The United States Coast Guard Marine Safety Alert 06-19 (USCG MSA 06-19) outlines a February 2019 incident aboard a deep draft commercial vessel that called on the Port of New York / New Jersey after experiencing a significant cyber incident that impacted their shipboard network.
The Safety Alert stated in part:
“An interagency team of cyber experts, led by the Coast Guard, responded and conducted an analysis of the vessel’s network and essential control systems. The team concluded that although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted. Nevertheless, the interagency response found that the vessel was operating without effective cybersecurity measures in place, exposing critical vessel control systems to significant vulnerabilities.”
This incident provides valuable guidance on how we should evaluate the security readiness of terminals, vessels and associated infrastructure. It also highlights the importance of how security drills and crew training should be developed and conducted. A key take away of the USCG MSA 06-19 is that the Coast Guard strongly encourages all vessel and facility owners and operators to conduct cybersecurity assessments to better understand the extent of their cyber vulnerabilities. This needs to be a vessel and facility specific review as each asset can have unique exposures.
The good news is that there are very good free assets available to help conduct this review. The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) website provides cybersecurity resources and best practices for businesses https://www.us-cert.gov/resources. One resource that should be studied is the Cyber Resilience Review (CRR). The CCR Self-Assessment provides a measure of an organization’s cyber resilience capabilities and provides a helpful User’s Guide that provides information on conducting self-assessments, evaluating cyber resilience capabilities and providing guidance for follow-on activities.
The CRR Self-Assessment also enables an organization to assess its capabilities relative to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), and a crosswalk document that maps the CRR to the NIST CSF is included as a component of the CRR Self-Assessment Kit.
A Cyber Security Self-Assessment is the beginning, but it is critical that training and drills are incorporated to help maintain and improve port and vessel security. Cybersecurity training is available on the U.S. Small Business Administration website (https://www.sba.gov/course/cybersecurity-small-businesses/).
All employees have a role in cybersecurity and cyber is a critical component of overall physical security. ID cards and swipe cards are in regular use for facility access and these are just a few of the many operational systems that can be compromised in a cyber incident. Training needs to start with new hires and include all employees. As with any business plan, it is critical that upper management be invested in the success of operational security. It is also important to solicit and respond to rank and file input. The best procedures are those that are developed with robust involvement and communication, as well as being subject to regular review and evaluation. A procedure should not just look good on paper; it also needs to be functional and address a real need.
It is also important to include business partners in security drills to help develop and strengthen relationships and establish a sound training foundation. Having feedback from outside an organization is vital to developing and maintaining a robust security posture. An adequate response plan in the event of an actual incident is critical, and it is important to conduct training in real world conditions. This means not solely relying on IT-based systems to respond to a security incident, but instead to utilize manual backup systems. It also means that operations need to be evaluated and plans made to reduce operations in the event that automated systems are not available, or cannot be relied on.
As was stated in our Allianz Global Corporate & Specialty 2019 Safety and Shipping Review, technology is now widespread in the maritime industry, and critical to the running of ships, ports and logistics. The growing use of connected technology in the maritime sector is expected to be a positive for both safety and claims. Electronic navigation tools, ship-to-shore communications and the greater use of sensors have the potential to improve navigation and help avoid groundings and collisions.
In 2017, the International Maritime Organization (IMO) adopted its Maritime Cyber Risk Management in Safety Management Systems resolution, which requires ship owners and managers to incorporate cyber risk management into ship safety by 2021. However, this is a current threat that needs to be acted on now, not put off until the regulations go into effect. While new technology and the Internet of Things have introduced many new exposures and threats, in many ways current security training reflects the same goals and objectives we had when steaming in piracy waters in the 1980’s; present a hard target and have a plan that can survive a punch in the mouth.