As October is national cyber security awareness month, the US Coast Guard informed that, in partnership with industry associations, class societies, and other Flag States, worked through IMO to develop Guidelines on Maritime Cyber Risk Management, and a subsequent Resolution Maritime Cyber Risk Management in Safety Management Systems.
These documents affirm that safety management systems should take cyber related risks into account in accordance with the objectives and requirements of the International Safety Management Code.
“In the same way the maritime industry developed a robust safety culture, we must now focus on the development of a culture of cyber risk management. Much in the same way crews train for fire and flooding emergencies, crews should also train for cyber incidents,” USCG says.
For instance, on June 19, a vessel transiting the Black Sea reported a crippling GPS disruption.
“Unfortunately, there is a potential for an increase in these types of incidents even with the best protection measures. As electronic navigation systems become increasingly complex, interconnected, and cyber dependent, they could fall victim to bad actors, hackers, and nuisance cyber agents,” USCG notes.
Many of these incidents can be prevented or mitigated by embracing a culture of cyber risk management, without which, technical solutions like virus protection software and firewalls will have limited effectiveness.
“The IMO Guidelines on Maritime Cyber Risk Management stress the importance of a continuous and cyclical process of identifying risks, protecting from those risks, detecting incidents, responding to incidents, and recovery to normal operations. It is vital that shipping companies embrace a culture of cyber risk management at all levels of their organization in order to achieve a robust cyber posture. Training, exercises and drills are a critical component of a cyber risk management regime and should be adopted into Safety Management Systems.”
The Coast Guard Office of Design and Engineering Standards, in partnership with industry associations and class societies, is working to develop additional best-practice guides and industry standards which can be used to assist companies with implementing cyber risk management policies.
In addition, the Coast Guard Office of Port and Facility Compliance is also collaborating with the National Institute of Standards and Technology, National Cyber Center of Excellence to develop sector-specific profiles which adapt the NIST Cybersecurity Framework to specific asset classes. This collaboration has already produced profiles for bulk liquid transfer facilities, offshore platforms, and will soon be kicking-off a profile on electronic navigation and automation systems.