Nobody wants to talk about regulations. Ever. But the truth is that in the maritime industry, one of the reasons we have been facing more cyber security issues is this very lack of regulation. Looking at other essential industries, there are strict regulations which govern their businesses. So what is happening with maritime?
In a perfect world, there would be an effective, uniform set of cyber security standards for maritime businesses to follow in order to protect (as far as possible) their operations from cyberattack. They’d be enforced by a global regulatory agency, which would keep the rules up-to-date against constantly changing threats.
But this world is far from perfect, and nothing approaching a comprehensive regulatory framework for maritime cyber security yet exists. The International Maritime Organization, or IMO, introduced some basic guidelines beginning in 2017, but they are generic and don’t cover every type of threat that may exist for every type of shipping or logistics system. More problematically, they lack a strong enforcement mechanism.
National regulators are working on a country-by-country basis to fill this gap, by creating cyber security mandates of their own for shipping and logistics businesses operating within their jurisdictions. However, these laws vary from one country to another, and the level of their enforcement depends upon national priorities and capabilities.
All of the above is to say that cyber security regulation for the maritime and shipping industry remains spotty and inconsistent, at best. In order to remain secure, maritime and logistics businesses need to be proactive in taking care of their own cybersecurity needs, and to look beyond existing regulatory standards to define their own cyber security strategies, policies, and implementation.
Here’s why and how.
The growing challenge of maritime cyber security: taking it on
There is a clear need for strong security standards in the maritime industry. Cyberattacks in this sector surged 400 percent in 2020, and there is no sign that they will slow down anytime soon.
As a result of this crisis situation, maritime companies have a responsibility to their customers, shareholders, partners, and employees to fully understand the cyber risk vectors that threaten their operations, and to undertake a number of basic steps to address these risks. Businesses must develop their own, internal standards of security resiliency. These include the following:
- Get to know your organization’s cyber risks, and the types of cyber threats to which it is exposed
- Carry out a responsible process for identifying gaps that exist, and designate an appropriately qualified point person to address them on an ongoing basis
- Ensure that internal cybersecurity standards and guidelines are developed and enforced
- Raise awareness among employees of cyber vulnerabilities and their responsibility to identify risks, such as phishing campaigns
- Implement a company cybersecurity program that includes regular simulations of cyber attacks to identify unforeseen gaps in response plans, in order to prepare for the worst should an attack actually occur
The evolving state of maritime cyber security regulation
As more countries introduce their own cyber security regulations for the industry, companies will also be compelled by regulators to boost cyber readiness. In the meantime, the IMO guidelines are an excellent starting point for establishing strong security standards within the maritime and logistics industries. For instance, they require that maritime companies appoint someone to oversee cyber security for their businesses, and that they conduct periodic security audits. Companies also need to check national and regional laws, in order to ensure that these are carefully followed.
Finally, it is critical to be aware of cyber-relevant regulations that apply to ports. There are several of these worldwide, which require ships to comply strictly with port cyber guidelines before they are permitted to dock or otherwise use the port. Ports and terminals are predominantly regulated by local governments and authorities. However, it appears that IMO is considering adopting the recent IAPH cybersecurity guideline for ports for inclusion in future versions of its guidelines, which generally become mandatory over time.
Nonetheless, regulatory standards for maritime cyber security ultimately remain quite weak. Enforcement exists only in a handful of countries. And even if it were global — a development that lies far in the future — the IMO cyber security standards aren’t detailed enough to guarantee a strong security posture and cyber resiliency for every business involved in the maritime supply chain.
Irrespective of the regulatory requirements that businesses in this industry may or may not be forced to comply with, maritime companies need to take it upon themselves to up their game when it comes to cyber security. Doing so entails:
- Establishing processes for detecting and managing maritime cyber security risks.
- Ensuring that they have the right people on hand to manage cyber security.
- Running simulated drills so they can practice what to do when a maritime cyber security incident occurs, and identify unforeseen gaps in their response plans.
The regulations that exist don’t necessarily extend to areas like these, but shipping businesses shouldn’t wait around on regulations to tell them what to do. They have a responsibility to their partners, their customers and themselves to protect data and operations, regardless of whether they are legally required to do so.
Cybersecurity regulations are still lagging behind reality. Therefore, given the high degree of interdependence among companies in the supply chain, the more cyber-mature companies must lead by example and hold their business stakeholders to a higher standard of maritime cyber security. This could be achieved simply by adding corresponding clauses to their business agreements, sending cyber security surveys to business partners, and running cyber security audits on significant business partners.
Compliance vs. complacency
In short, even if you manage to comply with whichever cyber security regulations may exist for maritime and shipping businesses in your jurisdiction, that compliance is not enough.
Additional, internal steps are required to avoid complacency in the face of cyber security threats. Protect your suppliers, partners, customers and your own internal stakeholders by implementing the processes, people and technology you need to stay ahead of maritime cyber security risks. Just as important, make cyber security drills a routine part of your operations in order to guarantee cyber resiliency against fast-moving threats.