Overview

The maritime industry continues to evolve in terms of size, automation, and its reliance on cyber-enabled infrastructure. As we look toward a future that offers Maritime Autonomous Surface Ships (MASS) and other technologies, the International Association of Maritime Security Professionals examines some of the more challenging issues in this space.

Technological developments do not occur in a vacuum. While the engineering aspects of a problem may be scoped to solve the problem, some constraints and restraints must guide innovation. Constraints such as conventions, laws, and regulations often face challenges in keeping pace with innovation. This has been particularly evident in the MASS domain. There are cases, however, where ethical and other grounds compel us to restrain our activities from specific solutions. Technological solutions do not operate in a vacuum, and there is a need to understand how these innovations may affect public safety, vulnerable communities, the environment, and other factors that may not be part of the technical work.

An organization makes significant efforts and investments in the innovation space. The efforts necessary to understand an issue’s problem space, stakeholder needs and expectations, and work towards a viable and acceptable solution are not trivial. These investments and their potential rewards for an organization can make the innovation attractive to those who either cannot make such efforts themselves or are willing to operate outside the generally accepted conduct of good neighbours. Intellectual property theft, illegal surveillance, and other illicit and illegal activities may threaten a company’s efforts.

The Association believes that security in the innovative space consists of three major elements. The first involves the security principles and practices applied to the work and the environment in which the work occurs. Addressing these challenges is important in preserving the work’s value from a competitive perspective and in establishing that the claims regarding the work can be considered trustworthy.

The second aspect involves security, which becomes an emergent work property. This involves a “whole of lifecycle” approach that spans the conceptualization, design, implementation, operations, and (ultimately) removal of service of the work. The Association’s approach to security design, monitoring, and compliance assumes that the security attributes of innovation blend well into the non-functional requirements of the product or service being developed and must be directly relatable to why that product or service exists.

The third security aspect involves using or applying the innovation in the future. Does it provide an overall benefit and how does it preserve that benefit? Are there checks and balances in place that prevent the tool’s misuse in a way that exposes populations and legitimate operations to harm? The Association looks at this from the perspective of governance, administrative controls, and other forms of control that are intended to ensure that the good work produced in the innovative process is less susceptible to being twisted for unintended purposes.

References

These links will be checked periodically and updates as new information becomes available.

Conceptualization

Design

Systems Engineering

NIST SP 800-160 Vol 1 Revision 1 Engineering Trustworthy Secure Systems.  This document describes various engineering-related processes that are used in a multidisciplinary context to aid in the appropriate design of systems. While this is often associated with IT Systems, it can be used in the context of any system.

NIST SP 800-160 Vol 2 Rev 1: Developing Cyber Resilient Systems. This takes a Systems Engineering approach but then looks to move beyond the traditional security protective posture and provides a structure on building resilience into a system.

International Council of Systems Engineers. This organization maintains a Wiki of Systems Engineering principles and practices that can be very useful in defining, establishing, and managing work associated with all phases of the system’s life cycle.

System Requirements

International Maritime Organization Maritime Safety Committee. The Maritime Safety Committee deals with all matters related to maritime safety and security for all kinds of shipping.

International Association of Classification Societies Unified Requirements. These rules apply across all classification societies and focus on safe shipping. For those working in the cyber domain, pay close attention to IACS UR E22, UR E26, and UR E27.

NIST SP 800-53B Control Baselines for Information Systems and Organizations. This focuses on IT security and is used as a baseline set of control definitions. Many standards map to this baseline when describing the security posture of a system. Note that NIST SP 800-53A describes how to assess these. Care must be taken when applying this standard to ensure that it is used as a guide and not a checklist. Follow the structures associated with the technical management and technical processes as described in systems engineering then integrate the appropriate level of network.

Frameworks and Guidance

Transport Canada’s Maritime Cyber Security guidance. This document looks at a range of both IT and OT systems, including common connectivity and information flows using functional block diagrams and similar diagrams.

United States Coast Guard Cyber Security Guidance landing page. As a landing page, this page is both updated as well as holds information on a range of topics. There has been significant increases in activity after the USA announced that it would develop rules in the cyber domain.

  • You can also find the USCG Maritime Cybersecurity Assessment and Annex Guide (MCAAG)  published Jan 2023. This was in response to NVIC 01-20 that provided voluntary guidance to facility owners and operators on complying with the requirements to protect computer system and network vulnerabilities in accordance with 33 CFR 105 and 106.

The International Chamber of Shipping’s Cyber Security on Board Ships. This document, when used with the Transport Canada documentation, can provide a solid starting point for understanding the analysis.  The ICS documentation provides detailed guidance regarding how to walk through the process while the Transport Canada’s diagrams and other technical details provides a more granular (if high level) understanding of the inter-relationship of system elements.