Maritime Cyber the SMS Way: Embedding ISO 27001 Controls Into TSMS/ISM Audits - QMII


Maritime Cyber Security and the SMS

As of 01 January 2021, IMO asked all flag administrations to verify, during each company’s first DOC audit in 2021, that the company had implemented the maritime cyber security requirements. IMO published the maritime cyber security requirement vide MSC Circular 482. Within the requirements IMO highlights measures that organizations need to implement and recommends ISO 27001 as one of the frameworks that companies can use to implement cyber security controls within their organization.

The MSC circular also lists the NIST controls; however, many of the companies QMII works with have chosen to go the route of ISO 27001. Maritime cyber security ISO 27001 controls are to be implemented within the SMS, although for security reasons some companies may choose to keep the cyber plans restricted, just as they do the ship security plan. With the increase in GPS spoofing attacks, interference with AIS and intrusions into shore-side computer networks, the need for cyber security controls is more important than ever.

Why Cyber Security Can’t Be an IT-Only Issue

When we think of cyber security we often associate it with protecting a device and preventing hackers from gaining access to it. However, cyber security is primarily about the confidentiality, integrity and availability of information and of the devices on which that information is stored. Organizations can think of cyber security controls in four broad categories: organizational controls such as policies and procedures; technical controls such as anti-virus and malware prevention software, firewalls etc.; personnel controls, including background checks and limiting authority where needed; and physical controls to prevent unauthorized access.

However, cyber security controls are not limited to IT devices. They also extend to any operational equipment or operational technology (OT) such as the AIS, GPS, ECDIS, machinery remote control panels etc. With the increase in IoT devices and the use of technology on ships, the maritime industry is more vulnerable to cyber threats now than it has ever been in the past. Maritime cyber security ISO 27001 identifies controls for organizations to consider and then implement both in the office ashore and on board ships.

ISO 27001 Controls in a Maritime Context

ISO 27001 is an internationally recognized standard that provides a structured approach and framework for managing information security risks. The standard is aligned with the harmonized structure used by other ISO management system standards such as ISO 9001 and ISO 14001, which makes it easier to integrate into existing systems.

The ISM Code at its inception was based on ISO 9002, and as such it uses the same Plan-Do-Check-Act (PDCA) cycle. ISO 27001 dovetails perfectly into the ISM Code and the underlying Safety Management System because it is built on the same PDCA cycle. Both the ISM Code and ISO 27001 require, among other things: a policy, defined roles and responsibilities, operational controls based on a risk assessment, emergency preparedness, internal audit and review of the system.

Integrating Cyber Risk into Safety Management

To understand where to start, companies should begin with a vulnerability assessment, preferably performed by an experienced third party. This would primarily address the technical controls. For the personnel and physical controls, the majority of the controls required under maritime cyber security ISO 27001 will already be covered by the Vessel/Company Security Plan required by the ISPS Code.

For identifying the organizational controls, a consultant such as QMII may be used to conduct a gap assessment of the existing management system policies and procedures. Based on the identified gaps, new policies and procedures will need to be drafted for both the office and vessel teams. These may include defined controls such as password policies, access controls and retention policies, to name a few. In addition, companies will need to conduct cyber security awareness training for all their personnel so that they are aware of cyber risks and know what to do in a potential breach of cyber security or a cyber security event.

How to Audit Cyber Preparedness in Maritime Operations

During SMS (DOC and SMC) internal audits, auditors will want to see evidence that controls are in place and that they are effective. Auditors may sample the company’s clear-screen and clear-desk policies, policies for the use of memory sticks on board, the selection of vendors that will work on OT systems, physical security controls, segregation of networks, and testing of user awareness via phishing email tests. These and other measures that auditors may take are covered in QMII’s ISM auditor course and in greater depth in our ISO 27001 lead auditor course.

Common Mistakes Observed by QMII Trainers

Over 40% of cyber breaches are caused by avoidable errors. The most common of these is weak password controls, including cases where the password is written on a sticky note next to the very device it is meant to protect. Additionally, having a single person with admin rights can pose a risk to the organization. When personnel don’t know what to do in a cyber security event they are unable to mitigate the consequences and may, by their actions, make the issue worse.

Maritime cyber security ISO 27001 helps address these common issues through clearly identified controls. Simple actions like not leaving devices open to access by unauthorized personnel, escorting visitors, controlling restricted areas, applying security patches regularly, and creating separate guest access for the vessel/office wireless network can help prevent cyber threats. Companies must use a defense-in-depth approach so that unwanted access is difficult to obtain.

Wrapping up

In conclusion, maritime cyber security threats are an ever-present reality, and action to address them is needed now. Aware personnel help prevent the majority of threats. Leadership must integrate controls within their management system quickly. The first step is a risk assessment, followed by a gap assessment. Learn how to do this yourself in QMII’s maritime cyber security ISO 27001 lead auditor course. Add value to your system through internal audits that provide actionable insights.
