MARITIME CYBERSECURITY IN THE WESTERN HEMISPHERE An Introduction and Guidelines MARITIME CYBERSECURITY IN THE WESTERN HEMISPHERE An Introduction and Guidelines MARITIME CYBERSECURITY IN THE WESTERN HEMISPHERE An Introduction and Guidelines Maritime Cybersecurity in the Western Hemisphere 3 COPYRIGHT (2021) Organization of American States. All rights reserved. No portion of this publication may be reproduced or transmitted in any form, or by any means, in whole or in part, without the express consent of the General Secretariat of the Organization of American States. Prepared and published by the Maritime and Port Security Program of the Inter-American Committee against Terrorism (CICTE). The contents of this publication are presented exclusively for informational purposes and do not represent the official position of the Organization of American States, its General Secretariat, or its Member States. This publication has been made possible thanks to the financial support of the Government of Canada. We welcome your interest in this guide. Your feedback on how you have used this guide and whether it helped improved maritime cybersecurity incident response would be valuable information we can use to help design future projects. Please contact CICTE’s Maritime and Port Security Program at [email protected] to share your feedback. OAS Cataloging-in-Publication Data Maritime cybersecurity in the Western Hemisphere : an introduction and guidelines / [Prepared and published by the Maritime and Port Security Program of the Inter-American Committee against Terrorism (CICTE)]. v. ; cm. (OAS. Official records ; OEA/Ser.D/XXV.17) ISBN 978-0-8270-7242-8 1. Computer security. 2. Security, International. 3. Transportation--Security measures. 4. Cyberterrorism. 5. Shipping-- Security measures. 6. Harbors--Security measures. I. Inter-American Committee against Terrorism. II. OAS/CICTE Maritime and Port Security Program. III. Organization of American States. Secretariat for Multidimensional Security. IV. Series. OEA/Ser.D/XXV.17 4 Maritime Cybersecurity in the Western Hemisphere CREDITS Luis Almagro Secretary General Organization of American States (OAS) Arthur Weintraub Secretary for Multidimensional Security Organization of American States (OAS) Alison August Treppel Executive Secretary Inter-American Committee against Terrorism Organization of American States (OAS) Violanda Botet Deputy Executive Secretary Inter-American Committee against Terrorism Organization of American States (OAS) OAS Technical Team OAS Maritime and Port Security Program Lisbeth Laurie Ricardo Desgarennes OAS Cybersecurity Program Kerry-Ann Barrett Diego Subero Sofia Hunter Intern Karen Grubb Contributors Hudson Trident Max Bobys Andrew Baskin Graphic Design María Paula Lozano Maritime Cybersecurity in the Western Hemisphere 5 CONTENTS Executive summary ------------------------------------------- 09 List of acronyms ----------------------------------------------- 11 1.0 - Introduction --------------------------------------------- 13 2.0 - Cyber risk in the maritime domain --------------- 15 2.1 - Why cybersecurity is important to ports in the Western Hemisphere ------------------------------------------------------- 15 2.1.1 - Port and maritime operational digitalization and automation ---- 17 2.1.2 - Maritime organizations as logistics data hubs and repositories -- 17 2.2 - How ports and ships are vulnerable --------------------------- 18 2.2.1 - Operational conditions ------------------------------------ 18 2.2.2 - Human vulnerabilities ------------------------------------ 19 2.2.3 - Port-ship interface --------------------------------------- 20 2.2.4 - Cyber-physical intersection ------------------------------- 21 2.3 - Cybersecurity threats ----------------------------------------- 22 2.3.1 - Types of cyber threat actors -------------------------------- 22 2.3.2 - Case studies -------------------------------------------- 23 6 Maritime Cybersecurity in the Western Hemisphere 3.0 - Regulations and guidelines ------------------------ 25 3.1 - International attempts to address maritime cybersecurity considerations ---------------------------------------------------- 26 3.1.1 - IMO and shipping ----------------------------------------- 26 3.1.2 - IMO and ports ------------------------------------------- 27 3.2 - National legislation / regulations ----------------------------- 28 3.2.1 - National cybersecurity strategies ----------------------------- 28 3.2.2 - National and supranational legislation and multilateral regulation -------------------------------------------------------- 28 3.3 - Useful policy frameworks and industrial standards ------------ 30 3.3.1 - United States National Institute of Standards and Technology Cybersecurity Framework ------------------------------- 30 3.3.2 - International Organization for Standardization 27000 and 28000 standards --------------------------------------------- 32 3.3.3 - CIS Controls --------------------------------------------- 32 3.4 - Industry guidelines ----------------------------------------- 33 3.4.1 - Port Cybersecurity: ENISA Good Practices for Cybersecurity in the Maritime Sector -------------------------------------------------- 33 3.4.2. - United Kingdom Good Practice Guide: Cyber Security for Ports and Port Systems ------------------------------------------------- 33 3.5 - Data privacy requirements ----------------------------------- 34 4.0 - Initial Steps for Developing Organizational Cybersecurity Capabilities --------------------------------- 35 4.1 - Establish oversight ------------------------------------------ 37 4.2 - Define cyber stakeholders---------------------------------- 37 4.3 - Create a cybersecurity steering committee ------------------- 38 4.3.1 -Strategies for driving change ------------------------------- 39 Maritime Cybersecurity in the Western Hemisphere 7 4.4 - Organization-wide baseline capability assessment ------------ 40 4.5 - Cybersecurity strategy and implementing plan --------------- 41 4.5.1 - Strategies for driving change ------------------------ 41 4.5.2 - Cybersecurity plan --------------------------------- 42 5.0 - Best practices ----------------------------------------- 43 5.1 - Governance/policy best practices ----------------------------- 44 5.1.1 - Data security --------------------------------------- 44 5.1.2 - Technology policies --------------------------------- 45 5.2 - Operational best practices ------------------------------------ 46 5.2.1 - Training ------------------------------------------- 46 5.2.2 - Managing cyber-physical access control --------------- 48 5.2.3 - Email security ------------------------------------- 49 5.2.4 - Protecting against social engineering ----------------- 50 5.2.5 - Access control ------------------------------------- 51 5.2.6 - Cyber threat information collection and analysis --------2 5 5.2.7 - Information sharing -------------------------------- 53 5.2.8 - Network security, vulnerability management, and situational awareness ----------------------------------- 54 5.2.9 - Supply chain and third-party management ------------ 55 5.3 - Cyber incident response preparation ------------------------- 56 5.3.1 - Create an incident response plan --------------------- 56 5.3.2 - Continuity of operations and disaster recovery planning - 58 5.3.3 - Develop relationships with third parties who will assist with incident response and recovery ------------------------------ 59 5.3.4 - Perform cyber breach incident response drills and exercises ---------------------------------------------- 60 6.0 - Conclusion --------------------------------------------- 61 References ----------------------------------------------------- 62 8 Maritime Cybersecurity in the Western Hemisphere EXECUTIVE SUMMARY The growth in digitalization and automation in the maritime domain1 has brought increases in efficiency and competitiveness as well as the industry’s overall cyber risk. In the Western Hemisphere, the maritime sector is crucial to the flow of commerce and protecting operations and data that underpin those operations is of growing importance to national and regional economies. Maritime Cybersecurity in the Western Hemisphere 9 The Organization of American States (“OAS”), • Best practices to improved cyber risk an international organization, through the management and cybersecurity already Inter-American Committee against Terrorism exist and are described in this document (“CICTE”) has developed this overview in order to assist entities in the region in document to assist in the following: performing an initial baseline cybersecurity capability assessment to measure existing cybersecurity capabilities. 1. Assist maritime stakeholders in the Western Hemisphere understand maritime cyber risk; • Greater awareness of international rules and best practices to manage cybersecurity 2. Provide a brief overview of the key risk in the maritime area can be of particular international rules and standards under use to OAS member states, some of whom development today by international are in the earliest stages of considering organizations and states to address these and implementing maritime digitalization risks; programs, and 3. Lay out initial steps maritime organizations • States in Western Hemisphere, particularly can take to manage cyber risk; and in Latin America, are rapidly developing national cybersecurity plans and increasing 4. Highlight some best practices to consider ways to share information and respond as maritime organizations implement cyber rapidly to cybersecurity
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages68 Page
-
File Size-