Recent incidents – as far back as NotPetya in 2017 The Untold Story of NotPetya, the Most Devastating Cyberattack in History | WIRED – clearly indicate that cyber incidents/attacks can have devastating impact on commerce, the businesses involved in that commerce and the maritime community. More recent events, like Solar Winds and MS Exchange Server, point to increased and more widespread cyber impacts to governments, business, commerce, and potentially national infrastructure stakeholders. However, the maritime transportation system has historically not looked at cyber as a critical element in overall security. Rather, cyber has been treated as a support function – information technology - and not a critical element of security and a key facilitator of modern maritime business operations. I believe that this is a result of the focus placed upon physical security regulation – rightfully – after the attacks of September 11, 2001.
The Maritime Transportation Security Act (MTSA) of 2002 Maritime Transportation Security Act of 2002 - Wikipedia was enacted following the attacks. MTSA is the implementation of a broader international security standard, the International Ship and Port Facility Security Code (ISPS). Both are focused predominantly on physical security measures and requirements. Both ISPS and MTSA changed the security culture in the maritime community and MTSA, specifically, focuses upon preventing transportation security incidents (TSIs) and balancing security and the free flow of commerce. One of the key elements of MTSA and the attendant CFR 33 101-107 – and overlooked in our estimation – is the language in that regulation that could and should be used to ensure cybersecurity:
CFR 33 101.105 Infrastructure means facilities, structures, systems, assets, or services so vital to the port and its economy that their disruption, incapacity, or destruction would have a debilitating impact on defense, security, the environment, long-term economic prosperity, public health, or safety of the port.
The recent National Maritime Cybersecurity Plan Homeland Security Digital Library (hsdl.org) makes the right connection between the physical and cyber security elements of our nation’s maritime critical infrastructure and in Priority Action 4 covering Risks and Standards, “…develop procedures to identify, prioritize, mitigate, and investigate cybersecurity risks in critical ship and port systems.” Understanding risk, and specifically your risk, is important as cyber and physical elements of security have the potential to significantly impact your maritime business. Being a part of the Maritime Transportation System Information Security and Analysis Center (MTS-ISAC) is a great step to help you begin to understand your risk. The MTS-ISAC promotes and facilitates maritime cybersecurity information exchange, awareness, training, and collaboration between private and public sector stakeholders…to effectively improve cyber risk management across the MTS community through effective information exchange for the improved identification, protection, detection, response, and recovery efforts related to cyber risks.