Say your company is ready to defend itself against cyber threats and implement a mitigation program; what comes next? New or revised cybersecurity regulations, frameworks, executive orders and/or guidance surface regularly to assist organizations, governments, and other entities in bolstering their cybersecurity programs. Within the maritime industry, there is no overarching policy to follow, because the industry is diverse and answers to multiple governing bodies and organizations. No matter where you fit within the industry, it is important to implement best practices when building the foundation for your cyber risk management or cybersecurity program.
One framework worth reviewing and implementing is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which was initially published in February 2014 as the result of a presidential executive order. Its main objective is to provide public and private sector organizations with “a set of industry standards and best practices to help organizations manage cybersecurity risks.”
The resulting framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. The framework’s core is broken out into 5 areas:
To learn more about the Cybersecurity Framework, view the NIST report. An updated version of the framework is expected to be released this Fall.
Last year, the U.S. Coast Guard worked with the National Cybersecurity Center of Excellence (NCCoE), part of NIST, to create the Maritime Bulk Liquid Transfer Cybersecurity Framework Profile. This was the first of several planned maritime-specific framework profiles to help individual companies clarify how cybersecurity fits into their mission priorities and how best to allocate resources to secure their information and operational systems, using NIST’s framework as a baseline. BIMCO also referenced the NIST framework in its guidelines for cybersecurity onboard ships, published in 2016.
No matter what framework your company implements or guidance it follows, thorough groundwork is needed to understand where vulnerabilities lurk within systems and operations, and what controls are needed. Whether this is done internally or through a third party, identifying vulnerabilities and assessing risk is a critical first step. From there, new technology, training, and procedures can be implemented to reduce cyber risk of every kind.
About Gnostech Inc.:
Gnostech Inc. is an applied engineering and consulting company with expertise in information assurance and cybersecurity engineering, and major combat and space systems development and integration. For more information, visit www.gnostech.com, or stay connected by following us on LinkedIn or @GnostechInc on Twitter.