Safety is integral to the marine industry. From circuit breakers to personal flotation devices, marine operators typically invest significant resources to reduce the risk of accidents, injuries and deaths.
Except for cyberthreats. Put simply, the marine industry is far less prepared for cyberattacks such as hacking, data theft, GPS spoofing and jamming, ghost shipping, malware, phishing, and ransomware. This is despite the fact that the World Economic Forum recently listed cyberattacks as the third most likely significant global threat, topped only by weather events and natural disasters.
Industry participants can better identify and prevent cyberrisks when they gain an understanding of the regulatory and legal frameworks that apply to the marine industry. Cybersecurity guidelines and standards already in place can help company leadership implement more effective tools to minimize exposure, while a full appreciation for legal and litigation risks underscores the value of prevention and response preparedness.
There is no single regulatory framework that applies to cyberrisks in the marine industry. Instead, there are a number of evolving, divergent, and overlapping standards, which reflects the diversity and rapid growth of digital solutions but also causes confusion.
A good place to start is the IMO’s Interim Guidelines on Maritime Cyber Risk Management, issued in 2017, which map closely to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). Since the NIST CSF was issued, courts and regulators have held that compliance with the framework demonstrates a reasonable level of cybersecurity, which is particularly important in the event of a legal dispute or investigation.
The NIST framework helps maritime operators identify and prioritize cybersecurity risks and align policy, technology, and business initiatives. NIST-based cybersecurity programs focus on five key elements:
- Identify: Identify the data, assets, systems, and capabilities which, if disrupted, would put ship operations at risk; define personnel responsibilities.
- Protect: Enact processes for risk control and contingency planning to ensure continuity of shipping operations.
- Detect: Implement the strategies needed to detect a cyberevent in a timely manner.
- Respond: Develop plans to restore systems or run backup systems needed for shipping operations if a cyberevent occurs.
- Recover: Identify measures to make the whole system work better.
In the U.S., the Coast Guard is the primary regulatory agency overseeing the marine industry. The federal Maritime Transportation Safety Act (MTSA) gives the Coast Guard responsibility for port security, which includes marine transportation system cybersecurity.
In a 2017 Navigation and Inspection Circular entitled “Guidelines for Addressing Cyber Risks at MTSA-Regulated Facilities,” the Coast Guard laid out its interpretation of required facility security plans (FSPs), facility safety assessments (FSAs), and vessel security plans (VSPs), and provided detailed cybersecurity parameters, benchmarks, and recommended practices.
Other cybersecurity standards include the Tanker Management and Self-Assessment program introduced by the Oil Companies International Maritime Forum, and “The Guidelines for Cybersecurity Onboard Ships” released by a consortium of more than a half dozen industry groups. Congress is also currently working on legislation designed to strengthen cybersecurity in U.S. ports.
Implementing recommendations provided by these frameworks can help a company defend itself in commercial and regulatory disputes. Cyber wrongdoers are becoming increasingly sophisticated and bold. Maritime operators must be equally proactive if they hope to minimize the cyberthreats they face.