10 Steps to Safeguard Maritime Property from Cybersecurity Threats

IJ Arora, Ph.D

Cybersecurity threats have become a pressing concern in the modern era due to our lives becoming increasingly dependent on computerization. However, with the convenience of technology comes vulnerability to malicious attacks. The maritime industry, with a growing reliance on technology, faces significant cybersecurity threats. Dr. Jekyll and Mr. Hyde (i.e., good and bad) exist and have always existed. Protecting against cyberattacks is crucial to ensuring the industry’s stability and security.

Understanding cybersecurity in the maritime industry

Cybersecurity in the maritime sector involves safeguarding systems, information, and assets from unauthorized access, disruptions, or manipulations. The industry’s growing reliance on technology, including networks controlling essential functions like navigation and communication, makes it an attractive target for cybercriminals. To maintain business continuity, it is crucial that companies assess their current cybersecurity posture and act to proactively improve it. The maritime industry supports trade and the economy at large, so a cyberattack can have broader consequences beyond just affecting a single vessel or company. For this reason, the intent of the attackers might be broader than simply affecting a specific entity for ransom.

Current challenges in maritime cybersecurity

Before delving into the 10 essential steps to fortify against cyberthreats, it’s crucial to acknowledge the prevalent challenges faced by the maritime industry, which include:

  • Business continuity disruption due to breaches
  • Lack of comprehensive response plans
  • Growing reliance on automation
  • Insufficient awareness
  • Vulnerabilities in cloud computing
  • Rise in phishing and social engineering attacks
  • Internal threats and attacks

Controlling both information technology and operational technology systems is critical to fortifying cybersecurity. Various systems within the small passenger-vessel sector are susceptible to cyberthreats, including bridge systems, access control systems, passenger servicing and management systems, and communication systems.

The 10 steps

When addressing cybersecurity, organizations must consider protecting information itself as well as the asset on which that information is stored. Control of both information technology (IT) and operational technology (OT) systems is critical to fortifying cybersecurity. Additionally, management must consider the confidentiality, integrity, and availability of information and how these three aspects may potentially be compromised.

Step 1: Leadership commitment

Leaders must drive the need for cybersecurity and ensure that it is baked in (not buttoned on) to processes. They need to engage the workforce to contribute to the system. To do this, they can:

  • Appoint a cybersecurity manager to ensure accountability and garner buy-in.
  • Make cybersecurity integral to business processes and consider risks vs. rewards.

Step 2: Use a system framework

Employ the plan, do, check, act (PDCA) cycle as the foundation for a robust cybersecurity approach. This is also the approach prescribed by the Passenger Vessel Association (PVA) safety management system (SMS) framework.

  • Develop and regularly update cybersecurity policies aligning with organizational needs and threat landscape changes.
  • Identify clear roles and responsibilities for all concerned with cybersecurity aspects of the SMS.

Step 3: Contextualize risk

  • Consider the broader context of operations, trade patterns, technology, and legislative factors.
  • Identify stakeholders, online networks, assets, critical components, and business-sensitive information.

Step 4: Risk assessment (3D framework)

Leaving hazards in uncertain states is a drawback for proper risk assessment. It is the responsibility of leadership to convert uncertainty into clearly defined risks within the context of the organization and then prioritize those risks.

  • Organizations must assess hazards in terms of probability, severity, and the likelihood of detection.
  • Risks should be prioritized with consideration given toward confidentiality, integrity, and the availability of information.

Step 5: Build controls into processes

Controls can be split into various categories, including administrative, physical, human, and technological. In some cases one control may suffice, but for the most part a combination of controls must be applied. Identified controls should be implemented based on the feasibility rule, meaning that although they may look good in a vacuum, ease of implementation must be considered. Information security should be a part of everything the organization does—not an add-on. This includes:

  • Implementing technical security controls like firewalls and intrusion-detection systems.
  • Adopting a layered security approach (i.e., “defense in depth”) to effectively mitigate against various threats. This entails creating multiple barriers to prevent access to information—physical, passwords, firewalls, VPNs etc.

Step 6: Maintain basic measures

Basic safety measures are easy to implement and, for the most part, they are cost-effective. This can include cybersecurity awareness training for personnel, physical security, and password security. Below are a few more, although this is not an exhaustive list:

  • Keep hardware and software updated.
  • Enable automated antivirus and anti-malware updates.
  • Limit administrator privileges and control removable media.
  • Avoid public network connections without a VPN.
  • Regularly backup and test information-restoration capabilities.

Step 7: Employee awareness

It is important to make employees aware of the need for good cybersecurity protocols. Employees are often the weakest link in the security chain. Statistics show that almost 36 percent of data breaches are caused by employee negligence. Immediate actions organization can take include:

  • Educate employees on cybersecurity best practices to minimize human error.
  • Train personnel to identify phishing attacks and report incidents promptly.

Step 8: Emergency preparedness

No organization is immune to cyberattacks. It is important to have a plan in place for responding to attacks quickly and effectively. The plan should include steps for mitigating the damage, containing the attack, and investigating the incident. You can use ISO 22301: 2019, “Business continuity,” to develop this plan.

  • Your plan should include comprehensive processes for responding to cyberattacks swiftly and efficiently, including reporting mechanisms.
  • Test and improve your business continuity plan regularly.

Step 9: Assess effectiveness

The check stage of the PDCA cycle is vital to instill confidence in the effectiveness of the organization’s cybersecurity measures.

  • Conduct regular cybersecurity assessments, including third-party evaluations for objectivity.
  • Evaluate assets, vulnerabilities, IT/OT risks, physical access, and breach potentials.

Step 10: Continual improvement

  • Embrace continual improvement through the PDCA cycle to maintain vigilance.
  • Invest in training personnel on cybersecurity standards like ISO 27001.

Conclusion

Taking cybersecurity seriously and implementing these 10 steps can significantly mitigate the risk of cyberattacks. Begin the process by conducting a gap assessment using a qualified person to assess where your system currently stands and what actions need to be taken.

Your action plan should identify risks, gaps, and the controls needed. These controls can easily be integrated into the existing safety management system. Investing in cybersecurity today will better prepare your organization to manage future risks. Leadership involvement is crucial, and these steps serve as a solid foundation to effectively fortify cybersecurity measures.

About the author

Inderjit (IJ) Arora, Ph.D., is the President and CEO of QMII. He serves as a team leader for consulting, advising, auditing, and training regarding management systems. He has conducted many courses for the United States Coast Guard and is a popular speaker at several universities and forums on management systems. Arora is a Master Mariner who holds a Ph.D., a master’s degree, an MBA, and has a 33-year record of achievement in the military, mercantile marine, and civilian industry.

Above article is featured in the following:-

Foghorn Magazine

Exemplar Global Publication “The Auditor”

ISO 27001:2022 – what are the changes?

ISO 27001:2022, the international standard for information security management systems (ISMS), was updated in October of 2022 to reflect the latest developments in the field of cybersecurity. These changes are aimed at helping organizations better manage their information security risks and protect their sensitive data.

What are the key changes?

The majority of changes to the standard were in the Annex A controls which went through a re-structuring to include a change to how the controls were organized and the controls in total were reduced from 114 to 93.

Of the old 114 controls, 35 controls remained unchanged, 23 controls were renamed, 57 controls were merged to form 24 controls, and 11 new controls were added. The controls are split into the following domains: Organizational (37 controls), People (8 controls), Physical (14 controls) and Technology (34 controls).

ISO 27001:2022 introduced new requirements for managing the risks associated with emerging technologies such as cloud computing and Internet of Things (IoT). These technologies bring significant benefits to organizations but also introduce new risks that must be managed.

The updated standard also has a new control on threat intelligence that will enable organizations to remain proactive in their approach to information security as also controls to address data masking and web filtering.

The order of the main mandatory clauses remains the same with clauses from 4 through 10 and the structure aligning with the harmonized structure of other ISO management system standards. The clauses with significant changes include those to:

  • Clause 4.2 requires the ISMS to conduct an analysis of which of the interested party requirements are relevant to the system and will be addressed by it.
  • Clause 4.4 aligns with that of ISO 9001 to require the organization to identify necessary processes and their interactions within the ISMS. As such, those essential for the organization to achieve ISMS objectives.
  • Clause 6.2 provides further clarity about planning to achieve objectives and documenting them.
  • Clause 6.3 was added to reflect the need to systematically plan for system changes.
  • Clause 8.1 now requires the ISMS to establish criteria for mitigating action for risk identified in Clause 6 and to implement control in accordance with the criteria set.

There are a few more minor changes to the wording of some of the mandatory clauses

How can you upgrade your system to conform?

The first step would be to gain an understanding of the changes and the new requirements. Consider taking an updated Lead Auditor training or transition course that has been recognized by a personnel certification body. In choosing your training provider consider their reputation, the experience of the instructor, as also virtual course options.

With the new knowledge conduct a gap analysis of your existing system against the requirements of ISO 27001:2022 and draw up a list of priorities and owners for each. Assign deadlines for the items to be completed and conduct at least one internal audit and management review before approaching a certification body.

Update your existing SoA, should one exist, to reflect the new/updated controls. Train all system personnel in the changes to the system and drive awareness of information security among all personnel.

In conclusion, the changes to ISO 27001:2022 reflect the changing context in the field of information security. The QMII team would like to understand your system needs and support your goals of attaining conformity to ISO 27001 and a competent workforce trained in the requirements.