Published October 5, 2020 | Version v1
Conference paper Open

Cyber Security: Supply Chain Risk Management and Defense-in-Depth requirements for Maritime Systems

Author affiliation: Rockwell Automation

Description

Cybersecurity for maritime operations requires a robust defense-in-depth approach from the initial sourcing of components, software, and systems; continuing through robust security engineering during the design, implementation, and deployment of those systems; and extending to proactive defensive measures for not only traditional information and communications technology (ICT) systems but operational technology (OT) systems as well. Global connectivity has extended the risk of network attack even while a vessel is underway. Additionally, the long lifecycle of many maritime systems contributes to the challenge of defending outdated or no-longer-supported components and systems (which are difficult to patch, or in many cases entirely unpatchable). Emerging standards and regulatory guidance are pushing the maritime industry toward compliance. These initiatives provide an opportunity to achieve improved operational practices and to eliminate the underlying cyber security vulnerabilities as well. International bodies such as BIMCO, the Oil Companies International Marine Forum (OCIMF), and the International Maritime Organization's (IMO) extension of the International Safety Management (ISM) Code and the International Ship and Port Facility Security (ISPS) Code are excellent resources for addressing cyber security risk.
The new IMO guidance, adopted by the Maritime Safety Committee on June 16, 2017, as Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems, encourages organizations "to ensure that cyber risks are appropriately addressed in existing safety management systems."[1] Many experts recommend adopting one of several international security standards or frameworks already developed to help identify, assess, and mitigate cyber security risk; these include the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27000 Information Security Management Systems (ISMS) family of standards, the Center for Internet Security (CIS) Top 20 Controls, and the United States National Institute of Standards and Technology (NIST) Cybersecurity Risk Management Framework. Another family of standards, the IEC 62443 Industrial Networks and Systems Security series, has direct application to the shipboard automation and control systems typically found throughout a vessel's propulsion, stabilization, electrical control, and deck machinery systems. Organizations can leverage a growing number of IEC 62443-compliant components, systems, and processes to streamline the steps required for overall compliance and to address their underlying cyber security risk. This paper focuses on supply chain cyber risk management for maritime operations and on effective cyber security defense-in-depth practices for the vessel's hull, mechanical, and electrical shipboard systems.

Files

INEC_2020_Paper_80.pdf (1.6 MB, md5:a046a65538b83994b54da4f40c77bca1)
