By:
Max Bobys, HudsonAnalytix - Cyber
Scott Dickerson, CISO LLC
John Felker, Morse Alpha Associates, Inc.
Cliff Neve, MAD Security
Overview
This article explores the challenges commonly encountered by maritime executives when assessing the acquisition of cybersecurity services and/or solutions, highlighting the disconnectedness often arising between “buyers” and “sellers.” It also highlights the consequences of such misalignment and stresses the need for and value of expertise and solutions tailored to address the maritime domain's unique regulatory, technical, and operational challenges. It introduces the Global Maritime Cybersecurity Consortium (GMCC) as a collaborative effort to tackle these challenges by maritime cyber experts providing specialized expertise and solutions tailored to each maritime organization’s unique needs. The authors chart the cybersecurity complexities inherent to the maritime domain, the constraints of current solutions, and the GMCC's purpose in bridging the gaps among decision makers when weighing the countervailing demands of cybersecurity needs, corporate goals and objectives, operational requirements, regulatory adherence, and fiscal sustainability. By offering customized strategies, complementary capabilities, and deep maritime industry cybersecurity expertise, the GMCC provides a timely resource to maritime industry leaders.
Almost as often as my colleagues and I find ourselves hustling through an airport to meet with a client, we encounter a shipping or port-sector executive who privately pulls us aside to ask whaddya-think-about-this vendor, or about such-n-such cybersecurity technology, or this-or-that “solution”? Without a coherent strategy and holistic approach, these are extremely difficult (if not impossible) questions to answer. While on the surface many cybersecurity capabilities may appear sound (and most likely are, on their own merit), too often they do not represent the best fit for the enterprises represented by those inquiring.
As a result, we often find ourselves pulling back on specific recommendations to ask our interlocutor several important questions. First, is the (insert name of company, solution, service, etc.) capability right for your environment, e.g., will it complement, enhance, and integrate with the tools and capabilities you already have in place? Second, is it a capability that your team can use right out of the box, with minimal training? Third, has the solution been proven to be effective in maritime-specific environments? And lastly, does the tool produce information that aligns with and can be used to support your overall business objectives?
The Buyer-Seller-Experience Challenge
While these distinctions may not seem overly critical at first, the consequences of ignoring them can be costly.
The first question cuts to the core of the persistent disconnectedness that exists in the global maritime market between buyers (e.g., CISOs, IT Managers, and CFOs) and sellers (e.g., vendors, CISOs and IT Managers). The second and third questions attempt to call out whether the tool can be used right now and whether there is a basic understanding of the unique regulatory and technical challenges that maritime organizations deal with at the national and international levels. The last highlights an often-overlooked element in cybersecurity – how will this tool help my overall business objectives and keep leadership engaged?
Failure to address buyer-seller misalignment can result in inefficiencies, vulnerabilities, and ultimately, costly consequences for maritime stakeholders. Buyer-seller disconnectedness can lead to a mismatch between the cybersecurity solutions being offered and the specific operational needs and challenges faced by maritime organizations. You will notice CISOs and IT Managers are listed as both buyers and sellers. Why? Because they are the intermediaries between the solutions and the problems. The problems, however, may not always be technical. Rather, they might be financial. How so? CISOs and IT Managers don’t have Balance Sheet or even P&L responsibility. As a result, vendor agendas (e.g., sales quotas) get pushed; CISO/IT Manager agendas get promoted (e.g., “I need the best”); and CFOs, who are too often not information security experts, rubber stamp the acquisition. Time passes, and fiscal sustainability becomes… challenging.
While more can certainly be said about such disconnectedness, let’s dive into the challenge of vendors or solutions under consideration that lack maritime experience. It underscores the importance of understanding the regulatory and technical challenges unique to maritime organizations. With the maritime industry subject to a complex web of regulations, including International Maritime Organization (IMO) guidelines, the International Ship and Port Facility Security (ISPS) Code, and various national and regional regulations, it is imperative that cybersecurity solutions are tailored to support adherence to these specific requirements. Ignoring the need for maritime-specific expertise can leave organizations vulnerable to compliance violations, security breaches, and operational disruptions, highlighting the criticality of selecting vendors with genuine maritime domain expertise.
The Path Forward
Maritime cybersecurity is undeniably complex, characterized by a multitude of technical, procedural, and regulatory challenges that demand specialized expertise and innovative solutions. From navigating evolving regulations to grappling with the rapid move toward automation and the prevalence of increasingly Internet-enabled operational technology (OT) systems, maritime organizations face a myriad of hurdles in safeguarding their digital assets. For commercial vessels especially, limited and costly satellite bandwidth compounds these challenges, making it increasingly difficult to secure shipboard networks and systems (patching, log collection, and remote monitoring all compete for the same narrow link). Moreover, the global applicability of cybersecurity regulations, coupled with the changing complexities of insurance and response protocols, adds layers of complexity to an already intricate landscape.
In this context, the pool of cybersecurity providers that truly understand the nuances of maritime cybersecurity is limited. While numerous companies offer cybersecurity solutions, the unique requirements and constraints of the maritime industry demand a specialized approach. To be sure, no individual company possesses the full depth and breadth of expertise required to provide comprehensive cybersecurity services tailored to any one client’s specific needs. From strategy and governance to risk analysis, threat intelligence, OT expertise, 24/7 monitoring and response capabilities, and the ability to easily translate cyber issues into business terms that leadership can understand and acknowledge, a holistic solution is needed to address the diverse range of cybersecurity challenges facing the maritime industry overall.
An understanding of these issues served as the premise on which the Global Maritime Cybersecurity Consortium (GMCC) was founded. Recognizing the maritime industry's growing needs for integrated solutions and maritime subject matter expertise, the GMCC brings together a team of specialists to provide breadth and depth under a single collaborative roof. By leveraging the collective expertise of its members, the GMCC offers a complete, albeit flexible solution to any one maritime client, with the ability to address any cybersecurity capability gap, small and/or large.
At the heart of the GMCC's mission is the commitment to connecting organizational leadership with the relevant aspects of cybersecurity. By providing top-level insights and evidence-based guidance, the GMCC enables maritime leaders to make informed business decisions about how to identify and right-fit sustainable solutions for their environment while concurrently ensuring alignment with maritime regulatory requirements. From understanding port- and shipping-based cyber risk profiles to evaluating the impact of emerging cybersecurity threats, the GMCC brings the expertise needed to bridge the gap between cybersecurity, business, and leadership objectives, ensuring alignment and technical effectiveness.
The Need Re-Affirmed
A recent encounter with the CIO of a prominent shipping client brought these realities into sharp focus. In a break during a site assessment, he pulled me aside and asked: "What are your thoughts on quantum computing?" I noticed his tone was tinged with a sense of urgency. In addition, the question seemed anything but apropos of our survey findings (e.g., cyber hygiene training, unsegmented networks, lax password enforcement). Based on current priorities, quantum computing came from left field. It was a seemingly innocuous question, yet its implications reverberated. When pressed, he admitted he was facing an inquiry from his company’s COO, who had been approached by an aggressive vendor. More to the point, the COO was pressing the CIO to accommodate a vendor briefing at HQ.
This is just one example, but similar questions arise too frequently. For this reason – and for this trend alone – the need for specialized cybersecurity solutions tailored to the maritime domain and meeting your organization’s strategic objectives and business needs is more pressing today than ever.
The GMCC was conceived as a collaborative effort among like-minded cybersecurity leaders to address the growing cybersecurity needs of the global maritime industry. The consortium brings together a coalition of leading companies with a shared vision: to fortify the resilience of maritime organizations against myriad and changing cyber threats. What sets the GMCC apart is not just its collective expertise in cybersecurity but our deep understanding of maritime supply chain operational and regulatory complexities and our ability to translate this understanding into thought and terminology that any cybersecurity staff or leader can use to help company leadership understand and support cybersecurity efforts.
From maritime technology providers and shipping conglomerates to cybersecurity specialists and consulting firms, each member brings a unique perspective and skill set to the table that any maritime organization can benefit from. At its core, the value proposition of the GMCC resides in its ability to deliver tailored solutions that are practical, proven, and scalable. Most importantly for maritime leaders, the GMCC recognizes that one size does not fit all in the realm of cybersecurity, and as such has adopted a nuanced approach, leveraging its collective expertise to develop customized strategies that align with the unique needs and constraints of each client.
The Path Forward
Everything begins with a plan. To navigate the complexities of the global cybersecurity landscape, maritime organizations must first seek to implement a comprehensive framework that encompasses governance, risk management, and compliance. This includes creating a prioritized cyber risk management strategy based on risk determinations that consider the organization's business objectives, key stakeholder expectations, third-party risks and dependencies, and legal, regulatory, and contractual requirements. To be effective (and sustainable), the plan must establish clear cybersecurity roles and authorities, supporting policies, resource identification and commitment, and C-suite/board-level oversight mechanisms. A key element of C-suite/board-level engagement is a frequent and regular schedule of interaction and discussion between key cybersecurity personnel and senior leadership. Whether it is regularly scheduled board meeting slots or standalone cybersecurity program briefings, these sessions are critical to mutual understanding of cybersecurity issues.
As most know, a lot has happened recently. However, more is coming. The White House issued Executive Order 14116 (Amending Regulations Relating to the Safeguarding of Vessels, Harbors, Ports, and Waterfront Facilities of the United States), and the U.S. Coast Guard issued NVIC 02-24, MARSEC Directive 105-4, and its Notice of Proposed Rulemaking. IMO also has cybersecurity for ports firmly set in its sights for MSC 108. And then, of course, there’s the newly released NIST CSF 2.0.
Let’s break this down.
Govern
The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
Key questions to consider:
Have you created a prioritized cyber risk management strategy based on risk calculations that fully considers the organization’s business, stakeholder expectations, third-party risks and dependencies, and legal, regulatory, and contractual requirements?
Does your organization have a documented cybersecurity plan?
Has your organization formally established a role for overseeing cyber security?
Does your organization have defined Board of Director oversight and monitoring mechanisms?
Identify
The organization’s current cybersecurity risks are understood.
Key questions to consider:
Does your organization conduct regular cyber risk assessments and penetration tests?
Does your organization have effective asset management of hardware /cloud infrastructure, software, and data?
Do information security leaders regularly collaborate with those in charge of physical security? This is especially important – collaboration between cybersecurity staff and the regulatorily mandated Facility Security Officer MUST happen frequently!
Protect
Safeguards to manage the organization’s cybersecurity risks are used.
Key questions to consider:
Does your organization have all the following cybersecurity elements in place to protect the organization:
Identity and access management, including limiting the use of privileged and group accounts, implementing MFA, changing default passwords, and revoking access when no longer needed?
Awareness, training, drills, and exercises, including those that combine cyber and physical scenarios?
Data security?
Platform security, including configuration management, patch management (with priority given to known exploited vulnerabilities), and resilience across IT, OT, and IoT?
Network security, including network segmentation and protecting critical assets from direct internet access?
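The Protect checklist above names concrete conditions (default credentials, missing MFA, known-exploited vulnerabilities, critical assets reachable from the internet, OT/IoT patching constraints) that an organization can turn into a repeatable prioritization over its own asset inventory. The following is an added example written for this article, not code from the GMCC or any of its members. The inventory, the known-exploited-vulnerability set (placeholder CVE ids, not real KEV entries), and the scoring weights are all constructed assumptions; a real deployment would load the inventory from an asset management system and the exploited-vulnerability list from a maintained feed such as CISA's KEV catalog.

```python
"""Prioritize remediation of a constructed asset inventory against the
Protect-function checklist: default credentials, MFA, known-exploited
vulnerabilities, internet exposure of critical assets, and OT/IoT constraints.
Added example; all weights, assets and CVE ids are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed stand-in for a known-exploited-vulnerabilities feed (KEV-style).
# These identifiers are placeholders, not real catalog entries.
KNOWN_EXPLOITED = {"CVE-0000-1111", "CVE-0000-2222"}


@dataclass
class Asset:
    name: str
    zone: str                 # "IT", "OT" or "IoT"
    critical: bool            # critical to operations (e.g. terminal OS, vessel OT)
    internet_exposed: bool    # reachable directly from the internet
    default_creds: bool       # vendor default password still in place
    mfa_enforced: bool        # MFA required for interactive/remote logins
    cves: List[str] = field(default_factory=list)   # unpatched CVE ids


def assess(asset: Asset, kev=KNOWN_EXPLOITED) -> Tuple[int, List[str]]:
    """Return (priority score, findings) for one asset.
    Weights are illustrative assumptions, not a published scale."""
    score, findings = 0, []
    exploited = sorted(c for c in asset.cves if c in kev)
    other = sorted(c for c in asset.cves if c not in kev)
    if exploited:   # known-exploited vulnerabilities outrank everything else
        score += 50
        findings.append("known-exploited vulnerabilities: " + ", ".join(exploited))
    if other:
        score += 10
        findings.append("other unpatched CVEs: " + ", ".join(other))
    if asset.default_creds:
        score += 30
        findings.append("vendor default credentials still in place")
    if not asset.mfa_enforced:
        score += 15
        findings.append("MFA not enforced")
    if asset.critical and asset.internet_exposed:
        score += 40
        findings.append("critical asset directly reachable from the internet")
    if asset.internet_exposed:   # exposure multiplies whatever weaknesses exist
        score = int(score * 1.5)
    if score and asset.zone in ("OT", "IoT"):
        score += 10
        findings.append(f"{asset.zone} asset: patching needs a change window and safety review")
    return score, findings


def prioritize(assets: List[Asset]) -> List[Tuple[str, int, List[str]]]:
    """Rank assets by descending score: (name, score, findings)."""
    scored = [(a.name, *assess(a)) for a in assets]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def build_inventory() -> List[Asset]:
    """Constructed sample inventory for a port operator (not real systems)."""
    return [
        Asset("terminal-os-server", "IT", critical=True, internet_exposed=True,
              default_creds=False, mfa_enforced=True,
              cves=["CVE-0000-1111", "CVE-0000-3333"]),
        Asset("crane-plc", "OT", critical=True, internet_exposed=False,
              default_creds=True, mfa_enforced=False),
        Asset("office-printer", "IoT", critical=False, internet_exposed=False,
              default_creds=False, mfa_enforced=False, cves=["CVE-0000-2222"]),
        Asset("hr-laptop", "IT", critical=False, internet_exposed=False,
              default_creds=False, mfa_enforced=True),
    ]


if __name__ == "__main__":
    for name, score, findings in prioritize(build_inventory()):
        print(f"{score:4d}  {name}")
        for f in findings:
            print(f"      - {f}")
```

The ordering the script produces (internet-exposed critical server with a known-exploited CVE first, then the IoT device carrying a known-exploited CVE, then the PLC with default credentials, then the clean laptop) is the point: it is the checklist itself, applied consistently, that yields a defensible patch and remediation order that can be briefed to leadership, rather than an ad hoc vendor-driven one.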
Detect
Possible cybersecurity attacks and compromises are found and analyzed.
Key questions to consider:
Is your organization able to quickly detect threat activity through continuous monitoring of networks, endpoints, applications, and user behavior?
Does your organization leverage the MTS-ISAC to maintain situational awareness of threat activity and to aid in triaging alerts?
Respond
Actions regarding a detected cybersecurity incident are taken.
Key questions to consider:
Does your organization have a mature and effective cyber incident response plan and playbooks to respond to different types of incidents, limit impacts by containing and remediating the incident, conduct investigations, and perform forensic analysis?
Are communication plans in place to guide stakeholders in how to communicate those incidents internally and externally, especially to required regulatory touchpoints?
Does your organization regularly test the plan to ensure that designated response team stakeholders know their roles, responsibilities, and authorities and that process faults are learned and remediated?
Recover
Assets and operations affected by a cybersecurity incident are restored.
Key questions to consider:
Can your organization recover from incidents and restore capabilities and normal operations in a timely manner?
Parting Thoughts
As maritime organizations continue to digitalize, the importance of cybersecurity becomes increasingly critical. The challenges faced by executives seeking to identify and procure appropriate cybersecurity services and solutions that align with their organizational needs are not only chronic but endemic to the maritime industry. The consequences of buyer-seller misalignment set the stage for significant operational disruption, reputational harm, and financial strain.
It's critical for maritime leaders to not lose sight of the fact that while cyber risk will constantly evolve and remain chronic, it can be managed. By embracing a comprehensive cybersecurity framework and leveraging the collective capabilities and expertise available through the GMCC, maritime leaders can proactively engage with their cybersecurity colleagues to confidently navigate the evolving cyber threat landscape, safeguarding their assets and operations for the journey ahead.