Originally by Norma Krayem 2017-11-18 23:53:15 (Abridged)
The digitization of the maritime sector has brought about a technological revolution with great efficiencies to the overall operations and global supply chain. Unfortunately, ensuring that security is embedded on the front end is still not the norm. This leaves new and old legacy systems cobbled together in a patchwork of structures.
At the same time, the sector is debating the potential use of autonomous ships; however, discussions around cybersecurity protections are still not part of the underlying debate. It should be clear to all that cyberattacks and associated risks represent a clear and present danger. Nation states, non-state actors, criminals, and 21st-century pirates are using cyberattacks as a tool to steal and disrupt the system.
The “call to action” around the cybersecurity risk has been a steady drumbeat for many years, and the sector’s cybersecurity ecosystem must be evaluated and the associated risks addressed now. Whether it was the issuance of Presidential Cybersecurity Executive Order 13636 in 2013, the U.S. Coast Guard’s first cybersecurity strategy in 2015, or the U.S. Coast Guard’s updated “guidance” in December 2016 stating that cybersecurity risk is covered under the Maritime Transportation Security Act (MTSA), the cyber-risk is self-evident.
The IMO has been working to address cyber risk. It was only after the Maersk attack that the IMO issued more solid guidelines for maritime security risk management. Cybersecurity attacks have been documented on ships and ports; more recently, and of particular note, alerts about GPS and satellite spoofing in the Black Sea give great cause for alarm.
Here are eight basic tenets for the sector to consider:
1. The maritime domain is a complex and increasingly automated one. As a result, cybersecurity attacks can potentially impact the health and safety of people as well as the safety and security of goods, bringing significant regulatory and legal implications to the corporate ecosystem, whether it includes passenger or cargo operations.
2. There is a common misconception that cybersecurity risk is solely a technology problem. It is not; it requires a holistic enterprise risk management approach that includes the C-Suite, senior leadership, risk officers, legal, regulatory, security, information technology and other departments in the overall process.
3. Cyber attackers have varied motives, which include stealing, disrupting and potentially destroying assets. Shutting down a port or a Maersk-like attack can have reverberating impacts on the global economy.
5. Expect U.S. and global regulators to continue to double down on cybersecurity risk within the entire maritime ecosystem.
6. To understand cyber risk in the industry, break down the maritime domain into its respective parts and identify the cyber risk within each domain as well as the cross-sector risk. Create a comprehensive plan to manage, mitigate, respond to and recover from cyber-attacks; it must be a living document that is constantly tested.
7. Traditional risk transfer mechanisms like insurance and other tools are invaluable but will never completely cover cyber risk.
8. Increasing use of and innovation around technology should be embraced but must also include security and cybersecurity at the front end.
Norma Krayem is Senior Policy Advisor & Co-Chair, Cybersecurity and Privacy Team, Holland and Knight and Former Deputy Chief of Staff, U.S. Department of Transportation.