
How Class Societies Can Leverage the MTS-ISAC to Reinforce Guidelines

Next Evolution for Classification Societies

As maritime industry stakeholders well understand, Classification Societies were created to address safety and security concerns. The adherence to Class Society physical guidelines has coincided with a decrease in the number of safety and security issues impacting vessels and navigation. This is a positive trend for mariners, as historically the maritime profession has always been subject to a variety of risk factors. As Class Societies continue to help improve maritime safety and security, the latest challenge they are trying to tackle is cybersecurity.

In 2018, the International Association of Classification Societies (IACS) listed 12 recommendations for cyber safety: 1) procedures for software maintenance of shipboard equipment and systems; 2) manual / local control capabilities for software dependent machinery systems; 3) contingency plan for onboard computer based systems; 4) network architecture; 5) data assurance; 6) physical security of onboard computer based systems; 7) network security of onboard computer based systems; 8) vessel system design; 9) inventory list of computer based systems; 10) integration; 11) remote update/access; and 12) communication and interfaces.


Do Cyber Guidelines Match the Threat Landscape?

Class Societies have been publishing their own cybersecurity guidelines for the last few years. As a result, the recommendations outlined above are covered in various ways by the different Class Societies. Some have taken a pragmatic approach, while others have focused on creating elaborate frameworks with security controls to be met. While perhaps well-intentioned to ensure the safe operation of a vessel, overelaborate guidelines can cause an undue burden on vessel owners and operators. Worse yet, the additional work may not result in real risk reduction or really be “used” to reduce risk.

In addition, stakeholders may not understand the exact intent or desired outcome of a cybersecurity control (i.e. how it will reduce risk). Part of a well-balanced and strategic approach to Class Society cybersecurity guidelines should be to ground them in a firm understanding of practical maritime risk management. If the purpose of the control is to help support safe and secure marine operations, then it helps to support the control with practical information concerning current, real-world cyber risks to maritime stakeholders. Take the following example, where The Guidelines on Cyber Security Onboard Ships may not have enough context:

· Guideline: An awareness program should be in place for all onboard personnel, covering…risks related to emails and how to behave in a safe manner. Examples are phishing attacks where the user clicks on a link to a malicious site.

What type of awareness program is adequate? What are the types of phishing attacks taking place, how can they be recognized, and what are safe behaviors? Are there supplemental or complementary controls that should be put in place to protect against phishing attacks?


How Can Class Societies Leverage the MTS-ISAC?

As Class Societies work to provide meaningful guidance to their stakeholders, they can benefit from the information being shared by maritime stakeholders. By joining the MTS-ISAC, Class Societies can gain valuable insights provided by daily information shares as well as published security advisories. In addition, they can contribute to the maritime cybersecurity community in additional ways. First, they can share their understanding of the state of cybersecurity of their class vessels. Next, they can also help disseminate meaningful information regarding current cyber threat trends which pose risks to their stakeholders. Because of the integrated role Class Societies play in the maritime community, there are multiple ways they can actively help safeguard the community!

In both situations, Class Societies can dig deeper into the actual risks posed by threat actors. Focusing on actual versus potential risks is what Class Societies have traditionally done. While there are plenty of scenarios that Class Societies can explore, helping maritime stakeholders address the known and present risks to improve the safety and security of maritime operations is their primary focus.

Now let’s take our previous guideline example and make it more meaningful for all types of stakeholders, including security, operations, and crewmembers, as they all have a role to play in cybersecurity efforts.

· Guideline: An awareness program should be in place for all onboard personnel, covering…risks related to emails and how to behave in a safe manner. Examples are phishing attacks where the user clicks on a link to a malicious site.

· Context: Threat actors are using both Sat-C and email to send phishing messages impersonating Port State Control authorities. Recent message subjects have focused on COVID-19 and the message details often solicit the victim to send personally identifiable information (PII) regarding crew and/or passengers with an urgent deadline.

· Control Recommendations

o People: Create cyber security awareness through a mix of in-person and online training using real-world examples of phishing campaigns; implement email security policies.

o Processes: Ensure personnel understand how to handle links and attachments, as well as report phishing emails to the security team.

o Technology: Implement multi-factor authentication (MFA) where feasible; apply the principle of least privilege and limit the use of administrative accounts; leverage secure email features (DKIM, DMARC) and disable POP3, IMAP, and/or SMTP where feasible (O365 users); enable suspicious email activity logging and alerting; limit the ability to send unencrypted PII; block and/or scan for URLs and malicious attachments in email; use email security tools to detect and filter spam and phishing attacks.
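To show what "suspicious email activity logging and alerting" can look like for the phishing pattern described in the Context bullet, here is an added example (not MTS-ISAC, Class Society or vendor code) that triages a message by its Authentication-Results header together with the impersonation, PII-solicitation and urgency traits named above; the header layout, keyword lists, thresholds and the sample message are all constructed assumptions.

```python
"""Triage helper for Port State Control phishing (constructed example)."""
import re
from email import message_from_string
from email.message import Message

# Assumption: the mail gateway stamps a standard Authentication-Results header.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|temperror|permerror)", re.I)
# Assumed keyword lists derived from the pattern described in the Context bullet.
IMPERSONATION = ("port state control", "psc inspection", "maritime authority")
PII_TERMS = ("passport", "crew list", "seafarer id", "date of birth", "personal details")
URGENCY = ("within 24 hours", "immediately", "urgent", "deadline", "detained")


def auth_results(msg: Message) -> dict:
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...}; a missing verdict reads as 'none'."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(header):
            results[method.lower()] = verdict.lower()
    return results


def triage(raw: str) -> dict:
    """Classify one raw RFC 822 message as deliver / review / quarantine."""
    msg = message_from_string(raw)
    low = ((msg["Subject"] or "") + " " + msg.get_payload()).lower()
    auth = auth_results(msg)
    findings = []
    if auth["dmarc"] != "pass":
        findings.append(f"dmarc={auth['dmarc']}")
    if any(t in low for t in IMPERSONATION):
        findings.append("impersonates Port State Control")
    if any(t in low for t in PII_TERMS):
        findings.append("solicits crew/passenger PII")
    if any(t in low for t in URGENCY):
        findings.append("urgent deadline")
    # DMARC not passing plus at least two social-engineering traits: quarantine and alert.
    if auth["dmarc"] != "pass" and len(findings) >= 3:
        verdict = "quarantine"
    else:
        verdict = "review" if findings else "deliver"
    return {"verdict": verdict, "findings": findings, "auth": auth}


SAMPLE = """\
From: "Port State Control" <inspections@psc-notice.example>
To: master@vessel.example
Subject: URGENT: COVID-19 Port State Control inspection notice
Authentication-Results: mx.vessel.example; spf=softfail smtp.mailfrom=psc-notice.example; dkim=none; dmarc=fail header.from=psc-notice.example

Dear Master, to avoid the vessel being detained, send the crew list with
passport numbers and date of birth of all crew within 24 hours.
"""  # constructed sample message

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The `findings` list is what would be written to the alert so the security team sees why a message was held, not just that it was.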

When this type of additional information is matched with a given control, stakeholders can better understand how to effectively implement guidelines to help prevent transportation security incidents. This type of approach provides real-world and functional examples to industry partners that align with and support the intent behind the United Nations’ International Maritime Organization’s adoption of “Resolution MSC.428(98) Maritime Cyber Risk Management in Safety Management Systems”, compliance with which is required by the annual Document of Compliance audit date starting as of January 1, 2021. Once again, this can help eliminate some of the confusion that surrounds the general language included in the resolution with more concrete information.


Sterling Example of the Path Forward

ClassNK has positioned itself as a thought leader striving to understand ongoing, real-world cyber impacts to maritime stakeholders by being the first Classification Society to join the MTS-ISAC. We are excited about ClassNK’s proactive and practical approach to understanding maritime cyber safety and security issues. We appreciate their dedication to the maritime community and desire to effectively communicate and share information regarding cyber risks to maritime stakeholders! While many organizations still have challenges with teams remaining in separate silos, cybersecurity requires a multi-disciplinary team approach. By building a cross-sectional team of marine and security experts, ClassNK implemented a maritime cybersecurity best practice for collaboration between their experts to engage with their stakeholders.

© 2020 by MTS-ISAC