Cyber in Safety Management

Those involved in integrating cybersecurity into Safety Management Systems should remain aware of a fundamental cultural difference in how safety management and security management approach risk. Safety risks are tied to a specific set of acts or conditions that can be managed as an isolated entity. Security risks, by contrast, are tied to an outcome that a threat agent wants to achieve.

Let’s consider a situation involving a crane. Under the Safety Management approach, we would look at the crane, its design, its operations, the training of its operators, the environment in which it is used and so on. The key element here is that we are reducing the acts or conditions that lead to hazards associated with the crane. While we may not be able to completely eliminate all risk, we can manage it to a reasonable level (often referred to as being “As Low As Reasonably Practicable”).

Security threats generally focus on an outcome for the threat actor, such as disrupting operations, gaining access, or generating wealth. The threat actor looks at the means and opportunities available to achieve that intent and, depending on what is found, picks the one that offers the best chance of success. Addressing one aspect of security risk may therefore not mitigate the risk at all, but merely reposition or shift it into other areas.

This operates slightly differently in the cybersecurity space, at least for now and for the most part. Unless we are dealing with a live attacker, many attacks rely on tools that are engineered to behave in a particular way. Consequently, we can reduce the opportunities those tools have to operate (the set of opportunities is often referred to as the attack surface). This, however, does not address the root cause of the issue: the threat actor.

This assumption, however, may have a limited lifespan. As systems that "think" by way of neural networks mature, we may see an intermediary stage appear between the threat actor and the threat mechanism. A threat actor could develop or contract an intermediary capable of conducting its own reconnaissance and, using that information, selecting not one but several threat mechanisms to be used separately or together in an attack. Again, the premise holds: the security threat has shifted its attention to something else and has not actually been addressed.

Being cognizant of this difference is something that needs to be reinforced as we look at integrating security controls into safety management. We need to examine the safety risk management philosophy in a way that takes this, and other core differences, into account.

IMO Insider Threat Toolkit

As discussed in the August 2024 newsletter, the IMO Insider Threat Toolkit provides guidance on measures that can be taken to mitigate insider threats. A degree of caution is recommended, and those thinking about implementing the controls recommended in that package should do so with the assistance of competent practitioners who have experience in this domain.

Privacy-related issues, understanding what constitutes suspicious behaviour in multicultural environments, and similar challenges can become difficult waters for organizations that blindly implement certain kinds of controls. Additionally, imposing these kinds of controls in environments where "pressure is the norm" could lead to problems depending on how staff interpret the appearance of such controls.

Finally, while the focus on security controls provides good guidance, several routine processes support those controls. Asset management, inventory control, and appropriate human resources and contracting processes all contribute to the weave that becomes an effective insider threat program.

Attacks on Shipping

The attacks on shipping herald a new period of instability on the world's oceans. Attacks over the past few months by Houthi rebels against commercial shipping started this cycle, but the recent seizure of the MSC Aries illustrates a number of further problems.

Location

The seizure of the MSC Aries occurred in international waters. This is problematic because it is questionable whether the Iranian forces had any legal basis for boarding and taking control of the ship. Directing the ship out of international waters and into Iranian territorial waters also raises a number of questions.

These restrictions are enshrined in the United Nations Convention on the Law of the Sea (UNCLOS). While the Convention is largely accepted as the de facto law of the sea, Iran has signed but is not listed as having ratified it, and Israel does not appear on the list of states that have either signed or ratified it (it is listed as having an objection).

Piracy? Not Sure About that One…

Piracy, as defined in UNCLOS Article 101, contains a key phrase that makes it difficult to apply in this context: the act must be "committed for private ends by the crew or passengers of a private ship or a private aircraft." Taken together, the video and the publicly released statements make it clear that this is not the case. Given that the aircraft was a military helicopter, we might turn to UNCLOS Article 102 to see whether there were indications that the government aircraft's crew had mutinied. The statements made by Iran would make that position difficult, if not impossible, to support.

Similarly, the statements indicate that the ship was seized because of its association with Israel. Nothing in the released statements suggests that Iran considered the ship to have been engaged in piracy, so there is no reason to pursue that line of thinking and Article 105 can be taken off the table.

In brief, a claim of piracy would be a hard sell. While I am not a maritime law expert, I don't need to be when reading the text of UNCLOS: the gaps are clear enough on a basic, literal reading of the text.

Hot Pursuit

This is another hard sell, if it can be sold at all. The right of hot pursuit (UNCLOS Article 111) must begin when the foreign vessel is within "the internal waters, the archipelagic waters, the territorial sea, or the contiguous zone of the pursuing State, and may only be continued…if the pursuit has not been interrupted." Given that the boarding took place in international waters, that starting condition does not appear to have been met.

Our Outcome

The seizure and removal of the MSC Aries to Iranian territorial waters creates a problem for more than a few countries. These include the flag state under which it is registered (Portugal, through the International Shipping Register of Madeira), the states of which the various crew members are citizens, and so on.

This could also raise issues with various international organizations, ranging from those lobbying for seafarer rights up to and including bodies such as the International Labour Organization.

What is clear is that this seizure will almost certainly be challenged as a "seizure without adequate grounds" under Article 106, which invokes a degree of liability for the seizure. What that liability amounts to would have to be worked out by the international courts and those with the appropriate background in maritime law.

From the Security Perspective

The security profession tends to rely upon the good conduct and intentions of states. This act calls that trust into question. We saw a similar attack (helicopters, with personnel rappelling onto the deck) when the Galaxy Leader was seized on 19 November 2023. That attack, having been carried out by non-state actors, may fall closer to the definition of piracy (the maritime lawyers and courts can decide that). This attack is fundamentally different in that it did not involve a third party; it was carried out by Iranian forces.

Private security forces are generally not equipped to take on state actors. Attacks by pirate groups and such are one thing, but taking on the navies or armed forces of nation states is quite another.

This raises the question of where an appropriate response lies. Is it with the naval forces in the area? Potentially, but would that lead to an escalation of tensions and activities even less palatable to those attempting to transit the waters for legitimate commercial purposes? Does it belong in the realm of diplomacy? Given what we are seeing, what are the realistic chances of success there?

Does this create a situation where direct escorting of vessels is the only option, with the escorting vessels essentially creating an exclusion zone around clusters of ships and preventing aircraft from approaching them? Again, we are left with the question of what happens should the aircraft simply ignore the instructions of the escorting vessel. In all cases, what we can say is that this turn of events has increased tensions and further destabilized the region, something that should not go unnoticed by organizations that seek to protect the legitimate use of the sea.

USA Rule Making

While the USA is currently generating cybersecurity rules for both ships and ports under a White House Executive Order, there are more than a few things to monitor. This post looks at some of the main issues.

First, with the USCG generating the rules, the USA has a significant opportunity to ensure that the rules for ships and ports are well aligned. While these two aspects of maritime security have often been treated separately, they function as part of a larger system of systems. Ports act not only as a point to service ships (maintenance and so on) but also as a transition point between modes of transportation (ship to rail, ship to truck). While IT security doctrine has tended to focus on a single mode of transportation, the maritime sector, important as it is, sits within supply chains and transportation networks that are multi-modal by nature.

The other challenge is that these rules may only apply to specific operations or ships, such as those on international voyages. This does not reflect the cybersecurity threat landscape: a connected ship of any type, including traditionally excluded or exempted vessels, faces threats once it is connected to the internet. This may force a decision either to bring all shipping (including recreational boats intending to connect to port networks) under the same regime, or to create something similar to zones in which certain kinds of ships would be allowed to connect and others would not. Any such arrangement would have to align with how the port's own networks are zoned.

Finally, some issues are emerging from the approaches being taken. Ships, particularly those that will need to demonstrate compliance with IACS UR E22, E26 and E27, will essentially be operating certified networks. The challenge arises when those trusted and certified networks have to connect to unknown or uncertified networks, which will happen routinely around the world. The Zero Trust model is one way of mitigating many of the associated risks and is likely an option being explored. The key, however, will be for shipowners going through renewal or reclassification with their classification societies to produce the evidence a surveyor needs to confirm that their operations and cybersecurity posture have been maintained.

And this is where we come to another upcoming vulnerability in the overall system. At this point, port state entities have relatively scarce resources to conduct credible inspections and assessments at an industry level. The numbers are adequate to generate standards, but administrations will be tempted to produce standards and then fall back on regimes that rely on the presentation of certificates. Those certificates will become attractive to counterfeiters, who will offer certificates for a fee without the audits and assessments to back them up. Before we roll into this, it may be prudent for the Maritime Safety Committee or another body within the IMO to produce a template for Contracting Governments that incorporates the integrity controls needed to prevent (or at least more easily detect) this. This would require both the controls and the means of verifying them.
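The page does not prescribe how such a template would work. As an added illustration (not from the page, the IMO, or any administration), the following Go program shows one shape that "controls plus the means of verifying them" could take: each certificate is bound to a hash of the audit report it rests on, signed by the issuing administration with an Ed25519 key, and checked offline by an inspector who holds the administrations' public keys and a copy of an audit-evidence register. The certificate fields, issuer names, key distribution and register are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Certificate is a hypothetical cyber-compliance certificate record; the field set is an
// assumption for this example, not an IMO, IACS or flag-state format.
type Certificate struct {
	CertID        string    `json:"cert_id"`
	IMONumber     string    `json:"imo_number"`
	Standard      string    `json:"standard"`
	Issuer        string    `json:"issuer"`
	AuditReportID string    `json:"audit_report_id"`
	EvidenceHash  string    `json:"evidence_hash"` // hex SHA-256 of the audit report behind the cert
	IssuedAt      time.Time `json:"issued_at"`
	ExpiresAt     time.Time `json:"expires_at"`
}

// SignedCertificate adds the issuing administration's Ed25519 signature (hex) over the
// certificate's canonical JSON encoding.
type SignedCertificate struct {
	Cert      Certificate `json:"cert"`
	Signature string      `json:"signature"`
}

var (
	ErrUnknownIssuer   = errors.New("issuer is not a trusted administration")
	ErrBadSignature    = errors.New("signature does not verify against the issuer key")
	ErrOutsideValidity = errors.New("certificate is expired or not yet valid")
	ErrNoAuditEvidence = errors.New("no matching audit evidence registered for this certificate")
)

// canonical gives deterministic bytes to sign: encoding/json writes fields in declaration order.
func canonical(c Certificate) ([]byte, error) { return json.Marshal(c) }
// NewIssuerKey generates an Ed25519 key pair for an issuing administration.
func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }
// EvidenceHash ties a certificate to one specific audit report.
func EvidenceHash(report []byte) string { sum := sha256.Sum256(report); return hex.EncodeToString(sum[:]) }

// Issue signs the certificate with the administration's private key.
func Issue(priv ed25519.PrivateKey, c Certificate) (SignedCertificate, error) {
	msg, err := canonical(c)
	if err != nil {
		return SignedCertificate{}, err
	}
	return SignedCertificate{Cert: c, Signature: hex.EncodeToString(ed25519.Sign(priv, msg))}, nil
}

// Verifier is what a port state inspector holds offline: issuer public keys and a copy of the
// audit-evidence register (cert_id -> evidence hash). How these are distributed is assumed here.
type Verifier struct {
	TrustedIssuers   map[string]ed25519.PublicKey
	EvidenceRegister map[string]string
}

// Verify checks issuer, signature, validity window and registered audit evidence: a counterfeit
// fails the signature check; a real issuer's certificate with no audit on file fails the evidence check.
func (v Verifier) Verify(sc SignedCertificate, now time.Time) error {
	pub, ok := v.TrustedIssuers[sc.Cert.Issuer]
	if !ok {
		return ErrUnknownIssuer
	}
	sig, err := hex.DecodeString(sc.Signature)
	msg, merr := canonical(sc.Cert)
	if err != nil || merr != nil || !ed25519.Verify(pub, msg, sig) {
		return ErrBadSignature
	}
	if now.Before(sc.Cert.IssuedAt) || now.After(sc.Cert.ExpiresAt) {
		return ErrOutsideValidity
	}
	if want, ok := v.EvidenceRegister[sc.Cert.CertID]; !ok || want != sc.Cert.EvidenceHash {
		return ErrNoAuditEvidence
	}
	return nil
}

func main() {
	pub, priv, _ := NewIssuerKey()
	report := []byte("constructed sample audit report: E26 controls reviewed on board") // constructed input
	cert := Certificate{CertID: "C-0001", IMONumber: "1234567", Standard: "IACS UR E26", Issuer: "FLAG-X",
		AuditReportID: "AR-0001", EvidenceHash: EvidenceHash(report),
		IssuedAt: time.Date(2024, 5, 1, 0, 0, 0, 0, time.UTC), ExpiresAt: time.Date(2025, 5, 1, 0, 0, 0, 0, time.UTC)}
	signed, _ := Issue(priv, cert)
	v := Verifier{TrustedIssuers: map[string]ed25519.PublicKey{"FLAG-X": pub}, EvidenceRegister: map[string]string{cert.CertID: cert.EvidenceHash}}
	now := time.Date(2024, 9, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("genuine:", v.Verify(signed, now))
	forged := signed
	forged.Cert.IMONumber = "7654321" // counterfeit: a real signature copied onto a different ship's record
	fmt.Println("forged:", v.Verify(forged, now))
}
```

The scheme raises the bar on the two failure modes described above: a third party cannot mint certificates without an administration's signing key, and a certificate that was signed without an audit has nothing in the register to match. It does not, on its own, prove that the audit was competent; that still rests on the evidence the surveyor sees.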

A number of publicly available reports that have not been widely circulated outline the importance of this step. One such report, the Shen Attack, provides some context around this challenge. While different strings of ports would likely see different impacts, the general concept of the report is sound, and it is worth reading by those with responsibilities for local facilities or ports and for areas or regions.

 

Baltimore and Lessons Learned

The tragic event in Baltimore, while rare, is something we should be paying close attention to. While it will take time for investigators to build and flesh out the timeline of events, identify root causes, and communicate those publicly, we owe it to those affected to take the time to look at preventing future occurrences.

This comes in two parts.

General

First, we must look at the facts the investigations will eventually identify and communicate. Given the breadth and severity of this event, the investigation report should certainly be a public document. Given that the affected families need closure, the investigations should proceed with a sense of purpose while meeting the criteria of being thorough, supportable, relevant, timely, and impartial. There is no reason to think this will be otherwise.

Second, we need to maintain level heads. We have already seen outraged social media posts blaming one party or another. While this is natural, social media can very quickly build echo chambers that compound views based more on the reaction to the event than on the event itself. While this is challenging in an age where many outlets look to "publish first," the gravity of this event should compel people to wait for the facts to come out.

Some Questions or Thoughts

To date, some of the questions that the Association is considering include the following:

  • Many bridges were built decades ago. Looking at the evolution of container ships (and likely other types), the early container ships of around 1960 carried 500 to 800 TEU (twenty-foot equivalent units) and measured roughly 137 m x 17 m x 9 m; today's ultra-large container ships (ULCS) carry 18,000 to 21,000 TEU and measure roughly 400 m x 59 m x 16 m, almost three times that size. This is not to say that common sense would not prevail in port operations (i.e., a ship would not be told to sail through a space it cannot fit), but should these larger ships also be given "buffer zones" that take these kinds of events into account?
  • Should the design of any bridge, or any significant upgrade to one, include a point where tugs could be positioned to deflect a ship away from directly impacting the bridge? This is not as simple as it sounds. The first question is which kind of tug (conventional, tractor, or azimuthal stern drive) would be most appropriate. The second involves deploying and operating those tugs in a way that is safe for the tug operators and the vessel, and efficient for port operations.
  • Should bridges include rock islands or similar barriers that protect the bridge from impact? This is another complex engineering challenge because of the forces involved and the secondary risks. One challenge is designing the islands so that the ship is deflected but the energy of the deflection does not itself cause the bridge to fail. Another is designing the barrier so that safe navigation is maintained (these barriers take up space that would likely reduce the room available for safe navigation). There would also need to be an understanding of how they affect factors such as currents, which in turn affect the ability to keep good control over the vessel. Other questions would likely arise.
  • Should the design of bridges include shear points that would prevent the total collapse of the bridge? Many buildings have been designed this way to protect against total failure under certain blast conditions. Again, this is not a simple question and would require significant engineering by those with knowledge of the various forces on bridges (such as shear and torsion) and how to manage them. The goal would be to prevent the collapse of all spans if an impact did occur.
  • Should any bridge carrying people also have a warning system installed (such as a highway sign and siren) that can announce an emergency to those on the bridge and prompt them to evacuate? This might be under the control of the port and operated as part of coordinated emergency management with those responsible for the road networks. An additional question, if this approach is taken, is how to deal with circumstances where the bridge is congested and traffic cannot move.

To be clear, these questions arise from the situation in general, not from any specific issues in Baltimore. Nor are they intended to cast blame in any direction. They are among the questions we need to ask ourselves as we work towards preventing similar events in the future.

What we can hope for is that the families affected by the tragedy are supported, and that the investigation and recovery proceed smoothly and safely so that the port and its community return to the best conditions possible after such an event.

A Less Comfortable Thought

When considering what information should be publicly released, there is an uncomfortable fact to consider. This concern is based on something that occurred in Canada in 2013-2014. In 2013, Lac-Mégantic suffered a terrible rail disaster that left over 40 dead and over 30 buildings destroyed or significantly damaged. A detailed investigation was conducted into the causes of the event and its aftermath. Shortly after that report was published, however, images and details from the publicly released report appeared in a known terrorist organization's publication, which was encouraging attacks of a similar nature. Establishing the right balance between publicly released information and withholding information potentially useful to hostile parties is difficult, but it can be done if it is considered at the early stages of drafting the report.