Navigating Cybersecurity with the IMO and New NIST Frameworks

In the bustling port of a major city, a cargo ship laden with consumer goods is preparing to dock. The port's automated crane system is ready to offload the freight containers, and the crew is eager to complete this routine procedure. But then, suddenly, all systems freeze. Onboard the cargo ship, an alert pops up on the Electronic Chart Display and Information System (ECDIS) with the ship’s location now showing the ship is at 0N 0W.  Additionally, bow and stern thrusters are not responding and require the crew to perform manual interventions. Almost simultaneously, the port's crane operation systems begin to fail, locking the boom in the down position.

The ship is stranded in the shipping channel after drifting aground to a shallow section of the shipping channel, unable to dock, creating a bottleneck that delays other vessels. The port's operations grind to a halt, causing a ripple effect of disruptions across the supply chain. Within hours, news of the cyber-attack spread, shaking investor confidence and causing stock prices for the shipping company to plummet. Bond issuers of the port begin to question the port’s operations.

As executives scramble to contain the situation, cybersecurity experts trace the source: a sophisticated malware that exploited vulnerabilities in the ship's navigation software and the port's crane operational technology and cargo tracking systems. What appeared to be isolated, secure systems were, in reality, a playground for attackers, costing the shipping company and the port millions in damages, not to mention the erosion of trust that took years to build.

This chilling episode is not drawn from a screenplay. Still, it is a composite of actual events that spotlight the interconnected risks that the maritime industry and port infrastructure now face in this digital age. From 2016 to 2021, 13 major cyber incidents were reported and impacted the maritime industry, including malware on an ECDIS system, GPS spoofing, ransomware, and a direct attack on a port (Akpan, 2022).  It serves as a stern wake-up call for maritime executives and port authorities alike: Cybersecurity is not a luxury or an afterthought; it's a necessity.

In our interconnected world, the efficient movement of goods and resources is the lifeblood of the global economy. With over 80% of international trade by volume and more than 70% by value transported by sea (United Nations, 2023), the maritime industry and port infrastructure act as the arteries of this global circulatory system. Their roles are complementary yet distinct, each vital in keeping the pace of trade steady and robust.

Oceans, seas, and navigable rivers have always been natural highways for trade. With the advancement of technology, the maritime industry has evolved into an intricate network of shipping routes connecting every corner of the world. Today's merchant fleet comprises various vessel types—container ships, oil tankers, bulk carriers, and more—all specialized to carry different kinds of cargo.

Each year, the maritime industry moves billions of tons of goods, including essentials such as food, fuel, raw materials, and manufactured products. This industry doesn't just facilitate trade; it also generates employment opportunities, contributes to economic growth, and plays a crucial role in the energy supply chain.

Ports are more than just a point of arrival or departure for ships; they are complex ecosystems that integrate various forms of transport—sea, road, rail, and air. These logistical hubs streamline the import and export of goods, making them available for domestic consumption or sending them onward to international destinations.

Modern ports are evolving into 'smart' facilities, utilizing digital technologies for real-time data tracking, cargo management, and even autonomous equipment for loading and unloading. Beyond shipping, ports often play a key role in other economic activities, including manufacturing, commerce, and tourism.

Maritime routes are only as effective as the ports that anchor them. In turn, ports rely on an efficient maritime network to sustain operations. This symbiotic relationship is further enhanced by global supply chains, where delays or disruptions at sea or in port can have cascading effects on production lines, retail operations, and, ultimately, the global economy.

In an age where digital transformation is the norm, the maritime industry and port operations are not immune to the manifold risks posed by cyber threats. The very technologies that enable efficient operations also open doors to potential vulnerabilities that nefarious actors can exploit. Given the significant role these sectors play in global trade, cybersecurity is not merely an operational concern but a critical element in safeguarding global economic stability.

Charting the Risks

For maritime executives, the priority has always been to ensure the safe and efficient transit of goods across the world's oceans. Yet, in a world that is increasingly interconnected and dependent on digital systems, it's no longer enough to focus solely on the physical elements of shipping, such as vessels and infrastructure. The realm of bits and bytes has a direct bearing on the world of ships and ports, impacting operations both ashore and at sea. This makes cybersecurity risk not just an IT issue but a strategic imperative for maritime executives, no matter the company's size.

The NIST Cybersecurity Framework v2.0: A Guiding Light

The original NIST Cybersecurity Framework (CSF) was released in 2014 as a method to guide organizations that identify as critical infrastructure, which the maritime industry is classified as, to a basic level of cybersecurity. 

On August 8, 2023, NIST released a new version of the framework that is more general in nature and can be applied broadly across industries.  While the CSF is not specifically tailored for maritime operations, its core principles, now updated to include Governance in addition to the original Identify, Protect, Detect, Respond, and Recover—are universally applicable and provide a solid foundation for cybersecurity risk management.

Although the framework originates from the United States, it has gained worldwide recognition. According to a recent online review of the updated version, over 7,200 people registered for the workshop. Aside from the United States, the countries with the most attendees included Canada (181), India (89), United Kingdom (89), Brazil (34), Germany (31), Mexico (31), Colombia (20), Singapore (19), and Italy (16) (NIST 2022, September 9).

The introduction of the "Govern" feature in CSF 2.0 aims to provide a more organized approach to handling cybersecurity risks. This is a significant move towards incorporating cybersecurity into the wider objectives and legal obligations of an organization rather than just being a technical issue. The feature will enable any organization to adopt a more strategic approach to cybersecurity and include it in their overall risk management plan (NIST 2023, January 18).

Maritime companies can use the framework to assess their current cybersecurity posture, identify gaps, and develop action plans to improve resilience against cyber threats.

IMO Standards: Tailored for Maritime Security

The International Safety Management (ISM) Code, bolstered by the IMO Resolution MSC.428(98), is a foundational framework for risk management in the maritime industry. The ISM Code mandates that shipping companies establish a Safety Management System (SMS) that outlines procedures, responsibilities, and actions to ensure safety at sea and prevent environmental harm. Significantly, IMO Resolution MSC.428(98) elevates cybersecurity to the same significance level as other safety risks governed by the ISM Code.  

The Way Forward: Integrating Frameworks

While NIST provides a broad base, sector-specific guidelines like those from IMO offer detailed instructions tailored for maritime activities. By integrating these frameworks, maritime and port operations can develop a comprehensive cybersecurity strategy that addresses both general and industry-specific vulnerabilities.

IMO, in MSC-FAL.1/Circ.3/Rev.2, recommends the NIST Cybersecurity Framework, among others, as a best practice for implementing a cybersecurity risk management framework (IMO 2022, June 7).  Therefore, it is beneficial for maritime organizations to align the NIST CSF with industry-specific regulations and guidelines, such as those provided by the International Maritime Organization (IMO). By doing so, organizations can develop a comprehensive cybersecurity strategy addressing general and industry-specific concerns. Given the increasing reliance on digital technologies for navigation, communication, and operations management both at sea and in port, applying a robust, flexible framework like the NIST CSF is a valuable approach to enhancing cybersecurity in the maritime industry.

The mandate for robust cybersecurity in maritime and port operations has never been clearer in a world increasingly defined by digital interaction. Implementing recognized frameworks like NIST and IMO standards can provide the strategic direction needed to navigate this complex landscape safely.

With cyber threats looming larger each year, maritime executives and port authorities can ill afford to overlook cybersecurity in their risk management strategies.

Methodologies for Assessing Cybersecurity Risks in Both Sectors

1. Gap Analysis – Perform an initial analysis to determine the gaps in the existing cybersecurity infrastructure. This involves comparing current practices against industry standards such as NIST CSF or IMO guidelines to identify vulnerabilities.

2. Threat Modeling – Identify potential threat vectors, including both internal and external sources. Consider risks associated with navigation systems, communication channels, cargo management software, and port logistics infrastructure.

3. Impact Assessment – Estimate the financial, operational, and reputational impact of potential cyber incidents. This involves running hypothetical scenarios to understand the implications of different types of attacks.

4. Risk Prioritization – Based on the impact assessment, prioritize risks in their likelihood and severity. Allocate resources accordingly to manage these risks effectively.

5. Periodic Reviews – The cybersecurity landscape is ever-changing. Periodic reviews are essential to update the risk assessment and adapt strategies per emerging threats and technologies.

Checklist and Recommended Actions for Maritime Executives and Port Authorities

Maritime Executives

• Adopt Industry Standards: Familiarize yourself with NIST CSF, IMO guidelines, and other relevant frameworks. Integrate these standards into your existing Safety Management System (SMS).
• Regular Training: Ensure that the crew and onshore staff undergo regular training in cybersecurity awareness and best practices.
• Access Controls: Implement stringent access control for onboard systems and ensure the crew follows proper authentication protocols.
• Incident Response Plan: Develop a robust incident response plan for potential cyber-attacks and run regular drills to test its effectiveness.
• External Audits: Periodically bring in third-party experts to audit your cybersecurity measures and offer recommendations for improvement.

Port Authorities

• Infrastructure Audit: Conduct an exhaustive audit of the digital infrastructure for cargo management, logistics, and communication.
• Firewalls and Encryption: Implement advanced firewalls and encryption techniques to protect sensitive data and control systems.
• Multi-Factor Authentication: Use multi-factor authentication to access key control systems and databases.
• Collaborate with Stakeholders: Work closely with shipping companies, customs agencies, and other stakeholders to develop a coordinated approach to cybersecurity.
• Emergency Protocols: Establish and regularly update emergency protocols for various cyber incident scenarios, ensuring all staff members are familiar with the procedures.

By understanding the methodology for risk assessment and following best practices, maritime executives and port authorities can build resilient systems capable of navigating both the physical and digital challenges of today's maritime landscape.

Chris Wolski is an experienced cybersecurity professional with over two decades of diverse industry experience, specializing in safeguarding critical infrastructure within various regulated sectors.

References:

Akpan, F., Bendiab, G., Shiaeles, S., Karamperidis, S., & Michaloliakos, M. (2022). Cybersecurity Challenges in the Maritime Sector. Network, 2(1), 123–138. https://doi.org/10.3390/network2010009

IMO (2022, June 7). Guidelines on Maritime Cyber Risk Management. Retrieved September 1, 2023, from https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/MSC-FAL.1-Circ.3-Rev.2%20-%20Guidelines%20On%20Maritime%20Cyber%20Risk%20Management%20(Secretariat)%20(1).pdf

NIST (2022, September 9). Summary Analysis - Journey to the NIST Cybersecurity Framework (CSF) 2.0 | Workshop #1. Retrieved September 1, 2023, from https://www.nist.gov/system/files/documents/2022/09/08/Journey%20to%202.0%20Workshop%20Summary%20Analysis%20Final%5B47%5D.pdf

NIST (2023, January 18). NIST Cybersecurity Framework 2.0 Concept Paper: Potential Significant Updates to the Cybersecurity Framework. Retrieved September 1, 2023, from https://www.nist.gov/system/files/documents/2023/01/19/CSF_2.0_Concept_Paper_01-18-23.pdf

United Nations (n.d.). REVIEW OF MARITIME TRANSPORT 2022 Navigating stormy waters. United Nations Conference on Trade and Development. Retrieved September 1, 2023, from https://unctad.org/rmt2022