The most critical and sensitive data of an organization (e.g. personal data, financial data, operational data and business strategies) is hosted in its Information Systems, and any malfunction or disruption of those Information Systems may have a significant impact on the organization's business activities.

Modern commercial ships are considered «Floating Digital Offices», as they host and interact with complex, heterogeneous Information Systems and depend on several providers (e.g. navigation equipment providers, cloud providers, telco providers, etc.). Thus, commercial ships are exposed to multiple known cyber-attacks and vulnerabilities, making cybersecurity a critical aspect of maritime organizations' business continuity.

Furthermore, commercial ships play a decisive role in the maritime environment, interacting with many entities including maritime companies, crew, ship manufacturers, port authorities, inspectors, cargo owners, shipping registers, charterers and telco providers. Any degradation, interruption or impairment of a ship's Information Systems will have serious consequences for the proper functioning of the ship and for the activities of the interacting entities, making security management one of the most important concerns. In order to improve security and avoid such events, there are several guidelines and best practices that need to be followed, such as IMO's MSC-FAL.1/Circ.3 "Guidelines on Maritime Cyber Risk Management", OCIMF's "Tanker Management Self-Assessment v3" and BIMCO's "Guidelines on Cyber Security Onboard Ships v4". Apart from onboard cyber security requirements, international organizations such as ENISA, UK DfT and IAPH have published additional requirements and best practices regarding the Information Systems of ports, since ports continuously interact with ships and their systems are also vulnerable to attackers.

All the above guidelines can be covered by well-known international standards and regulations such as ISO/IEC 27001, ISO 22301, SOC 2, GDPR, CCPA etc., and the most effective way to comply with these complex requirements is to adopt a Cybersecurity Compliance Framework in order to evaluate and continuously improve the cybersecurity of Ships' Information Systems (SIS) and Port Information and Communication Technology (PICT).

ICT PROTECT's proposed compliance methodology for Maritime Cyber Risk Management derives from the international standards, regulations and best practices mentioned above and consists of eight phases, as depicted in the infographic below.

Maritime Cybersecurity Compliance Roadmap

Via this Framework, the maritime cybersecurity team members will be able to identify all the cybersecurity requirements; identify their IT and OT assets; evaluate targeted threats and vulnerabilities; define targeted cybersecurity controls; include specific metrics and audit evidence in their internal audits; and therefore know the level of compliance for each requirement.

At ICT PROTECT we have developed and implemented this Framework through the STORM GRC Tool, and we have successfully used it to address our clients' complex compliance requirements (including those of the maritime sector). The STORM GRC Tool offers a bundle of targeted services to company users in order to guide them in securely managing their ICT systems and in creating all the mandatory documents and evidence required by ISO 27001:2013 and industry-specific cybersecurity requirements (e.g. IMO, NERC CIP, etc.).

In conclusion, with the rapid growth and adoption of technology in the maritime environment, Ships' Information Systems are increasingly exposed to cyber risks. These cyber risks could be exploited either via satellite networks or via traditional communication channels, and could have a significant impact on all maritime entities, affecting the international economy. A holistic and common approach (a Cybersecurity Compliance Framework) should be adopted for the security management of both ICT and OT systems in order to continuously monitor security and privacy risks, improve ICT-based business processes, and provide continuity and rendering of services for all entities of the maritime environment.