean conditions aren’t safe, he or she may decide to stop, or go to port. But both customers and the shipping company can now monitor this behaviour and question the captain’s judgement.

“By use of these new parameters, companies are now suddenly making statistics for their vessels’ daily operations. And captains have to address this, they experience getting questioned about why they are using more fuel than other captains, for example,” she said. “They have much less self-governance. And they don’t feel very good about that.”

Digitalization can be seen as red tape

This situation also can increase cyber risks, she said, because deck officers can be overwhelmed. More and more systems are being digitalized, which increases the reporting required of seafarers.

You think that digitalization means efficiency, but that’s not their experience.

“And this is connected with increased digital exposure, because seafarers can feel overwhelmed because they experience that there is more and more information that needs to be processed digitally, for example,” she said. “They have to report numbers in five different places now because there are so many systems and still they have to print it out and hang it up on the whiteboard.”

“You think that digitalization means efficiency, but that’s not always the seafarer’s experience. Their experience is that digitalization can create more administrative work, or bureaucratic red tape, as some of them called it. So they feel like technology and this increase in utilisation gives them less freedom and flexibility.”

Identifying these issues will allow Larsen and her colleagues to develop measures that can educate mariners and the companies they work for to protect themselves against cyber risks.

“We have to implement mitigation measures on different levels in the shipping companies,” Larsen said. “We need to target the individuals, the vessels and management to help the maritime industry improve their cyber security.”

Source: NTNU


The growing use of and reliance on information technology, data networks, transmissions and connectivity in the daily work within the marine and energy sectors increases exposure to cyber-related risks. Ransomware attacks may result in economic loss or costs of rebuilding lost data. The consequential damages to hull, cargo and third-party liabilities from a cyber-attack on board a vessel or mobile offshore unit pose a different and more costly risk. The limited data on the frequency, severity of loss or probability of physical damage is a challenge to underwriters.

In view of this growing risk, IACS has amplified its work on the reliability and functional effectiveness of onboard, safety-critical, computer-based systems. The need to take a holistic approach which includes the perspectives of various maritime stakeholders was a priority, hence IACS set up a Joint Working Group (JWG) on Cyber Systems. The objective was to help identify best practices, appropriate existing standards in risk and cyber security, and a practical risk-based approach.

Previous work included the development of Recommendations as well as efforts at the IMO such as IMO Resolution 428(98), applicable to in-service vessels since 1 January 2021. On this basis and in cooperation with the JWG on Cyber Systems, IACS adopted two new IACS Unified Requirements[1] (URs) on the cyber resilience of ships in April 2022:

UR E26 aims to ensure the secure integration of both Operational Technology (OT) and Information Technology (IT) equipment into the vessel’s network during the design, construction, commissioning, and operational life of the ship. This UR targets the ship as a collective entity for cyber resilience and covers five key aspects: equipment identification, protection, attack detection, response, and recovery.

UR E27 aims to ensure system integrity is secured and hardened by third-party equipment suppliers. This UR provides requirements for the cyber resilience of onboard systems and equipment and provides additional requirements relating to the interface between users and computer-based systems onboard, as well as product design and development requirements for new devices before their implementation onboard ships.

These URs are to be uniformly implemented by IACS Societies on ships contracted for construction on or after 1 January 2024 and may be used for other ships as non-mandatory guidance. They help to establish a common set of minimum functional and performance criteria to deliver ships which can be described as cyber resilient.

IUMI has participated in the JWG on Cyber Systems to provide input from the insurance perspective. In light of the growing reliance on digital solutions in the maritime industry, the publication of the URs is a welcome step toward the development of a proper cyber risk management strategy on board today’s vessels.
Source: International Union of Marine Insurance


On the occasion of its sixth participation in the International Cybersecurity Forum (FIC) on June 7, 8 and 9, 2022 at the Grand Palais in Lille, Naval Group will present its latest innovations in the cyber field and its recruitment ambitions.

Meet the company on stand F35 to learn more about its cyber defense offer as well as job offers.

Cybersecurity is now a leading field of conflict, with a constant increase in the number of cyber operations conducted in theaters of operations and against the various players in the defense ecosystem. Today, it is no longer just a question of managing cyber risks, but of anticipating them and above all of demonstrating robust and appropriate performance in this area to ensure the success of the digitization of systems and spaces.

Marine operational superiority depends on it. This robust and reliable protection, adjusted to the cyber needs of each customer and the type of mission of the boats, offers modularity throughout their life cycle. Naval Group’s cyber defense offer is the result of constant innovation, reconciling the imperative need for ship protection with the imperatives of operational continuity and crew safety at sea.

Cybersecurity: a strategic priority for Naval Group, partner of navies throughout the entire life cycle of ships

In order to ensure the resilience of its ships and its infrastructures in the face of these cyber challenges, Naval Group has made cybersecurity a strategic issue in its development and its products.

Naval Group integrates safety aspects at all stages of the ship’s life cycle. From their design, Naval Group combat ships and their digital systems are designed and protected natively (cyber by design). Cybersecurity is also integrated into the development, production and operational maintenance phases of ships. This begins with supporting the supply chain to strengthen the consideration of the cyber threat.

Naval Group brings in its wake a large number of suppliers and subcontractors in the naval and maritime sector. Guarantor of the economic dynamism of this sector and its growth, the group is also concerned about the maturity and the increase in skills of its players in terms of cybersecurity, for the benefit of the entire maritime ecosystem.

Naval Group’s cyber offer: a resilient and proven offer at sea

Laid down in December 2021, the first of five defense and intervention frigates (FDI) that will contribute to the French Navy’s leading fleet opens the era of natively resilient and cyber-secure ships (cyber-by-design), thanks to its capabilities to combat asymmetric threats and its cyber protection system (CyMS), integrated from the design stage and at each stage of its life cycle.

The operational heart of the cyber strategy of armed ships, the Cyber Management System (CyMS) detects possible attacks in real time by the simultaneous analysis and control of the digital exchanges of the ship’s systems. In the event of an anomaly, the CyMS offers reaction scenarios to the operators who, thanks to simple and intuitive interfaces, have immediate access to the data necessary to adapt the reaction to the context and thus make the best choice. Upgradable, the CyMS is updated throughout the vessel’s life cycle and constantly enriched with improvements developed in partnership with the French Navy, in order to better meet the needs and operational constraints of users.

In addition, faced with the intensification of cyber challenges in naval defence, Naval Group showcased its Cyber Lab in Brussels in April 2022. This center of excellence is dedicated to the development of cybersecurity technologies for naval application, in particular for ship and drone systems as well as for onshore infrastructures. The Cyber Lab specializes in the implementation of cybersecurity measures developed for the benefit of the Belgian-Dutch mine action program rMCM and is also a key promoter of the development of technologies and solutions in the naval and maritime sectors in Europe.


K2 Informatics, a company specializing in cybersecurity and IT systems integration, has recently been certified by RINA for its “K2 Secure Solution”. RINA followed a strict methodology to evaluate the compliance of K2 Secure Solution against a strict set of international standards, based on IMO Resolution, IACS requirements and RINA Rules. The importance of the process is in providing assurance that certain hardware and software tools comply with the Marine Regulatory Framework and are suitable to be used in the marine environment, offering cybersecurity for systems & networks onboard.

Today, vessels at sea are more connected and more vulnerable to cyberattacks than at any moment in the past. The average ransom paid by shipowners due to cyber-attacks is currently estimated at $3 million, but the true cost of business and service disruption is even higher.

Mr Spyridon Zolotas, Senior Director of RINA Marine Southern Europe & Africa, mentioned that: “Cybersecurity certification of companies does not only prove compliance with minimum acceptable scientific principles but assists companies in following high safety standards to protect seamen and help maintain a safe business environment for shipping.”

Mr Michael Vrettos, Senior Cyber Security Expert of RINA, mentioned that: “Digitalization and Cyber Security go hand in hand, and their aim is to assist, not hamper shipping with complexity and extravagant costs. Systems that offer high security standards in a straightforward manner, like K2 Secure, can only benefit shipping”.

Mr Georgios Gkorgkolis, Managing Director of K2 Informatics, mentioned that: “working with RINA and complying with their Cyber Security regulations, was a great experience for us, as RINA team has in-depth knowledge and adheres to an easy to follow, yet strict and realistic methodology on Cybersecurity”.

Mr Philip Nielsen, Co-Founder of Oriani Hellas, mentioned: “we are proud to have K2 Secure solution certified as we strive to keep our products and services to the highest standards possible and working with a recognized classification society as RINA was the best option for that”.

K2 Informatics, together with Oriani Hellas, which specializes in maritime digital applications, has developed a maritime cyber security solution called K2 Secure Solution, which is based on global best practices and incorporates:

• security devices, for network segmentation, Quality of Service and VPN connections
• cloud management software for email and network protection
• remote maintenance and management software, for systems & networks onboard and ashore.
Source: Oriani Hellas, K2 Informatics


Cyber threats – like ransomware or other types of malware – are evolving, pervasive, and ubiquitous. They endanger both individuals and organizations across several communities worldwide. They run through networks, information systems, and services, which represent the backbone of contemporary digital societies and the premises for their industrial, economic, and social development. Overall, cyber threats undermine the potential benefits that stem from the use of new or emerging digital technologies in many sectors, e.g., transport, energy, health, telecommunications, finance, democratic processes, education, space, defence, and national security. Tackling cyber threats requires organizations to acquire, maintain, and further develop adequate cyber capabilities.

As far as countries are concerned, this entails assigning clear responsibilities and mandates to existing or newly established institutions, as well as sustaining their functioning through both the allocation of sufficient resources – human, financial, technological – and the definition of efficient operational procedures. To prevent and counter cyber threats, states should also adopt concrete measures and actions that are multidisciplinary and multi-layered in their essence. These can range from enacting specific policy and legal instruments, supporting the establishment of cybersecurity stakeholders’ communities or cooperation fora, financing technological research and development, to sustaining cyber-related education, and promoting educational campaigns in the field of cybersecurity. Altogether, the above-mentioned actions aim at building a cyber-resilient and cyber-secure community.

However, given the transnational nature and reach of cyber threats, countries cannot limit the scope of their preventive and counter initiatives to the domestic realm. They should act at the international level, too, promoting and contributing to universal, regional, and bilateral cooperation in the field of cybersecurity.

 

Cyber capacity building as international cooperation

International cooperation initiatives can take several forms, involve various partners, and focus on different elements or aspects. Some of these initiatives fall within the scope of so-called “cyber capacity building” (CCB).

Put simply, CCB is a growing field of cooperation whose boundaries and content continue to evolve.[1] It is a tool comprising a rich set of activities and projects aimed at developing capabilities to mitigate risks and promote opportunities vis-à-vis cyberspace and digital technologies.

CCB initiatives’ topics and items can vary according to their promoters’ goals and needs. They can span from cyber policy and law-making, institution building, strategic planning, incident response, information sharing, critical national infrastructure protection, the promotion of information and awareness campaigns, to education and training. Since it is intrinsically based on a win-win logic, CCB can strengthen partners’ cyber resilience and sustain their technological and industrial development.

From a multilateral perspective, it can improve the overall cybersecurity of regional and sub-regional areas as well as boost their economic and social growth. To be truly beneficial, CCB initiatives should be coordinated and not fragmented. Furthermore, they should be premised upon transparent and shared goals and rely on effective resources for their implementation.

 

The role played by the Italian National Cybersecurity Agency

Acknowledging CCB’s value in terms of trust-building and strategic partnership, Italy aims to use this tool to establish and reinforce close relationships and collaborations with its partners in the field of cybersecurity. The recently established Italian National Cybersecurity Agency has a clear mandate and functions in this field.[2]

The Agency is Italy’s cybersecurity authority, which ensures coordination between the domestic public entities having a stake in cybersecurity nationwide and promotes the implementation of common actions aimed at strengthening national cybersecurity and resilience. It is also responsible for safeguarding Italy’s national security and interests in cyberspace.

Among its assigned tasks, the Agency coordinates, in partnership with the Ministry of Foreign Affairs, international cooperation in the field of cybersecurity. In particular, it can stipulate bilateral and multilateral agreements – also through the involvement of the private and industrial sectors – with institutions, entities, and bodies of other countries for Italy’s participation in cybersecurity programmes. These agreements can be framed within the context of CCB initiatives. Among CCB partners, there are institutions from countries of the wider Mediterranean Region (North Africa and the Middle East), most of which have long-standing friendship ties with Italy.

In line with what is described above, CCB initiatives with these countries should aim at improving regional cyber resilience and promote technological innovation and development. Initiatives may have either a broad or narrow scope. Among others, they may include the sharing of best practices and experiences in the field of cybersecurity (for example, with a focus on the maritime, health or energy sectors); the exchange of data and insights on cyberthreats and other cyber-related malicious activities; the promotion of educational or training programmes aimed at filling skills or labour force shortages; or the support to institution building as well as policy and law-making in the field of cyber.

As for the latter, for example, Italy could share with its partners the experiences it has developed so far from the adoption and progressive implementation of the National Security Perimeter Law for Cyber[3], as well as from the domestic application of the Directive EU 2016/1148[4]. It could provide insights on the content and main features of the recently adopted National Cloud Strategy, which has the goal of providing strategic direction for the implementation and control of cloud solutions in public administration[5].

In conclusion, cybersecurity is transnational by nature. Safeguarding domestic cybersecurity and cyber-resilience requires states to act jointly at the international level. CCB can represent a useful instrument in this regard. It is an opportunity for Italy and its Mediterranean partners to promote regional security, innovation, and growth.

 

 

SOURCES:

[1] R. Collett and N. Barmpaliou, International Cyber Capacity Building: Global Trends and Scenarios, Luxembourg: Publications Office of the European Union, 2021.

[2] The Agency was established by the Law Decree No. 82, 14.06.2021. See https://www.acn.gov.it/en.

[3] Law Decree No. 105, 21.09.2019, in the Italian Official Journal No. 222, 21.09.2019 (in Italian).

[4] The so-called “Network and Information Systems (NIS) Directive”, in European Official Journal L 194, 19.7.2016.

[5] See https://assets.innovazione.gov.it/1634299755-strategiacloudit.pdf (in Italian).


The global maritime industry continues to embrace information technology and operational technology in automating its processes. Increased digitalisation has brought about cyber vulnerabilities, opening the door for cyber-attacks. Cyber-attacks can have serious consequences for crews, ships, and cargos, including casualties, loss of control of the ship, and ship or cargo hijacking. This research paper examines and discusses the limitations of the current IMO framework. The paper calls for a comprehensive legal framework on cyber risk management through the strengthening of the ISM Code and potentially through the creation of a Cyber Code.

 

Source: marsafelawjournal


Facing “very substantial threats against the maritime critical infrastructure every day,” the Coast Guard has operationalized cybersecurity and “made it part of our prevention and response framework to make sure that we’re getting after this threat at the speed and pace at which it demands,” USCG Assistant Commandant for Prevention Policy Rear Admiral John Mauger told the House Transportation and Infrastructure Committee during a hearing on cybersecurity last month.

The marine transportation system, or MTS, is an integrated network of 361 ports and 25,000 miles of waterways and supports one quarter of U.S. GDP and one in seven American jobs, and “any substantial disruption to marine transportation can cause cascading effects, to our economy and to our national security.”

“Cyberattacks are a significant threat to the maritime critical infrastructure, and while we must continue to work to prevent attacks, we must also be clear-eyed that attacks will occur, and we must ensure that the MTS is resilient,” Mauger said. “Protecting maritime critical infrastructure and ensuring resiliency is a shared responsibility.”

That has included establishing Coast Guard Cyber Command, with cyber forces that “are manned, trained, and equipped in accordance with joint DoD standards, but have a broad range of authorities to address complex issues, spanning national defense and homeland security, including protecting the MTS.” USCG stood up a maritime cyber readiness branch within Coast Guard Cyber Command “as a focal point for maritime threat monitoring, information sharing, and response coordination.”

“The Coast Guard’s approach to protecting the MTS leverages our proven prevention and response framework,” he said. “To prevent incidents, we leverage our authorities in the nation’s ports to set standards and conduct compliance. We refer to this as cyber risk management, and require accountability, assessments, mitigations, exercises, and incident reporting. To prepare for and respond to cyber incidents, Coast Guard sectors are leading field-level exercises with Area of Maritime Security committees, and have established unified commands with FBI and CISA to lead the federal response to cyberattacks in the ports.”

“Cyberattacks will increasingly have physical impacts, beyond computer networks. By incorporating cybersecurity into our prevention and response framework, we provide a comprehensive, all-hazards approach to this threat, but we cannot do this alone. As the co-sector risk management for transportation, we look to both TSA and CISA as key partners.”

Mauger stressed that cybersecurity is “a shared responsibility with the private sector” and “collaboration with the industry is paramount, and focused on information sharing and good governance.” USCG established the National Maritime Security Advisory Committee “to facilitate consultation with industry on standards development” and works with the International Maritime Organization to address the risks posed by foreign vessels. “We are committed to a transparent approach, as we balance the urgency of cyberthreats with informed rulemaking,” he added. “The cyberthreat is dynamic.”

Asked for an update to the Coast Guard’s efforts to improve its own IT systems, the assistant commandant noted that the USCG “approach to protecting the maritime transportation system relies on us having our own ability to defend and operate our networks.”

“Through investments in the CARES Act, with over $65 million in funding, we’ve been able to make significant investments to modernize our infrastructure, and push more information out to our mobile users out in the field, and our cutters underway,” Mauger said. “But all of this is premised, our security is premised, on it being an operational imperative. And so the key thing that’s really driven us forward is the establishment of Coast Guard Cyber Command as an operational command, under the purview of a two-star commander, that oversees our daily mission execution in the IT space. And then the coordination with our CIO, who is driving those investment and modernization projects forward.”

At the port level, Mauger said the Coast Guard is “really focused on working across the prevention and response framework to ensure that we have the ability to defend and then also respond resiliently from attacks.”

“This is a shared responsibility between the private sector and the federal agencies involved, and so we’re doing a number of different things,” he said. “First of all, we put in standards in place that require them to conduct assessments, have an accountable person, develop a plan, mitigate that plan, exercise it, and report incidents. All those pieces are really important. Through those assessments, we then have the opportunity to drive investments through the Port Security Grant Program, to update security posture in the ports. And so last year, $17 million was allocated from the Port Security Grant Program for Cybersecurity.”

“Which side is winning, the increased cyberthreats or increased digital-based safety operational enhancements?” asked Rep. Bob Gibbs (R-Ohio). “How are we doing in this fight, who’s winning?”

“Congressman, it’s not an either/or proposition for us, it’s really an all-of-the-above,” Mauger replied. “And so as the Assistant Commandant for Prevention Policy, we make sure that we bring together the best of our ability to secure private industry, but then be able to respond as well.”

“And so, leveraging our prevention and response framework, we’ve made sure that we’ve taken a multilayered approach to engaging with the industry, sharing information with them at the local level, through the Area Maritime Security Committees, and conducting compliance activities,” he added. “And then at the national level, engaging across the interagency with our National Maritime Security Advisory Committee, with the MTS ISAC, and then with other interagency partners, to make sure that we’re tied together, and providing a comprehensive network, and comprehensive approach to this problem.”

Mauger emphasized to lawmakers that “overall risk management approach, within both the private sector and the federal government” requires accountability.

“You have to have an accountable person; they have to be able to do an assessment and to understand the risks,” he said. “They have to be empowered to manage those risks. And then it also comes back to exercising and reporting. Where it comes to reporting right now, we have to change the paradigm from ‘what is the minimum I need to disclose’ to ‘how can I help protect others’… these incidents cut across so many different infrastructures, and reporting really helps us to make us all stronger.”

Asked how threats and risk-management assistance are communicated to individual ports and throughout the MTS, Mauger replied that “unity of effort within the Coast Guard is part of our DNA, and so we take a multi-level approach to share information at the speed of cyber here with the industry.”

“But this is a dynamic threat environment, and going forward we need to use a combination of both existing tools and new tools, or new methods, to get after the information sharing,” he added. “So for this multi-level approach at the local level, we work through our Area Maritime Security Committees; each of those have established cyber subcommittees that are responsible for that day-to-day sharing of information, for conducting the exercises, for reviewing best practices and understanding how to move forward. Those same people then are integral to response efforts when they occur in the ports. At the national level, we work through a number of different means. We’ve established a maritime cyber readiness branch within our Coast Guard Cyber that really becomes a focal point for threat information dissemination, technical assistance in the field, and connection to the interagency.”

“We’ve embedded folks in CISA, we meet regularly with the other Sector Risk Management Agencies. We engage with the MTS’s information sharing and analysis center. And we look for every opportunity to continue to share information and communicate threats, and understand the vulnerabilities in this industry, so we can protect the MTS.”

 

Source: hstoday


Cyber attacks targeting the marine sector, and critical infrastructure more broadly, are growing rapidly across the world and in Asia. As the maritime industry undergoes rapid digitalization, ransomware attacks continue to escalate. In fact, hackers are narrowing their focus on organizations in the sector, which are seen as tempting targets due to a perceived lack of cyber security investment and potential for significant operational disruption.

That the marine industry is an attractive target for hackers is not new. Since Maersk suffered a devastating US$300 million ransomware attack in 2017, the maritime industry has earned the unfortunate distinction of being the only sector in which all four of the world’s largest shipping companies have been hit by cyber attacks in the last four years: Maersk, Mediterranean Shipping Company, CMA CGM and COSCO.

Source: nationalcybersecuritynews

As the industry strives for greater technological efficiency, new vulnerabilities emerge as a result of the growing integration of information and operational technology.

International and national regulatory organisations, as well as industry trade associations, take these threats seriously and call on ship owners and operators, charterers, ports, and other maritime businesses large and small to take action.

We offer technological and scientific expertise to assist you in safeguarding and advancing your critical interests. We are a trusted, independent advisor and security partner for clients who understand that cyber resilience can provide a competitive advantage in a highly regulated and crowded environment.

 

Source: hackersera

