CMMC2.0/CPCSC

Shipbuilders within the USA Defense Industrial Base (USA-DIB) and Canadian Defence Industrial Base (CDA-DIB) will soon be required to hold a new cybersecurity certification as part of their contractual arrangements. While the CMMC 2.0 regime is now officially on the books, Canadian suppliers continue to wait for the formal requirements communicated through ITSP 10.171, a “Canadianized” version of NIST SP 800-171 Revision 3.

With Winter 2025 now upon the Canadian supplier base, it is likely a good time for those running the CPCSC program to begin releasing official details of those requirements. The current guidance has the requirements being written into certain RFPs beginning in Winter 2025, the period we are now entering.

With companies expected to achieve Level 1 by June 2025, the window in which those publishing the requirements can solicit feedback, while still leaving organizations enough time to meet their certification obligations, is closing quickly.

The Association will monitor this and other regimes as they enter force across the shipbuilding industry.

Cyber in Safety Management

Those involved in integrating cybersecurity into Safety Management Systems should remain aware of a fundamental cultural difference in how safety management and security management approach risk. Safety risks are tied to a specific set of actions or conditions that can be managed as their own isolated entity. Security risks, however, are better described as being tied to a specific outcome sought by the threat agent.

Let’s consider a situation involving a crane. Under the Safety Management approach, we would look at the crane, its design, its operations, the training of its operators, the environment in which it is used and so on. The key element here is that we are reducing the acts or conditions that lead to hazards associated with the crane. While we may not be able to completely eliminate all risk, we can manage it to a reasonable level (often referred to as being “As Low As Reasonably Practicable”).

Security threats generally focus on an outcome for the threat actor, such as disrupting operations, gaining access, generating wealth, and so on. The threat actor will assess the means and opportunities available to meet that intent and, depending on what it finds, pick the one that offers the best chance of success. Addressing one aspect of security risk may therefore not mitigate the risk at all, but simply reposition or shift it into other areas.

This operates slightly differently in the cybersecurity space (for now, and for the most part). Unless an attacker is actually hands-on, many attacks are carried out by tooling that has been engineered to behave in a particular way. We can therefore reduce the opportunities such tooling has to operate (the attack surface). Doing so, however, does not reach the root cause of the issue: the threat actor.

This assumption, however, may have a limited lifespan. As we look at systems that “think” through neural networks, we may see an intermediary emerge between the threat actor and the threat mechanism. The threat actor could develop or contract an intermediary able to conduct its own reconnaissance and, using that information, select not one but several threat mechanisms to be used separately or together in the attack. Again, we are back at the premise that the security threat has shifted its attention to something else and has not actually been addressed.

Being cognizant of this difference is something that needs to be reinforced as we look at integrating security controls into safety management. We need to examine the safety risk management philosophy in a way that takes this, and other, core differences into account.

IMO Insider Threat Toolkit

As discussed in the August 2024 newsletter, the IMO Insider Threat toolkit provides guidance on a range of measures that can be taken to mitigate insider threats. A degree of caution is recommended: those considering implementing the controls recommended in that package should do so with the assistance of competent practitioners who have experience in this domain.

Privacy-related issues, understanding what constitutes suspect behaviour in multicultural environments, and similar challenges can become difficult waters for organizations that blindly implement certain kinds of controls. Additionally, imposing these kinds of controls in environments where “pressure is the norm” could lead to challenges, depending on how staff interpret the appearance of such controls.

Finally, while the focus on security controls provides good guidance, several supporting routines underpin those controls. Asset management, inventory control, and appropriate human resources and contracting processes all contribute to the weave that becomes an effective insider threat program.

Attacks on Shipping

The attacks on shipping herald a new period of instability on the world’s oceans. Attacks over the past few months by Houthi rebels against commercial shipping started this cycle, but the recent seizure of the MSC Aries illustrates a number of problematic issues.

Location

The seizure of the MSC Aries occurred in international waters. This is problematic because it is questionable whether the Iranian forces had any legal basis for boarding and taking control of the ship. Directing the ship out of international waters and into Iranian territorial waters also raises a number of questions.

These restrictions are enshrined in the United Nations Convention on the Law of the Sea (UNCLOS). While the Convention is widely accepted as the de facto law of the sea, Iran has signed it but is not listed as having ratified it, and Israel does not appear on the list of states that have either signed or ratified it (it is listed as having an objection).

Piracy? Not Sure About that One…

Piracy, as defined in UNCLOS Article 101, contains a key phrase that makes it difficult to apply in this context: the act must be “committed for private ends by the crew or passengers of a private ship or a private aircraft.” Combining the video with the publicly released statements, it is pretty clear that this is not the case. Given that the aircraft was a military helicopter, we might reach for UNCLOS Article 102 to see whether there were indications that the government aircraft’s crew had mutinied. The statements made by Iran would make that position difficult, if not impossible, to prove.

Similarly, the statements indicate that the ship was seized because of its association with Israel. Nothing in the statements released suggests that Iran considered the ship to have been engaged in piracy, so there is no reason to pursue that line of thinking, and Article 105 (seizure of a pirate ship or aircraft) can be taken off the table.

In brief, the claim of piracy would be a hard sell. While I am not a maritime law expert, I don’t need to be when reading the text of UNCLOS. The gaps are sufficiently clear when taking a basic, literal approach to the text.

Hot Pursuit

This is another hard sell, if it can be sold at all. The right of hot pursuit (UNCLOS Article 111) must begin while the foreign vessel is within “the internal waters, the archipelagic waters, the territorial sea, or the contiguous zone of the pursuing State, and may only be continued…if the pursuit has not been interrupted.” With the boarding having taken place in international waters, this argument faces the same difficulty.

Our Outcome

The seizure and removal of the MSC Aries to Iranian territorial waters creates a problem for more than a few countries. These include the flag state under which it is registered (Portugal, via the International Shipping Register of Madeira), the states of citizenship of the various crew members, and so on.

This could also raise issues with various international organizations, ranging from those lobbying for seafarer rights up to and including organizations such as the International Labour Organization.

What is clear is that this seizure is almost certain to be challenged as a “seizure without adequate grounds” under Article 106, which would invoke a degree of liability for the seizure. What that liability amounts to would have to be worked out by the international courts and those with the appropriate background in maritime law.

From the Security Perspective

The security profession tends to rely upon the good conduct and intentions of states. This act calls that trust into question. We saw a similar method (helicopters and rappelling onto the deck) used when the Galaxy Leader was attacked on 19 November 2023. That attack, having been carried out by non-state actors, may fall closer to the definition of piracy (the maritime lawyers and courts can decide that). This attack is fundamentally different in that it did not involve a third party: it was carried out by Iranian forces.

Private security forces are generally not equipped to take on state actors. Attacks by pirate groups and such are one thing, but taking on the navies or armed forces of nation states is quite another.

This raises the question of where an appropriate response lies. With the naval forces in the area? Potentially, but would this lead to an escalation of tensions and activities that would become even less palatable to those attempting to transit the waters for legitimate commercial purposes? In the realm of diplomacy? Given what we are seeing, what are the realistic chances of success there?

Does this create a situation where direct escorting of vessels is the only option, with the escorting vessels essentially creating an exclusion zone around clusters of ships and preventing the movement of aircraft towards them? Again, we are left with the question of what happens should the aircraft simply ignore the instructions of the escorting vessel. In all cases, what we can say is that this turn of events has increased tensions and further destabilized a region, something that should certainly not go unnoticed by those organizations that seek to protect the legitimate use of the sea.

USA Rule Making

While the USA is currently generating cyber security rules for both ships and ports under a White House Executive Order, there are more than a few things to monitor. This post will look at some of the main issues.

First, with the USCG generating the rules, the USA has a significant opportunity to ensure that the rules for ships and ports are well aligned. While these two aspects of maritime security have often been treated separately, they function as part of a more extensive system of systems. Consider that ports not only act as a point to service ships (maintenance, etc.) but also as a transition point between modes of transportation (ship to rail, ship to truck). While there has been a tendency for IT security doctrine to focus on a single mode of transportation, there is a need to understand that the maritime sector, while important, sits within supply chains and transportation networks that are multi-modal by nature.

The other challenge is that these rules may apply only to specific operations or ships, such as those on international voyages. This does not reflect the cybersecurity threat landscape: a connected ship of any type, including traditionally excluded or exempted vessels, faces threats once it is connected to the internet. This may force a decision either to bring all shipping (including recreational boats intending to connect to ports) under the same regime, or to create something similar to zones in which certain kinds of ships would be allowed to connect and others would not. Such zones would have to align with the network zoning already in place.

Finally, there are some emerging issues with some of the approaches being taken. Ships, particularly those that will need to demonstrate compliance with IACS UR E22, E26 and E27, will essentially be operating certified networks. The challenge arises when those trusted and certified networks have to connect to unknown or uncertified networks, which is likely to occur around the world. The Zero Trust model is one way of mitigating many of the risks associated with this and is likely an option being explored. The key, however, will be for shipowners going through their renewals (in terms of classification societies) or reclassification to produce the necessary evidence to the surveyor to demonstrate that their operations and cyber security posture have been maintained.

And this is where we come to another upcoming vulnerability in the overall system. At this point, port state entities have relatively scarce resources to conduct credible inspections and assessments at an industry level. The numbers are adequate to generate standards, but the temptation within administrations will be to produce standards and then fall back on regimes that rely on the presentation of certificates. Those certificates will likely become attractive to counterfeiters, who will offer certificates for a fee without the audits and assessments that are supposed to stand behind them. Before we roll into this, it may be prudent for the Maritime Safety Committee or another body within the IMO to produce a template for Contracting Governments that incorporates the integrity controls needed to prevent (or more easily detect) this. Such a template would need to specify both the controls and the means of verifying them.
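As an added illustration (not from this newsletter, the IMO, the USCG or any classification society), the Go program below sketches one shape those integrity controls could take: a compliance certificate is a signed record, the inspecting administration holds a registry of recognised issuers' public keys, and verification rejects a certificate that has been altered after issue, one signed by a key the registry does not recognise (a "certificate mill" naming a real issuer), and one that is out of date. The record layout, issuer identifiers, vessel numbers, serials and dates are all assumptions constructed for the example, and the keys are derived from fixed seeds only so the example is reproducible.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Certificate is a hypothetical compliance record (an assumption for this example, not an IMO, USCG or class-society format).
type Certificate struct {
	Serial    string    // issuer-assigned serial number
	IssuerID  string    // the recognised organisation that issued it
	VesselIMO string    // vessel identity (constructed placeholder values below)
	Standard  string    // what was assessed, e.g. "IACS UR E26"
	IssuedAt  time.Time // start of validity
	ExpiresAt time.Time // end of validity
	AuditRef  string    // reference to the audit evidence package behind it
}

// canonical fixes the field order so issuer and verifier sign/check identical bytes.
func (c Certificate) canonical() []byte {
	return []byte(strings.Join([]string{
		c.Serial, c.IssuerID, c.VesselIMO, c.Standard, c.AuditRef,
		c.IssuedAt.UTC().Format(time.RFC3339), c.ExpiresAt.UTC().Format(time.RFC3339),
	}, "\n"))
}

// SignedCertificate is the record plus the issuer's Ed25519 signature over it.
type SignedCertificate struct {
	Cert Certificate
	Sig  []byte
}

// Issue signs a record with the issuer's private key.
func Issue(c Certificate, priv ed25519.PrivateKey) SignedCertificate {
	return SignedCertificate{Cert: c, Sig: ed25519.Sign(priv, c.canonical())}
}

// Registry maps recognised issuer IDs to public keys; an administration or the IMO would publish and maintain it.
type Registry map[string]ed25519.PublicKey

var ErrUnknownIssuer = errors.New("issuer is not in the recognised-issuer registry")
var ErrBadSignature = errors.New("signature does not verify: altered or forged certificate")
var ErrExpired = errors.New("certificate is outside its validity period")

// Verify accepts a certificate only if it names a recognised issuer, carries that
// issuer's valid signature over the canonical record, and is within its dates.
func (r Registry) Verify(sc SignedCertificate, now time.Time) error {
	pub, ok := r[sc.Cert.IssuerID]
	if !ok {
		return ErrUnknownIssuer
	}
	if !ed25519.Verify(pub, sc.Cert.canonical(), sc.Sig) {
		return ErrBadSignature
	}
	if now.Before(sc.Cert.IssuedAt) || now.After(sc.Cert.ExpiresAt) {
		return ErrExpired
	}
	return nil
}

// demoKey derives a key from a fixed seed for reproducibility; a real issuer uses ed25519.GenerateKey(rand.Reader).
func demoKey(tag byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(append([]byte{tag}, make([]byte, ed25519.SeedSize-1)...))
}

// Scenarios runs four inspection cases against one registry; all identities, serials and dates are constructed.
func Scenarios() map[string]error {
	roPriv := demoKey(1)   // a recognised organisation
	millPriv := demoKey(2) // a "certificate mill" with no registry entry
	registry := Registry{"RO-EXAMPLE": roPriv.Public().(ed25519.PublicKey)}
	now := time.Date(2025, 3, 1, 0, 0, 0, 0, time.UTC)
	base := Certificate{
		Serial: "CYB-0001", IssuerID: "RO-EXAMPLE", VesselIMO: "0000001",
		Standard: "IACS UR E26", AuditRef: "AUD-2025-0001",
		IssuedAt:  time.Date(2025, 1, 15, 0, 0, 0, 0, time.UTC),
		ExpiresAt: time.Date(2030, 1, 15, 0, 0, 0, 0, time.UTC),
	}
	genuine := Issue(base, roPriv)
	tampered := genuine // genuine signature, but the record is re-used for another hull
	tampered.Cert.VesselIMO = "0000002"
	mill := base // names RO-EXAMPLE as issuer but is signed with the mill's own key
	mill.Serial = "CYB-9999"
	bought := Issue(mill, millPriv)
	expired := base
	expired.ExpiresAt = time.Date(2025, 2, 1, 0, 0, 0, 0, time.UTC)
	lapsed := Issue(expired, roPriv)
	return map[string]error{
		"genuine":  registry.Verify(genuine, now),
		"tampered": registry.Verify(tampered, now),
		"mill":     registry.Verify(bought, now),
		"expired":  registry.Verify(lapsed, now),
	}
}

func main() { fmt.Println(Scenarios()) }
```

Run with `go run`: the genuine certificate is accepted and the other three are rejected with the reason. The signature binds the certificate to a recognised issuer and proves it has not been altered; it does not prove the audit was actually performed, which is why the registry of recognised issuers, the protection of their signing keys, and a revocation path for certificates found to be issued without an audit are the parts of any such template that carry the real weight.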

A number of publicly available reports that have not been widely circulated outline the importance of this step. One such report, the Shen Attack (published by Lloyd’s with the Cambridge Centre for Risk Studies in 2019), provides some context around this challenge. While different strings of ports would likely result in different impacts, the general concept of the report is sound and worth reading by those with responsibilities for local facilities and ports, and for areas or regions.