On June 19th, a vessel transiting the Black Sea reported a crippling GPS disruption. Drawing upon years of sea time and training, the crew safely navigated the vessel using dead reckoning and properly reported the interference to the Coast Guard Navigation Center (NAVCEN).
Unfortunately, there is a potential for an increase in these types of incidents even with the best protection measures. As electronic navigation systems become increasingly complex, interconnected, and cyber dependent, they could fall victim to bad actors, hackers, and nuisance cyber agents. Many of these incidents can be prevented or mitigated by embracing a culture of cyber risk management, without which, technical solutions like virus protection software and firewalls will have limited effectiveness. As for the vessel in the Black Sea, they were able to rapidly identify and safely recover from the interference because of the crew’s robust training and professional navigation skills.
The Coast Guard, in partnership with industry associations, class societies, and other Flag States, worked through the International Maritime Organization to develop Guidelines on Maritime Cyber Risk Management
, and a subsequent Resolution Maritime Cyber Risk Management in Safety Management Systems
. These documents affirm that safety management systems should take cyber related risks into account in accordance with the objectives and requirements of the International Safety Management Code.
In the same way the maritime industry developed a robust safety culture, we must now focus on the development of a culture of cyber risk management. Much in the same way crews train for fire and flooding emergencies, crews should also train for cyber incidents. The IMO Guidelines on Maritime Cyber Risk Management stress the importance of a continuous and cyclical process of identifying risks, protecting from those risks, detecting incidents, responding to incidents, and recovery to normal operations. It is vital that shipping companies embrace a culture of cyber risk management at all levels of their organization in order to achieve a robust cyber posture. Training, exercises and drills are a critical component of a cyber risk management regime and should be adopted into Safety Management Systems.
The Coast Guard Office of Design and Engineering Standards, in partnership with industry associations and class societies, is working to develop additional best-practice guides and industry standards which can be used to assist companies with implementing cyber risk management policies. The Coast Guard Office of Port and Facility Compliance is collaborating with the National Institute of Standards and Technology, National Cyber Center of Excellence to develop sector-specific profiles which adapt the NIST Cybersecurity Framework to specific asset classes. This collaboration has already produced profiles for bulk liquid transfer facilities, offshore platforms, and will soon be kicking-off a profile on electronic navigation and automation systems.
Source: USCG, LT Amy Midgett