#44 Maritime Cybersecurity Compliance Measures

Some of the maritime cybersecurity compliance measures you need to consider include IMO Resolution MSC.428(98), ISA/IEC 62443, ISO/IEC 27001, and TMSA. There are also other industry and regulatory standards that you need to adhere to depending on your country of operation and the nature of your vessels' operations.

As connectivity and reliance on the Internet are now the norm, with many networked technologies essential to the operation and management of vessels, the security, safety, and reliability of these systems are paramount. To that end, the maritime industry is recognizing the need for cybersecurity oversight to ensure the effective management and mitigation of evolving cyber threats. Let's take a look at a few of the compliance measures in depth:

IMO Resolution MSC.428(98)

A significant cybersecurity compliance deadline facing the maritime industry is the International Maritime Organization's (IMO) Resolution MSC.428(98), which encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company's Document of Compliance after January 1, 2021. The resolution points to IMO's Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3). Those guidelines are deliberately high level: they do not prescribe a control catalogue such as NIST SP 800-53, but instead organize cyber risk management around the five core functions of the NIST Cybersecurity Framework, applied to both the IT and the OT systems on board.

The guidelines provide recommendations and describe five functional elements that together support effective cyber risk management:

  1. Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data, and capabilities that, when disrupted, pose risks to ship operations.
  2. Protect: Implement risk control processes and measures, and contingency planning, to protect against a cyber event and ensure continuity of shipping operations.
  3. Detect: Develop and implement activities necessary to detect a cyber event in a timely manner.
  4. Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired by a cyber event.
  5. Recover: Identify measures to back up and restore cyber systems necessary for shipping operations impacted by a cyber event.

ISA/IEC 62443

The ISA/IEC 62443 series of standards has been developed jointly by the ISA99 committee and IEC Technical Committee 65 Working Group 10 to address the need to design cybersecurity robustness and resilience into industrial automation and control systems (IACS). An IACS is defined as a collection of personnel, hardware, software, and policies involved in the operation of the industrial process that can affect or influence its safe, secure, and reliable operation. For shipboard OT (propulsion, power management, cargo and ballast control), this is the most directly applicable series of the four, since those systems are industrial control systems in everything but location. The ISA/IEC 62443 standards and technical reports are arranged in four groups:

ISA/IEC 62443 Family of Standards

General—This group includes documents that address topics that are common to the entire series:

  1. ISA-62443-1-1, Terminology, concepts, and models: introduces the concepts and models used throughout the series.
  2. ISA-62443-1-2, Master glossary of terms and abbreviations: lists the terms and abbreviations used throughout the series.
  3. ISA-62443-1-3, System security conformance metrics: describes a methodology for developing quantitative metrics derived from the process and technical requirements in the standards.
  4. ISA-62443-1-4, IACS security lifecycle and use cases: gives a more detailed description of the underlying lifecycle for IACS security, along with several use cases that illustrate various applications.

Policies and Procedures—Documents in this group focus on the policies and procedures associated with IACS security:

  1. ISA-62443-2-1, Establishing an IACS security program: describes what is required to define and implement an effective IACS cybersecurity management system.
  2. ISA-62443-2-2, IACS security program ratings: provides a methodology for evaluating the level of protection provided by an operational IACS against the requirements in the ISA/IEC 62443 series.
  3. ISA-62443-2-3, Patch management in the IACS environment: provides guidance on patch management for IACS.
  4. ISA-62443-2-4, Security program requirements for IACS service providers: specifies requirements for IACS service providers such as system integrators or maintenance providers.
  5. ISA-62443-2-5, Implementation guidance for IACS asset owners: provides guidance on what is required to operate an effective IACS cybersecurity program.

System Requirements—The documents in the third group address requirements at the system level:

  1. ISA-62443-3-1, Security technologies for IACS: describes the application of various security technologies to an IACS environment.
  2. ISA-62443-3-2, Security risk assessment for system design: addresses cybersecurity risk assessment and system design for IACS, including partitioning the system into zones and conduits and assigning each a target security level.
  3. ISA-62443-3-3, System security requirements and security levels: describes the requirements an IACS must meet to achieve a given security level.

Component Requirements—The fourth and final group includes documents that provide information about the more specific and detailed requirements associated with the development of IACS products:

  1. ISA-62443-4-1, Product security development lifecycle requirements: describes the requirements for a product developer's security development lifecycle.
  2. ISA-62443-4-2, Technical security requirements for IACS components: describes the requirements for IACS components based on the security level. Components include embedded devices, host devices, network devices, and software applications.

ISO/IEC 27001

ISO/IEC 27001 is a technology-neutral, vendor-neutral information security management standard that specifies the requirements for an effective information security management system (ISMS). The mandatory requirements are defined in clauses 4 through 10; to be certified or to pass an audit, your ISMS must conform to all of them. The Annex A controls, by contrast, are selected on the basis of the risk assessment and justified in the Statement of Applicability, so not every control has to be implemented.

Clause 4, Context of the organization: defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS scope.

Clause 5, Leadership: defines top management responsibilities, the setting of roles and responsibilities, and the contents of the top-level information security policy.

Clause 6, Planning: defines requirements for risk assessment, risk treatment, the Statement of Applicability, the risk treatment plan, and setting the information security objectives.

Clause 7, Support: defines requirements for the availability of resources, competencies, awareness, communication, and control of documents and records.

Clause 8, Operation: defines the implementation of risk assessment and treatment, as well as the controls and other processes needed to achieve the information security objectives.

Clause 9, Performance evaluation: defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review.

Clause 10, Improvement: defines requirements for handling nonconformities, corrections, corrective actions, and continual improvement.

TMSA

In 2004, the Oil Companies International Marine Forum (OCIMF) introduced the Tanker Management and Self Assessment (TMSA) programme to help vessel operators assess, measure, and improve their safety management systems. It complements industry quality codes and is intended to encourage self-regulation and promote continuous improvement among tanker operators.

The TMSA framework described here is based on 12 elements of management practice, each with a clear objective and a set of supporting KPIs. Note that the current edition, TMSA 3 (2017), reorders some of these elements and adds a thirteenth, Maritime security, which is where cyber security expectations now sit:

  1. Management, leadership, and accountability
  2. Recruitment and management of shore-based personnel
  3. Recruitment and management of vessel personnel
  4. Reliability and maintenance standards
  5. Navigational safety
  6. Cargo, ballast and mooring operations
  7. Incident investigation and analysis
  8. Management of change
  9. Safety management
  10. Environmental management
  11. Emergency preparedness and contingency planning
  12. Measurement, analysis, and improvement

For each element, the KPIs are grouped into four stages of increasing maturity, with guidance on the activities expected at each stage. You should work through all 12 elements to produce as accurate and substantive an assessment as possible. You can then use the assessment to conduct a gap analysis, identifying which elements and stages have yet to be attained and how best to develop a performance improvement programme.
