Cyber Security in Maritime Industry: A Comparative Study by Stefanos Spanos, Director, CTO & Lead Assessor of ISONIKE Ltd
Cyber attacks play no favourites. No industry is exempt!
The growing utilization of advanced Information & Communication Technology (ICT) and Operational Technology (OT) onboard ships has taken, as expected, an exponential course. This is increasing the effectiveness and efficiency of operations both onboard and ashore. However, a ship that was traditionally considered a relatively 'closed', hence 'isolated' and 'protected', system has opened up to cyberspace and is consequently vulnerable to a number of significant cyber security threats.
The major stakeholders of the Maritime Industry are well aware that ineffective cyber security protection may lead to major safety, environmental and commercial issues! This raises a new 'domain' of challenges in maritime: the cyber security challenge.
In response to the Cyber Security challenge, IMO (International Maritime Organization), the global standard-setting authority for the safety, security and environmental performance of international shipping, adopted on 16 June 2017 the Resolution MSC.428(98) - Maritime Cyber Risk Management in Safety Management Systems as part of the mandatory regulatory framework for the shipping industry. The IMO Resolution MSC.428(98) is supplemented by the IMO Guidelines on Maritime Cyber Risk Management MSC-FAL.1/Circ.3 and took full effect on 1 January 2021 as part of the mandatory International Safety Management Code (Resolution A.741(18)).
Both IMO Resolution MSC.428(98) and IMO Guidelines MSC-FAL.1/Circ.3 take a clear stand by recommending 'a risk management approach to cyber risks that is resilient and evolves as a natural extension of existing safety and security management practices' (MSC-FAL.1/Circ.3, §2.1.8). Further, the best practices recognized for implementation of cyber risk management may include, but are not limited to:
- The Guidelines on Cyber Security Onboard Ships produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI.
- ISO/IEC 27001 standard on Information technology - Security techniques - Information security management systems - Requirements. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
- United States National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework).
As the title of the publication indicates, BIMCO's "Guidelines on Cyber Security Onboard Ships" provide a set of cyber security guidelines for ships to respond to and protect themselves against cyber security risks. In particular, the main body of the guidelines provides guidance for the implementation of cyber protection controls. Annex 1 of the guidelines recognises and lists a summary of the systems, equipment, technologies and data onboard that could potentially be vulnerable to cyber risks; Annex 2 provides the minimum measures that all companies should consider implementing so as to address cyber risk management in an approved Safety Management System (ISM Code); and Annex 3 provides guidelines for onboard networks.
A comparison of compatibility made by ISONIKE with clause cross referencing from "Guidelines on Cyber Security Onboard Ships" by BIMCO to ISO/IEC 27002 Information technology - Security techniques - Code of Practice for Information Security Controls identified some differences.
The core differences identified between the frameworks fall under the following main domains:
- ISO/IEC 27002 is associated with ISO/IEC 27001. The former provides a code of practice for the latter. Most importantly, the latter provides the Information Security Management Systems - Requirements for certification of organizations under ISO/IEC 27001 Accredited Certification Schemes. BIMCO's "Guidelines on Cyber Security Onboard Ships" is not associated with any accredited certification scheme.
- The "Guidelines on Cyber Security Onboard Ships" takes an approach that focuses specifically on the Maritime Industry and its terminology (e.g. providing guidance on relationships between the manager and the ship owner, between the ship owner and the agent, etc.), while ISO/IEC 27002 takes a generic approach that can be applied to all industry sectors (e.g. looking at the relationships generically and allowing the organisation to define them).
- ISO/IEC 27002 includes certain control objectives (such as for Human Resources Security, mandatory Security Policies, Classification, etc.) in a more rigid manner.
- The "Guidelines on Cyber Security Onboard Ships" considers OT (e.g. ISA/IEC 62443) in a more direct manner, while ISO/IEC 27002 is more focused on ICT and considers OT indirectly.
- The "Guidelines on Cyber Security Onboard Ships" applies directly to ships (which in turn can be considered an 'operating site'). Any application to other stakeholders (e.g. a ship management organisation) is indirect. ISO/IEC 27002 applies directly both to the organisation and to all of its operating sites.
- The "Guidelines on Cyber Security Onboard Ships" is based on NIST. ISO/IEC 27002 is supplemented by a Risk Assessment methodology from the same family of standards (ISO 27005), but is open to any other risk assessment methodology (CRAMM, Mehari, NIST, STORM, ISO 31000, etc.).
The three important findings from IMO Resolution MSC.428(98) framework combined with the comparison of compatibility between the "Guidelines on Cyber Security Onboard Ships" and ISO/IEC 27002 are the following:
1. The two frameworks have a noteworthy 'common ground' and are compatible to a significant extent. Nevertheless, there are some technical areas where they complement each other. Therefore, integration into a coherent model is to the benefit of the maritime industry.
2. Although a risk management approach is highly recommended in the maritime industry, the associated maritime regulatory framework does not require any accredited third party assessment or certification in cyber security and protection. The current mandatory requirement is, in practice, for a 'stand-alone' Cyber Security Manual (without a third party accredited approval requirement) onboard ships, or for a migrated Safety Management System Manual that includes the Cyber Security provisions.
3. With the recognition and inclusion of ISO/IEC 27001 among the best practices in MSC-FAL.1/Circ.3, it may be argued that accredited certification to ISO/IEC 27001 is indirectly encouraged. However, it remains purely voluntary.
On another aspect, EU Regulations such as the GDPR and the NIS Directive have a significant impact on the maritime industry. The former because the maritime industry uses Personal Data and Privacy Information of passengers, crew and visitors; the latter because water transport is a sector that falls under the provisions of the NIS Directive and, as a result, certain maritime companies may have been identified as Operators of Essential Services (OES). In parallel, certain State Authorities have already started to impose tough Port State Control measures on Cyber Risk in order to ensure that cyber risk management is appropriately addressed and implemented onboard as part of the safety management system (e.g. see BIMCO News). Other Port State Control Authorities are expected to follow very soon, intensifying their inspections to the same level.
The Maritime and EU regulatory framework described above, together with the emerging industry standards for cyber risk protection and business continuity, is viewed as a 'de facto' necessity for maritime companies to implement management systems that conform to international standards such as ISO/IEC 27001:2013 (Information Security Management Systems) and ISO 22301:2019 (Business Continuity Management Systems).
A model that combines the implementation of the aforementioned management system frameworks with third party assessment by cyber security experts and accredited certification to ISO/IEC 27001:2013 delivers substantial value to the maritime industry.
The main benefits of this model (but not limited to these) are:
- A holistic approach to Risk Management in maritime, which is not only fully aligned with IMO Resolution MSC.428(98) but also contributes vitally to protection from cyber security incidents & breaches, hence to the preservation of security, safety, environmental and commercial aspects in shipping.
- Improved confidence of maritime industry stakeholders (flag states, port authorities, insurance & underwriters, P&I clubs, oil majors, charterers, freight forwarders, etc.).
- A proactive model focusing on 'Prevention' rather than 'Correction' (notably, correction costs are higher than prevention costs).
- A reduced risk of deficiencies (even detentions) on Cyber Security measures during Port State Control inspections.
- A positive impact on compliance and consequently a reduced risk of fines.
- Possible additional cost benefits in insurance / underwriting costs due to the reduction of cyber risk.
- A positive impact on Image and Reputation.
- A competitive advantage for the pioneers who choose to apply it.
Maritime is a highly regulated industry. The model described above is not to be viewed as an attempt to 'add on' more requirements to an industry which is already highly regulated. Therefore it is important that the model preserves its voluntary nature for the pioneers at the present time. Advances in technology, however, bring remarkable new benefits to businesses and societies, and these benefits introduce new responsibilities. Thus it is believed that such a model will become the norm in the near future.
We should not forget that ... better standards mean better and safer lives for everyone!
The comparison of compatibility made by ISONIKE with clause cross referencing from "Guidelines on Cyber Security Onboard Ships" by BIMCO to ISO/IEC 27002 Information technology - Security techniques - Code of Practice for Information Security Controls is available upon request. Interested parties may submit their request for a free copy by email to firstname.lastname@example.org.