10 Steps to Safeguard Maritime Property from Cybersecurity Threats

IJ Arora, Ph.D

Cybersecurity threats have become a pressing concern in the modern era due to our lives becoming increasingly dependent on computerization. However, with the convenience of technology comes vulnerability to malicious attacks. The maritime industry, with a growing reliance on technology, faces significant cybersecurity threats. Dr. Jekyll and Mr. Hyde (i.e., good and bad) exist and have always existed. Protecting against cyberattacks is crucial to ensuring the industry’s stability and security.

Understanding cybersecurity in the maritime industry

Cybersecurity in the maritime sector involves safeguarding systems, information, and assets from unauthorized access, disruptions, or manipulations. The industry’s growing reliance on technology, including networks controlling essential functions like navigation and communication, makes it an attractive target for cybercriminals. To maintain business continuity, it is crucial that companies assess their current cybersecurity posture and act to proactively improve it. The maritime industry supports trade and the economy at large, so a cyberattack can have broader consequences beyond just affecting a single vessel or company. For this reason, the intent of the attackers might be broader than simply affecting a specific entity for ransom.

Current challenges in maritime cybersecurity

Before delving into the 10 essential steps to fortify against cyberthreats, it’s crucial to acknowledge the prevalent challenges faced by the maritime industry, which include:

  • Business continuity disruption due to breaches
  • Lack of comprehensive response plans
  • Growing reliance on automation
  • Insufficient awareness
  • Vulnerabilities in cloud computing
  • Rise in phishing and social engineering attacks
  • Internal threats and attacks

Controlling both information technology and operational technology systems is critical to fortifying cybersecurity. Various systems within the small passenger-vessel sector are susceptible to cyberthreats, including bridge systems, access control systems, passenger servicing and management systems, and communication systems.

The 10 steps

When addressing cybersecurity, organizations must consider protecting information itself as well as the asset on which that information is stored. Control of both information technology (IT) and operational technology (OT) systems is critical to fortifying cybersecurity. Additionally, management must consider the confidentiality, integrity, and availability of information and how these three aspects may potentially be compromised.

Step 1: Leadership commitment

Leaders must drive the need for cybersecurity and ensure that it is baked in (not buttoned on) to processes. They need to engage the workforce to contribute to the system. To do this, they can:

  • Appoint a cybersecurity manager to ensure accountability and garner buy-in.
  • Make cybersecurity integral to business processes and consider risks vs. rewards.

Step 2: Use a system framework

Employ the plan, do, check, act (PDCA) cycle as the foundation for a robust cybersecurity approach. This is also the approach prescribed by the Passenger Vessel Association (PVA) safety management system (SMS) framework.

  • Develop and regularly update cybersecurity policies aligning with organizational needs and threat landscape changes.
  • Identify clear roles and responsibilities for all concerned with cybersecurity aspects of the SMS.

Step 3: Contextualize risk

  • Consider the broader context of operations, trade patterns, technology, and legislative factors.
  • Identify stakeholders, online networks, assets, critical components, and business-sensitive information.

Step 4: Risk assessment (3D framework)

Leaving hazards in uncertain states is a drawback for proper risk assessment. It is the responsibility of leadership to convert uncertainty into clearly defined risks within the context of the organization and then prioritize those risks.

  • Organizations must assess hazards in terms of probability, severity, and the likelihood of detection.
  • Risks should be prioritized with consideration given toward confidentiality, integrity, and the availability of information.

Step 5: Build controls into processes

Controls can be split into various categories, including administrative, physical, human, and technological. In some cases one control may suffice, but for the most part a combination of controls must be applied. Identified controls should be implemented based on the feasibility rule, meaning that although they may look good in a vacuum, ease of implementation must be considered. Information security should be a part of everything the organization does—not an add-on. This includes:

  • Implementing technical security controls like firewalls and intrusion-detection systems.
  • Adopting a layered security approach (i.e., “defense in depth”) to effectively mitigate against various threats. This entails creating multiple barriers to prevent access to information—physical, passwords, firewalls, VPNs etc.

Step 6: Maintain basic measures

Basic safety measures are easy to implement and, for the most part, they are cost-effective. This can include cybersecurity awareness training for personnel, physical security, and password security. Below are a few more, although this is not an exhaustive list:

  • Keep hardware and software updated.
  • Enable automated antivirus and anti-malware updates.
  • Limit administrator privileges and control removable media.
  • Avoid public network connections without a VPN.
  • Regularly backup and test information-restoration capabilities.

Step 7: Employee awareness

It is important to make employees aware of the need for good cybersecurity protocols. Employees are often the weakest link in the security chain. Statistics show that almost 36 percent of data breaches are caused by employee negligence. Immediate actions organization can take include:

  • Educate employees on cybersecurity best practices to minimize human error.
  • Train personnel to identify phishing attacks and report incidents promptly.

Step 8: Emergency preparedness

No organization is immune to cyberattacks. It is important to have a plan in place for responding to attacks quickly and effectively. The plan should include steps for mitigating the damage, containing the attack, and investigating the incident. You can use ISO 22301: 2019, “Business continuity,” to develop this plan.

  • Your plan should include comprehensive processes for responding to cyberattacks swiftly and efficiently, including reporting mechanisms.
  • Test and improve your business continuity plan regularly.

Step 9: Assess effectiveness

The check stage of the PDCA cycle is vital to instill confidence in the effectiveness of the organization’s cybersecurity measures.

  • Conduct regular cybersecurity assessments, including third-party evaluations for objectivity.
  • Evaluate assets, vulnerabilities, IT/OT risks, physical access, and breach potentials.

Step 10: Continual improvement

  • Embrace continual improvement through the PDCA cycle to maintain vigilance.
  • Invest in training personnel on cybersecurity standards like ISO 27001.


Taking cybersecurity seriously and implementing these 10 steps can significantly mitigate the risk of cyberattacks. Begin the process by conducting a gap assessment using a qualified person to assess where your system currently stands and what actions need to be taken.

Your action plan should identify risks, gaps, and the controls needed. These controls can easily be integrated into the existing safety management system. Investing in cybersecurity today will better prepare your organization to manage future risks. Leadership involvement is crucial, and these steps serve as a solid foundation to effectively fortify cybersecurity measures.

About the author

Inderjit (IJ) Arora, Ph.D., is the President and CEO of QMII. He serves as a team leader for consulting, advising, auditing, and training regarding management systems. He has conducted many courses for the United States Coast Guard and is a popular speaker at several universities and forums on management systems. Arora is a Master Mariner who holds a Ph.D., a master’s degree, an MBA, and has a 33-year record of achievement in the military, mercantile marine, and civilian industry.

Above article is featured in the following:-

Foghorn Magazine

Exemplar Global Publication “The Auditor”

ISO 27001:2022 – what are the changes?

ISO 27001:2022, the international standard for information security management systems (ISMS), was updated in October of 2022 to reflect the latest developments in the field of cybersecurity. These changes are aimed at helping organizations better manage their information security risks and protect their sensitive data.

What are the key changes?

The majority of changes to the standard were in the Annex A controls which went through a re-structuring to include a change to how the controls were organized and the controls in total were reduced from 114 to 93.

Of the old 114 controls, 35 controls remained unchanged, 23 controls were renamed, 57 controls were merged to form 24 controls, and 11 new controls were added. The controls are split into the following domains: Organizational (37 controls), People (8 controls), Physical (14 controls) and Technology (34 controls).

ISO 27001:2022 introduced new requirements for managing the risks associated with emerging technologies such as cloud computing and Internet of Things (IoT). These technologies bring significant benefits to organizations but also introduce new risks that must be managed.

The updated standard also has a new control on threat intelligence that will enable organizations to remain proactive in their approach to information security as also controls to address data masking and web filtering.

The order of the main mandatory clauses remains the same with clauses from 4 through 10 and the structure aligning with the harmonized structure of other ISO management system standards. The clauses with significant changes include those to:

  • Clause 4.2 requires the ISMS to conduct an analysis of which of the interested party requirements are relevant to the system and will be addressed by it.
  • Clause 4.4 aligns with that of ISO 9001 to require the organization to identify necessary processes and their interactions within the ISMS. As such, those essential for the organization to achieve ISMS objectives.
  • Clause 6.2 provides further clarity about planning to achieve objectives and documenting them.
  • Clause 6.3 was added to reflect the need to systematically plan for system changes.
  • Clause 8.1 now requires the ISMS to establish criteria for mitigating action for risk identified in Clause 6 and to implement control in accordance with the criteria set.

There are a few more minor changes to the wording of some of the mandatory clauses

How can you upgrade your system to conform?

The first step would be to gain an understanding of the changes and the new requirements. Consider taking an updated Lead Auditor training or transition course that has been recognized by a personnel certification body. In choosing your training provider consider their reputation, the experience of the instructor, as also virtual course options.

With the new knowledge conduct a gap analysis of your existing system against the requirements of ISO 27001:2022 and draw up a list of priorities and owners for each. Assign deadlines for the items to be completed and conduct at least one internal audit and management review before approaching a certification body.

Update your existing SoA, should one exist, to reflect the new/updated controls. Train all system personnel in the changes to the system and drive awareness of information security among all personnel.

In conclusion, the changes to ISO 27001:2022 reflect the changing context in the field of information security. The QMII team would like to understand your system needs and support your goals of attaining conformity to ISO 27001 and a competent workforce trained in the requirements.

How Did September 11th Affect Security?

Two decades ago, the United States was involved in a horrendous tragedy on September 11th, 2001. On September 11th (9/11) four planes flying over the eastern US were seized simultaneously by small teams of hijackers. They were used as giant missiles to crash into well-known landmark buildings in New York and Washington, DC. This attack changed America forever.

The next terror attack will not be perhaps via airplanes, but cyber-attacks. The Department of Homeland Security has geared its focus towards cyber threats and domestic terrorism. A recent Presidential Executive Order has asked all agencies to focus on securing the cyber networks of our nation. Although the United States is more secure than twenty years ago, it is important that we keep track of our cybersecurity. The majority of security risks today are viewed as targeting the networks and hardware that planes and airlines rely on.

The most common cyber threats that we have encountered are phishing, ransomware, and supply chain attacks. It is important to make sure that your organization has a strong cyber security system. Taking an ISO 27001 lead auditor training will provide many benefits to an individual that is seeking to keep information assets secure. This standard is the only auditable international standard that defines the requirements of an information security management system. ISO 27001 contains a set of policies, procedures, and systems that manage information risks such as cyber-attacks, hacks, data leaks, or theft. This specific lead auditor training can help improve your organization’s cybersecurity strategy. Big companies, as well as small and medium firms, should be interested in the ISO 27001 standard.

At QMII, we offer an ISO 27001 (information security) lead auditor training course. Information Security is important to any business. It helps protect companies’ data which is secured in the system from malicious purposes. The goal of information security management is to ensure businesses have balanced protection of confidentiality, integrity, and availability of data. It is important to identify all potential risks to information security in your ISO 27001 risk assessment. Terrorist attacks are one of these threats. By enrolling in an information security course with QMII, students will be given an understanding of the requirements on ISO 27001 as well as how to relate those requirements to an Information Security system. Lead Auditor training gives students an understanding of the requirements of this standard and how to relate it to an Information security management system. Organizations need an effective information security management system in order to effectively manage challenges. To learn more information about ISO 27001 lead auditor training, visit our website and join us in our next course.


As technology advances, there are a growing number of providers that are developing products and services based on the IoT (Internet of Things) framework. In the maritime industry, it is increasingly common for vessel containers to be tracked from ashore and even machinery performance metrics, providing remotely automated readouts, to those ashore. With the increased use of technology, the risk of these networks being compromised also increases. There are a growing number of incidents in the maritime industry where systems were compromised leading to losses in millions of dollars.

On an average when these breaches occur it may take over 100 days before they are even detected! Various maritime organizations and associations have published guidelines on measures to be taken to prevent/deter such a compromise, but history has shown that the maritime industry tends to be more reactive than proactive. Even the ISM code now includes as an appendix a circular on guidelines for maritime security. As part of the implementation of the ISM Code measures for cybersecurity should be included in the system. From the security of networks to machinery to contingency plans in case of breaches occur.

The implementation of cyber-security measures includes the need for protection of three aspects of the system; the IT aspect, the human aspect, and the physical aspect. Organizations need to consider the cyber-security risks at the planning stage of the system and determine where vulnerabilities lie and how to address them. Instead of reinventing the wheel organizations may consider the implementation of an information security management system based on ISO 27001. ISO 27001 lays the framework for the IT security of the system. Once implemented and used, based on industry feedback the standard includes an annex of controls for implementation to secure the system. ISO 27001 has a total of 114 controls split across 35 control categories.

If an organization already has an ISO management system framework in place, for example, an ISO 9001 based system, integration of ISO 27001 into the existing management system would be a simple exercise. This integration has been made easier by ISO through the use of the High-Level Structure across standards. QMII has over 30 plus years encouraged its clients to “appreciate your management system”. As such we build upon your existing measures and documentation to fill the gaps for requirements set by the standard. This ensures continuity in system acceptance by the users, the changes to the system are minimal and easier to implement. For successful implementation of your system beware of templates that promise conformance to the requirements. They may enable you to gain certification but will not ensure any long-term success least of all cybersecurity.

Learn more about how you can improve your management system and integrate the requirements of ISO 27001 into your existing management system.