A complex ecosystem with many interdependencies, and the trade-off between security and usability
Maritime cybersecurity is of paramount importance for the movement of persons and goods that underpin the global economy, including food, medicine, and energy. Unfortunately, the increasing digitalization and automation, and the efforts to find the right trade-off between security and usability, introduce new cybersecurity risks. This balance can be challenging to maintain in the face of rapidly changing cybersecurity challenges in the maritime industry.
Maritime organizations create, access, process, store, and transmit data. They are involved in significant financial transactions. They manage control systems that move cargo, and security systems that protect persons and international maritime commerce. This complex infrastructure consists of public and private organizations with various networked systems, including systems built on older, poorly secured technologies and systems so old that no security updates are available, operated by persons without proper cybersecurity awareness training. It is connected to port authorities, customs officials, logistics companies, agents, vendor representatives, and many others. One weak link in the security chain can cause significant problems that may even affect national security.
In 2020, the USA released the Navigation and Vessel Inspection Circular (NVIC) 01-20, with the subject "Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities". According to the guidelines, the maritime industry continues to increase its use of cyber technology. Facility operators use computers and cyber-dependent technologies for communications, engineering, cargo control, environmental control, access control, passenger and cargo screening, and many other purposes.
Facility safety and security systems such as security monitoring, fire detection, and general alarm installations increasingly rely on computers and networks. Collectively, these technologies enable the Marine Transportation System to operate with an impressive record of efficiency and reliability. While these computer and network systems create benefits, they introduce new vulnerabilities that increase risk. Exploitation, misuse, disruption, or simple failure of cyber systems can cause injury or death, harm the marine environment, disrupt vital trade activity, and degrade the ability to respond to other emergencies.
In 2020, the United Kingdom Department for Transport released the updated Good Practice Guide: Cyber Security for Ports and Port Systems. This guide gives excellent advice to those involved in:
(a) the financial and operational management of the port or port facility;
(b) contractual arrangements with third parties;
(c) determining policies relating to acceptable staff behaviour;
(d) the specification, design, construction and maintenance of ports;
(e) the specification, design, development, integration, commissioning, operation, and maintenance of port systems, including associated software and technologies; and
(f) management of specific security tasks, including incident response and the handling of security breaches.
In the European Union, according to the European Network and Information Security Agency (ENISA), the Maritime Sector plays a key role in the EU economy and society, accounting for a large segment of Europe’s overall freight and passenger transport. However, as the sector has been steadily undergoing a digital transformation with the introduction of innovative solutions based on ICT and the convergence between IT and OT, the cyber risk profile has also changed. Combined with a significant increase in cyberattacks against key maritime infrastructure such as ports and shipping companies, this change highlights the need for maritime cybersecurity to be addressed in more detail.
The Maritime Sector comprises a complex ecosystem with many interdependencies and organisations of different sizes, operational scope, ICT complexity and cybersecurity maturity working in tandem to ensure the unhindered delivery of freight and passenger transport services. Port authorities, terminal operators, other entities operating within ports, shipping companies, classification societies, shipbuilding companies and more each play a key role in this ecosystem and their individual cybersecurity posture is key for the Maritime Sector. The NIS 2 Directive recognises this fact by identifying a plethora of maritime operators as Operators of Essential Services.
The 2nd Maritime Cybersecurity Conference in October 2022, hosted by the European Maritime Safety Agency (EMSA), organised by the European Union Agency for Cybersecurity (ENISA), sought to explore the dynamics behind the cyber threat landscape and the challenges faced by the maritime sector. It revealed that the attack surface changes as we move from traditional ships to Maritime Autonomous Surface Ships (MASS), where the focus shifts from on-board security policies such as password management and social engineering to network aspects.
Particular emphasis was placed on attacks on supply chain becoming more common and on the cyber-physical aspects of security, especially in the context of port operations. Given the volume of people and cargo served by major ports in the EU, a supply chain incident could have a cascading effect disrupting key port operations resulting in significant economic and societal impact.
According to the European Maritime Safety Agency (EMSA), due to the constant increase in cyber threats and cyber attacks aiming at disrupting the maritime domain, EMSA will be active in enhancing maritime cyber security awareness and information exchange. On the basis of the gap analysis undertaken, the Agency will further assess whether more guidance to Member States is needed addressing cyber security challenges.
Following the establishment of a dedicated Task Force, EMSA supports the European Commission and the Member States in facilitating a better understanding of the cyber threats and cyberattacks aimed at disrupting the EU maritime domain. EMSA will keep on enhancing maritime cybersecurity awareness and information exchange, notably by exchanging with the main stakeholders (e.g. ENISA) to provide the Commission and Member States with technical support to better address maritime cyber risks. The Agency will also follow up the work started with its “mapping and gap analysis of maritime cybersecurity in the ecosystem of ships and port facilities” and develop the appropriate projects and actions.
Good Practices and Security Measures tailored to Maritime Transport, from the European Commission
Governance to Identify Cybersecurity Threats
Governance: Organisations in maritime transport need a clear understanding of emerging threats in order to define the management policies and processes that govern their approach to enhancing the cybersecurity of services and systems in operation, including Information Technology (IT) and Operational Technology (OT).
Good practices for organisations of any size involve:
1. Ensuring that senior management levels report cybersecurity concerns to executives and boards, who can make informed decisions on resource allocations.
2. Appointing a senior role with overall management responsibilities for the security of Information Technology (IT) and Operational Technology (OT). This role should be accountable for cybersecurity as well as physical security.
3. Clearly defining roles, responsibilities, competences, and clearances related to cybersecurity, defining levels of authority and lines of communication between, and amongst, shore and shipboard personnel, and agreeing on them with the relevant personnel. This is necessary, in particular, for members of Computer Emergency Response Teams (CERTs).
Personnel with roles relating to EU maritime security and safety legislations, such as Port Facility Security Officers, Port Security Officers or Company Security Officers or the Designated Person Ashore (DPA) and the Master on board, should at least be familiar with the cybersecurity measures taken by the organisation.
4. Ensuring cybersecurity governance throughout the entire supply chain of security services, including both physical and digital interfaces, from technology manufacturers and installers to security providers.
5. Agreeing on activities and controls, including shared responsibilities, to manage cybersecurity risks, and ensuring that these responsibilities are sustained throughout the lifetime (e.g. by service agreements) of security solutions and services.
6. Defining governance mechanisms (e.g. policies) in order to comply with obligations drawn from relevant regulations and directives, for example, Regulation 2019/1239 establishing a European Maritime Single Window environment (EMSWe), Regulation 725/2004 on enhancing ship and port facility security, Directive 2005/65/EC on enhancing port security, Regulation (EC) No 336/2006 on the implementation of the International Safety Management (ISM) Code, and Resolution A.741(18) adopting the ISM Code for the Safe Operation of Ships and for Pollution Prevention.
In this context, it is also relevant to mention the Common Information Sharing Environment (CISE), an EU initiative that aims to make European and Member State surveillance systems interoperable, giving all concerned authorities access to the classified and unclassified information they need to conduct missions at sea.
Examples of services and systems in maritime transport:
Examples of IT are those accessible to employees (e.g. personal computers, mobile phones, office peripherals, etc.) as well as passengers (e.g. public Wi-Fi routers and connections, etc.).
Examples of OT are Supervisory Control and Data Acquisition (SCADA) systems, heating, ventilation, and air conditioning (HVAC) systems, Global Positioning System (GPS) equipment, access control, monitoring, surveillance, alarm response, screening technology, on-board navigation systems, SafeSeaNet, bridge systems, cargo handling and management systems, propulsion and machinery management and power control systems, passenger servicing and management systems, passenger-facing public networks, administrative and crew welfare systems, communication systems, and others.
Risk Management to Identify Cybersecurity Threats
Risk Management: Maritime organisations need to take appropriate steps to identify, analyse, assess, and communicate cybersecurity risks, and to accept, avoid, transfer, or mitigate them to an acceptable level. This requires an overall organisational approach to risk management, which involves:
1. Ensuring a clear overview of the various hardware and software systems deployed for delivering different services. In the context of maritime transport, such systems involve Information Technology (IT) as well as Operational Technology (OT), and how these systems connect and integrate with the shore side, including public authorities, marine terminals and stevedores.
2. Identifying and evaluating key shipboard operations that are vulnerable to cyber-attacks, and performing cybersecurity risk assessments (including assessing potential operational impacts and likelihood of occurrence) which should take into account emerging threats, known vulnerabilities, and operational data in relation to the systems in scope.
Where appropriate, making the link to the security assessments carried out for ships (SSAs), port facilities (PFSAs), and ports (PSAs) as set out by EU maritime security legislation. These identify possible security threats to port infrastructure and security weaknesses. Additionally, maritime organisations such as the International Maritime Organization (IMO) and maritime ISACs may provide insights on threats targeting maritime transport.
3. Ensuring that risk assessments also cover the risks related to personnel's daily activities (e.g. social media usage, personal device usage, data processing, information sharing, etc.).
4. Identifying and implementing risk treatment measures and plans mitigating cybersecurity risks. For example, implementing a comprehensive Information Security Management System (ISMS) and a Privacy Information Management System (PIMS), aligned with other management systems such as Safety Management Systems (SMS) in accordance with the International Safety Management (ISM) Code.
Such management systems (i.e. ISMS and PIMS) involve implementing security (as well as data protection and privacy) controls in order to mitigate and prevent emerging threats affecting security of maritime services and systems (including their data).
5. Taking into account any constraints concerned with asset management and resource planning (that is, constraints that may affect the delivery, maintenance and support of critical systems for the operation of essential functions in maritime transport). As for assessments, make a cross-reference where appropriate to the requirements of the ISM Code, Safety Management Systems (SMS) and security plans drawn up according to EU maritime safety and security legislation.
Examples of risk management frameworks:
Different frameworks (e.g. the ISM Code or standards in the ISO/IEC 27000 family, the NIST Cybersecurity Framework, the MITRE ATT&CK framework, BSI IT-Grundschutz, etc.) may inform and underpin a tailored risk management approach for maritime transport.
The NIST Cybersecurity Framework has also been tailored to address the cybersecurity of Maritime Bulk Liquids Transfer (MBLT), Offshore Operations, and Passenger Vessel Operations. Similarly, the Baltic and International Maritime Council (BIMCO) has issued "The Guidelines on Cyber Security Onboard Ships" and the International Maritime Organization (IMO) has issued specific "Guidelines on maritime cyber risk management" (MSC-FAL.1/Circ.3).
ENISA has conducted several studies concerned with good practices for maritime cybersecurity, in particular port cybersecurity. EMSA provides services to the maritime community, including cybersecurity awareness training. Standards (e.g. IEC 61162-460:2018 on safety and security of maritime navigation and radio communication equipment and systems, ISO 16425:2013 on ships and marine technology, IEC 62443-4-1:2018 on security for industrial automation and control systems, etc.) also define specific security and safety requirements for systems and networks in maritime transport.
Our training programs
Cyber Risk GmbH, a private company incorporated in Horgen, Switzerland, is not affiliated or connected to the entities referred to above in any way. Cyber Risk GmbH offers training programs in some difficult areas, like the new NIS 2 Directive of the European Union, which changes the compliance requirements of many entities in the maritime industry, and programs that assist the Board of Directors and the CEO in understanding cybersecurity challenges.
The Board of Directors and the CEO of entities in the maritime industry must understand that they are high value targets. For them, standard security awareness programs are not going to suffice. The way they are being targeted is anything but standard or usual. They are the recipients of the most sophisticated, tailored attacks, including state-sponsored attacks. These are attacks that are often well planned, well crafted, and employ advanced psychological techniques able to sway a target towards a desired (compromising) behavior without raising any alarms.
Countries expand their global intelligence footprint to better support their growing political, economic, and security interests around the world, increasingly challenging existing alliances and partnerships. They employ an array of tools, especially influence campaigns, to advance their interests or undermine the interests of other countries. They turn a power vacuum into an opportunity.
Countries use proxies (state-sponsored groups, organizations, organized crime, etc.) as a way to accomplish national objectives while limiting cost, reducing the risk of direct conflict, and maintaining plausible deniability.
With plausible deniability, even if the target country is able to attribute an attack to an actor, it is unable to provide evidence that a link exists between the actor and the country that sponsors the attack.
For our training programs, you may visit:
Maritime Cybersecurity Training.
The NIS 2 Directive as it applies in the maritime industry.
Cybersecurity Training for the Board of Directors in the maritime industry.