Following on from our maritime report, this blog takes a look at the human side of cyber security, discussing some of the emerging regulations. For further details, click here to download the full report.
Any resilient business needs a cyber-security team that works to implement security and behaves in a secure manner when using company assets. This will require changes in the maritime sector, where pressures and risks have typically been physical ones. Regulatory changes are underway to enforce such changes, and organisations need to be aware of what's coming in order to plan accordingly.
These regulatory pressures will push organisations to formalise how they manage and implement cyber security awareness. This will directly impact their businesses, as it will inevitably result in an increased number of responsibilities for staff at both management and operational levels.
The Safety Management System (SMS)
A vessel's SMS, and the manual containing it, outlines the risks faced and how they are being addressed, but at present, it is unusual to see an SMS making reference to a comprehensive set of cyber security considerations. The industry is rightly focused on safety, and historically has not seen cyber as a priority for keeping mariners and their vessels safe and secure.
This omission is understandable, but it results in cyber security being put on the back burner, and soon there will be pressure to address this shortcoming. The 98th session of the IMO Maritime Safety Committee has accepted the MSC-FAL.1/Circ.3 'Guidelines on maritime cyber risk management', and Resolution MSC.428(98) affirms the need for an approved SMS to take cyber risk management into account, with the Resolution in particular encouraging administrations to 'ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Documents of Compliance after 1 January 2021.'
This move to address cyber security is commendable and must be acted upon by all relevant maritime organisations; however, this poses some notable challenges.
Skills focuses – Security Officers
The first challenge is one of skillsets. Currently, neither the training nor the responsibilities of the company-level Company Security Officer (CSO) or the ship-specific Ship Security Officer (SSO) include any cyber-specific knowledge. Both roles are highly targeted at handling the current physical risks to the maritime sector.
Larger firms may have the budget to have a CSO equivalent focusing only on cyber security risks, but most will find it necessary to upskill existing CSOs and SSOs, and this will need to be done in a way that does not place excessive load on already-pressed resources. The CSOs in particular will need to ensure that any new activities SSOs are taking on are simplified and, wherever possible, automated to minimise the impact on staff.
Skills focuses – Mariners
Modern mariners are highly skilled, but have very specific skillsets. While these skills leave them well placed to deal with known and defined issues, this can leave staff struggling to identify or deal with specific cyber security incidents. Without training on cyber security issues and their indicators, we have found that staff with engineering backgrounds can struggle to interpret cyber events.
Overreliance on technology
By conducting interviews and discussions with people within the maritime industry, we found that there is a perception amongst industry experts that younger mariners rely heavily on technology, which at times excludes simpler mechanisms which cannot be easily subverted, but may seem less convenient – as outlined in our report.
Without backup checks and balances, mariners who are implicitly used to trusted technologies may not be as in tune with their surroundings, or as able to detect issues, as more experienced staff. As more junior mariners move up the ranks, the industry may find itself increasingly staffed by mariners who never had to do without now-critical technologies, leaving firms more exposed to the cyber-attacks that might either subvert or disrupt systems. An updated SMS may say all the right things about cyber security and incidents, but if staff don't know how to identify issues when they arise, the potential benefits of a robust cyber risk management plan are diminished.
We recommend that these firms begin to consider these challenges and how to best face them sooner rather than later. Upskilling staff is not a quick task, and developing the controls and measures needed to address risks without overloading staff takes time.
These issues are a single facet of the various cyber security challenges maritime firms are facing. These and more are explored in our 'Stormy Seas Ahead' report, which can be accessed here.