To understand how worldwide shipping and port facilities have evolved from 2007 to the present, it is necessary to return to the subject of cyber risk in the maritime and port setting.
It is not the purpose of this article to retrace the several cyber attacks that, starting with A.P. Moller-Maersk, have hit the world's most important shipping companies as well as the biggest port hubs in Europe and the United States.
MARITIME CYBER SECURITY
While acknowledging earlier relevant cases, the chosen starting point is June 16th, 2017, when the International Maritime Organization (IMO) formally adopted the recommendations contained in the three declarations of principles of Resolution MSC.428(98), entitled Maritime Cyber Risk Management in Safety Management Systems.
From that point, cyber risk assessment becomes an integral part of the objectives (section 1.2) of the ISM Code: cyber risk management must be included in the general objective, so shipping companies must "…ensure safety at sea, prevention of human injury or loss of life, and avoidance of damage to the environment, in particular to the marine environment and to property". These objectives translate into the following obligations:
1. provide for safe practices in ship operation and a safe working environment;
2. assess all identified risks to its ships, personnel and the environment and establish appropriate safeguards; and
3. continuously improve safety management skills of personnel ashore and aboard ships, including preparing for emergencies related both to safety and environmental protection.
In the declarations attached to MSC.428(98), the IMO introduces for the first time the date of January 1st, 2021, stating that "…Administrations (are encouraged) to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 2021".
The second date to remember is July 5th, 2017, when the IMO, through the Maritime Safety Committee, released the Guidelines on Maritime Cyber Risk Management in circular MSC-FAL.1/Circ.3. These guidelines provide "high level" recommendations for managing cyber risk in the maritime sector, with special reference to shipping. Their aim is to promote the mitigation of cyber risk by adjusting the safety management system already required by the ISM Code framework.
In the Italian context, a third date to remember is December 13th, 2019, when the Comando Generale del Corpo delle Capitanerie di Porto (the General Command of the Italian Harbour Masters) issued the Circolare Titolo Sicurezza della Navigazione, Serie Generale 155/2019. The circular refers back to Circolare Titolo Security n. 35/2017 (Circolare n. 40/2017 has the same content but is addressed to the port sector and port facilities), and through it takes up the 2017 IMO Resolution and circular and the NIS guidelines, underlining the existing connection between the Ship Security Plan and the cyber risk prevention procedures included in the Safety Management System of the ISM framework. The Annex "Cyber Risk Management" is a relevant part of the circular: it proposes a model for identifying and managing cyber risk within the specific risk assessment that the circular requires.
Cyber Security in Ports and Port Facilities
Cyber security in ports and port facilities has developed differently. Although port infrastructures play a strategic role in global commerce, and their growing use of dedicated technologies is expanding the IT network (also by integrating it with OT systems) and interconnecting it with land transport infrastructures, no formal measures on cyber risk management have been issued for ports so far.
As mentioned before, the ISPS Code, which regulates the security model of ports receiving ships on international voyages of 500 GT and above (so not all ships), does not address IT risk scenarios; apart from a generic call for the protection of IT infrastructures, it provides no directions or guidelines for developing a cyber risk management model. The ISM Code, for its part, concerns only the ship world, so extending it to port facilities, besides being conceptually incorrect, could also be dangerous, because its underlying concepts are only pertinent to ships.
In the absence of IMO guidelines on the management of cyber risk in ports, the work of ENISA (the European Union Agency for Cybersecurity) must be highlighted: since December 19th, 2011, the agency has also focused its attention on shipping, cruise lines and ports.
This work began with a first report in 2011, Cyber Security Aspects in the Maritime Sector, followed in November 2019 by a second one entitled Port Cybersecurity – Good practices for cybersecurity in the maritime sector.
In December 2020, ENISA published a new report, Cyber Risk Management for Ports, which introduces a specific approach to cyber risk assessment in ports covering both IT and OT systems and based on the basic principles of risk management. The approach was written to be consistent with the security risk assessment method for the port and maritime domain defined by the ISPS Code, and is therefore compliant with the main European regulations on port and port facility security. The topics in the report are presented not only as IT guidance but also as process guidance, relating to the standard risk assessment methods used in the management systems of the ports concerned as a specialisation relates to its general case.
The recent US Government maritime cybersecurity plan
Also relevant, again in December 2020, is the approval of the National Maritime Cybersecurity Plan by the Trump Administration. The document sets out priority measures that the Government commits to pursue in order to mitigate the cyber risks and threats affecting the sub-sectors of the Maritime Transportation System (MTS).
Among these actions, the plan acknowledges that, at national level, more than 20 government entities have jurisdiction over maritime and port security matters. This fragmentation does not favour the consolidation and diffusion of shared maritime cybersecurity standards, and therefore calls for a revision of the roles and responsibilities of the entities concerned. The action also covers the development of shared procedures for identifying and mitigating cyber risk in the ports concerned, with special reference to OT infrastructures in the maritime sector, which so far have not benefited from the vulnerability analysis and audit programmes that could be borrowed from the experience of similar sectors. Hence the possibility of allowing the Department of Homeland Security (DHS) and the Department of Defense (DOD) to carry out sector cybersecurity assessments, contributing to the protection of port facilities and ships against cyber risk.
A framework dedicated to Port Cyber Security Assessment could then be incorporated into the regulatory systems already in place, such as the ISPS Code. In this way, an IT security component (so far missing) could be added to the existing sector assessment procedures (the Port Facility Security Assessment).
Maritime cybersecurity (as distinct from port and port facility cybersecurity) could instead be addressed by integrating the cybersecurity assessment process and the related specific risk management among the objectives of the ISM Code, and thus into the Safety Management System. This action would be combined with the analysis and study of the main cyber attack vectors, drawing on the cyber incident reports of maritime and port operators, in order to close the MTS's culture and awareness gap on cybersecurity.
Not least, it is essential that public and especially private operators supplying services connected to port infrastructures be subject to uniform contract requirements (cybersecurity contracting clauses), so as to create a first level of contract standards that can contribute to a shared model of sector cybersecurity. This could be achieved with the participation of the General Services Administration (GSA) in developing and implementing contract frameworks applicable to critical maritime infrastructures under the direct management or control of the relevant public administrations.
Another relevant topic is data sharing within the public-private partnership, as the basis for a shared and effective intelligence system for the whole MTS. Here too, priority actions were identified, among them the creation of hubs and points of contact to facilitate the proposed operational data sharing while preserving the privacy of the data that make up the shared information. The standard to be created will therefore have to be information-secure by design. Lastly, it is necessary to train the relevant professionals in maritime cybersecurity because, in the words of the plan,
"Port and vessel systems are unique and not as ubiquitous as commercial office systems".
Hence the commitment to develop career paths, incentives, continuing education programmes and talent retention plans, in order to build a pool of sector professionals with demonstrated expertise.
About the author: Giovanni Campanale