The integrity of an organization’s information system is supported by the following cyber-resilience concepts (figure 36):
- Access control. The range of strategies controlling and regulating access to an organization’s IT network. The most fundamental relates to how the network is accessed by using credentials, e.g. usernames and passwords. In addition, the roles and what information users can access are subject to close management to ensure that privileges are removed if a user leaves the organization or is assigned another function. Stricter conventions on the selection of passwords are now required; passwords need to be longer and more complex, including special characters, to resist brute-force password attacks. For highly sensitive information, or if a user accesses the system from a new (remote) location, two-factor authentication is becoming the norm.
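The access-control practices listed above fit together in a small model. The following is an added example, not code from the report or from any port system it describes: a password-complexity policy, role-based privileges that are replaced (not accumulated) when a user is assigned another function and removed entirely on departure, and a step-up second-factor requirement when a login arrives from a location not previously seen for that user. All role names, privilege strings and users are constructed for illustration.

```python
"""Added example (not from the report): minimal access-control model covering
credential checks, password policy, role reassignment, offboarding and
step-up authentication from a new location. All names are constructed."""

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed role -> privilege mapping (an assumption for this example).
ROLE_PRIVILEGES = {
    "terminal_clerk": {"cargo:read"},
    "finance": {"cargo:read", "payments:approve"},
    "it_admin": {"cargo:read", "users:manage"},
}

PASSWORD_MIN_LENGTH = 12


def password_meets_policy(password: str) -> bool:
    """Complexity rule: minimum length, upper and lower case, a digit and a special character."""
    return (len(password) >= PASSWORD_MIN_LENGTH
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted, iterated hash so a stolen credential store cannot be brute-forced cheaply."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes
    role: Optional[str]
    known_locations: set = field(default_factory=set)
    active: bool = True


class AccessControl:
    def __init__(self):
        self.users = {}

    def create_user(self, name, password, role, location):
        if not password_meets_policy(password):
            raise ValueError("password does not meet the complexity policy")
        if role not in ROLE_PRIVILEGES:
            raise ValueError("unknown role")
        salt, digest = hash_password(password)
        self.users[name] = User(name, salt, digest, role, {location})

    def reassign_role(self, name, new_role):
        # Privileges follow the role: the old role's privileges are dropped, not kept.
        if new_role not in ROLE_PRIVILEGES:
            raise ValueError("unknown role")
        self.users[name].role = new_role

    def offboard(self, name):
        # A user who leaves keeps no role and cannot authenticate.
        user = self.users[name]
        user.active = False
        user.role = None

    def privileges(self, name) -> set:
        user = self.users[name]
        if not user.active or user.role is None:
            return set()
        return set(ROLE_PRIVILEGES[user.role])

    def authenticate(self, name, password, location, second_factor_ok=False) -> str:
        """Returns 'denied', 'second_factor_required' or 'granted'."""
        user = self.users.get(name)
        if user is None or not user.active:
            return "denied"
        _, digest = hash_password(password, user.salt)
        if not hmac.compare_digest(digest, user.digest):
            return "denied"
        if location not in user.known_locations:
            # New (remote) location: require the second factor before granting access.
            if not second_factor_ok:
                return "second_factor_required"
            user.known_locations.add(location)
        return "granted"

    def authorize(self, name, privilege) -> bool:
        return privilege in self.privileges(name)
```

The point worth noticing is in `reassign_role` and `offboard`: privileges are derived from the current role at check time, so a change of function cannot leave a user holding rights from a previous role, which is the accumulation problem the text warns about.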
- Data security. The range of strategies used to regulate the integrity of the information stored by an organization. Encrypting data and its transmission has become the norm to avoid breaches. Furthermore, corporate data needs to be classified by level of importance and sensitivity and stored accordingly. Key strategic information should be stored in systems only accessible through internal networks and through highly secure connections. Removable media, such as USB storage drives, but also laptops and portable devices, need to be restricted as they represent security risks if lost or stolen. Additionally, old IT equipment, particularly the hard disk drives of computers, needs to be disposed of appropriately. A common practice is to wipe or physically destroy any storage device that has been earmarked for disposal. The software and the hardware processing the data can also be tampered with, implying that their integrity needs to be verified on a regular basis.
- Network security. Involves the deployment of a range of strategies to protect the integrity of an organizational IT network. An IT network can be segmented in such a manner that the administrative network is separated from the network supporting operations. Network redundancy can improve cyber resilience. Firewalls have become standard and allow monitoring of all inbound and outbound traffic between a network and the outside; virtual private networks (VPN) can also be used for outside access. IT systems also require a form of physical protection, ranging from locked access to servers and network hubs to protection from hazards, e.g. floods and power outages. An IT network must be protected from malware, which can use the network itself as a propagation tool within an organization’s IT infrastructure. Furthermore, the physical components of the network, such as cables and switch boxes, must be hardened against physical damage.
- Operational security. The range of strategies to ensure that daily IT operations do not contribute to risks. Software upgrades and patches must be monitored to ensure that each network component runs the latest version. Information technology networks are constantly probed by hackers, which requires the network to be continuously monitored for vulnerabilities. As an organization’s finances can be accessed online, hackers have a strong incentive to make unauthorized transactions. An organization’s IT function also has to be aware of cultural and intelligence developments in the sector to enable new risks to be identified and mitigated, and to ensure that lessons can be learned from events taking place elsewhere.
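Monitoring that every network component runs the latest version is a routine check that can be automated. The following is an added example, not from the report: an inventory of components with their installed versions is compared against a catalogue of latest known versions, and the check reports components that are behind, together with components absent from the catalogue (which cannot be assessed and need review rather than being silently passed). The host names, component names and version numbers are constructed sample data, and the dotted-version comparison is a generic one, not tied to any particular vendor's scheme.

```python
"""Added example (not from the report): patch-level check of a component
inventory against latest known versions. All data below is constructed."""

# Constructed inventory: host -> {component: installed version}.
INVENTORY = {
    "edge-fw-01": {"firewall-os": "9.1.4", "openssh": "8.9"},
    "core-sw-02": {"switch-os": "15.2.7", "snmpd": "5.9.1"},
    "vpn-gw-01": {"vpn-server": "2.5.0"},
    "ops-hmi-03": {"hmi-runtime": "4.0", "legacy-agent": "1.0"},
}

# Constructed catalogue of latest known versions (an assumption for this example).
LATEST = {
    "firewall-os": "9.1.6",
    "openssh": "9.6",
    "switch-os": "15.2.7",
    "snmpd": "5.9.4",
    "vpn-server": "2.5.0",
    "hmi-runtime": "4.0.0",
}


def parse_version(version: str) -> tuple:
    """Split a dotted version into integers; a non-numeric part counts as 0."""
    parts = []
    for part in version.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(installed: str, latest: str) -> bool:
    """True when installed < latest; shorter tuples are padded so 4.0 == 4.0.0."""
    a, b = parse_version(installed), parse_version(latest)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def check_patch_levels(inventory: dict, latest: dict) -> dict:
    """Return {'outdated': [(host, component, installed, latest)],
               'unknown':  [(host, component, installed)]} sorted for reporting."""
    outdated, unknown = [], []
    for host, components in inventory.items():
        for component, installed in components.items():
            if component not in latest:
                # Cannot be assessed: must not be treated as up to date.
                unknown.append((host, component, installed))
            elif is_outdated(installed, latest[component]):
                outdated.append((host, component, installed, latest[component]))
    return {"outdated": sorted(outdated), "unknown": sorted(unknown)}


if __name__ == "__main__":
    report = check_patch_levels(INVENTORY, LATEST)
    for host, component, installed, newest in report["outdated"]:
        print(f"{host}: {component} {installed} -> {newest}")
    for host, component, installed in report["unknown"]:
        print(f"{host}: {component} {installed} not in catalogue, review")
```

Treating an unknown component as a finding rather than a pass is deliberate: a monitoring check that only reports what it recognizes will quietly omit exactly the unmanaged software that tends to go unpatched.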
Box 4: The port of Los Angeles’ cyber-resilience centre
As cybersecurity becomes a more salient threat to the integrity of information systems, port authorities are setting up forms of organizational support. In 2022, the Port of Los Angeles Authority established a Cyber-Resilience Centre (CRC) to act as a “system of systems,” whereby port stakeholders using the Port Community System will automatically share cyber threat indicators and deploy common defensive measures. Cyber-threat information is centralized so that there is a lower risk that an attack could be successful. The goal is to create a supply chain of IT integrity through stakeholders handling cargo, e.g. terminal operators, shipping lines, motor carriers and rail carriers (See Case Study 1).
Third-party contractors or port suppliers can also be the source of cyber-attacks. Ports need to be aware of these when considering the integration of relevant digital services such as Maritime Single Windows, which offer more efficient and paperless compliance processes at ports but increase cyber exposure.
The industry organization BIMCO issued Guidelines on Cyber Security onboard Ships – fourth version (BIMCO et al., 2021). According to the BIMCO guidelines, enterprises should:
- Identify cybersecurity threats – to the ship, both external and internal, including those posed by inappropriate use and poor cybersecurity practices;
- Identify vulnerabilities of assets within the company;
- Develop inventories of onboard systems with direct and indirect communications links;
- Assess risk exposure and vulnerabilities;
- Develop protection and detection measures;
- Establish response plans, including contingency plans to respond to cyber-risks and tackle the effects of potential attacks on ship safety and security; and
- Respond and recover – from any cyber security incidents using the contingency plan, then report on the effectiveness of the response plan, update it, and reassess threats and vulnerabilities.
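Two of the steps above, the inventory of onboard systems with direct and indirect communications links and the assessment of risk exposure, can be worked through on a small constructed example. The following is added here and is not from the BIMCO guidelines or the report: a constructed inventory of shipboard systems and their links is turned into a graph, exposure to external networks is computed as the number of link hops from the outside, and systems are ranked by combining that exposure with an assumed criticality so the protection and detection measures of the next step can be prioritized. System names, links and criticality values are all constructed; the same reachability check also illustrates the network-segmentation point made earlier, since systems with no path from outside come out as isolated.

```python
"""Added example (not from the report or the BIMCO guidelines): exposure
analysis over a constructed inventory of onboard systems and their
communications links, ranked by assumed criticality."""

from collections import deque

# Constructed inventory: system -> set of systems it has a direct link to.
INVENTORY = {
    "satcom_router": {"internet", "crew_wifi", "bridge_pc"},
    "crew_wifi": {"satcom_router"},
    "bridge_pc": {"satcom_router", "ecdis"},
    "ecdis": {"bridge_pc", "gps"},
    "gps": {"ecdis"},
    "engine_control": {"engine_hmi"},
    "engine_hmi": {"engine_control"},
}

# Networks outside the ship's control (constructed).
EXTERNAL = {"internet"}

# Assumed criticality to ship safety, 1 (low) to 5 (high); constructed values.
CRITICALITY = {
    "satcom_router": 3, "crew_wifi": 1, "bridge_pc": 3,
    "ecdis": 5, "gps": 5, "engine_control": 5, "engine_hmi": 4,
}


def build_graph(inventory: dict) -> dict:
    """Links are treated as bidirectional, so a link counts whichever side recorded it."""
    graph = {}
    for system, links in inventory.items():
        graph.setdefault(system, set()).update(links)
        for other in links:
            graph.setdefault(other, set()).add(system)
    return graph


def exposure(inventory: dict, external: set) -> dict:
    """Breadth-first search from the external networks.
    Returns {system: hops}; hops == 1 is a direct link, more is an indirect one."""
    graph = build_graph(inventory)
    hops = {e: 0 for e in external}
    queue = deque(external)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return {s: h for s, h in hops.items() if s not in external}


def classify(inventory: dict, external: set) -> dict:
    """Label each inventoried system as 'direct', 'indirect' or 'isolated'."""
    exposed = exposure(inventory, external)
    labels = {}
    for system in inventory:
        if system not in exposed:
            labels[system] = "isolated"
        elif exposed[system] == 1:
            labels[system] = "direct"
        else:
            labels[system] = "indirect"
    return labels


def prioritize(inventory: dict, external: set, criticality: dict) -> list:
    """Rank exposed systems: highest criticality first, then fewest hops from outside."""
    exposed = exposure(inventory, external)
    ranked = [(criticality.get(s, 1), hops, s) for s, hops in exposed.items()]
    ranked.sort(key=lambda item: (-item[0], item[1], item[2]))
    return [(s, crit, hops) for crit, hops, s in ranked]


if __name__ == "__main__":
    for system, label in classify(INVENTORY, EXTERNAL).items():
        print(f"{system:15s} {label}")
    print("priority:", prioritize(INVENTORY, EXTERNAL, CRITICALITY))
```

In the constructed data the engine control and its HMI come out isolated, while the ECDIS and GPS, which have no direct external link, are still reachable in three and four hops through the bridge PC; this is the indirect exposure the inventory step is meant to surface, and it is where segmentation or a monitored boundary between the bridge PC and the navigation systems would pay off.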
BIMCO and other maritime non-governmental organizations (NGOs) have invited public and private stakeholders to help create global digital ISO standards to facilitate the digital exchange of data, particularly given the new urgency of the COVID-19 pandemic and increasing demand.
Other available guidelines include the Digital Container Shipping Association's Implementation Guide for Cyber Security on Vessels (v1.0); the recommendation by the International Association of Classification Societies (IACS), which applies to newbuild ships only but can also serve as guidance for existing ships (IACS, 2020); and the framework of the United States National Institute of Standards and Technology (NIST, 2018). While their target audience is the container industry, other shipping segments may also find them helpful. Taking account of IMO guidelines and the United States NIST framework, the guidance specifies, for example, that company plans and procedures for cyber-risk management should be incorporated into the existing security and safety risk management requirements contained in the International Safety Management (ISM) Code and the International Ship and Port Facility Security (ISPS) Code. The British Ports Association has issued a national-level guide on managing cyber risks (British Ports Association, 2020).