Maritime Cybersecurity—Anchors Aweigh!
February 17, 2023

It’s Time for a More Robust Approach to Maritime Cybersecurity.

For years, the maritime industry has followed a haphazard set of cybersecurity standards. From the Coast Guard to the International Maritime Organization, organizations are only now beginning to develop a standardized and structured regimen. Unlike other defense-oriented organizations, however, there are no mandates out there to follow, no prescribed standards to meet and no industry norms to adopt.

So what success stories and cautionary tales do we know from others who have gone through this process? What are the standards maritime organizations should be following based on the extensive cybersecurity compliance experience of government and government related organizations in general? And what makes maritime different from other industries? SteelCloud’s Founder and COO Brian Hajost discussed this on Cybersecurity TV with Dave Gardy and Dan Turissini, MTS Maritime Cyber Security and Infrastructure Committee chair. Here’s what they had to say.

The maritime industry is more complex than you think.

The maritime industry is really a system of industries. It’s not just the boats you see floating in the water. There are ports. There is logistic coordination between truckers and train systems. There are contractors that run a lot of the infrastructure. And because the US is just a small part of the worldwide maritime industry, it is not uncommon for entities to be owned by international companies.

There are also several multi-factor compliance requirements. Contractors have to comply with Coast Guard standards and MARAD guidelines and those of the International Maritime Organization. And all of them are looking at implementing different aspects of cybersecurity. Thus, there is a lot of complexity to deal with. As a result – unlike a lot of other industries – the maritime industry has a lot of “gods” to which they have to answer. What would be ideal is if they all came together to establish one set of standards everyone can follow, creating consistent security across the industry.

Here are the standards to make standard.

The good news is that, from the DoD to the civilian organizations that serve them, there is already momentum in place. Some of the best practices that corporations adopt come from NIST SP 800-53, which prescribes security and privacy controls. That is the best place to start.

Three more established standards can be followed. All are very similar and are based on mostly the same guidelines. Better yet, each is set up in a step-by-step manner that helps integrate the standards into an organization:

Security Technical Information Guides (STIGs). These are the standards followed by the DoD and other government entities.

Center for Internet Security (CIS) benchmarks. CIS provides a series of benchmarks and controls used in both private and public industries.

All of this is expensive and time consuming to implement. The fact that all of these approaches are based on the same foundation of standards offers an opportunity, though. Automation can do all the heavy lifting for you, making standards much easier to implement and maintain. Better yet, the automation technology used to establish and hold secure baselines is proven over years of use across the DoD and corporate America.

Hacks are increasing. Don’t become the cautionary tale everyone cites.

You don’t need a mandate to establish security controls in your organization. Or, perhaps, you might consider hackers your “mandate”. Organizations involved in critical infrastructure—transportation, communications, energy and shipping, to name a few—are especially at risk from hackers. Not only do hacks on critical infrastructure end up costing at least $1M more on average than other data breaches, but compromised infrastructure can have a tremendous impact on the economy. Nobody wants to make a breach part of their brand.

Automation is the key to establishing and maintaining the standards that can keep your data safe. SteelCloud’s ConfigOS is the leading solution used at the highest levels of government and industry. As the maritime sector shores up its cybersecurity standards, establishing an automation-based approach can save time, effort and cost.

Many public and private organizations have learned about automation the hard way. Don’t make the same mistakes. Contact SteelCloud today and arrange a demo to see how easily you can go from haphazard security to a standardized approach that works.
