By IJ Arora, Ph.D.
Cybersecurity threats have become a pressing concern in the modern era due to our lives becoming increasingly dependent on computerization. However, with the convenience of technology comes vulnerability to malicious attacks. The maritime industry, with a growing reliance on technology, faces significant cybersecurity threats. Dr. Jekyll and Mr. Hyde (i.e., good and bad) exist and have always existed. Protecting against cyberattacks is crucial to ensuring the industry’s stability and security.
Understanding cybersecurity in the maritime industry
Cybersecurity in the maritime sector involves safeguarding systems, information, and assets from unauthorized access, disruptions, or manipulations. The industry’s growing reliance on technology, including networks controlling essential functions like navigation and communication, makes it an attractive target for cybercriminals. To maintain business continuity, it is crucial that companies assess their current cybersecurity posture and act to proactively improve it. The maritime industry supports trade and the economy at large, so a cyberattack can have broader consequences beyond just affecting a single vessel or company. For this reason, the intent of the attackers might be broader than simply affecting a specific entity for ransom.
Current challenges in maritime cybersecurity
Before delving into the 10 essential steps to fortify against cyberthreats, it’s crucial to acknowledge the prevalent challenges faced by the maritime industry, which include:
- Business continuity disruption due to breaches
- Lack of comprehensive response plans
- Growing reliance on automation
- Insufficient awareness
- Vulnerabilities in cloud computing
- Rise in phishing and social engineering attacks
- Internal threats and attacks
Controlling both information technology and operational technology systems is critical to fortifying cybersecurity. Various systems within the small passenger-vessel sector are susceptible to cyberthreats, including bridge systems, access control systems, passenger servicing and management systems, and communication systems.
The 10 steps
When addressing cybersecurity, organizations must consider protecting information itself as well as the asset on which that information is stored. Control of both information technology (IT) and operational technology (OT) systems is critical to fortifying cybersecurity. Additionally, management must consider the confidentiality, integrity, and availability of information and how these three aspects may potentially be compromised.
Step 1: Leadership commitment
Leaders must drive the need for cybersecurity and ensure that it is baked in (not buttoned on) to processes. They need to engage the workforce to contribute to the system. To do this, they can:
- Appoint a cybersecurity manager to ensure accountability and garner buy-in.
- Make cybersecurity integral to business processes and consider risks vs. rewards.
Step 2: Use a system framework
Employ the plan, do, check, act (PDCA) cycle as the foundation for a robust cybersecurity approach. This is also the approach prescribed by the Passenger Vessel Association (PVA) safety management system (SMS) framework.
- Develop and regularly update cybersecurity policies aligning with organizational needs and threat landscape changes.
- Identify clear roles and responsibilities for all concerned with cybersecurity aspects of the SMS.
Step 3: Contextualize risk
- Consider the broader context of operations, trade patterns, technology, and legislative factors.
- Identify stakeholders, online networks, assets, critical components, and business-sensitive information.
Step 4: Risk assessment (3D framework)
Leaving hazards in uncertain states is a drawback for proper risk assessment. It is the responsibility of leadership to convert uncertainty into clearly defined risks within the context of the organization and then prioritize those risks.
- Organizations must assess hazards in terms of probability, severity, and the likelihood of detection.
- Risks should be prioritized with consideration given toward confidentiality, integrity, and the availability of information.
Step 5: Build controls into processes
Controls can be split into various categories, including administrative, physical, human, and technological. In some cases one control may suffice, but for the most part a combination of controls must be applied. Identified controls should be implemented based on the feasibility rule, meaning that although they may look good in a vacuum, ease of implementation must be considered. Information security should be a part of everything the organization does—not an add-on. This includes:
- Implementing technical security controls like firewalls and intrusion-detection systems.
- Adopting a layered security approach (i.e., “defense in depth”) to effectively mitigate against various threats. This entails creating multiple barriers to prevent access to information—physical, passwords, firewalls, VPNs etc.
Step 6: Maintain basic measures
Basic safety measures are easy to implement and, for the most part, they are cost-effective. This can include cybersecurity awareness training for personnel, physical security, and password security. Below are a few more, although this is not an exhaustive list:
- Keep hardware and software updated.
- Enable automated antivirus and anti-malware updates.
- Limit administrator privileges and control removable media.
- Avoid public network connections without a VPN.
- Regularly backup and test information-restoration capabilities.
Step 7: Employee awareness
It is important to make employees aware of the need for good cybersecurity protocols. Employees are often the weakest link in the security chain. Statistics show that almost 36 percent of data breaches are caused by employee negligence. Immediate actions organization can take include:
- Educate employees on cybersecurity best practices to minimize human error.
- Train personnel to identify phishing attacks and report incidents promptly.
Step 8: Emergency preparedness
No organization is immune to cyberattacks. It is important to have a plan in place for responding to attacks quickly and effectively. The plan should include steps for mitigating the damage, containing the attack, and investigating the incident. You can use ISO 22301: 2019, “Business continuity,” to develop this plan.
- Your plan should include comprehensive processes for responding to cyberattacks swiftly and efficiently, including reporting mechanisms.
- Test and improve your business continuity plan regularly.
Step 9: Assess effectiveness
The check stage of the PDCA cycle is vital to instill confidence in the effectiveness of the organization’s cybersecurity measures.
- Conduct regular cybersecurity assessments, including third-party evaluations for objectivity.
- Evaluate assets, vulnerabilities, IT/OT risks, physical access, and breach potentials.
Step 10: Continual improvement
- Embrace continual improvement through the PDCA cycle to maintain vigilance.
- Invest in training personnel on cybersecurity standards like ISO 27001.
Taking cybersecurity seriously and implementing these 10 steps can significantly mitigate the risk of cyberattacks. Begin the process by conducting a gap assessment using a qualified person to assess where your system currently stands and what actions need to be taken.
Your action plan should identify risks, gaps, and the controls needed. These controls can easily be integrated into the existing safety management system. Investing in cybersecurity today will better prepare your organization to manage future risks. Leadership involvement is crucial, and these steps serve as a solid foundation to effectively fortify cybersecurity measures.
About the author
Inderjit (IJ) Arora, Ph.D., is the President and CEO of QMII. He serves as a team leader for consulting, advising, auditing, and training regarding management systems. He has conducted many courses for the United States Coast Guard and is a popular speaker at several universities and forums on management systems. Arora is a Master Mariner who holds a Ph.D., a master’s degree, an MBA, and has a 33-year record of achievement in the military, mercantile marine, and civilian industry.