Cyber security assessments in the maritime industry
Hi everyone! Do you know of any resources for assessing cybersecurity in the maritime industry? There seem to be some guidelines around cyber security developed by BIMCO, but they seem very generic. I do need to assess the cyber security posture for several organisations in the maritime sector. What frameworks can I use? Are assessments for companies in the maritime industry different than in other industries?
Hey Willjack, maritime companies are assessed like the rest of companies. The only difference is that they have an OT (operational technology) side which falls within the vessels. ISO27001 and NIST frameworks are probably the most frequent security frameworks in use to improve the organisation's posture. My recommendation is that you use one of these two frameworks to assess the "traditional" IT and the "Guidelines on Cyber Security on board Ships" created by BIMCO to create a security baseline for the company's vessel fleet.
Rupeshh, as Richardc mentioned, risk in maritime organizations is treated with the same frameworks. Some organizations are ISO, others (few) NIST.
My recommendation is that you use NIST if your customers are happy. The reason I suggest NIST is because it was specifically designed for organizations in the critical industries and because, in the special case of the maritime industry, the United States Coast Guard customized and created special NIST profiles for organizations in the maritime industry.
The customizations are for the following maritime areas:
- Maritime Bulk Liquids Transfer
- Offshore Operations
- Passenger Vessel Operations
In each area, the USCG developed the main drivers and objectives of organizations operating in these specific areas of maritime, and these profiles allow you to align your cyber risk reduction practices to meet these drivers.
Let me provide you with an example: let's say your customer falls within the Passenger Vessel Operations sector within maritime.
The mission objectives and drivers developed by USCG are the following:
You can develop a NIST assessment and program for your client that aligns with any of these drivers that they wish to pursue for their organization. This customization provides the highest level of integration between business and risk reduction.
Ask questions if you need to!