The rapid digitalisation of the maritime industry is transforming how the industry operates. However, alongside its many benefits, digitalisation also brings new threats and regulatory requirements. The competitive nature of maritime means that optimising operations is critical to remaining economical, and organisations that use new technologies and digital solutions efficiently will have the upper hand over those that fail to do so.
Modern ships are floating cities, with electric power generation, fuel distribution, water treatment, and networked systems such as HVAC, video surveillance, and automated safety controls. The rapid shift to automation and digitisation of ships has brought many advantages, but it has also opened ship networks to increased cyber and operational threats.
Ships operate both IT (standard information systems) and OT (operation and control systems). These systems once ran in isolated, closed environments, but recent years have seen them converge in open operating environments.
IT systems are typically more mature when it comes to cyber security. Because they have operated in an open environment for much longer, they have had time to develop reasonably established procedural, technological and training controls. A breach of maritime IT systems can significantly damage an organisation’s reputation and have a significant financial impact, but it will usually not affect the safe operation of the ship.
OT systems, in contrast, have less mature cyber security controls. An attack against onboard OT systems can jeopardise the vessel and crew’s safety as OT systems control numerous parts of the ship’s integrated digital systems, from the engine and cargo controls to ship navigation.
The maritime industry is highly safety-conscious, following strict classification rules and operational regulations. Automation plays a significant part in the safe operation of a ship, and includes a myriad of sensors and monitoring systems that enable the ship to operate. Maritime operators must continually collect and aggregate security and operational data from the entire ship’s control and automation systems. Securing these systems and the information they generate is a monumental task.
A cyber-attack can endanger safety, cause financial loss, cause severe environmental damage, stop the operation of the ship and damage the organisation’s reputation.
At its 98th session in June 2017, the Maritime Safety Committee adopted Resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems. The resolution encourages administrations to address cyber risks in existing safety management systems appropriately (as defined in the ISM Code) by no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.
During the same session, considering the urgent need to raise awareness of cyber risk threats, the Committee approved the “Guidelines on maritime cyber risk management”. The guidelines provide high-level recommendations on maritime cyber risk management. The link to the report is below.
The report aligns closely with the NIST Cyber Security Framework, which shipping companies should understand and consider as part of their cyber security maturity framework.
The National Institute of Standards and Technology (NIST) published a set of security guidelines called the “Cyber Security Framework”, consisting of five major functions: Identify, Protect, Detect, Respond, and Recover. The Cyber Security Framework’s prioritised, flexible, and cost-effective approach helps to promote the protection and resilience of critical data and infrastructure.
The NIST Framework
Generally speaking, NIST guidance provides a set of standards for recommended security controls for information systems. These standards are endorsed by the government, and companies comply with them because they encompass best-practice security controls across a range of industries; a widely adopted example is the NIST Cyber Security Framework. NIST standards draw on best practices from several security documents, organisations and publications, and are designed as a framework for programmes requiring stringent security measures.
What are NIST Cyber Security Framework Profiles?
A Profile is an organisation’s unique alignment of the Framework to its own business requirements and objectives.
Profiles are about tailoring the Cyber Security Framework to best serve your organisation. There is no right or wrong way to use it: the Framework is voluntary, and a Profile is largely shaped by your organisation’s management of cyber security risk, its risk tolerance and its understanding of appropriate safeguards.