Cybersecurity & Maritime

The maritime industry, a vital pillar of global trade, is now at a crossroads, facing an alarming and rapidly escalating threat from cyber attacks. As digital technologies become an inseparable part of naval operations, the need for robust cybersecurity measures has reached a critical and immediate point.

Cybersecurity is a global challenge that transcends national borders. The interconnected nature of maritime operations means that a single cyber incident, regardless of origin, can have profound and far-reaching consequences. Integrating Information Technology (IT) and Operational Technology (OT) in the maritime sector presents unique cybersecurity challenges. OT systems, which control physical processes such as navigation, engine management, and cargo handling, are increasingly connected to IT networks, exposing them to cyber threats. As critical nodes in the maritime supply chain, ports are particularly vulnerable to cyberattacks.

Several high-profile cyber incidents have highlighted the vulnerabilities within the maritime sector, including the following:

  • Maersk NotPetya Attack (2017): The attack led to significant financial losses, estimated at around $300 million, highlighting the critical need for robust cybersecurity measures in the maritime industry.
  • Port of San Diego Ransomware Attack (2018): This incident underscored the vulnerability of port infrastructure to cyber threats and the importance of securing both IT and OT systems.
  • COSCO Shipping Lines Cyber Attack (2018): The attack disrupted communication and booking systems, demonstrating the far-reaching impact of cyber incidents on global shipping operations.
  • Mediterranean Shipping Company (MSC) Cyber Incident (2020): MSC experienced a cyber incident, highlighting cybersecurity's importance in maintaining the continuity of maritime operations.

This sector is governed by a plethora of international conventions and regulations, including the Convention on the High Seas (1958), the International Regulations for Preventing Collisions at Sea (1972), the International Convention for the Safety of Life at Sea (SOLAS, 1974), and the United Nations Convention on the Law of the Sea (UNCLOS, 1982). These conventions primarily focus on physical safety and navigation, with little to no provisions for cybersecurity.

In 2016, the International Maritime Organization (IMO) recognised the importance of cybersecurity, issuing temporary risk management guidelines, later superseded by formal guidelines. In 2017, the IMO adopted Resolution MSC.428(98), mandating that shipping companies incorporate cybersecurity risk management into their Safety Management Systems by January 2021. IMO has been at the forefront of addressing these cybersecurity issues. However, the maritime industry also relies heavily on the principles outlined in the NIST Cybersecurity Framework (CSF) to bolster its cybersecurity measures.

This framework, updated to version 2.0, is designed to enhance cybersecurity risk management across various sectors, including maritime operations. It introduces a sixth core function, ‘Govern,’ which emphasises integrating cybersecurity practices with overall organisational governance to ensure that cyber risk management aligns with broader business objectives.

Whilst the maritime industry has made strides in aligning with NIST CSF, there remain significant gaps, particularly in cybersecurity supply chain risk management. Beyond that, the available guidelines set out high-level principles without detailed implementation strategies, leaving a significant gap in cybersecurity preparedness. Given the evolving and increasingly sophisticated nature of cyber threats, there is a growing consensus that existing regulations are insufficient. The current conventions were established long before the digital age, and their provisions do not adequately address the complexities and urgency of cybersecurity.

The EU's updated Network and Information Systems Directive (NIS2) and the Critical Entities Directive (CED) are set to impact the maritime sector significantly. NIS2 expands the scope of the original NIS Directive, imposing stricter cybersecurity requirements on a broader range of entities, including those in the marine industry.

Maritime companies must invest more in cybersecurity and ensure compliance with these new regulations. Member States play a crucial role in developing and enforcing cybersecurity standards within the EU. For instance, the EU's General Data Protection Regulation (GDPR) and the NIS Directive (1 and 2) have significant implications for the maritime industry, requiring companies to implement robust cybersecurity measures and report incidents promptly. They also aim to enhance cybersecurity across member states by promoting cooperation and harmonising national cybersecurity capabilities by introducing the first European cyber crisis liaison organisation network (EU-CyCLONe), a cooperation network for Member States' national authorities in charge of cyber crisis management.

The Critical Entities Directive (CED) complements NIS2 by focusing on the resilience of critical infrastructure, including ports and maritime transport facilities. CED requires member states to identify essential entities and implement robust security measures to protect against physical and cyber threats.

The EU's Artificial Intelligence Act (AI Act) also has significant implications for the maritime sector, particularly regarding the use of AI in operational technology and ports. The AI Act ensures that AI systems are safe and transparent and respect fundamental rights. For the maritime industry, AI systems used in navigation, cargo handling, and other critical operations must meet stringent requirements for robustness and cybersecurity.

The industry is at a critical juncture, facing increasing cyber threats that require a coordinated and comprehensive response. Updating existing regulations and harmonising everything into a coherent framework is essential to enhancing maritime cybersecurity. However, this is not enough. International cooperation, robust standards, and proactive measures by naval companies are equally crucial. The global marine community can collectively strengthen its cybersecurity defences by sharing information, best practices, and resources. This will ensure the maritime industry can navigate the digital seas safely and securely.

Article by Dr Ian Gauci

 


Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.