Although the risk of incidents of information security and cybersecurity in the maritime sector have not contemplated until recently, other sectors and organizations have been concerned for decades about cybersecurity risks and the deployment of prevention and mitigation controls.
A code of best practices widely used in information security and communications systems is ISO27002. The origin of this code is the British Standard BS 7799-1 which was first published in 1995.
Security domains covered by ISO27002 are:
- Information Security Policies.
- Organization of Information Security.
- Human resources security: prior to employment, during employment, termination and change.
- Asset management: responsibility for assets, information classification, media handling.
- Access control: user access management, system and application access control.
- Physical and environmental security: secure areas, equipment.
- Operations security: procedures, responsibilities, malware protection, control of operational software, logging and monitoring, backups, audits.
- Communications Security: network security, information transfers.
- Systems acquisition, development and maintenance.
- Supplier relationships: information security, service delivery management.
- Information security incident management.
- Continuity of information security, business continuity.
- Compliance with legal and contractual requirements.
Other codes of useful good practices are those produced by the National Institute of Standards and Technology NIST in the United States. For example, the Security and Privacy Controls for Federal Information Systems and Organizations guide SP 800-53. Although this guide has been produced to protect government information systems it contains very useful recommendations for all industries.
As for the security of industrial control systems, organizations such as NIST, the Centre for the Protection of National Infrastructure CPNI in the UK and CCN in Spain have published guides with useful recommendations.
For industrial systems, the main reference in NIST would be the Guide to Industrial Control Systems (ICS) Security SP 800-82.
CPNI has produced several interesting guides. As an introductory guide the document Good Practice Guide – Process Control and Scada Security is recommended. This guide is not currently available at CPNI although may be found at alternative sites. An official translation in spanish may be found in the “Centro Criptológico Nacional” CCN website.
As for cybersecurity in the navigation systems of ships, due to the requirements of real-time response in Integrated Bridge Systems IBS, the use of sensors (e.g.: wind, depth, position) and actuators (e.g. autopilot ), they could be considered depending on the case as mission-critical IT systems or industrial control systems.
The characterization of a ship as an industrial control system is very clear if we consider the machinery, utilities and auxiliary equipment. For example, the electrical network, engines and deep well pumps are handled by industrial control equipment such as PLCs and SCADA systems.
The impact of a cyberincident in which an attacker takes control of the ECDIS navigation system or deep well pumps could have very serious consequences leading even to the sinking of the ship.
An example of the architecture of control systems used in the distributed machinery of a ship is shown here:
Some introductory ideas to incorporate maritime cybersecurity best practices, policies, procedures and controls in vessel operations can be found in the article Maritime cybersecurity using ISPS and ISM codes.
- ISO 27001: http://www.iso.org/iso/catalogue_detail?csnumber=54533
- NIST SP800-82: http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
- CCN – CPNI GPG: https://www.ccn-cert.cni.es/series-ccn-stic/guias-de-acceso-publico-ccn-stic/209-ccn-stic-480a-seguridad-en-sistemas-scada-guia-de-buenas-practicas/file.html