10 Steps to Safeguard Maritime Property from Cybersecurity Threats

IJ Arora, Ph.D

Cybersecurity threats have become a pressing concern in the modern era due to our lives becoming increasingly dependent on computerization. However, with the convenience of technology comes vulnerability to malicious attacks. The maritime industry, with a growing reliance on technology, faces significant cybersecurity threats. Dr. Jekyll and Mr. Hyde (i.e., good and bad) exist and have always existed. Protecting against cyberattacks is crucial to ensuring the industry’s stability and security.

Understanding cybersecurity in the maritime industry

Cybersecurity in the maritime sector involves safeguarding systems, information, and assets from unauthorized access, disruptions, or manipulations. The industry’s growing reliance on technology, including networks controlling essential functions like navigation and communication, makes it an attractive target for cybercriminals. To maintain business continuity, it is crucial that companies assess their current cybersecurity posture and act to proactively improve it. The maritime industry supports trade and the economy at large, so a cyberattack can have broader consequences beyond just affecting a single vessel or company. For this reason, the intent of the attackers might be broader than simply affecting a specific entity for ransom.

Current challenges in maritime cybersecurity

Before delving into the 10 essential steps to fortify against cyberthreats, it’s crucial to acknowledge the prevalent challenges faced by the maritime industry, which include:

  • Business continuity disruption due to breaches
  • Lack of comprehensive response plans
  • Growing reliance on automation
  • Insufficient awareness
  • Vulnerabilities in cloud computing
  • Rise in phishing and social engineering attacks
  • Internal threats and attacks

Controlling both information technology and operational technology systems is critical to fortifying cybersecurity. Various systems within the small passenger-vessel sector are susceptible to cyberthreats, including bridge systems, access control systems, passenger servicing and management systems, and communication systems.

The 10 steps

When addressing cybersecurity, organizations must consider protecting information itself as well as the asset on which that information is stored. Control of both information technology (IT) and operational technology (OT) systems is critical to fortifying cybersecurity. Additionally, management must consider the confidentiality, integrity, and availability of information and how these three aspects may potentially be compromised.

Step 1: Leadership commitment

Leaders must drive the need for cybersecurity and ensure that it is baked in (not buttoned on) to processes. They need to engage the workforce to contribute to the system. To do this, they can:

  • Appoint a cybersecurity manager to ensure accountability and garner buy-in.
  • Make cybersecurity integral to business processes and consider risks vs. rewards.

Step 2: Use a system framework

Employ the plan, do, check, act (PDCA) cycle as the foundation for a robust cybersecurity approach. This is also the approach prescribed by the Passenger Vessel Association (PVA) safety management system (SMS) framework.

  • Develop and regularly update cybersecurity policies aligning with organizational needs and threat landscape changes.
  • Identify clear roles and responsibilities for all concerned with cybersecurity aspects of the SMS.

Step 3: Contextualize risk

  • Consider the broader context of operations, trade patterns, technology, and legislative factors.
  • Identify stakeholders, online networks, assets, critical components, and business-sensitive information.

Step 4: Risk assessment (3D framework)

Leaving hazards in uncertain states is a drawback for proper risk assessment. It is the responsibility of leadership to convert uncertainty into clearly defined risks within the context of the organization and then prioritize those risks.

  • Organizations must assess hazards in terms of probability, severity, and the likelihood of detection.
  • Risks should be prioritized with consideration given toward confidentiality, integrity, and the availability of information.

Step 5: Build controls into processes

Controls can be split into various categories, including administrative, physical, human, and technological. In some cases one control may suffice, but for the most part a combination of controls must be applied. Identified controls should be implemented based on the feasibility rule, meaning that although they may look good in a vacuum, ease of implementation must be considered. Information security should be a part of everything the organization does—not an add-on. This includes:

  • Implementing technical security controls like firewalls and intrusion-detection systems.
  • Adopting a layered security approach (i.e., “defense in depth”) to effectively mitigate against various threats. This entails creating multiple barriers to prevent access to information—physical, passwords, firewalls, VPNs etc.

Step 6: Maintain basic measures

Basic safety measures are easy to implement and, for the most part, they are cost-effective. This can include cybersecurity awareness training for personnel, physical security, and password security. Below are a few more, although this is not an exhaustive list:

  • Keep hardware and software updated.
  • Enable automated antivirus and anti-malware updates.
  • Limit administrator privileges and control removable media.
  • Avoid public network connections without a VPN.
  • Regularly backup and test information-restoration capabilities.

Step 7: Employee awareness

It is important to make employees aware of the need for good cybersecurity protocols. Employees are often the weakest link in the security chain. Statistics show that almost 36 percent of data breaches are caused by employee negligence. Immediate actions organization can take include:

  • Educate employees on cybersecurity best practices to minimize human error.
  • Train personnel to identify phishing attacks and report incidents promptly.

Step 8: Emergency preparedness

No organization is immune to cyberattacks. It is important to have a plan in place for responding to attacks quickly and effectively. The plan should include steps for mitigating the damage, containing the attack, and investigating the incident. You can use ISO 22301: 2019, “Business continuity,” to develop this plan.

  • Your plan should include comprehensive processes for responding to cyberattacks swiftly and efficiently, including reporting mechanisms.
  • Test and improve your business continuity plan regularly.

Step 9: Assess effectiveness

The check stage of the PDCA cycle is vital to instill confidence in the effectiveness of the organization’s cybersecurity measures.

  • Conduct regular cybersecurity assessments, including third-party evaluations for objectivity.
  • Evaluate assets, vulnerabilities, IT/OT risks, physical access, and breach potentials.

Step 10: Continual improvement

  • Embrace continual improvement through the PDCA cycle to maintain vigilance.
  • Invest in training personnel on cybersecurity standards like ISO 27001.

Conclusion

Taking cybersecurity seriously and implementing these 10 steps can significantly mitigate the risk of cyberattacks. Begin the process by conducting a gap assessment using a qualified person to assess where your system currently stands and what actions need to be taken.

Your action plan should identify risks, gaps, and the controls needed. These controls can easily be integrated into the existing safety management system. Investing in cybersecurity today will better prepare your organization to manage future risks. Leadership involvement is crucial, and these steps serve as a solid foundation to effectively fortify cybersecurity measures.

About the author

Inderjit (IJ) Arora, Ph.D., is the President and CEO of QMII. He serves as a team leader for consulting, advising, auditing, and training regarding management systems. He has conducted many courses for the United States Coast Guard and is a popular speaker at several universities and forums on management systems. Arora is a Master Mariner who holds a Ph.D., a master’s degree, an MBA, and has a 33-year record of achievement in the military, mercantile marine, and civilian industry.

Above article is featured in the following:-

Foghorn Magazine

Exemplar Global Publication “The Auditor”

Controlling Sub-Sea Infrastructure


The recent implosion of the 
Titan, a sub-sea submersible used for taking elite, high-paying tourists to see the wreck of the Titanic, brought the safety protocols of both vessels into focus. There were no statutory requirements for regulating the Titan and neither were there any when the Titanic sank in 1912! As a reactive measure, the maritime community came up with the Safety of Life at Sea (SOLAS) Convention soon after the sinking of the Titanic. Ironically, after the Titan submersible imploded, we have come to realize there are no requirements covering this vessel. Perhaps with time, the involved counties will react.

The question is, why was nothing done proactively? Tourists go up in hot air balloons all the time. Is there any statutory requirement that these tourist companies must meet? Is there even a requirement to have a management system in place so that these companies work systematically, appreciate the risks in the context of the organization, and plan their operations keeping risks in mind? It is true that entrepreneurs do not like regulations and consider requirements a hindrance in a free business environment. And yet the Titanic, which was declared to be “unsinkable,” did, in fact, sink! In the United States, the domestic towing vessel industry functioned without statutory requirements until recently. The industry avoided regulation, but tragedies occurred, and now the industry is regulated under the U.S. regulatory framework. A process-based management system is the best systematic structure to produce conforming products and services, ensure continual improvement, and implement the statutory requirements if available.

The intent of this article is to proactively start a discussion on the need for regulating sub-sea infrastructure to reduce its affect on the marine transportation system. The phrase “sub-sea infrastructure” refers to equipment and technology placed on or anchored to the ocean floor. This infrastructure may include, but is not limited to, cables for telecommunication, cables for power transmission, pipelines for transmission of fluids, and other stationary equipment for scientific research.

The growth of sub-sea infrastructure is a global phenomenon. As an example, is in the interest of all nations, and particularly here in United States, to promote wind farms, which are a source of renewable energy. When these wind farms are placed in selected geographical locations along the continental shelf, they need sub-sea cables. But are there any laws controlling the systematic development of the industry to enable an effective marine transportation system and its protection of maritime community interests and environmental interests? Is there a central agency responsible for this coordination to allow for a balanced approach to risks? The amount of cabling piling up needs management and oversight.

Sub-sea infrastructure, the definition of the problem

Numerous industries have a stake in sub-sea infrastructure. Examples include oil and gas, telecommunications, fishing, scientific research, and perhaps military/defense applications such as sonar and other arrays and obstacles. This infrastructure is a requirement, but it also faces various challenges including those that can lead to accidents, environmental damage, and possible breaches in national security. All these bring out very significant concerns related to sub-sea infrastructure and the lack of comprehensive and globally accepted standards, requirements, obligations, and assurance mechanisms. It is not that organizations such as the United States Coast Guard, the National Oceanic and Atmospheric Administration, the Bureau of Safety and Environmental Enforcement, the U.S. Army Corps of Engineers, the Environmental Protection Agency, and other federal and state agencies do not look at these issues.

Nevertheless, it remains a concern that there is no single agency or overarching requirement to provide a framework to the industry on harmonized implementation of requirements. This lack of harmonization can mean inconsistencies in design, installation, and maintenance practices which may not address risks uniformly. This can generate consequential risks, leading to increased accidents, mechanical failures, and costs to the industry and the nation.

Recent tragedies and accidents

Recent tragedies and accidents involving sub-sea infrastructure have been limited, and yet must not lead to complacency by the agencies involved. The few that have occurred indicate the challenges and trends pointing to the need for proactive requirements. The recent tragedies include:

  • Deepwater Horizon. The potential consequences and challenges inherent in deep-water oil drilling were brought out by the Deepwater Horizon tragedy in 2010. The oil rig explosion in the Gulf of Mexico caused a massive oil spill and resulted in the loss of 11 lives. Although not technically a sub-sea incident, it highlighted a series of failures in design, maintenance, and company oversight—all factors pointing to the importance of robust safety standards and requirements, and the implementation thereof. The Deepwater Horizon incident was not directly related to sub-sea infrastructure; however, it heightened the risks associated with offshore oil and gas production and the potential for catastrophic environmental damage.
  • Nord Stream 1 and Nord Stream 2. Occurring in September 2022, the damage to these gas pipelines in the Baltic Sea highlighted concerns around sub-sea infrastructure. These pipelines transport natural gas from Russia to Europe; in this incident, they sustained multiple leaks. The exact cause of the damage is unclear, though deliberate sabotage was suspected and is still under investigation. Regardless of the ultimate findings, this incident exposed the vulnerabilities of sub-sea infrastructure to sabotage, and the potential for significant environmental and economic consequences are real. Intentional attacks to the sub-sea infrastructure have the potential for widespread disruption of energy supplies. Apart from the Nord Stream, there have been other sub-sea incidents affecting the gas and oil industry. In 2021 a fire broke out on a sub-sea production control umbilical off the coast of Brazil, causing significant damage to the underwater equipment and resulting in a major oil spill.
  • English Channel Internet Disruption. In 2021, a ship dragging its anchor on the seabed in the English Channel cut the three main internet cables to the Channel Islands. Although this only resulted in slower broadband speeds in this instance, there remains the possibility that it could have resulted in a complete outage.

Looking ahead

These incidents represent leading indicators of a tragedy in the making should proactive action not be taken. The critical importance of safety for sub-sea infrastructure underscores the need for a more comprehensive and rigorous approach to standards and assurance. Industry stakeholders together with regulatory bodies within the United States and global organizations such as the International Maritime Organization must work together to establish a harmonized set of safety standards, implement robust assurance mechanisms, and foster a culture of safety throughout the sub-sea industry.

The increasing reliance on sub-sea infrastructure for various industries (including wind farms) necessitates a proactive approach to safety and risk management. There is definitely a need to invest in research and development to enhance the resilience and monitoring capability of sub-sea infrastructure. The various companies in the sub-sea industry are holding their proprietary information close to the vest. This is understandable. However, these organizations are in competition with totalitarian governments, in which control of business practices is the exclusive dominion of the state. It is necessary to enhance transparency and information-sharing among industry stakeholders to facilitate better risk assessment and incident prevention.

Conclusion

Promoting a culture of safety that prioritizes risk identification, risk mitigation, and continual improvement is essential. There is no common ISO standard for sub-sea management systems. Of course, ISO 9001 is interpretable and can be used as the basis for now. Environmental protection is a challenge for a developing industry, and as such, even greater urgency is needed for statutory requirements encompassing all aspects of stakeholder interests, the marine industry in general, and the protection of the environment for generations to come.

Marine transportation remains the most important way for goods to be shipped across the world, as approximately 80 percent of the world’s goods are transported by ships. Vessels need a place to anchor in normal operating conditions as also in emergencies. A crowded seabed in harbors makes this a challenge for the entire maritime industry.

Without adequate and effective regulatory oversight, it may be too late to take action once cables and other sub-sea equipment have already been laid. Further, multiple agencies regulating the same aspects of the industry can potentially lead to bureaucratic delays.  There is therefore an urgent need to create a single statutory body to regulate the sub-sea infrastructure industry, which will greatly benefit all parties invested in the maritime transportation system.

Exemplar Global Publication “The Auditor”

Why we need ISO 9001

Quality! Who does not want it. We read through hundreds and thousands of reviews each day just so we can buy a quality product or service. Even those searching for an ISO 9001 training are looking to identify a training provider that will provide a quality training. ISO 9001 is an international standard set by the International Organization for Standardization (ISO) that defines the framework for a quality management system. Organizations looking to deliver a quality product or service can use the framework to build a management system that helps them attain this goal.

So why do we need ISO 9001? Why not rely on this framework of reviews. After all many people have not even heard of ISO let alone ISO 9001. However, those who relied on reviews will find that they are not a sure-shot formula to guarantee success in decision making. ISO 9001 also need not necessarily guarantee this. However, ISO 9001 is not meant for the customer but for the organization implementing it. While it is centered around the customer requirements, with a focus on the customer, the benefit is to the organization implementing it. ISO 9001 training provides an in-depth overview of the standard and how it is to be implemented.

ISO 9001 has come to signify a global base minimum for a quality management system. Inherent in the certification that customers see is a commitment from the organization to continually improve, to identify and segregate non-conforming outputs and to design controls to ensure the process can deliver per requirements. An organization purchasing from another half way around the world has some level of confidence now. ISO 9001 training will demonstrate that ISO themselves say don’t just rely on certification. Determine the type and extent of control on the outsourced provider based on their impact to your processes.

ISO 9001 training can be tailored for all levels of the organization. For management who want to understand their role in the system as also why they should spend the money and invest in it. The workforce wants to understand how it benefits them and why they should adapt to the changes as they take place. Auditors need to understand the interpretation so they can assess if the system is being well run. So while an organization may not need ISO 9001 certification they can surely benefit from ISO 9001 and ISO 9001 training.

QMII provides ISO 9001 lead auditor training in a unique format that allows all levels of the organization to sit in on the same class and to leave as and when their relevant section is complete. Join us in a class and learn more about what ISO 9001 can do for you.

How is ISO 13485 different from ISO 9001

ISO 13485 released an updated version of the standard in 2016 but it broke ranks with ISO 9001. In the past the two standards were aligned with the ISO 13485 capturing the additional requirements for the medical device industry. An ISO 13485 overview would reveal that it has retained a lot of the documentation requirements and not left the standard as subjective as the revised ISO 9001:2015.
ISO 13485 provides the requirements for quality management systems for use by the medical device industry. While it still remains broadly based on the framework set by ISO 9001 compliance with the standard will not inherently mean compliance with ISO 9001. The standard is published by ISO, an international organization. It is assessed by certification bodies across the globe accredited by IAF.
ISO 13485 overview of the standard will show much more in-depth requirements for rick management. This essentially aligns with the US CGMP regulations as also regulations by international bodies. The standard for further assessing risk is ISO 14971 which specifically deals with risk within the medical device industry. In dues course the US CFRs will get aligned with ISO 13485 and plans are underway for the update.
As a part of risk management of the systems companies will now have to assess add address the risks from outsourced processes, Lack of competent personnel, lack of adequate number of personnel, loss of traceability, failure in testing of the products at relevant stages, Failure to timely address non-conformities, and the documentation of risk itself. Management need to keep an ISO 13485 overview of their system through the planned management reviews and periodic internal audits. To ensure audits add value these must be conducted by trained and competent personnel.
QMII’s ISO 13485 lead auditor training prepares your personnel to not only effectively audit the system but also implement it as needed. An ISO 13485 overview version of the course is also available for senior management, so they understand their roles and responsibilities with respect to the standard. Having discussed this the question often arises if ISO 13485 is mandatory. As with all other ISO standards it is not mandatory to implement ISO 13485 though it is mandatory to meet regulatory requirement such as CFRs and EU MDR. However, implement ISO 13485 provides confidence to customers that the organizations uses a process based approach to continual improvement.
ISO 13485 overview of the standard demonstrates that product quality cannot be guaranteed just from implementing the standard but that it must be vigorously used. The standard can also be applied to all sizes of organizations.

ISO 9001:2015 – Exclusions

Exclusions to what an organization does were integral to the ISO 9001 standard prior to the 2015 version update. After all an organization cannot do all the work. Clause 7.1.1 lays the foundation on this thought by accepting that an organization must determine and provide resources. In doing so it determines the constraints and capabilities of the existing resources and what needs to be obtained from external providers. As such in previous standards, the organization, when seeking certification, requested exclusion on those processes that it did not perform.

The drawback of this was a major flaw. Over the period of time, some of these organizations, sheltered under the exclusion provision even lost the ability to pick the correct outsourced party! For example, if the organization builds highways, but outsources bridges and tunnels, then it must have the ability to be able to pick the correct vendor/ contractor who will not let the customer down. The revised 2015 version of the standard therefore in the wisdom of TC-176, removed this exclusion provision. It does not imply now the organization cannot outsource what it does not do. All that it means that the organization can review the applicability of the requirements based on its size, complexity and decide on the activities it needs to outsource.

With the exclusion provision removed, the organization would need to do due diligence in appreciating the range of its activities and the risks and opportunities it encounters as also the effect if any of the outsourced vendors not performing to accepted requirements. The organization then remains accountable for the outcome of the outsourced processes and products and services externally obtained. To ensure their consistency and levels of acceptance, it would need to take measures as required by clauses 8.4.1, 8.4.2, and 8.4.3 of the ISO 9001 in enforcing monitoring and measuring to protect its customer and clients.

This assurance that an organization can not and will not outsource those activities which by its decision will not result in failure to achieve conformity of products and services. Clause 4.3 of ISO9001 in determining the scope of the quality management system clearly requires that conformity to the ISO 9001 can only be claimed if the requirements determined as not being applicable do not have an adverse impact on the promises made by the organization. The products it provides, based on externally obtained subproducts or services must not affect customer satisfaction.

In terms of auditing, it is incumbent upon auditors that they carefully seek conformity to this requirement when auditing. Internal audits to ISO 9001 must provide the objective inputs to top management to make better decisions and appreciate the risks of outsourcing to nonperforming and or underperforming outside organizations, remembering they remain accountable and answerable for the final product or service. Ensuring the organization’s accountability for the conforming products and services whether outsourced or not is the responsibility of the organization.

QMII’s ISO 9001 EG (Exemplar Global) certified lead auditor training designed carefully to meet the objectives as envisaged in the standard.

UPDATE ON STANDARDS

In the past year there has been a lot of activity in the development and revision of ISO standards. Highlighted below are a few key updates:

ISO 41001 – Facility Management

This new standard applies the concept of the Plan-Do-Check-Act cycle to the discipline of Facilities Management. This standard provides the requirements for a facility management system where an organization needs to demonstrate effective and efficient delivery of services. The standard is aligned with the High Level Structure adopted by ISO thus ensuring easier integration with other standards. Benefits of implementing this standard, per ISO, include improved productivity, communications, service consistency and costs benefits.

ISO 19011 – Guidelines for Auditing

ISO 19001 has become the primary guideline for all audits conducted globally. The FDIS was recently cleared and the updated revision is due to be published in July 2018. One of the main changes lies in the new auditing principle “Risk-based approach: an audit approach that considers risks and opportunities. The risk-based approach should substantively influence the planning, conducting, and reporting of audits in order to ensure that audits are focused on matters that are significant for the auditee and for achieving the audit program objectives.” This approach is evident in all the clauses of the standard which not follows the High level Structure. We will further update our readers as the standard is published.

ISO 9004 – Guidance to achieve sustained success

The standard has been updated to reflect the guidelines to achieve sustained success of and ISO 9001:2015 QMS. Per ISO, factors affecting an organization’s success continually emerge, evolve, increase or diminish over the years, and adapting to these changes is important for sustained success. The document addresses systematic improvement of overall performance and includes a self-assessment tool for reviewing the extent of conformity by the organization.