#44 Maritime Cybersecurity Compliance Measures

Some of the maritime cybersecurity compliance measures you need to consider include IMO Resolution MSC. 428(98), ISA/IEC 62443, ISO/IEC 27001, and TMSA. There are also other industry and regulatory standards that you need to adhere to based on your country of operation and nature of your vessels’ operations.

As connectivity and reliance on the Internet are now the norms with many technologies essential to the operation and management of vessels, the security, safety, and reliability of these systems is paramount. To that end, the maritime industry is recognizing the need for cybersecurity oversight to ensure the effective management and mitigation of evolving cyber threats. Let’s take a look at a few of the compliance measures in depth:

IMO Resolution MSC.428(98)

A significant cybersecurity compliance deadline facing the maritime industry is the International Maritime Organization’s (IMO) Resolution MSC.428(98), which encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company's Document of Compliance after January 1, 2021. These are based on the NIST 800-53 R4 cybersecurity framework and tailored for the Maritime industry to provide a standardized approach for applying and evaluating security controls within an OT environment.

These guidelines provide recommendations and include functional elements that support effective cyber risk management:

  1. Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data, and capabilities that, when disrupted, pose risks to ship operatio
  2. Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations.
  3. Detect: Develop and implement activities necessary to detect a cyber-event in a timely manner.
  4. Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber event.
  5. Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.

ISA/IEC 62443

The ISA/IEC 62443 series of standards have been developed jointly by the ISA99 committee and IEC Technical Committee 65 Working Group 10 customized to address the need to design cybersecurity robustness and resilience into industrial automation control systems (IACS). An IACS is defined as a collection of personnel, hardware, software, and policies involved in the operation of the industrial process, and that can affect or influence its safe, secure, and reliable operation. The ISA/IEC 62443 Series Standards and Technical Reports are arranged in four groups:

ISA/IEC 62443 Family of Standards

General—This group includes documents that address topics that are common to the entire series:

  1. ISA-62443-1-1
    Terminology, concepts, and models
  2. ISA-62443-1-2

    Master glossary of terms and abbreviations
  3. ISA-62443-1-3
    System security conformance metrics
  4. ISA-62443-1-4
    IACS security lifecycle and use-cases
  1. Part 1-1: Terminology, concepts, and models introduce the concepts and models used throughout the series.
  2. Part 1-2: Master glossary of terms and definitions is a list of terms and abbreviations used throughout the series.
  3. Part 1-3: System security conformance metrics describe a methodology to develop quantitative metrics derived from the process and technical requirements in the standards.
  4. Part 1-4: IACS security lifecycle and use cases provide a more detailed description of the underlying lifecycle for IACS security, as well as several use cases that illustrate various applications.

Policies and Procedures—Documents in this group focus on the policies and procedures associated with IACS security:

  1. ISA-62443-2-1
    Establishing an IACS security program
  2. ISA-62443-2-2
    IACS security program ratings
  3. ISA-62443-2-3
    Patch management in the IACS environment
  4. ISA-62443-2-4
    Security program requirements for IACS service providers
  5. ISA-62443-2-5
    Implementation guide for IACS asset owners
  1. Part 2-1: Establishing an IACS security program describes what is required to define and implement an effective IACS cybersecurity management system.
  2. Part 2-2: IACS security program ratings provide a methodology for evaluating the level of protection provided by an operational IACS against the requirements in the ISA/IEC 62443 Series of standards.
  3. Part 2-3: Patch management in the IACS environment provides guidance on patch management for ACS.
  4. Part 2-4: Security program requirements for IACS service providers specify requirements for IACS service providers such as system integrators or maintenance providers.
  5. Part 2-5: Implementation guidance for IACS asset owners provides guidance on what is required to operate an effective IACS cybersecurity program.

System Requirements—The documents in the third group address requirements at the system level:

  1. ISA-62443-3-1
    Security technologies for IACS
  2. ISA-62443-3-2
    Security risk assessment for system design
  3. ISA-62443-3-3
    System security requirements and security levels
  1. Part 3-1: Security technologies for IACS describes the application of various security technologies to an IACS environment.
  2. Part 3-2: Security risk assessment for system design addresses cybersecurity risk assessment and system design for IACS.
  3. Part 3-3: System security requirements and security levels describe the requirements for an IACS system based on the security level.

Component Requirements—The fourth and final group includes documents that provide information about the more specific and detailed requirements associated with the development of IACS products:

  1. ISA-62443-4-1
    Product security development lifecycle requirements
  2. ISA-62443-4-2
    Technical security requirements for IACS components
  1. Part 4-1: Product security development life cycle requirements describe the requirements for a product developer’s security development lifecycle.
  2. Part 4-2: Technical security requirement for IACS components describes the requirements for IACS Components based on the security level. Components include Embedded Devices, Host Devices, Network Devices, and Software Applications.

ISO/IEC 27001

ISO 27001 is a technology-neutral, vendor-neutral information security management standard that offers a prescription of the features of an effective information security management system (ISMS). The mandatory requirements for ISO 27001 are defined in its clauses 4 through 10 – to receive certification or to pass an audit, your ISMS must conform to these requirements.

CLAUSE 4

Context of the Organization

defines requirements for understanding external and internal issues, interested parties and their requirements, and defining the ISMS scope.

CLAUSE 5

Leadership

defines top management responsibilities, setting the roles and responsibilities, and contents of the top-level Information Security Policy.

CLAUSE 6

Planning

defines requirements for risk assessment, risk treatment, Statement of Applicability, risk treatment plan, and setting the information security objectives.

CLAUSE 7

Support

defines requirements for the availability of resources, competencies, awareness, communication, and control of documents and records.

CLAUSE 8

Operation

defines the implementation of risk assessment and treatment, as well as controls and other processes needed to achieve information security objectives.

CLAUSE 9

Performance Evaluations

defines requirements for monitoring, measurement, analysis, evaluation, internal audit, and management review.

CLAUSE 10

Improvement

defines requirements for nonconformities, corrections, corrective actions, and continual improvement.

TMSA

In 2004, the Oil Companies International Marine Forum (OCIMF) introduced the Tanker Management and Self Assessment (TMSA) program to help vessel operators assess, measure, and improve their safety management systems. It complements industry quality codes and is intended to encourage self-regulation and promote continuous improvement among tanker operators.

The TMSA framework is based on 12 elements of management practice. Each element includes a clear objective and a set of supporting KPIs:

  1. Management, leadership, and accountability
  2. Recruitment and management of shore-based personnel
  3. Recruitment and management of vessel personnel
  4. Reliability and maintenance standards
  5. Navigational safety
  6. Cargo, ballast and mooring operations
  7. Incident investigation analysis
  8. Management of change
  9. Safety management
  10. Environmental management
  11. Emergency preparedness and contingency planning
  12. Measurement, analysis, and improvement

Guidelines on activities, grouped into four stages, are provided to help you meet these objectives. You should work through the 12 elements to produce as accurate and substantive an assessment as possible. You can use the assessment to conduct a gap analysis to identify which elements and stages have yet to be attained and how best to develop a performance improvement program.

Comments

Popular posts from this blog

#18 10 Main Personal Protective Equipment (PPE) Used Onboard Ship

#68 MANNED SHIPS ERA TO ARTIFICIAL INTELLIGENCE CONTROLLED SHIPS ERA (iota-4)

#41 Maritime Cybersecurity