In our continuing coverage from this week’s Nor-Shipping 2017 conference in Oslo, Norway, we bring you remarks by Rear Adm. Paul Thomas, given during a panel titled “Maritime Cybersecurity: Risks, Resilience and Strategies for Defense in Depth,” and facilitated by Julian Bray of TradeWinds. These remarks are not ‘as delivered’ but provide a condensed version of the panel highlights in the ‘panel-conversational’ style.
In his remarks, Thomas focuses on cyber risk in the maritime shipping environment and the importance of incorporating cyber risk management into operations and maintenance at the earliest stages of ship design and construction.
Maritime Cybersecurity: Risks, Resilience and Strategies for Defense in Depth
I want to touch on three points: where we’ve been, where we are, and where we are headed with regard to cyber risk management and cyber security in the MTS [Marine Transportation System], and specifically in shipping in the view of the Coast Guard. I’ll focus on shipping because I believe this audience is largely focused there, but the CG has also been working hard on cyber risk management throughout the MTS and particularly at regulated facilities and in navigation systems. The authorities are different and the mechanisms of governance are different but the key concepts are the same.
So, where have we been? For about three years we have been working, as have many of you, to build awareness of cyber risks in shipping. Our message has been simple and straightforward:
Cyber is not just about hackers and attackers. Many high profile cyber system breaches have been reported in the media recently, and there is no doubt that nation states, cyber criminals and “hacktivists” will continue to target cyber systems, including data and control systems in the MTS. But cyber systems are not just vulnerable to hackers and attackers. Cyber accidents, such as the unintentional introduction of malware or the improper application of a software patch by well-intentioned employees, customers or contractors, can have cyber and physical consequences as debilitating as those of an intentional attack. In fact, we have seen failures of critical safety and environmental systems that resulted from cyber accidents.
It is not just an IT thing. Thinking about cyber as simply an IT issue is like thinking about the safe operation of a ship as simply a main propulsion issue. IT systems and personnel can help enable safe, secure, environmentally sound and productive operations, but they can’t assure it. Cyber is an operational issue. It touches on every aspect of how we design, construct, operate and maintain ships and port facilities, and how we train and equip the people who operate them.
It is not a brave new world. While the cyber revolution has led to a whole new way to operate in the MTS and a whole new set of vulnerabilities and risks to consider, it has not resulted in the need to develop a whole new structure for the management of those risks. The good news is that in many ways cyber and cyber risk management is not a brave new world for shipping; it is the next cycle in the evolution of shipping. When we moved from sail to steam propulsion as a new operational construct, we introduced new operational risk management measures, including design, construction and maintenance standards for boilers and, for the first time, shipboard engineers. As we grow our reliance on cyber systems we must similarly introduce the appropriate risk management measures. Safety culture extends into cyberspace, and safety and operational management systems should address the training, operations and maintenance of critical cyber systems in ways that reduce vulnerability to both cyber accidents and cyber attacks.
Really, cyber is about operational risk management and this industry knows how to manage operational risk.
Much progress has been made in just a few years in building awareness of cyber risks in shipping. Cyber Risk Management [CRM] is now a household term in the shipping industry. This is not the case in other critical infrastructure segments. It reflects a maturity of understanding of the entire cyber challenge beyond hackers and attackers. Industry associations and class societies have published CRM guidelines. IACS [International Association of Classification Societies] has made cyber safety and CRM a focus area, and IMO also has developed guidelines for shipboard CRM.
So, we can check the box on awareness of cyber as a risk management challenge.
Our focus now is on installing governance over cyber risk in the same way we have installed governance for physical risks. It is our view that, to the extent a ship or shipping company relies on cyber systems to meet existing international or domestic requirements around safety, security and environmental protection, there already exists an obligation to understand and manage the risks associated with those systems.
The U.S. has submitted a paper to IMO for consideration at MSC 98 [Maritime Safety Committee 98] that makes the case for installation of governance over cyber risks as part of the SMS [safety management system] required by the ISM code. The ISM code requires that an SMS establish safeguards for all risks and procedures to ensure compliance with all requirements of the convention. The ISM code specifically mentions computer systems, which we take to include control systems. Our paper suggests a timeline for PSCOs [port state control officers] to verify that a ship’s SMS does indeed address cyber risks.
We’re focused now on the basic components of governance that can get at the risk associated with the operations and maintenance of critical cyber systems, and that help to mitigate the risk of existing systems that have vulnerabilities resident in their design and integration with shipboard systems. These basic components of governance include the things you are all familiar with: (1) accountable personnel responsible for CRM, (2) a corporate structure to address CRM training requirements based on access to cyber systems, and (3) corporate and shipboard procedures for O&M [operations and maintenance] of critical cyber systems – all the things you expect to be in place to manage other types of operational risk.
Now is the time to get at the risk inherent in existing critical cyber systems by installing basic governance over the O&M of these systems.
Next we must focus on mitigating inherent cyber risk through standards for the design, construction and integration of shipboard cyber systems, in the same way we set standards for ship structure or propulsion systems. I know that IACS is working hard on this and we’ll hear next on the cyber safety initiative at ABS [American Bureau of Shipping]. Ships of the future will have cyber systems designed and integrated to class and other standards incorporated into IMO and domestic regulation. They will be operated and maintained in accordance with approved SMSs that are compliant with the ISM code or domestic requirements.
How we get there, how fast and who leads us is still up for debate. But the need to incorporate cyber risk at every stage of ship design, construction and operation is not debatable.
I look forward to your thoughts and discussions on this important topic.
To read more from Rear Adm. Thomas during Nor-Shipping 2017, view additional Maritime Commons posts:
This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.