As the maritime industry adopts new technology, it becomes reliant on cyber systems and on the connectivity of Operational Technology (OT) with Information Technology (IT), and that reliance brings new challenges. Cyber crime is increasing at an unprecedented rate, and a cyber disruption can have far-reaching consequences. The maritime industry must now focus on protecting human life, maritime assets, and the marine environment from cyber-related incidents.
Specifically, the Coast Guard-American Waterways Operators (AWO) Cyber Risk Management Quality Action Team recommends that companies take measures to mitigate cyber risk and fold cyber risk into their existing risk assessment and management processes, including the Safety Management System.
According to AWO, the basic risk assessment guidelines are:
#1 Identify and characterize the computer system: Focus on its functions, the users of the system, and whether it is used internally, externally, or both.
#2 Identify Risks: Unauthorized access to the computer system (and when it could occur), misuse of information stored in the system, loss of data, and disruption of service.
#3 Determine Risk Impact: Establish how a cyber incident could affect the company or vessel operations.
#4 Determine Risk Probability: Estimate how likely each incident is to occur.
#5 Assess Risk Rating: Risk Probability x Impact of Occurrence = Risk Rating
#6 Determine & Implement Security Controls: Administrative controls (policies and procedures), technical controls (firewalls, anti-virus software, data access permissions, etc.), and user training.
#7 Monitor: Continue to monitor the security controls for effectiveness, and re-evaluate risk whenever changes are made to the system.
Finally, the Coast Guard has adopted the National Institute of Standards and Technology (NIST) Cybersecurity Framework as the foundation for its guidance to other segments of the maritime industry on cyber risk management. The core of the NIST Framework is five concurrent and continuous functions that provide a high-level, strategic view of the lifecycle of managing cyber risk:
- Identify physical and software assets, people, data and risks;
- Protect assets by training users and mitigating risk;
- Detect cyber incidents;
- Respond with defined response processes;
- Recover assets or systems affected by cyber incidents.
More information is available below: