Standardization and Best Practices for Cyber Risk Management in Maritime Operations
1.2. Significance of Cyber Risk Management in Maritime Operations
There are many reasons for the exponential increase in the threat of cyber-attacks against the maritime transportation system. The use of commercial-off-the-shelf technologies, the integration of those technologies into operational systems, and the interconnectivity of those systems with global information and communication systems have introduced vulnerabilities which can be exploited by adversaries. The shipping industry has traditionally been slow to recognize and address the significance of weaknesses in its IT systems. A prevalent mindset is that it is sufficient to switch to manual operations in the event of system failure, and that this posture will provide an acceptable level of safety and security. However, the modern interconnectivity of IT systems and operational technologies means that a failure in IT systems can lead to a failure in operational systems, and loss of critical functions may not be restorable from manual backup. All industries reach a tipping point in IT dependency where the rapid growth of technology outpaces the ability to safely integrate it. The maritime industry has reached that point in an era of rapid automation and IT innovation. International political conflicts and military actions are increasingly extending into the cyber domain and all IT-dependent industries are at risk of collateral impact. A major consideration is the fact that the maritime transportation system underpins every facet of modern society, and that the consequences of a cyber-attack on the system would extend far beyond the immediate impact on ship operators and their stakeholders. Given the increasing frequency and impact of cyber-attacks against all IT-dependent industries, it is no longer a question of if, but when a significant cyber incident will occur in the maritime industry.
2. Industry-wide Standards for Cyber Risk Management
Worldwide, there are currently no industry-wide standards for cyber risk management, and it is suggested that the establishment of such standards is a key element to improve and develop risk management within the maritime industry. The recent International Safety Management Code (ISM) requires companies to create an effective safety management system for their organization. Common best practices and standards will provide a suitable framework for such systems and will also provide a basis for audits and a way of measuring risk management effectiveness.
The advanced and changeable nature of cyber threats makes it difficult for individual shipping companies to stay ahead and develop effective risk management plans and best practices for their own organization. Individual risk management practices are also considered a competitive advantage and result in companies being reluctant to share or implement best practices formulated by others [2].
The literature reviewed in previous sections suggests that the diffusion of best practices and risk management techniques is the most effective way to combat the challenges of cyber risk. It has already been established that shipping operations rely on information technology and specific control systems, and that these can contain vulnerabilities which can be exploited to cause damage, whether a systems failure, a port operations failure, pollution, personal injury or, in more extreme cases, damage to assets and the environment [1].
2.1. Current Challenges in Cyber Risk Management
A major factor that separates the current state of cyber risk management in the maritime industry from that in other industries is that it is not a priority. This is due to the nature of the shipping industry: making time-sensitive deliveries to any point around the globe. Unlike most other industries, the top priority of a vessel operator is meeting these deadlines. Safety, both of the crew and of the assets being transported, is also a high priority; the bulk of the focus is on protecting the vessel from physical threats and ensuring safe transportation of the cargo. While cyber threats do pose a risk to the cargo and to operations, they are generally seen as a less immediate threat than physical threats; piracy at sea, for example, is a direct physical threat to both the crew and the cargo. This means that resources which could be allocated to managing cyber risk are allocated elsewhere. It is the recent increase in the severity and frequency of cyber attacks, particularly on the shipping and logistics industry, that has led to cyber risk management being considered a higher priority. As of now, the only time cyber risk management becomes a top priority is in the wake of a cyber attack on a company, when executives seek damage control and preventative measures in response to the attack. The challenge is that, when risk management is treated as a short-term high-priority task, it often reverts to a low-priority task once the situation has been remediated.
2.2. The Need for Standardization
The cyber threat is one of the most serious dangers facing the shipping industry, if not the most serious. This isn’t just Blue Denmark saying so; it is a view that is becoming widely accepted. In today’s complex operating environment, many of a ship’s systems rely on digital and satellite technologies. These technologies have enhanced crew and stakeholder safety, environmental stewardship, and the efficiency of moving goods to market, but they have also created potential vulnerabilities. A new ship has on average 35,000 separate digital points on board, according to Lloyd’s Register, and only a small portion of these are likely to be properly protected from the cyber threat.
Cyber attackers can be other states, terrorists, criminals, ‘issue motivated individuals’ or even crew members. A successful attack could have any number of consequences, from compromising sensitive data to causing the smart ship not to function, from polluting the marine environment to injuring crew or passengers. In a worst-case scenario, the ship could be a direct target or hostage of an attacker. The risk is not limited to the ship. Shoreside facilities and activities related to the goods carried by the ship are also at risk. An example is an incident in 2017, where the terminal of the world’s largest container shipping company, A.P. Moller-Maersk, was completely shut down because of the NotPetya ransomware cyber attack which also affected the company’s IT systems on several vessels. A new joint industry report, produced by BIMCO, CSA, IPTA and Witherby Publishing Group, addresses the need for an industry standard on cyber security.
2.3. Key Elements of Industry-wide Standards
Common to all standards is the identification and protection of critical information and systems. Key to this is identifying the information and systems that are essential to the safety and operation of the organization, and determining the impact that their loss, corruption or unavailability due to a cyber incident would have on the organization’s safety and ability to conduct its business. Based on the criticality of these systems and information and the impact of their loss, the level of protection and restoration required can be determined. For example, more robust protection and contingency measures may be required for vital systems than for non-critical administrative systems.
In order to establish industry-wide standards for cyber risk management, there must be a set of common understandings and means of translating high level expectations for cyber risk management into practical and workable controls and objectives. This can be achieved by putting into place cyber risk management standards which provide a common platform and language for cyber risk management. These standards would be addressed at varying levels of granularity, hierarchy and specificity; examples include the International Standards Organisation’s ‘ISO/IEC 27000 Information Security Management Systems series’ or the US National Institute of Standards and Technology ‘NIST’ standards. These standards identify and define specific IT (or cyber) controls (or security safeguards) that need to be implemented to manage and reduce cyber risk, based on a defined risk assessment methodology. Ideally, the maritime industry could work towards a set of industry-specific standards. However, it may be beneficial to begin with a set of standards that are tailored to meet the needs of small to medium-sized maritime enterprises who do not have the same level of resources or expertise in cyber risk management as the larger industry players.
3. Best Practices for Cyber Risk Management
CyberMAR recommends an analysis of what an organization does as the first step in assessing the risk to a particular asset or system. This is a necessary step before an organization can identify the various types of cyber risk and move on to decide how best to protect its assets. For a system under development, this involves an analysis of the system design to identify its components and the dependencies between them. For existing systems and assets, it may simply involve identifying and listing the assets most critical to the organization.
Having identified the assets that need protecting, the next step is to identify the different types of cyber attack that could harm each asset. At this point, it may be useful to consult the US CERT Cyber Threat and Vulnerability Analysis for common types of attacks and vulnerabilities that lead to the compromise of information. An attacker generally has a specific goal in mind, and the impact of an attack varies depending on which property of the CIA triad (Confidentiality, Integrity, Availability) is compromised for the given asset.
For risk assessment and identification using the US CERT data, a simple impact analysis matrix can be constructed to weigh the probability of a given type of attack occurring against its potential impact on the affected asset or system. This step gives the risk assessment a quantitative value, useful for prioritizing the protection of different assets and applying the appropriate level of security.
An alternative to this matrix-based method is a model-based approach. For example, attack trees can be used to model the various methods of compromising an asset, with an impact assessment at each step using a utility theory model. This leads into the next best practice: risk assessment to determine the impact of an attacker’s success.
A model-based approach: risk assessment to determine the impact of an attacker’s success.
Concrete, specific, and accessible exercises: analysis of what we do; strategy for identifying different types of cyber risk.
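An attack-tree calculation of the kind described above, written for this article as an added example (it is not tooling from the paper, CyberMAR or any named project). The tree, its leaf probabilities and its 0-10 loss scale are constructed, leaf steps are assumed independent, and the "control_benefit" what-if shows how a defender uses the model to rank candidate controls by the risk they actually remove.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Node:
    """One node of an attack tree (the tree below is constructed for this example).
    kind: "LEAF" (one attacker step), "OR" (any child suffices) or "AND" (all children needed).
    p: for a LEAF, the assessor's estimate that the step succeeds; impact: loss on a 0-10 scale."""
    name: str
    kind: str = "LEAF"
    p: float = 0.0
    impact: float = 0.0
    children: List["Node"] = field(default_factory=list)

    def success_probability(self) -> float:
        # Leaf steps are treated as independent (a simplifying assumption of this model).
        if self.kind == "LEAF":
            return self.p
        probs = [c.success_probability() for c in self.children]
        if self.kind == "AND":          # every step on the path must succeed
            return math.prod(probs)
        if self.kind == "OR":           # at least one alternative succeeds
            return 1.0 - math.prod(1.0 - q for q in probs)
        raise ValueError(f"unknown node kind {self.kind!r}")

    def expected_loss(self) -> float:
        # Utility-theory style step impact: probability of reaching the node times its loss.
        return self.success_probability() * self.impact

    def step_table(self, depth: int = 0) -> List[Tuple[int, str, float, float]]:
        """(depth, name, P(success), expected loss) for this node and everything below it."""
        rows = [(depth, self.name, round(self.success_probability(), 3), round(self.expected_loss(), 3))]
        for c in self.children:
            rows.extend(c.step_table(depth + 1))
        return rows

def build_tree() -> Node:
    """Constructed tree: loss of availability of a bridge navigation workstation."""
    return Node("Navigation workstation unavailable", "OR", impact=9.0, children=[
        Node("Malware delivered via removable media", "AND", impact=6.0, children=[
            Node("Untrusted USB device used for chart update", p=0.30, impact=2.0),
            Node("Malware evades endpoint protection", p=0.50, impact=4.0),
        ]),
        Node("Compromise over shore connectivity", "AND", impact=7.0, children=[
            Node("Remote maintenance service reachable from shore", p=0.20, impact=3.0),
            Node("Remote access credentials guessed or reused", p=0.40, impact=5.0),
        ]),
    ])

def find(node: Node, name: str) -> Optional[Node]:
    """Locate a node by name anywhere in the tree."""
    if node.name == name:
        return node
    return next((h for h in (find(c, name) for c in node.children) if h is not None), None)

def control_benefit(tree: Node, leaf_name: str, new_p: float) -> float:
    """Reduction in the root's expected loss if a control lowers one leaf's probability to new_p."""
    leaf = find(tree, leaf_name)
    if leaf is None or leaf.kind != "LEAF":
        raise KeyError(f"no leaf named {leaf_name!r}")
    before, old_p = tree.expected_loss(), leaf.p
    leaf.p = new_p
    after = tree.expected_loss()
    leaf.p = old_p                      # restore the model after the what-if
    return round(before - after, 4)

def rank_controls(tree: Node, candidates: Dict[str, float]) -> List[Tuple[str, float]]:
    """candidates maps a leaf to its probability after a candidate control; best control first."""
    scored = [(name, control_benefit(tree, name, p)) for name, p in candidates.items()]
    return sorted(scored, key=lambda t: -t[1])
```

Calling `build_tree().step_table()` gives the per-step probability and expected loss that the impact assessment at each step refers to, and `rank_controls` compares candidate controls on the same scale.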
3.1. Risk Assessment and Identification
Risk assessment and identification holds a vital place in the risk management process. It is a preliminary task and the foundation for the decision-making phase. It is an iterative process consisting of continuous assessment of the risk and of the effect of that risk on the risk management process. It is important to have a clear understanding of how to identify the asset and then the risk associated with that asset. It begins with an understanding of what is to be protected, i.e. the asset. Identifying the cyber risk to the asset is then used to make decisions and to prioritize the risk to the asset. Throughout the process, it is important to have knowledge of the threat along with the causes of the risk. A common language and understanding of the risk is developed using a risk characterization matrix of high and low probability against high and low consequence, together with a disaster scale, to guide implementation of the measures that best lower the risk. Finally, risk assessment concludes with the prioritization of the assessed risks and a decision to transfer, accept, avoid or reduce each risk.
This is the first step towards effectively mitigating and managing the cyber risk of the environment. By understanding the primary asset and the risk associated with it, it becomes clear what needs to be done, how the risk is going to be approached and how it can best be reduced. This practice is an effective way to methodically understand and plan the best approach to reducing the risk.
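A worked version of the probability-against-consequence matrix described in this section and in the impact analysis step of section 3, written for this article as an added example (not tooling from the paper, CyberMAR or US CERT). The assets, threat names, ordinal scale, colour bands and the rule mapping a matrix cell to transfer, accept, avoid or reduce are all constructed; the consequence is scored separately for each CIA property so the register also records which property drives the risk.

```python
from dataclasses import dataclass
from typing import Dict, List

# Ordinal scale for likelihood and consequence (constructed for this example).
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class RiskEntry:
    asset: str                 # what we are trying to protect
    threat: str                # attack type taken from a threat catalogue
    likelihood: str            # "low" / "medium" / "high"
    impact: Dict[str, str]     # consequence per CIA property, keys "C", "I", "A"
    essential: bool = True     # is the asset essential to safe operation?

def impact_level(entry: RiskEntry) -> int:
    """Worst consequence across confidentiality, integrity and availability."""
    return max(LEVELS[v] for v in entry.impact.values())

def driving_properties(entry: RiskEntry) -> List[str]:
    """Which CIA properties carry the worst consequence for this asset."""
    worst = impact_level(entry)
    return [k for k, v in entry.impact.items() if LEVELS[v] == worst]

def risk_score(entry: RiskEntry) -> int:
    """Cell of the 3x3 probability/consequence matrix, 1 (low/low) to 9 (high/high)."""
    return LEVELS[entry.likelihood] * impact_level(entry)

def band(score: int) -> str:
    """Colour band of the matrix cell (thresholds are a constructed policy)."""
    if score >= 6:
        return "RED"
    if score >= 3:
        return "AMBER"
    return "GREEN"

def treatment(entry: RiskEntry) -> str:
    """Map the cell to transfer / accept / avoid / reduce (constructed decision rule)."""
    lik, imp = LEVELS[entry.likelihood], impact_level(entry)
    score = lik * imp
    if score == 9 and not entry.essential:
        return "avoid"      # withdraw a non-essential exposure rather than defend it
    if band(score) == "RED":
        return "reduce"     # mandatory controls, highest priority
    if band(score) == "AMBER" and imp == 3:
        return "transfer"   # rare but severe: insurance, contracts, contingency plans
    if band(score) == "AMBER":
        return "reduce"     # frequent but minor: cheap controls and awareness
    return "accept"

def prioritize(register: List[RiskEntry]) -> List[dict]:
    """Rank the register so the most severe matrix cells are addressed first."""
    ranked = sorted(register, key=lambda e: (-risk_score(e), -impact_level(e), e.asset))
    return [{"asset": e.asset, "threat": e.threat, "score": risk_score(e),
             "band": band(risk_score(e)), "driven_by": driving_properties(e),
             "treatment": treatment(e)} for e in ranked]

# Constructed register for a single vessel; values are illustrative, not from any real survey.
SAMPLE_REGISTER = [
    RiskEntry("ECDIS navigation workstation", "malware via removable media", "medium",
              {"C": "low", "I": "high", "A": "high"}),
    RiskEntry("Engine monitoring PLC", "misuse of remote maintenance access", "medium",
              {"C": "low", "I": "high", "A": "high"}),
    RiskEntry("Cargo manifest database (shore)", "unauthorised modification", "low",
              {"C": "medium", "I": "high", "A": "medium"}),
    RiskEntry("Crew welfare Wi-Fi", "credential phishing", "high",
              {"C": "low", "I": "low", "A": "low"}, essential=False),
    RiskEntry("Office printer", "web interface defacement", "low",
              {"C": "low", "I": "low", "A": "low"}, essential=False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER):
        print(row)
```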
3.2. Cybersecurity Controls and Measures
Technical cybersecurity control measures are changes to a computing device, its software, or its firmware intended to provide security by reducing its risk of attack. The effectiveness of control measures can vary widely depending on how they are implemented. The term countermeasure is also used to describe an action which translates into an effective security control. Measures, by contrast, exist to improve the effectiveness of the control, e.g. spending more on a specific activity because it is deemed useful. Control measures range from low-level controls to high-level controls. As technology has grown and come to depend greatly on data sharing and web services, it is widely believed that there is a growing need to increase investment in high-level control measures rather than simply adding more low-level controls, because this is the only way to change the way technology is currently used and to halt the recent increase in the number and severity of security incidents. High-level control measures are policy-based and usually place restrictions on certain actions and on access to resources. An example is the UK Government OFFICIAL or OFFICIAL SENSITIVE protective marking, which is now being implemented to control data storage and sharing in the public sector. Many of the detailed assurance requirements mandated for IT systems processing protectively marked data are also examples of high-level control measures. These measures are often the most effective way to improve the security posture of an organization, but can take a long time to have an impact and can meet significant resistance to change from users.
Cybersecurity controls and measures are the technical and non-technical efforts put in place to safeguard the confidentiality, integrity, and availability of information on computing devices. These measures are taken to protect the resources of a company and its users. The resources are usually information in storage, processing, or transit, and the computing devices on which that information resides. Cybersecurity controls and measures play an important role in cyber risk management as they are the proactive defense that reduces the risk of an incident occurring. To picture the distinction, imagine a computer secured by a chain with a lock around it: the chain is the cybersecurity measure and the lock is the cybersecurity control. The following sections provide guidance on technical measures and include a range of suggestions for best practice.
3.3. Incident Response and Recovery
The preference is to use the ISO31000:2009 standard as the mainstream risk assessment framework. Its concept is easy to understand: the identification of an event affecting an organization, compared against a previously identified risk. This standard uses a simple colored risk matrix and a seven-step process, which is relatively easy for the maritime industry to adopt compared to more maritime-specific methods such as SRA. By setting out a guideline cyber risk assessment methodology built on ISO31000:2009 and Maritime Cyber RAND, together with a guideline cyber risk matrix, the contributor will explain the planning methodology and offer suggestions for tools and automation that can be used to accomplish the risk assessment recommendations. This section has potential for an extra output, whether as a research paper or a further best practice document.
There is more to a thorough risk assessment framework than merely identifying risks. Identifying risks involves knowing and understanding what events are likely to have an adverse effect on an organization. Standard risk assessments stop at this stage; the contributor aims to take this to the next level and show how it leads into identifying cyber scenarios. In moving from identifying standard business risks to identifying cyber risks and events, the contributor will go through the use of risk matrices and demonstrate how to apply this method to cyber risk. The aim is to provide guidance on the planning and process needed to implement a risk assessment framework, and to maximize the benefits it can bring to an organization in understanding cyber risks.
3.4. Training and Awareness Programs
Standardization and Best Practices for Cyber Risk Management in Maritime Operations is a proposal for the development of a new strategy by shipping organizations to confront maritime cyber risk and has been prepared by stakeholders in the maritime industry. In an environment significantly reliant on technology for operational efficiency, the topic of cyber risk is not considered in a general context. Both the scope and the impact of cyber risks are amplified from a safety and financial standpoint when considering the nature of the assets and the systems employed in the maritime industry.
Throughout the document, it has been assumed that users are already knowledgeable in operational technology and corporate IT networks. As the scope of the document is wide and varies between different types of organizations (ship, port, manufacturers, etc.), it would be impossible to tailor a specific cyber awareness training program to each individual type of user within this industry. Therefore, references from the document may need to be synthesized into an appropriate context and delivery of training for the intended audience.
4. Implementing Cyber Risk Management in Maritime Operations
Cyber risk should be managed like other operational risks and decision-making processes, recognizing that it is just one of many threats and opportunities. To prevent adverse effects on organizational operations and objectives, management of cyber risk must be part of the organization’s governance, risk, and strategic management. Whether undertaken reactively in response to a specific threat or incident, or proactively as part of a systematic process, this will ensure risk is managed holistically, consistent with other risk and decision-making processes, considering cost-effective risk reduction measures and informed decision making. Integration with current practice and the business needs form the basis of effective cyber risk management. Given the dynamic nature of technology, the potential impact that particular cyber threats and vulnerabilities can have on operations and assets, and the dependency on technology for business advantage and mission success, it is important to understand which information systems, assets, and processes at the core of the organization are most critical, and which are less important in terms of their impact on achieving successful outcomes. This will help to focus resources on the most important assets and processes to ensure savvy use of resources for risk avoidance, risk transfer, risk mitigation, and accepting specific risks. Specific consideration should be given to risk acceptance, deciding which risks are cost-effective to accept and the amount of risk to accept, taking into account the potential benefits of taking on increased risk. Decision logic should be constructed on the basis of information technology and the impact of adverse cyber events on business or mission success. This involves practical planning processes and actions that assist in effective and efficient decision making, managing cyber risk at an acceptable level, and ensuring expected outcomes are achieved. 
A multi-criteria decision analysis approach can be used to formulate decisions on the best courses of action. Finally, at each step and decision, it is important to monitor changes in the internal and external context of the organization, in order to identify new threats or vulnerabilities and changes in the level of risk, and to inform iterative changes to the decision logic and risk management processes.
4.1. Integration of Cyber Risk Management into Existing Processes
Cyber risk management needs to be fully integrated into existing practices and processes in order to be effective in supporting the maritime sector. The scope of cyber risk management is broad and touches every aspect of a shipping company’s operations. Currently, there are no dedicated frameworks or processes for managing cyber risks and cyber security within the maritime industry, despite the industry’s increasing dependence on information technology and regulatory requirements related to security.
To achieve this, existing practices and processes need to be assessed to determine where they interact with the management of cyber risks and security, and to identify areas for improvement. This will likely involve mapping activities to identify what is being done, where it is being done, the people involved, and the information and technology being used. This will also support the emerging requirements for cyber security assessment of individual assets (ships, ports, etc.) using methods such as those detailed in BIMCO’s Guidelines on Cyber Security Onboard Ships. The mapping can then be used to build a clear picture of where potential cyber risks exist in existing processes and enable a better understanding of the ways in which cyber risks threaten safety and the environment. Cyber incidents with safety and environmental consequences can be the starting point for changing industry attitudes towards cyber security.
4.2. Collaboration and Information Sharing
The MP and ITSEC’s collaboration on this project has been clear in establishing a globally applicable structure that leverages established conventions and organizations whenever possible, thus avoiding duplication of effort and competing requirements. One of the primary goals was to utilize existing tools and best practices wherever possible rather than creating entirely new ones. Documents such as conventions, codes, and recommended practices are not applied as strictly as a rule set and typically require an associated audit tool to ensure conformance. For this reason, the first step was to create a dedicated gap analysis tool to serve as a template for existing and future documents and requirements. This tool uses a simplified questionnaire format based on the subject document to determine the delta (gap) between it and the targeted cybersecurity assurance level. A similar tool was then created to develop CONOPS (concepts of operations) and associated mapping documents that define how a given requirement is implemented in a system design or process. By determining where existing tools and practices have near-term applicability, and where it is more effective to influence changes in a RPS or to develop new requirements, the end result is to maximize the impact of limited resources.
4.3. Regulatory Compliance and Certification
The primary driving force behind the implementation of cyber risk management in maritime operations is regulatory compliance. All mandates being set forth require companies to maintain a risk management program, address specific control and safeguard requirements, and have a system in place that identifies computers on cargo vessels, to assist those in the industry to better manage their cyber risk. Currently, there are two guiding lights that operators in this industry use to direct their cyber risk management system: the ISM Code and the International Ship and Port Facility Security (ISPS) Code. Cyber security considerations are now being integrated into both codes, and failure to comply with regulations can result in large monetary penalties, damage to a company’s reputation, or denial of access to certain ports.
ISM Code:
This code applies to all companies and organizations responsible for ships and mobile offshore drilling units. It provides an international standard for the safe management and operation of ships at sea, and requires these companies to establish objectives for safe practices and for protection of the environment. The ISM Code requires these companies to assess all identified risks to their ships, persons on board and others. This includes assessing potential risks to safety or the environment to determine whether adequate safeguards exist, and providing assurance that the management and safety objectives are being met. Measures aligned with the ISM Code have been given to protect against identified cyber risks, such as the infection of critical systems, by providing a clear and organized framework to manage these risks. Failure to meet these obligations can result in the detention of ships, so all necessary measures will be taken to avoid this consequence.