Page 20: of Maritime Reporter Magazine (September 2019)

T

THOUGHT LEADERSHIP: PORT & SHIP SECURITY

Captain Andrew Kinsey is Senior Marine Risk Consultant, Allianz Global Corporate & Specialty.

Maritime Port & Ship Security:

Drills & Training for Real World Conditions he United States Coast Guard

Marine Safety Alert 06-19 (USCG MSA 06-19) outlines a

TFebruary 2019 incident aboard a deep draft commercial vessel that called on the Port of New York / New

Jersey after experiencing a signi? cant cyber incident that impacted their ship- board network. The Safety Alert stated in part: “An interagency team of cyber ex- perts, led by the Coast Guard, re- sponded and conducted an analysis of the vessel’s network and essential con- © denisismagilov/Adobe Stock trol systems. The team concluded that bersecurity resources and best practices of the many operational systems that or cannot be relied on. although the malware signi? cantly for businesses https://www.us-cert.gov/ can be compromised in a cyber incident. As was stated in our Allianz Global degraded the functionality of the on- resources. One resource that should be Training needs to start with new hires Corporate & Specialty 2019 Safety and board computer system, essential ves- studied is the Cyber Resilience Review and include all employees. As with any Shipping Review, technology is now sel control systems had not been im- (CRR). The CCR Self-Assessment pro- business plan, it is critical that upper widespread in the maritime industry, and pacted. Nevertheless, the interagency vides a measure of an organization’s cy- management be invested in the success critical to the running of ships, ports and response found that the vessel was op- ber resilience capabilities and provides a of operational security. It is also impor- logistics. The growing use of connected erating without effective cybersecurity helpful User’s Guide that provides infor- tant to solicit and respond to rank and ? le technology in the maritime sector is ex- measures in place, exposing critical mation on conducting self-assessments, input. The best procedures are those that pected to be a positive for both safety vessel control systems to signi? cant evaluating cyber resilience capabilities are developed with robust involvement and claims. Electronic navigation tools, vulnerabilities.” and providing guidance for follow-on and communication, as well as being ship-to-shore communications and the activities. The CRR Self-Assessment subject to regular review and evaluation. greater use of sensors have the potential

This incident provides valuable guid- also enables an organization to assess its A procedure should not just look good to improve navigation and help avoid ance on how we should evaluate the se- capabilities relative to the National Insti- on paper; it also needs to be functional groundings and collisions. curity readiness of terminals, vessels and tute of Standards and Technology (NIST) and address a real need. In 2017, the International Maritime associated infrastructure. It also high- Cybersecurity Framework (CSF), and a It is also important to include business Organization (IMO) adopted its Mari- lights the importance of how security crosswalk document that maps the CRR partners in security drills to help develop time Cyber Risk Management in Safety drills and crew training should be devel- to the NIST CSF is included as a com- and strengthen relationships and estab- Management Systems resolution, which oped and conducted. A key take away of ponent of the CRR Self-Assessment Kit. lish a sound training foundation. Having requires ship owners and managers to the USCG MSA 06-19 is that the Coast A Cyber Security Self-Assessment is feedback from outside an organization incorporate cyber risk management into

Guard strongly encourages all vessel and the beginning, but it is critical that train- is vital to developing and maintaining ship safety by 2021. However, this is a facility owners and operators to conduct ing and drills are incorporated to help a robust security posture. An adequate current threat that needs to be acted on cybersecurity assessments to better un- maintain and improve port and vessel response plan in the event of an actual now, not put off until the regulations derstand the extent of their cyber vulner- security. Cybersecurity training is avail- incident is critical, and it is important go into effect. While new technology abilities. This needs to be a vessel and able on the U.S. Small Business Admin- to conduct training in real world condi- and the Internet of Things have intro- facility speci? c review as each asset can istration website (https://www.sba.gov/ tions. This means not solely relying on duced many new exposures and threats, have unique exposures. The good news course/cybersecurity-small-businesses/). IT-based systems to respond to a security in many ways current security training is that there are very good free assets All employees have a role in cyberse- incident, but instead to utilize manual re? ects the same goals and objectives available to help conduct this review. curity and cyber is a critical component backup systems. It also means that op- we had when steaming in piracy waters

The Department of Homeland Security of overall physical security. ID cards erations need to be evaluated and plans in the 1980’s; present a hard target and

Cybersecurity and Infrastructure Securi- and swipe cards are in regular use for made to reduce operations in the event have a plan that can survive a punch in ty Agency (CISA) website provides cy- facility access and these are just a few that automated systems are not available, the mouth. 20 Maritime Reporter & Engineering News • SEPTEMBER 2019

MR #9 (18-25).indd 20 MR #9 (18-25).indd 20 9/11/2019 9:29:12 AM9/11/2019 9:29:12 AM