In December 2022, the EU released the second EU directive on network and information security (NIS 2 directive). Published in the Official Journal L333, Member States must convert the directive into national law by October 2024. As the current NIS Directive had implications to maritime security, this article looks to identify the consequences of the amendment.
Directive (EU) 2022/2555
NIS2 or Directive (EU) 2022/2555 is the second Directive of the European Parliament and of the Council of 14 December 2022 on measures to achieve a high common level of cybersecurity across the Union. It aims to establish measures which ensure a high level of network and information security (NIS) in the EU. The overall objective is to strengthen resilience to cyber threats in critical sectors. NIS2 emphasises the need to implement cross-sectoral security measures.
The EU’s NIS 2 Directive on cybersecurity is scheduled to become enforceable across all 27 member states on 18 October 2024. It will bring in stricter requirements for risk management and incident reporting across a wider array of industries. NIS 2 seeks to inaugurate a uniformly high standard of cybersecurity and resilience across the European Union.
In a standard approach, roadmaps will be established encompassing a collection of guidelines, procedures, measures, and strategies aimed at ensuring the security and resilience of a system or organisation. Typical components include risk analysis, security policies, access control, incident response plans, training and awareness, emergency recovery and business continuity planning, as well as compliance and regulation.
The complexity and diversity of maritime operations necessitate a customised approach to developing policies and procedures that effectively address the unique challenges faced in this industry. Tailored transparency and security plans adapted to the specific needs of the particular environment seem to be appropriate to improve network and information security and to enhance resilience to cyber threats, thus ultimately contributing to the safety and efficiency of maritime traffic.
Concrete guidelines and procedures for maritime operations could include clear instructions for ships’ cybersecurity, such as securing navigation systems, communication devices, and access controls. Customised clarity and protection strategies are critical for safeguarding maritime facilities and port infrastructure. Implementing these measures is crucial to ensuring the security and reliability of maritime operations and minimising the impact of cyber threats.
Transparency and security roadmaps: Building upon existing instruments …
There are already examples of cybersecurity policies for maritime operations and a close examination of these is appropriate given the comprehensive approach taken in developing them. They include the US National Institute of Standards and Technology (NIST) Cybersecurity Framework Version 1.1, as well as the relevant IMO resolution. The NIST Framework helps companies assess and manage cyber risks, ultimately leading to the creation of a customised ‘profile’ that identifies and prioritises risk mitigation measures. Specimen framework profiles are publicly available, such as those for maritime bulk liquid transfer, offshore, and passenger ship operations. They provide practical guidelines developed in collaboration with industry representatives. Additionally, guidelines from associations like the Digital Container Shipping Association (DCSA) and recommendations from organisations such as the International Association of Classification Societies (IACS) offer additional resources for addressing cybersecurity challenges specific to maritime operations. These examples can serve as valuable references for companies looking to enhance their cybersecurity posture and minimise cyber risks in the maritime sector.
Maritime operations involve a wide range of activities, including vessel navigation, cargo handling, port management, and passenger services, each presenting its own security concerns. From protecting sensitive data onboard ships to safeguarding port facilities against physical and cyber threats, policies and procedures must be meticulously crafted to address these diverse challenges.
For instance, ship systems require robust cybersecurity measures to prevent unauthorised access and potential cyber-attacks. Cargo and passenger data must be handled with care to ensure privacy and prevent breaches. Port operation systems, including communication networks and surveillance technologies, must be fortified to defend against external threats and maintain operational continuity.
Clear guidelines for monitoring and enhancing security measures are crucial components of tailored transparency and security roadmaps. Regular assessments and audits help identify vulnerabilities and areas for improvement, enabling proactive risk management and mitigation efforts. Collaboration with industry stakeholders, regulatory authorities, and cybersecurity experts facilitates the development of comprehensive security strategies aligned with best practices and regulatory requirements.
By adopting a tailored approach to transparency and security roadmaps, maritime organisations can effectively safeguard critical infrastructure, protect sensitive data, and ensure the uninterrupted flow of maritime commerce. This proactive stance towards security not only enhances operational resilience but also strengthens the industry’s reputation for safety and reliability in an increasingly interconnected world.
… and extending their scope
Comprehensive asset management is vital for securing maritime environments. It involves identifying, classifying, and protecting critical assets such as ship systems, port infrastructure, and IT systems. Access control policies, continuous monitoring, and auditing help identify and mitigate security risks across operational technology (OT) and industrial control systems (ICS), ensuring security and continuity.
Rapid incident response is crucial in maritime cybersecurity to address cyber-attacks or system failures swiftly. Skilled incident response teams, clear protocols, and collaboration with regulatory bodies and industry partners ensure timely and coordinated responses, preserving operations’ integrity and availability.
Ensuring business continuity in maritime environments is essential amidst unforeseen events like system failures, natural disasters, or cyber-attacks. Robust backup management and secure remote access are key components of this effort. Backup solutions ensure regular backups of critical data and configurations, stored securely on-site and off-site for swift restoration. Secure remote access enables workforce flexibility, ensuring access to critical systems remotely. Technologies like multi-factor authentication (MFA), virtual private networks (VPNs), and SSL encryption ensure data security. Solutions should be scalable to adapt to dynamic operations, enhancing resilience, minimising downtime, and maintaining uninterrupted operations, even in challenging circumstances.
Vigilant vulnerability management is critical for maritime security. Regular scans and tests identify weaknesses in ship systems and port infrastructure. Manual testing supplements automated scans for complex vulnerabilities. Prioritising vulnerabilities based on severity focuses resources effectively. Timely patching of software vulnerabilities mitigates risks. However, patch management remains a challenge due to the distributed nature of maritime operations. Alternative strategies like offline patching may be necessary. Robust updating procedures with smoot patch deployment will enhance resilience against cyber threats.
Multi-factor authentication (MFA) adds layers of protection against unauthorised access in maritime settings, addressing compatibility, resilience, and user awareness challenges. Implementing MFA requires compatibility with existing systems and resilience to harsh conditions. User education is vital for effective MFA usage. By addressing these challenges, MFA enhances maritime cybersecurity, safeguarding sensitive systems and data.
Cybersecurity training for maritime personnel is essential to protect against cyber threats. As digitisation increases, personnel must recognise and respond to risks effectively. Training should raise awareness of threats like phishing and malware, emphasising potential consequences on operations and data security. It should also focus on detection and response skills, including recognising indicators of attacks and appropriate incident response procedures. Practical scenarios and drills enhance readiness. Training must stay updated with evolving threats. Ultimately, tailored programmes empower personnel to mitigate risks and safeguard maritime infrastructure.
Secure supply chain management is essential for reliability and integrity in maritime operations. It involves certifying suppliers through audits and due diligence checks to ensure compliance with security standards. Implementing clear policies and procedures across the supply chain ensures consistency and covers aspects like physical security, cybersecurity, and risk management. Collaboration with partners fosters alignment and accountability. Ensuring traceability and integrity through robust tracking systems is crucial. Vigilance against emerging threats through regular risk assessments and scenario planning is necessary. In summary, secure supply chain management enhances resilience and security, safeguarding against potential risks and disruptions.
Tailored security policies for risk analysis in maritime operations are vital for resilience. Understanding unique risk factors, including piracy and cyber threats, is crucial. Policies should cover diverse stakeholders and assets, outlining measures for risk mitigation such as physical security and cybersecurity protocols. Dynamic policies must adapt to evolving threats, requiring regular assessments and updates. Collaboration among stakeholders fosters effective risk management. Ultimately, tailored security policies enhance maritime security and resilience against emerging threats.
Cryptography and encryption technologies are crucial in the maritime industry to safeguard operational technologies (OT) and data integrity. They secure communication channels, preventing unauthorised interception. Encryption scrambles data into unreadable ciphertext, ensuring confidentiality even if intercepted. It is vital for securing data stored on devices and systems, preventing unauthorised access. Additionally, encryption technologies secure access controls and authentication mechanisms, ensuring that only authorised users can access sensitive data. Implementation requires consideration of performance, compatibility, and regulatory compliance. Compliance with standards like IMO guidelines on cybersecurity ensures effective protection against threats. Overall, cryptography and encryption enhance maritime security, mitigating unauthorised access and data breaches.
A wide portfolio of security solutions is vital in the maritime industry to combat cyber threats and address security risks effectively. Adherence to established standards like IMO guidelines and ISPS Code ensures regulatory compliance. Specialised security technologies, such as maritime-focused intrusion detection and prevention systems (IDS/IPS) and vessel tracking systems, address unique challenges. Collaboration with cybersecurity experts and technology vendors ensures tailored solutions. Continuous monitoring, assessment, and improvement are essential for maintaining a strong security posture. Overall, a diverse range of security measures tailored to maritime needs enhances operational resilience and safeguards against evolving threats.
The integration of proven solutions and expertise into maritime security is vital for robust defence against cyber threats. Leveraging technologies like firewalls, intrusion detection and prevention systems (IDS/IPS), and encryption establishes strong defences. Incorporating cybersecurity expertise ensures effective strategy development and compliance. Collaboration with stakeholders fosters knowledge-sharing and collective efforts. Continuous monitoring and improvement through audits enhance security resilience. Overall, this integrated approach strengthens maritime cybersecurity, safeguarding critical systems and data.
Roadmaps offer flexibility
After completing the described roadmap, it is important to emphasise that each individual measure, even if not considered a top priority, still makes a valuable contribution to improving maritime security. Roadmaps have a flexible format for presenting strategic information, so there is no industry standard we should follow. Each of these measures aims to address specific risks and vulnerabilities, thereby increasing resilience to cyber threats. In particular, training and awareness of cybersecurity play a central role. Employees with a solid understanding of risks and security protocols are better equipped to recognise and respond to potential threats. Although training is often neglected, it is important to recognise its significance and ensure it is integrated into the overall strategy for strengthening maritime security. A holistic approach that considers all relevant measures is key to ensuring security in the maritime industry and minimising the impact of cyber threats.
By proactively engaging with cybersecurity experts, maritime organisations can enhance their cyber resilience, mitigate risks, and safeguard critical assets against evolving threats in the digital landscape. Collaboration with security experts and governmental institutions is key for the industry’s overall cybersecurity posture, ensuring continued operational reliability and safety at sea.
In conclusion, the deliberate implementation of measures, triggered by a robust change management process, will enhance maritime resilience against cyber threats and safeguard the integrity of critical infrastructure.
Mario Eisenhut