Maritime ports, port facilities and vessel operations are increasingly seen as high value cybersecurity targets. Well-funded nation state actors pose a near-term threat, and risks to these operations can result in enormous losses as well as threaten large supply chains or disrupt a nation’s economy.
It can be challenging to conduct a complete risk assessment of these complex infrastructures, with so many converging operational entities and processes—from port operations, to logistics and transportation, to vessel operations. Fortunately, newer maritime regulations and industry advisories are providing some guidance to address concerns.
Below, I give an overview of current maritime regulatory guidelines, along with best practices to protect maritime operations from risk and meet compliance requirements.
Important Industry Guidelines for Cybersecurity Readiness
Increasingly, cybersecurity attacks are moving from the information technology (IT) networks that run a business’s data to the operational technology (OT) networks that physically control the facility operations. In response to growing cyber threats, it’s important to perform a vulnerability and risk assessment that applies to Maritime Transportation Security Act (MTSA)-regulated facilities. MTSA-regulated facilities typically handle shipments as diverse as bulk cargo, petroleum and LNG shipment and storage—when addressing cyber risk there can be a lot to consider.
Given that maritime facilities operate directly in the middle of the supply chain, a persistent cyberattack could result in significant financial losses, not only to the facility itself but to its upstream and downstream customers. Implementing a solid cybersecurity program is critical to demonstrating proper due diligence. The U.S. Coast Guard (USCG) in its Navigation and Vessel Inspection Circular (NVIC) 01-20 is calling for increased cybersecurity and cyber risk management controls across maritime facilities regulated under the 33 CFR 105 and 106 code of federal regulations.
Some of the detailed regulatory guidelines maritime operators should be aware of include:
PORT AND TERMINAL FACILITIES
U.S. Regulation and Guidance for Cybersecurity Implementation
- Maritime Transportation Security Act (MTSA) Facilities and Outer Continental Shelf (OCS) Facilities
- 33 CFR 105 – Maritime Security: Facilities
- 33 CFR 106 – Maritime Security: Outer Continental Shelf (OCS) Facilities
- USCG NVIC 03-03 – Facility Security Policy
- USCG NVIC 01-20 – Facility Cyber Policy
- USCG MSIB’s related to cybersecurity
- MSIB 10-19: Cyberattack Impacts MTSA Facility Operations
- MSIB 18-20: Urgent Need to Protect Operational Technologies and Control Systems
- MSIB 25-20: Urgent Notice: Active Exploitation of Popular Network Management Software SolarWinds
- MSIB 03-21: Continued Awareness: Active Exploitation of SolarWinds Software
IMO 2021 Maritime Cyber Risk Management in Safety Management Systems
- IMO released Cyber Recommendations in 2017
- 428(98), Maritime Cyber Risk Management in Safety Management Systems
- IMO MSC-FAL.1/Circ.3, Guidelines on Maritime Cyber Risk Management
BIMCO’s Guidelines on Cybersecurity Onboard Ships v4
- Provides a clear cyber mapping to ISM Code and alignment to NIST CSF
- Includes documentation and implementation of security measures
- ISM audit will require more than updating the SMS – companies must demonstrate implementation and operation
Cyber regulations will continue to expand, and the regulatory environment is starting to focus on security issues, including visibility and control over the OT and IT networks, systems, and devices. Operators will also have to consider both compliance and security requirements.
Start with Best Practices: Security Assessments, Asset Inventory, Audit Risk
- Conduct Cybersecurity Assessments – It’s possible to use the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to determine the grading score of the cyber stance of each facility. For consistency with industry best practices and to assist the facility integration of cybersecurity into an existing physical security plan outlined in the Facility Security Plan (FSP), the NIST CSF subcategories were aligned to the 15 cybersecurity recommendations from United States Coast Guard’s (USCG) Navigation and Vessel Inspection Circular NVIC 01-20 and requirements outlined in 33 CFR 105.
- Determine Cybersecurity Maturity Levels – Cybersecurity maturity levels help to distinguish the robustness of cybersecurity implementations for each NIST CSF subcategory. Using a cybersecurity maturity model provides an analysis of current posture and a path forward to achieve the desired level of maturity. It also enables facilities to periodically assess where they are on the path.
- Technology and Risk Audit, Asset Inventory and Vulnerability Assessments – Technology platforms that can provide ongoing information about asset management, vulnerabilities and hardening of the assets, and monitoring solutions should be a necessary component of a complete solution. One that can tie together visibility, reporting and analytics across the entire spectrum of OT and IT resources, sites, and organizations.