The Big Picture of Cybersecurity and Digitalization
There isn’t a day that passes where we don’t read something in the news about cyber risk and increasing digitalization of industry, the “Internet of Things”, and disruptive technologies such as blockchain. Last summer, at the Posidonia International Shipping Conference in Athens, the opening ceremonies included remarks from the Greek Prime Minister, the EU Transport Secretary, and the Secretary General of the International Maritime Organization (IMO). Each spoke of the arrival of the “Fourth Industrial Revolution”. They stressed the immense benefits of technology integration to optimize business, increase visibility of operations, and reduce administrative burdens. There was also a call for industry to pay close attention to the increasing exposure to cyber risk as technology integration and operational dependency deepens.
Information Technology (IT) and security integration is a critical factor in quality and in protecting clients and business. Cybersecurity in our industry is far more than protecting data; it is more about the safety of our people, operations, and the environment. What makes maritime cybersecurity special is the convergence of business IT with Operational Technology (OT) and Industrial Control Systems (ICS) aboard ships and in the marine terminals. OT and ICS on board ships are the cyber-physical systems that assist mariners with the physical process of controlling navigation, cargo management, and marine propulsion. Similarly, OT and ICS in the marine terminals are built into cargo handling systems, cranes, yard equipment, and pipelines.
This is similar to, and in many cases the same as, other areas of critical infrastructure, such as public utilities, power generation, and some manufacturing processes involving heavy machinery. Facility security is also more converged than ever for access control and security monitoring, and even optimized to assist in the tracking and management of cargo and equipment movements within marine terminals.
Over the past twenty years, these systems have become more networked with IT and connected to the Internet for understandable business reasons: access to data and greater visibility to optimize operations, and even remote control and maintenance – sound familiar? There is increased exposure of these critical systems to the frailties of the Internet. When disrupted, the impacts are physical and can endanger life, operations, and the environment – physical consequences that can be severe and well beyond data loss or denial of service in IT. Compounding the problem is the lack of sufficiently qualified IT staff and industrial controls cybersecurity engineers to manage the risk and protect our businesses.
Beyond the computers, networks, and systems, cyber is about relationships. The maritime industry is heavily dependent on third parties and deep human networks of complementary businesses to ensure an uninterrupted, profitable, and secure flow of global trade. Cyber can be regarded as that nervous system of communications that makes this all happen. This means we can no longer simply think of our own individual security, but rather work together to ensure a mutual digital trust.
Cybersecurity compliance is approaching our industry. In June 2017, the 98th Session of the IMO’s Maritime Safety Committee passed a resolution requiring cybersecurity risk management to be included in Safety Management Systems by 1 January 2021. Similarly, the United States Coast Guard issued a Draft Navigation and Inspection Circular (NVIC) 05-17 proposing cybersecurity guidelines for facilities and operators subject to the Maritime Transportation Security Act. In September 2018, the National Cyber Strategy was released, and it included maritime as a priority, further recognizing the strategic importance of our ports and the maritime transportation system to both our economic and national security.
From newspapers to port security briefings, we have been informed about the spectrum of cyber antagonists, from nation state actors to criminals to unknowns, who are responsible for the malicious cyber attacks and cyber-enabled business espionage that place our businesses and critical infrastructure at risk. It is a very complicated problem that is presented to us as stakeholders in the business of international trade. We can also expect that government agencies will look to industry’s leadership in cybersecurity, to include greater information sharing and strategy development to protect our ports and the marine transportation system that are so near and dear to us.
Technology integration is a spectrum; some companies have more and some less. Some are really complicated, some are not at all. The following questions apply to any industrial business and reflect the cyber lessons learned by industry skeptics.
- Have you conducted an internal assessment to identify and inventory your assets and technologies to know what to protect?
- Do you have policies and procedures directly relating to IT and information security?
- If you are a business responsible for ICS/OT/SCADA, do you have policies and procedures directly relating to industrial cybersecurity and to protecting those systems?
- Have you internally assessed for risk and the impacts of risk to your business?
- Do you have business continuity plans in place, and do you exercise those plans regularly?
- Have you discussed cybersecurity with your contractors, vendors, and trusted business partners?
This digital transformation of our industry may be more complicated than other industrial revolutions because it comes with its own unique and significant risks that aren’t fully understood and that have both national security and business security implications. We need to work together to take charge of this so-called “Fourth Industrial Revolution”, to understand the risks, and to lead with relevant and cost-effective solutions. We must also strive to capture the value that digitalization may bring to us and take our businesses into a profitable and secure future.
- Date December 5, 2018