Time to Take a New Approach to Maritime Cybersecurity
Cyber security within the maritime space offers both challenges and opportunities. Both are reasonably apparent to anyone operating in the maritime sector, but some are more serious than others – for example, high costs, a lack of available resources, inconsistent guidance, and an unclear way ahead. However, this opinion piece is more about the opportunities presented and the first step along that journey.
The first step begins in the supply chain and its gradual digitalization. Traditionally, the transportation sector has been divided according to its infrastructure. Trucking, rail, and maritime sectors have been treated within their own regulatory domains. The result has been a patchwork of imperfectly connected subsystems.
The opportunity becomes clear when we consider the transportation network to which each of these modes belongs. The transportation network and the supply chain are nearly synonymous. The supply chain converts raw products into a final product through a journey that ultimately ends with the customer. This involves activities such as collection, processing, manufacturing, or assembly at specific nodes and then movement to the next phase until the consumer or client ultimately receives the product.
The transportation network’s mission is the movement of persons or goods to arrive at their intended destination on time, in acceptable condition, and at a reasonable cost. By considering the whole transportation network at the beginning of this process (as opposed to an entity within a sector like a ship), we can align what the transportation network is intended to accomplish with its primary purpose. This also reveals the threads that must connect the different modes of transportation.
The current acceptance of relatively broad frameworks like the NIST Cyber Security Framework (soon to be version 2) expands on this opportunity by presenting a framework that operates across modes of transportation. This simplifies the challenge as compared to those that arise when each mode’s regulations are treated individually.
But this is where the wrinkle occurs. Do we have people who can adequately speak to the current requirements and operational challenges of multiple modes of transportation? The simple answer is that they are in short supply. Within security subdomains such as cyber security, we have a shortage of people who have experience in both the cyber security domain and maritime operations.
Why is this? Firstly, there is the need to find a quick fix, which manifests itself in the blind or arbitrary application of checklists and so-called “best practices.” This is not to say that a “best practice” is wrong. However, these practices have become a sort of crutch, in that adherence to them is (erroneously) assumed to be sufficient to indicate that risks were adequately identified and appropriately mitigated.
Secondly, the frameworks have often been put ahead of individual sectors' operations and other requirements. The challenge in this case is that those applying the frameworks often need to understand the various requirements (including legal, regulatory, operational, and technical) that permeate the sector. This may or may not be true. They may have become adept at applying the framework but not necessarily at the analysis that underpins its appropriate application.
The journey to cyber security within the maritime space (if not the broader transportation network space) has to be examined in two parts. The first part (currently underway) is an interim approach that buys the industry time to conceptualize, design, and implement a longer-term solution.
Building a long-term solution requires a combination of several factors. First, an understanding of the maritime sector and its operations is needed. Then, how the effects of events and conditions manifest themselves in both operations and infrastructure must be understood. Finally, knowledge of how to influence those impacts by appropriately applying sound practices and approaches is needed.
Conceptual knowledge and understanding offer only a starting point; more is needed for the task at hand. The industry requires practical solutions that can be brought into operations, which involves two steps. The first step is understanding what needs to be done in the immediate sense. The second step involves understanding what needs to be done to fix some of our systemic challenges.
This leads to a third major shift. There has been a temptation for participants to push their approach to maritime cyber security, or a product, to market quickly and solidify it such that it becomes unassailable or at least challenging to disengage from. This attitude needs to change as well. Solving the more complex challenges in maritime security (including cyber security) will take a coordinated community effort by industry, government, and academia.
To help meet this challenge, after several years of development, the International Association of Maritime Security Professionals (IAMSP) and Acadia University in Nova Scotia, Canada, with the financial support of Irving Shipbuilding, have developed the Professional Certificate in Maritime Security Program. While the certificate courses are currently available, there is always room for improvement, and diverse viewpoints will only improve the industry. It is time to expand the partnership concept outwards more broadly into the industry and build a wider base of understanding that will move the entire maritime industry past “security by rote” and prepare us for the challenges ahead.
Allan McDougall is a Senior Security Analyst and Chief Technical Officer for Mariner Innovations' Maritime Security efforts. In addition to having co-authored four books on Critical Infrastructure, he holds a Master’s Degree from the American Military University and Bachelor’s Degrees from the University of Western Ontario and the Royal Military College of Canada. He has over 30 years’ experience including a blend of policy and operational roles focusing on maritime security across Canada’s Department of Fisheries and Oceans, Canadian Coast Guard, Transport Canada, and Canada Border Services Agency within the public sector, Information Technology and Network Security within the private sector, and security project management. He holds numerous certifications across security management (CPP), physical security (PSP), Critical Infrastructure Protection (PCIP), anti-terrorism (CMAS), and Information Systems (CISSP). He is currently one of the lead instructors in the IAMSP / Acadia University Professional Certificate in Maritime Security.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.