What is a successful Cybersecurity Program for Maritime Assets?
In 2017, the shipping giant Maersk Line became victim of the NotPetya malware. Like ransomware, this malware propagated through networks, encrypting data rendering 4,000 servers, 45,000 PCs and 2,500 apps useless.
Except NotPetya was not really ransomware. It was not designed to decrypt upon reception of payment only to spread damage. The target was Ukrainian organizations, but due to the efficient spreading mechanisms, Maersk’s reported $300M loss became part of vast collateral damage
How to Secure Maritime Assets from Cyberthreats?
The examples above illustrate how vulnerable maritime operational technology (OT) assets become when they are connected with IT units.
If you are an owner of maritime assets, how can you secure them from cyber threats?
A successful cybersecurity program is crucial for OT security. Roughly, a ‘cybersecurity program’ refers to an organization’s processes, technology, and awareness with respect to cybersecurity. What are the key elements of a successful cybersecurity program?
Key to a Successful Cybersecurity Program
The first step is to understand the scope of a successful program. Protecting maritime infrastructure from cybersecurity attacks requires the right processes, the right technology and sufficient awareness among key personnel. All these elements must play together in order to develop and maintain a secure environment capable of handling all types of events – from targeted attack like GPS spoofing of ships, or attacks where critical OT infrastructure is a random victim of carefully designed damaging malware like NotPetya.
Many asset owners and operators are looking for one or a few technical solutions to secure their assets and fail to sufficiently embrace the need for having the right competencies and processes.
As we note in a different article (Norwegian), a strategy encompassing all three dimensions – technology, processes and competence – is crucial for securing assets in critical infrastructure in general. To stay secure, it is important to continually maintain an overview of the situation, periodically revisit all security measures and improve as required to stay ahead of the attackers.
Once the required organizational support and scope of the Cybersecurity Program is in place, the strategy and requirements for the program must be established. The ISA/IEC 62443 standard series is particularly relevant for the maritime industry. The International Association of Classification Societies (IACS) will require ships constructed on January 1st, 2024, and onwards to satisfy a set of minimal cybersecurity requirements, in order to be classified. These “unified requirements,” as they are called, draw upon foundational requirements and system requirements from the ISA/EEC 62443 standard.
Second, a Security Policy must be established. The policy defines the goals specific to your organization or asset to implement the strategy in compliance with the relevant requirements. When defining a Security Policy, ownership and responsibilities of the various elements required should be determined.
Cybersecurity standards typically contain requirements to assess and manage cyber-risk. When planning the actual implementation of the cybersecurity program, it is a good idea to start with a Risk Assessment. The results from this assessment will guide later efforts to where they have the most impact. Cyber-risk management and assessment will become important elements for the maritime industry going forward, as they are featured in IACS’ unified requirement E26.
Securing maritime assets against cyberthreats is not easy. A good cybersecurity program, though, is an important starting point place for OT security.