Why do we need a holistic approach towards Maritime Cybersecurity?

Regardless of what business you are in, holistic cybersecurity is deemed to be an integral part of a company’s digitalization. With cyber-attacks increasing at a rapid pace, most companies have taken up the smart strategy of protecting themselves through a blend of technology tools and processes.

Automation, digitization and integration drive maritime industries now more than ever, and maritime infrastructure is more reliant on cyber technology. Consequently, cyber security has become a major cause of alarm in the maritime industry.

Cyber-attacks can cause incidents related to navigation, movement of cargo, and other processes. Such incidents threaten lives, the environment, and property, and considerably disrupt maritime trade movement.

Cyber security is not just about preventing hackers from gaining access to systems and information. It’s also about protecting digital assets and information, ensuring business continuity, and making sure the maritime industry is resilient to outside threats. That means not only keeping ship systems safe from physical attack, but also ensuring that supporting systems are robust.

Compared to other areas of protection and security, cyber risk management is more challenging due to the lack of information about cyber-attacks and their impact. Until this information is acquired, the impact and probability will continue to be uncertain.

Recent experience of cyber-attacks in the maritime industry and in other business sectors, such as banking, finance and insurance, public administration and the airline industry, has shown that any successful cyber-attack might have a substantial impact on the provision of services and compromise the safety of an organization’s assets.

The main objectives of cyber-attacks in the maritime business include media attention, denial of service, access to targeted systems, selling stolen data, holding organizations to ransom over stolen data and system operability, organizing fraudulent movement of cargo, gathering intelligence on the precise location of cargo, ship transportation and handling plans, circumventing cyber security defenses, financial gain, disruption of the economy, and gaining knowledge about critical information/national infrastructure.

Is Standalone Technology Not Enough?

Cybersecurity is too great a risk to ignore or to sideline. With data breaches being costly and leaving a long-lasting stain on an organization’s reputation, most companies have cyber protection on their radar.

However, to achieve this goal, they mostly equip themselves with state-of-the-art, robust cybersecurity tools which promise to offer excellent security. This is a step in the right direction, but a path that ends with a nasty fall.

This is primarily because smart hackers take their time and manage to break past these tools through various techniques, using proximity to an organization or human psychology as a tool.

Additionally, they can opt for social engineering, or simply manipulate insiders of an organization, to carry out an attack.

The Holistic Approach

  • Holistic security is an approach that seeks to integrate all the elements designed to safeguard an organization, considering them as a complex and interconnected system. The ultimate purpose of holistic security is continuous protection across all attack surfaces: the totality of all physical, software, network and human exposure.
  • Based on systems thinking, holistic security involves consideration of how any security system’s constituent parts interrelate and work within the context of larger systems. A holistic approach can be applied to almost anything that requires security, be it a person, a computer, a network, a building or a property, but it must always be considered within the broader context.
  • The integration of different levels and types of security enables a more comprehensive understanding of vulnerabilities and more comprehensive protection against a variety of threats.
  • For security to be considered holistic, a number of requirements must be met. First, separate areas of security must be applied together: locks, for example, in the physical environment and security software in the virtual environment. Holistic security also demands that systems and devices be compatible and interoperable.
  • Employees and management, both an integral part of the system, need to be trained. All employees should be encouraged to provide feedback and suggestions and to identify any security holes they detect. Security policies and procedures must be clearly understood by all personnel, and those who will be working with the security system should have input into its implementation.
  • Holistic security is increasingly crucial in light of the developing Internet of Things (IoT). IoT security is complicated by the huge numbers of non-computing devices and other objects (things) being outfitted with networking and data transfer capabilities. Because these systems often communicate over the internet and/or interface with other networks, it’s essential that they and their extended environments are secured.

The best way to achieve a capable cybersecurity infrastructure is a holistic approach to cybersecurity. A concept based upon a balanced and integrated use of technology, people, and processes is the ultimate defensive approach against the complex cybersecurity challenges occurring in the modern world.

The International Association of Classification Societies (IACS) has recently published new Unified Requirements (URs) for cyber security: E26 and E27. The aim of these URs is to provide a minimum set of requirements for the cyber resilience of ships, giving stakeholders the technical means to achieve cyber-resilient ships.

  • UR E26 aims to ensure the secure integration of both Operational Technology (OT) and Information Technology (IT) equipment into the vessel’s network during the design, construction, commissioning, and operational life of the ship. This UR targets the ship as a collective entity for cyber resilience and covers five key aspects: equipment identification, protection, attack detection, response, and recovery.
  • UR E27 aims to ensure system integrity is secured and hardened by third-party equipment suppliers. This UR provides requirements for cyber resilience of onboard systems and equipment and provides additional requirements relating to the interface between users and computer-based systems onboard, as well as product design and development requirements for new devices before their implementation onboard ships.

These will be mandatory for classed ships and offshore installations contracted for construction on or after 1 January 2024. 

At Varuna Marine Services B.V., our approach to Cyber Security Compliance is in line with MSC.428(98) and consists of 24/7 Active Network Monitoring: CyberShell.

  • Our solutions ensure compliance with these URs as part of a unified approach to protecting the ship as a whole.
  • Our fully managed cybersecurity solution captures all cyber security related KPIs and ensures compliance at all times. 
  • Our team of Cyber Security experts will carry out an annual and biannual soft and hard audit to ensure a full test of readiness against any external cyber-attack.