Navigating Cybersecurity Challenges in Maritime Operational Technology
The maritime industry – including container ships, bulk tankers, drillships, cruise ships, mobile offshore drilling units and the ports and terminals that support them – is critical to the global economy as well as national and international security. The global marine vessels market is projected to reach $220 billion USD by the end of 2026.1
Today, the maritime industry is highly vulnerable to cybersecurity threats due to the integration of previously standalone operational technology (OT) systems, which physically control multiple systems onboard the ship, with information technology (IT) systems that are deployed onboard and on shore. As the maritime industry continues to adopt cloud computing, the Internet of Things (IoT) and autonomous technologies, interconnectivity between OT and IT will rapidly increase, leading to ever-higher cybersecurity risks. In fact, cyberattacks on the maritime industry’s OT systems have already increased by 900 percent over the last three years.
A cybersecurity incident or a successful cyberattack on maritime interconnected IT and OT systems could have massive consequences, both regionally and globally. These include but are not limited to: health and safety impacts, environmental incidents, supply chain disruptions, reputational/brand damage and financial losses.
To make matters worse, cybersecurity is a relatively new focus in the maritime industry, with rapidly evolving technologies and emerging threats. Many maritime organizations may lack the specialized experience and expertise to identify, assess, manage and respond to cyber threats. They may also lack the institutional knowledge needed to comply with cybersecurity requirements from regulatory agencies and standards bodies such as the U.S. Coast Guard, International Maritime Organization (IMO), National Institute of Standards and Technology (NIST) and International Society of Automation/Electrotechnical Commission (ISA/IEC). Further, the maritime industry is facing other challenges including lean staffing and disparities in operational procedures from vessel to vessel, which make it harder to implement and maintain cybersecurity measures.
This article presents a step-by-step work process based on industry standards and best practices for reducing cyber risks to critical infrastructure and complying with regulatory directives. It is advisable for maritime operators, and the consultants they may engage with, to follow this or a similar methodology when creating and implementing a maritime OT cybersecurity program.
The Critical Importance of Maritime OT Cybersecurity
As connected technology replaces or integrates with legacy systems, OT functions including bridge, navigation, communications, and cargo management and handling become more easily accessible by remote threat actors. These cybercriminals can use attack methods such as navigation spoofing and satellite communication hacking to manipulate a ship’s GPS and set it up for a collision or physical attack. Other cybersecurity methods aim to steal sensitive information or hold data or even cargo for ransom.
Over the past several years there has been a steady increase in cyberattacks on terminals and shipping companies. In fact, as shown in Table 1, all four of the leading shipping firms have experienced cybersecurity incidents. In September 2020, the French container shipping line CMA CGM SA reported an encryption malware attack at two of its Asia-Pacific subsidiaries. The company said some of its data may have been stolen during the attack, which forced a shutdown of its electronic booking platform, delayed cargo deliveries and interrupted electronic communications with customs authorities.
Table 1. Recent cyberattacks on maritime targets
Regulations and Standards
Around the world, regulatory agencies, industry associations and standards bodies all recognize the urgency in addressing maritime cybersecurity. Regulatory guidelines that maritime operators should be familiar with are:
International Maritime Organization (IMO) Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems, and MSC-FAL.1/Circ.3, Guidelines on Maritime Cyber Risk Management. The resolution encourages organizations to ensure that cyber risks are appropriately addressed in existing safety management systems no later than the first annual verification of the company's Document of Compliance after January 1, 2021. The guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. They include functional elements that support effective cyber risk management. The recommendations can be incorporated into existing risk management processes and are complementary to the safety and security management practices already established by the IMO. Owners risk having their ships detained if they have not included cybersecurity in vessel safety management systems by the deadline.
U.S. Coast Guard NVIC 01-20, Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities. This Navigation and Vessel Inspection Circular (NVIC) provides guidance to facility owners and operators in complying with the requirements to assess, document and address computer system and network vulnerabilities in facilities regulated under the United States Marine Transportation Security Act (MTSA) of 2002. Facility owners and operators are required to address cybersecurity in their Facility Security Assessments (FSAs) and Facility Security Plans (FSPs) by September 30, 2021. The Coast Guard also encourages facility owners and operators to apply the NIST Framework for Improving Critical Infrastructure Cybersecurity and NIST Special Publication 800-82 to improve their facility’s security posture.
To address the twin challenges of IT and OT system protection and regulatory compliance, maritime organizations need to develop a comprehensive cybersecurity strategy—either internally or by working with a consultant. In both cases, it is important to take a systematic, phased approach based on best practices. The following work process can serve as a guide.
Figure 1: Maritime Cybersecurity Methodology
A Proven Method for Navigating Maritime Cybersecurity
The Maritime Cybersecurity Methodology is a four-stage work process (Fig. 1). It is a fusion of the IMO guideline and the U.S. Coast Guard NVIC guidance with the NIST Cybersecurity Framework, and the ISA/IEC IACS Cybersecurity Lifecycle model. This methodology not only covers assessment, planning and implementation, but also makes provisions for monitoring, maintaining and responding to changes in threats, technologies and regulations throughout the lifecycle of the system.
Step 1: Identify & Assess
This step relates to the following aspects of the maritime regulatory guidelines:
- The Identify function in the NIST cybersecurity framework
- The Assess phase of the ISA/IEC 62443 IACS Cybersecurity Lifecycle (ref. 62443-1-1)
- The assessment requirements of ISA/IEC 62443-3-2, Security Risk Assessment for Design
- NVIC 01-20 requirements to incorporate cybersecurity in the FSA
Key tasks in Step 1:
- Document the facility’s critical computer and network systems (both IT and OT), including an inventory of assets and “as-operated” drawings
- Perform a vulnerability assessment to identify, classify and score cyber vulnerabilities
- Perform a gap assessment of the IT and OT systems against relevant standards and regulatory guidance
- Conduct a consequence-based assessment (using the Cyber PHA (Process Hazard Analysis) approach, for example) to identify the highest risk scenarios in which a cyber threat might exploit a vulnerability and lead to an unwanted consequence
The assessment should encompass IT and OT systems, data and connections; threats relevant to the organization, its technologies and its geographic location; procedural vulnerabilities such as lack of staff training; and technical vulnerabilities such as software misconfigurations. Each of these elements should be assessed in terms of regulatory compliance, risk exposures and potential consequences of a cyberattack.
Many types of tools can be used for Step 1. These include asset inventory tools such as passive, active and configuration parsing to identify and document systems and dataflows; drawing tools to create network diagrams; and scanning tools to identify weaknesses. Also critical to this step are databases such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) database and the National Vulnerability Database (NVD) to research these vulnerabilities; threat intelligence reports for threat identification; gap assessment worksheets; and risk assessment tools.
The outcomes of Step 1 should be an “as-operated” inventory and series of diagrams; vulnerability, gap and risk registers; and a set of mitigation recommendations. This information should be presented in an internal report and as a cybersecurity annex to the FSA, in the case of regulated facilities.
It is advisable to repeat the Identify & Assess step at least every three years, or as required by local regulations.
Step 2: Plan & Design
The second step in the methodology relates to the following aspects of regulatory guidelines:
- The Protect function in the NIST cybersecurity framework
- The Develop & Implement phase of the ISA/IEC 62443 IACS Cybersecurity Lifecycle (ref. 62443-1-1)
- The cybersecurity requirements specification section of ISA/IEC 62443-3-2, Security Risk Assessment for Design
- NVIC 01-20 requirements to incorporate cybersecurity into the FSP
Key tasks in Step 2:
- Prioritize recommendations from Step 1
- Develop short- and long-term implementation roadmaps
- Design solutions to mitigate risk
- Verify that these solutions meet the intent of regulatory guidelines
- Create a cybersecurity annex to the FSP for regulated facilities
This step focuses on ranking risk mitigation recommendations based on benefit/cost ratio and regulatory compliance mandates. Input from engineering, operations, IT and OT staff should guide this prioritization.
Based on the ranking, the team should create a short-term roadmap of tasks that can be quickly accomplished, and a long-term roadmap of more-complex projects. These tasks and projects can involve technology implementations, such as firewalls and intrusion detection systems, and new or updated procedures such as policies, standards and training.
Step 3: Implement & Remediate
This step is tied to these regulatory aspects:
- The Protect function in the NIST cybersecurity framework
- The Develop & Implement phase of the ISA/IEC 62443 IACS Cybersecurity Lifecycle
There is no relationship between this step and NVIC 01-20 because NVIC only requires facilities to assess and plan. There is currently no mandate to implement the plans.
The main tasks in Step 3 are implementing the projects in the short- and long-term roadmaps and testing and verifying that they have achieved their intended cybersecurity objectives.
Step 4: Monitor, Maintain & Respond
The final step relates to these aspects of maritime regulations:
- The Detect, Response and Recover functions in the NIST cybersecurity framework
- The Operate & Maintain phase of the ISA/IEC 62443 IACS Cybersecurity Lifecycle
- Various categories within the NVIC 01-20 requirements (personnel training, drills and exercises, security system and equipment maintenance, security measures for monitoring and audits)
Key tasks in Step 4:
- Develop and maintain a sustainable cybersecurity program to ensure a constant state of readiness
- Continuously monitor the organization’s cybersecurity posture
- Maintain cybersecurity controls (e.g., antivirus) and perform data backups and software updates
- Conduct incident response drills
- Implement staff training and awareness programs
Note that Step 4 is an ongoing process and should be initiated as soon as Step 1 is completed due to constant changes in cyber threats and regulations and the availability of new tools and processes.
Skills and Knowledge for Maritime Cybersecurity
Understanding the steps needed to create, implement and maintain a maritime OT cybersecurity program is just the beginning. Organizations also need specialized skills and expertise to successfully perform all these steps.
As shown in Table 2, qualifications range from security credentials such as the Certified Information Systems Security Professional (CISSP), the Cisco Certified Network Associate (CCNA) and the ISA 62443 Expert, to specialized knowledge of regulations and standards. Expertise in IT and OT systems, the ability to conduct OT risk assessments and the experience to make pragmatic, risk-based recommendations are also fundamental.
Table 2: Recommended skills and knowledge for implementing the Maritime Cybersecurity Methodology
Maritime operational technology systems are increasingly being integrated with IT systems and connected infrastructures like cloud computing. This integration opens up new opportunities for unintentional employee errors, malware attacks and remote access to OT systems by threat actors for the purposes of data theft, supply chain and transportation disruption, ransom demands, terrorism and more.
Due to the fast-changing threat landscape, emerging regulatory requirements and a shortage of qualified security professionals, many maritime organizations need assistance with their cybersecurity efforts. Working with an industrial cybersecurity consultancy that uses a proven methodology, such as the one described in this article, can expedite the development of comprehensive and effective programs without the need to acquire and train specialized staff.
In the current environment, where a pattern of increasing cyberattacks is raising concerns, maritime organizations should move quickly to learn about standards and regulations and begin the process of securing their OT and IT systems.
John Cusimano is Vice President of Industrial Cybersecurity at aeSolutions.
Marco Ayala is Senior Lifecycle Services Manager – Process Safety, Automation, Controls and Cybersecurity at aeSolutions.
Greg Villano is Senior Specialist Industrial Cybersecurity at aeSolutions.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.