[Update] Presentation on Maritime Cyber Security at the 12th Governing Council Meeting



A Moderator's Reflections on the Presentation on Maritime Cyber Security at the 12th Governing Council of ReCAAP Information Sharing Centre

By Dr. Graham Ong-Webb, Research Fellow, S. Rajaratnam School of International Studies

On 22 Mar 2018, I was honoured to moderate a discussion on maritime cyber security at the 12th Governing Council Meeting of ReCAAP Information Sharing Centre. On my panel were LCDR Robert Cole, who is a Port and Facilities Activities Section Chief (with the Prevention Operations Planning Branch, Coast Guard Pacific Area) of the United States Coast Guard (USCG), and Mr. Ben Wootliff, who is a Partner at Control Risks.

A Regulatory/Enforcement Agency's Perspective

In LCDR Cole’s presentation on the management of cyber matters in relation to the Marine Transportation System (MTS), what struck me was the conception of the MTS as an integrated collection of waterways, ports, and inter-modal land-side connections that allow the various modes of transportation to move people and goods to, from, and on the water.

Also of interest was LCDR Cole’s discussion on the ways the USCG is planning and responding to cyber threats. He referred to the National Institute of Standards & Technology (NIST) Cyber Security Framework as a foundational reference model and common framework providing a set of cybersecurity activities, outcomes, and informative references.

He also spoke about how a recently drafted Navigation and Vessel Inspection Circular (NVIC) was providing useful guidance for addressing cyber risks to the maritime industry in line with the Maritime Transportation Security Act.

A Risk Consultancy's Point of View

From a risk consultancy’s point of view, Mr.Wootliff gave a useful primer on cyber risks and how to protect assets from attacks.

He ascribed the growth in the number of disruptive cyber operations to the proliferation and accessibility of software tools. In particular, cybercriminal groups have demonstrated their ability to carry out very advanced attacks. However, he qualified that while maritime shipping constitutes 90 percent of the world’s global trade, cyber attacks in the maritime domain still accounts for a small amount of the world’s attacks. Nevertheless, he warned that attacks in the maritime domain will likely rise in line with growing accessibility of technologies such as ECDIS and satellite communications to nefarious groups.

In terms of mitigation. Mr Wootliff that organisations should start conducting vulnerability assessments of its internet-connected and computerised vessel systems. In knowing their risk exposures, they should develop early warning capabilities and establish contingency plans to respond to breaches.

Four Key Takeaways

Here are my four takeaways of the discussion:

(1) Cyber security threat is imminent in the shipping industry. There is an urgency to mitigate the threat. 

(2) There is a need for a better understanding of the technology and human nexus in order to address more effectively the human factor challenge.

(3) Training and education at all levels must be implemented.

(4) A global regulatory and legal framework on cyber security is necessary.