USA Rule Making

While the USA is currently generating cyber security rules for both ships and ports under a White House Executive Order, there are more than a few things to monitor. This post will look at some of the main issues.

First, with the USCG generating the rules, the USA has a significant opportunity to ensure that the rules for ships and ports are well aligned. While these two aspects of maritime security have often been treated separately, they function as part of a more extensive system of systems. Consider that ports not only act as a point to service ships (maintenance, etc.) but also as a transition point between modes of transportation (ship to rail, ship to truck). While there has been a tendency for IT security doctrine to focus on a single mode of transportation, the maritime sector, while important, sits within supply chains and transportation networks that are multi-modal by nature.

The other challenge is that these rules may only apply to specific operations or ships, such as those on international voyages. This does not reflect the cybersecurity threat landscape: connected ships of any type, including traditionally excluded or exempted vessels, face threats once they connect to the internet. This may force a decision either to bring all shipping (including recreational boats intending to connect to ports) under the same regime, or to introduce something similar to zones, where certain kinds of ships would be allowed to connect and others would not. Any such scheme would have to align with how the port's own networks are zoned.

Finally, there are some emerging issues when considering some of the approaches being taken. Ships, particularly those that will need to demonstrate compliance with IACS UR E22, E26, and E27, will essentially be operating certified networks. The challenge here occurs when those trusted and certified networks have to connect to unknown or uncertified networks (which is likely to occur around the world). The Zero-Trust model is one way of mitigating many of the risks associated with this and is likely an option being explored. The key here, however, will be for shipowners going through their renewals (in terms of classification societies) or reclassification to produce the necessary evidence to the surveyor to demonstrate that their operations and cyber security postures have been maintained.

And this is where we come to another upcoming vulnerability in the overall system. At this point, port state entities have relatively scarce resources to conduct credible inspections and assessments at an industry level. The numbers are adequate to generate standards, but the temptation will be there within administrations to produce standards and then fall back on regimes that rely on the presentation of certificates. These certificates will likely be problematic and become attractive to counterfeiters, who will likely offer certificates for a fee without the actual activities, such as audits and assessments, to back them up. Before we roll into this, it may be prudent for the Maritime Safety Committee or another body within the IMO to produce a template for Contracting Governments to use that incorporates the necessary integrity controls to prevent (or more easily detect) this. This would require both the controls themselves and the means of verifying that they are in place.

A number of publicly available reports that have not been widely circulated outline the importance of this step. One such report, the Shen Attack, provides some context around this challenge. While different strings of ports would likely result in different impacts, the general concept of the report is sound and worth reading by those with responsibilities for local facilities/ports and for areas or regions.


IAMSP TET Supports OCEANUSLive.org Service

IAMSP is pleased to announce the results of the Technical Evaluation Team's (TET) review of the OCEANUSLive.org service, which is currently in beta testing and expected to move into full production in the near future. This review, undertaken by a team of three persons under the oversight of the President, examined the offering based upon its adherence to the latest sound principles of maritime domain awareness and of information and intelligence production, and upon its utility to the maritime security effort currently underway in the Indian Ocean (and applicable elsewhere).

This review touched on 168 topics, including the concept, design, fragility, safety, maintenance, life cycle management, risk management and training elements associated with the service being offered, and took place over a six-week period.

As a result of this effort, it is the assessment of the TET that the service does address a significant need or vulnerability currently evident within the maritime security awareness domain, has demonstrated itself (under normal operating conditions) to be consistently reliable, and is reasonable to integrate and maintain within an organization's normal operating routines.

The IAMSP is of the belief, based on sound doctrine and experience, that timely information communication and sharing is an essential element in helping protect our seafarers during higher-risk transits. We further echo the concept that such information sharing must be done across the full community of those seeking to protect our seafarers and add our voice to calls to the various reporting centers and organizations to focus on this important goal.