Maritime and cybersecurity… At first glance, two areas that seem unrelated. But that is not the case at all! The International Maritime Organization (IMO) has taken the potential impacts of cyber risks on maritime seriously and published an important guide to raise awareness and protect the sector. I have read this 6-page guide and I am summarizing it in this article for you to easily digest.
IMO Cybersecurity Guide: Cyber Risks Threatening Maritime
The urgent need for awareness of cyber risk threats and vulnerabilities was discussed at the IMO's Facilitation Committee (April 4-7, 2017) and Maritime Safety Committee (June 7-16, 2017) meetings. As a result of these meetings, the publication of the Guidelines on Maritime Cyber Risk Management was approved.
So, what does this guide do?
These guidelines offer high-level recommendations on cyber risk management in order to protect maritime operations from current and emerging cyber threats and vulnerabilities. They also include functional elements that support effective cyber risk management. So the guide doesn't just say "be careful"; it also provides practical information on how to manage these risks.
Who is it addressed to?
IMO invites its member states to bring the content of this circular to the attention of all relevant stakeholders. This means that it is of great importance for everyone in the maritime sector, from ship owners to operators, from ports to maritime technology providers, to be aware of this guide and implement its content.
Cyber Risk Management: A New Requirement in Maritime
Risk management is the cornerstone of safe and secure operations for the maritime sector. Traditionally, risk management has focused more on operations in the physical domain. However, with the increasing reliance on digitalization, integration, automation and network-based systems today, the need for cyber risk management in the maritime sector has also increased significantly.
Why is Cyber Risk Management So Important?
Today's ships rely on digital technologies in many areas, from navigation systems to engine control units. This reliance opens new doors to cyber attacks and can pose a wide range of threats, from operational disruptions to serious security breaches. A cyber attack can cause a ship to go off course, systems to shut down or even dangerous situations to arise. This is where cyber risk management comes into play.
Recommendations that can be integrated into existing processes
This guide, prepared with the aim of supporting the maritime sector in achieving operationally resilient, safe and secure navigation in the face of cyber risks, offers recommendations that can be incorporated into existing risk management processes. In other words, companies in the sector can add these new cyber risk management elements to their existing safety and security management practices without having to establish a new system from scratch. These guidelines complement the safety and security management practices established by the organization.
Background
2.1.1 Cyber technologies have become essential for the operation and management of many systems that are critical to the safety and security of shipping and the protection of the marine environment. In some cases, these systems must comply with international standards and Flag Administration requirements. However, vulnerabilities created by accessing, connecting, or networking these systems can lead to cyber risks that must be addressed. Vulnerable systems may include, but are not limited to:
- Bridge systems;
- Cargo management systems;
- Propulsion and machinery management and power control systems;
- Access control systems;
- Passenger service and management systems;
- Passenger-facing public networks;
- Administrative and crew welfare systems; and
- Communications systems.
The Difference Between Information Technology (IT) and Operational Technology (OT) Cybersecurity
When it comes to cybersecurity, it is critical to understand the distinction between information technology (IT) and operational technology (OT) systems. Both systems use data, but the purposes for which they use that data, and therefore their security needs, are quite different.
Information Technologies (IT): Using Data as Information
IT systems generally focus on using data as information. Systems such as email, customer databases, financial records or websites fall under the scope of IT. A cybersecurity breach in these systems can lead to data loss, privacy violations or disruption of business continuity. The main purpose of protecting IT systems is to ensure the confidentiality, integrity and availability of information.
Operational Technologies (OT): Data Controlling Physical Processes
On the other hand, operational technology systems use data to control or monitor physical processes. Industrial control systems (ICS), SCADA systems, a ship's engine control units, navigation systems or a port's loading and unloading equipment are examples of OT systems. A cyber attack on these systems can have much more serious consequences, including physical damage, equipment failures, operational disruptions and even loss of life. The priority in OT security is to ensure physical safety and operational continuity.
Protecting Data and Information Exchange
In both types of systems, protecting both information and data exchange is vital. While sensitive data exchanged between IT systems must be encrypted and protected from unauthorized access, in OT systems the integrity and reliability of control signals are essential for operational safety. With increasing integration between these systems, a security vulnerability in one area can affect the other. Therefore, a comprehensive cybersecurity strategy should take an integrated approach, considering the distinct needs of both IT and OT environments.
Cyber Threats and Vulnerabilities: A Comprehensive Overview
Threats in the cyber world can generally be divided into two main categories: malicious actions and unintended consequences of benign actions. Malicious actions include activities such as hacking or malware infection, where cyber attackers attempt to infiltrate or damage a system. On the other hand, unintended consequences of benign actions can result from seemingly innocent actions such as software maintenance or misconfiguration of user permissions. In both cases, these actions often expose or exploit vulnerabilities in systems (such as outdated software or ineffective firewalls). Effective cyber risk management must consider both of these threats.
Vulnerabilities and Their Impact
Vulnerabilities can arise from deficiencies in the design, integration, and/or maintenance of systems, as well as from lack of cyber discipline. When exploited directly (such as weak passwords allowing unauthorized access) or indirectly (such as lack of network segmentation), vulnerabilities in operational technology (OT) and/or information technology (IT) systems can negatively impact security and the confidentiality, integrity, and availability of information.
Furthermore, when exploited, OT and/or IT vulnerabilities can have serious safety implications, especially when critical systems such as bridge navigation or main propulsion systems are compromised. A cyber attack can not only result in data loss, but can also disrupt physical operations or cause dangerous situations.
Scope of Security: Impact of Vulnerabilities in IT Systems
An effective cyber risk management should also consider the safety and security impacts resulting from the emergence or exploitation of vulnerabilities in IT systems. This can result from improper connections to OT systems or procedural errors by operational personnel or third parties (for example, improper use of removable media such as a memory stick). Such vulnerabilities can compromise critical OT systems, jeopardizing overall operational safety and security.
Scope of Application of IMO Cybersecurity Guidelines
These guidelines address all organizations in the maritime sector. Their main purpose is to promote safety and security management practices in cyberspace. In other words, the aim is to ensure that not only technology companies but the entire maritime ecosystem, from ship operating companies to port authorities, pays attention to cybersecurity.
Every organization in the maritime sector is unique. The guidelines are therefore written in general terms and so have a wide range of applications. While a simple implementation may be sufficient for ships with limited cyber systems, ships with more complex cyber systems may need to take extra care and seek additional resources from trusted industry or government partners.
From Senior Management to Continuous Assessment
Effective cyber risk management must begin at the senior management level. Senior management must ensure a culture of cyber risk awareness at all levels of the organization and ensure a holistic and flexible cyber risk management regime that is continuously operational and regularly assessed through feedback mechanisms.
A widely accepted way to achieve this goal is to comprehensively assess and compare the organization’s current and desired cyber risk management postures. This comparison can reveal gaps that can be addressed through a prioritized cyber risk management plan. This risk-based approach enables an organization to make the most effective use of its resources.
Functional Elements of Cyber Risk Management
These guidelines present the functional elements that support effective cyber risk management. These elements are not sequential; they should be concurrent and continuous in practice and appropriately incorporated into a risk management framework:
- Identify: Define personnel roles and responsibilities for cyber risk management; identify the systems, assets, data, and capabilities that, if disrupted, pose a risk to ship operations.
- Protect: Implement risk control processes and measures, and contingency planning, to protect against cyber incidents and ensure continuity of shipping operations.
- Detect: Develop and implement activities necessary to detect a cyber incident in a timely manner.
- Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired by a cyber incident.
- Recover: Identify measures to back up and restore cyber systems necessary for shipping operations impacted by a cyber incident.
These functional elements encompass the activities and desired outcomes of effective cyber risk management across critical systems affecting maritime operations and information exchange, and form an ongoing process with effective feedback mechanisms.
Effective cyber risk management should ensure appropriate awareness of cyber risks at all levels of an organization. The level of awareness and preparedness should be appropriate to the roles and responsibilities within the cyber risk management system.
Best Practices in Implementing Cyber Risk Management
The cyber risk management approach described here provides a foundation for better understanding and managing cyber risks, enabling a risk-based approach to cyber threats and vulnerabilities. For more detailed guidance on cyber risk management, users of these guidelines should consult relevant international and industry standards and best practices, in addition to the requirements of member states and flag administrations.
What Might Additional Guidance and Standards Include?
Additional guidance and standards may include, but are not limited to:
- "The Guidelines on Cyber Security Onboard Ships", produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI.
- ISO/IEC 27001 Information technology – Security techniques – Information security management systems – Requirements, jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
- Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) by the National Institute of Standards and Technology (NIST) of the United States.
Please note that any guidance or standard used should be the most current version.