Maritime Cyber Resilience - Just chat or is it real?

Maritime Cyber Resilience - conversations are underway, but have we improved our maritime cyber resilience?

Three maritime cyber security articles, shared last week, shine a light on the state of resilience in the maritime sector, or do they? The first article (https://www.directorstalkinterviews.com/maritime-industry-now-a-major-target-for-computer-cyber-attacks/412804217) suggests that with the increased digitisation of the maritime sector, sophisticated cyber criminals are sniffing an opportunity. Whilst there is clearly an increased attack surface in the maritime sector, and ransomware attacks often rely upon unpatched systems and weak protocols, increased digitisation is not in itself evidence that the maritime industry is a major target for cyber attacks. Criminals target areas where there are rich pickings. In order to understand how attractive the maritime sector is to criminals, we need to understand the opportunities and, indeed, we need to better understand how much money is being extorted. Publicly available figures are hard to get hold of. The lesson from other sectors is that sharing insights is important and that a vulnerability-led approach to cyber security should be replaced by a threat-led approach to cyber resilience. Take the financial sector: here the CBEST process (Threat Led Penetration Testing) is used by the financial regulators as a means of providing evidence of cyber resilience and an understanding of business risk, not just IT risk. Whilst the IMO “affirms that an approved safety management system should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code”, IMO Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems, lacks the specificity and clarity of a CBEST-style assessment.

The second article (https://www.rivieramm.com/news-content-hub/news-content-hub/why-digitalisation-and-cybersecurity-should-go-hand-in-hand-57714) emphasises that digitalisation (digitisation) and cyber security go hand in hand, and highlights how classification societies’ cyber security offerings are being increasingly embraced by the maritime sector. It is paradoxical that, although building security in at the beginning of a digital transformation programme is the more cost-effective approach, the drive for efficiencies and speed of implementation of new software programmes often trumps the adoption of good cyber security practices. Budgeting for a potential high-impact, low-probability event rarely happens unless the risk assessment process is mature. Why is that? Most significant investments in cyber security/resilience, particularly secure-by-design programmes, are initiated after a serious incident or in a regulated environment, as the risk is then easier to articulate.

The third article (https://www.gov.uk/government/news/maritime-minister-undertakes-future-of-shipping-industry-tour-as-ports-cyber-security-guidance-is-updated) trumpets the UK Government’s updated Port Cyber Security Guide. The title captures the intent. By publishing a guide rather than mandating a standard, changing behaviours across the maritime sector will be harder to achieve. Take another sector, the food sector, which has the beginnings of a standard: how widely implemented is the Publicly Available Specification (PAS) 96 Guide to Protecting Food and Drink from attack? It would be interesting to determine the impact of the Port Cyber Security Guide on port cyber security programmes. It is laudable that guides have been published, but the key to improvements in the resilience of the maritime sector is the implementation of security standards/guidelines and the subsequent threat-led testing of the maritime environment. In sum, these articles suggest that there is more interest in maritime cyber security, but whether the sector is more resilient as a consequence of these initiatives remains unclear.

  1. Cyber security is moving up the agenda in the maritime sector.

  2. Real change is forced by regulation and/or experience of cyber attacks that have impacted the bottom line.

  3. Good governance demands a risk-based approach to cyber resilience, measured in terms of business impact. Cyber security guidelines/security standards and/or classification societies’ initiatives are a good place to start, but sharper focus can be achieved through a threat-led approach to cyber risk management, in addition to the implementation of an appropriate cyber security framework.
