Cybersecurity Maritime Security Security & Defense

Report

October 4, 2021

Appendices: Cooperation on maritime cybersecurity

By William Loomis, Virpratap Vikram Singh, Dr. Gary C. Kessler, Dr. Xavier Bellekens

Appendix 1: Players

The MTS is, at its core, a sprawling and diverse system of transportation. Each segment has its own specific purpose, set of tools, and risks. However, the MTS is a system of systems driven by the responsibilities, actions, and objectives of its players. Any ground-level understanding of the MTS must begin with a bird’s-eye view of the various players in regulating, advising, informing, and driving the maritime industry, including those specifically related to maritime cybersecurity.

Baltic and International Maritime Council (BIMCO)

BIMCO is the largest international organization representing the interests of ship owners, charterers, brokers, and agents. The group’s primary role is the preparation of global regulations and policy recommendations in many areas related to the MTS, from the environment, crew support, and insurance to maritime safety and security, ice information, and digitalization, including guidelines related to maritime cybersecurity. BIMCO membership comes from more than 120 countries and represents approximately 60 percent of the global merchant fleet (measured by gross tonnage of the vessels). With headquarters in Copenhagen, BIMCO has been designated a nongovernmental organization (NGO) by the United Nations.

Chambers of Shipping

National chambers of shipping (COS), such as the Chamber of Shipping of America (CSA) and the United Kingdom’s Chamber of Shipping, are nongovernmental trade organizations representing the interests of a nation’s shipping companies. Approximately forty national COS organizations are members of the International Chamber of Shipping, representing the interests of the maritime industry to international regulatory and standards bodies.1“About ICS,” International Chamber of Shipping website, accessed May 2021, https://www.ics-shipping.org/about-ics/. The organization strives to ensure the development, promotion, and application of best practices throughout the shipping industry, and works with key actors across the ecosystem and in the private and public sectors to do so.2“About ICS,” ICS. The International Chamber of Shipping holds consultative status with the IMO.

Class Societies

Classification (or class) societies are nongovernmental organizations that set and maintain technical standards related to the design, construction, and operation of ships and offshore structures.3“Maritime Industry Knowledge Center, Class Society,” Maritime Industry Foundation website, accessed March 11, 2020, https://www.maritimeinfo.org/en/Maritime-Directory/classification-societies. The primary focus of these standards is on a ship’s hull, propulsion and steering systems, power generation, and other systems related to a vessel’s operation. Class societies employ a program of inspection and certification to deliver a baseline reference point on ship safety and reliability for shipbuilders, brokers, operators, flag administrations, insurers, and the financial community. The International Association of Class Societies (IACS) has ten member organizations—including the American Bureau of Shipping (ABS), Bureau Veritas (BV, France), China Classification Society, Lloyd’s Register (United Kingdom), Nippon Kaiji Kyokai (ClassNK, Japan), and the Russian Maritime Register of Shipping—and some insurers require that a vessel have a class society certification before providing coverage.4“IACS–International Association of Classification Societies,” International Marine Consultancy (website), https://www.imcbrokers.com/iacs-international-association-of-classification-societies/. IACS issues advisory recommendations related to adopted resolutions: recommendation no. 166 addresses cyber resilience.5IACS Recommendations 161-180, IACS website, accessed September 17, 2021, https://www.iacs.org.uk/publications/recommendations/161-180/. 

Cybersecurity and Infrastructure Security Agency (CISA)

CISA is an agency within the DHS. Tasked with guiding public-sector cybersecurity strategies in the United States, CISA enhances cyber defense across all levels of government by coordinating state cybersecurity programs and improving the government’s ability to repel cyberattacks (ranging from ransomware to attacks on the supply chain).6“About CISA,” Cybersecurity and Infrastructure Security Agency website, https://www.cisa.gov/about-cisa. CISA is not an enforcement agency and has no enforcement branch; instead, it focuses on risk management and, working with public- and private-sector partners, shares threat intelligence and builds a more cyber-resilient infrastructure. CISA’s Cybersecurity Division addresses many physical and cyber threats, including ICS/OT and cyber-physical system (CPS) security.

Cybersecurity, Energy Security, and Emergency Response (CESER)

CESER is an office within the DOE tasked with enhancing and improving the US energy infrastructure and supporting DOE’s national security mission. By encouraging cooperation between industry, academia, DOE national laboratories, state and tribal governments, and other federal governmental agencies, CESER aims to build an energy infrastructure and supply chain that is resilient to natural and human-made threats and makes the US energy sector stronger and more secure. CESER’s projects include coordinating international cooperation, providing grant funding, offering training and operational support, and designing training exercises. Cybersecurity preparedness, information sharing, and incident response within the sector is emerging as a major task of the CESER office.

European Union Agency for Cybersecurity (ENISA)

Originally chartered in 2004 as the European Network and Information Security Agency, ENISA is the EU’s lead agency for common standards of cyber defense throughout Europe. With headquarters in Athens, ENISA activities include the development of cybersecurity policies, cybersecurity certification programs for IT products and services, information sharing, capacity building, and cyber-awareness training programs. Recognizing the importance of the maritime sector to the EU economy and society, along with the increased digitalization of maritime facilities, ENISA has taken an active role in the preparation of maritime cybersecurity guidelines for ports.

Information Sharing and Analysis Groups

Information sharing and analysis centers (ISACs) and information sharing and analysis organizations (ISAOs) collect, process, analyze, interpret, and share actionable intelligence related to cyber and physical threats that are relevant to their particular mission. Their overarching goal is to assist their members to maintain relevant domain situational awareness.

ISACs were defined by presidential order in the United States in 1998, during the earliest efforts to define critical infrastructures and infrastructure protection. ISACs were designed to enhance private sector/public sector information sharing to aid critical infrastructure owners and operators—the vast majority of whom are in the private sector—to protect their facilities, employees, and customers against cyber and physical security threats.

The National Council of ISACs (NCI) is composed of twenty-five member ISACs, including the Maritime ISAC, the Oil and Natural Gas ISAC (ONG-ISAC), the Electricity ISAC (E-ISAC), and Maritime Transportation Sector ISAC (MTS-ISAC).

ISAOs were formed by a 2015 US presidential order to promote voluntary information sharing within industry sectors. The goal in establishing a group of ISAOs was to enhance threat-related information sharing among organizations that did not belong to an ISAC because they were not in a clearly defined infrastructure sector. The International Association of Certified ISAOs (IACI) comprises fifteen information-sharing organizations, including the Maritime and Port ISAO (MPS-ISAO).

International Maritime Organization (IMO)

The IMO is an agency of the United Nations, headquartered in London, with a mission to develop a regulatory framework for international shipping. Its primary roles address safety, environmental concerns, legal issues, security, and international technical cooperation. It is, perhaps, best known for the Safety of Life at Sea (SOLAS) Convention, a treaty first adopted in 1914 after the sinking of the Titanic, and the International Convention for the Prevention of Pollution from Ships (MARPOL), first adopted in 1983. In 2017, the IMO Maritime Safety Committee released a set of Maritime Cyber Risk Management recommendations for safety-management systems that IMO encouraged shippers to implement no later than the first annual verification of a vessel’s Document of Compliance and Safety Management in 2021; this resolution is known as IMO 2021.

Maritime Insurers

Maritime insurance dates back to Edward Lloyd’s Coffee House in London, which opened in 1686. The coverage framework for ships and cargo is among the most mature in the insurance industry and covers damage or loss to vessels, terminals, cargo, and passengers. An increasing number of marine insurers require compliance with cyber-safety guidelines issued by class societies, the International Maritime Organization, and regulatory agencies.

National Institute of Standards and Technology (NIST)

NIST, a part of the Department of Commerce, is tasked with providing standards and guidelines for making the US technology base more secure. NIST’s Cybersecurity Framework, created in tandem with stakeholders across the public and private sectors, focuses on putting forward a voluntary framework for reducing cyber risks to critical infrastructure based on existing standards, guidelines, and practices. The framework is considered one of the best current standards programs out there and is utilized often throughout the MTS. The framework consists of three main components: the core, implementation tiers, and profiles.

The core focuses on providing an overarching set of desired cybersecurity activities and outcomes in common terms that are easy to understand, with the goal of helping organizations reduce their cyber risk. The implementation tiers assist these organizations in implementing these activities and outcomes by providing context for what this looks like operationally. The framework profiles aim to take this a step further by identifying key requirements and objectives for specific types of organizations.

North Atlantic Treaty Organization (NATO)

NATO was born with the signing of the North Atlantic Treaty in 1949, in the aftermath of the dark days of World War II. With headquarters in Brussels, Belgium, NATO has thirty member nations in Europe and North America. As a primarily military alliance, one of the most significant parts of the treaty is Article 5, the mutual defense clause, stating that an attack on one member country is an attack on all. This is a very controversial concept in these days of information warfare, where the very definition of cyberwar is not codified and an appropriate response in real space to an attack in cyberspace is not defined at all. To that end, NATO has established the Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia, where research, training, and exercises are conducted in the areas of technology, strategy, operations, and law. One outcome from the CCDCOE is the Tallinn Manual, a comprehensive guide on how existing law applies to information operations in cyberspace. This manual itself is not law, but it is the nearest guidance that is available on what constitutes a war in cyberspace.

US Department of Homeland Security (DHS)

The DHS, formed after the 9/11 attacks, is a cabinet-level agency tasked with border security, immigration and customs, disaster management and response, cybersecurity, anti-terrorism, and other efforts to protect the public within US borders. DHS also oversees the CISA and the Coast Guard. DHS has funded a dozen Science and Technology (S&T) Centers of Excellence (COE) addressing a range of multidisciplinary technology solutions for homeland security. Of particular interest to maritime cybersecurity is the Maritime Security Center (MSC) at Stevens Institute of Technology.

US Coast Guard (USCG)

The US Coast Guard is an agency within the DHS, although it can be transferred to the DOD to operate as part of the US Navy in times of war or when ordered by the president. The Coast Guard has a unique role in the US military, as it has a law-enforcement function in both US and international waters, and has a federal regulatory function. USCG functions also include search and rescue, security throughout the MTS, drug interdiction, port-facility inspection, public boating safety, maintenance of aids to navigation, and fishery regulation enforcement.

Broadly speaking, the Coast Guard’s role related to cybersecurity is twofold. First, it must keep the security of USCG ICT assets, including systems and networks used to manage and maintain USCG operations and shipboard systems. Second, the Coast Guard assists in the cyber protection of information assets throughout the MTS, including at port facilities and on civilian vessels via the creation of Cyber Protection Teams (CPTs). Coast Guard Cyber Command (CGCYBER) is a part of the DOD’s US Cyber Command (USCYBERCOM), primarily for external facing threats and attacks, while its internal mission is the preparation of its cyber workforce.

US Maritime Administration (MARAD)

MARAD is an agency of the Department of Transportation, responsible for administering funds to develop, promote, and work the US maritime fleet. MARAD maintains the National Defense Reserve Fleet (NDRF), a collection of vessels that can be put into service in a national emergency. MARAD also operates the US Merchant Marine Academy, one of the five US service academies.

Key international actors/programs

There are a number of international activities related to maritime cybersecurity that are examples of some of the initiatives that will undoubtedly become more common and widespread in the future. This is by no means an exhaustive list but one that is representative of the response to the need to prioritize cybersecurity in the MTS.

  • In 2018, the International Maritime Cyber Centre of Excellence (IMCCE) opened in Singapore. Created by an industry group headed by Wärtsilä and Templar Executives, the center is composed of a Maritime Cyber Emergency Response Team (MCERT) to provide cyber intelligence, incident support, and real-time cyberattack assistance, and a Cyber Security Reporting Portal (CSRP). The center also offers cybersecurity training. In 2019, the Maritime and Port Authority of Singapore (MPA) opened the Maritime Cybersecurity Operations Centre to conduct nonstop monitoring and correlation of cyber events across all maritime critical infrastructures. This center also offers early incident detection, monitoring, analysis, and response, and provides a link to the Singapore Port Operations Control Centre to more quickly respond to events.
  • The Tallinn University of Technology is located just blocks away from NATO’s CCDCOE. In 2020, the Centre for Digital Forensics and Cyber Security and the Estonian Maritime Academy, both part of TalTech, received a grant from the EU to establish a Maritime Cyber Security Centre to help develop cybersecurity in the maritime domain.
  • An industry-academic partnership in Canada is forming a maritime cybersecurity research and development center. Announced in early 2021, cybersecurity professors at Polytechnique Montréal are teaming with maritime companies Davie Canada and Neptune Cyber to build Canada’s Maritime Cyber Security Centre of Excellence. The goal of the five-year research program is to examine cybersecurity in maritime critical infrastructures and build better systems to detect and respond to malicious cyber activity.

Key private-sector actors

The MTS is a critical element of global and national economic security. It is the anchoring industry for the bulk of imports and exports. Responsible for the transport of food, goods, and people, the MTS partners in many sectors for the public good. The vast majority of MTS assets are owned and/or operated by the private sector.

The global merchant fleet is composed of more than fifty-six thousand cargo vessels, including general and bulk cargo carriers, various types of tankers, and vehicle/passenger vessels.7“Global Merchant Fleet: Number of Ships by Type,” Statista, March 4, 2021, https://www.statista.com/statistics/264024/number-of-merchant-ships-worldwide-by-type/. The table below lists the ten largest container shipping companies, comprising 84 percent of the global market.

The table below lists the largest oceanic passenger cruise lines, comprising nearly 95 percent of the global market share. Cruise lines represent a significant segment of the larger maritime business community, even if they are not explicitly addressed at length in this report.

As of 2019, 93 percent of global shipbuilding took place in China, Japan, and the Republic of Korea, and Asian countries owned half of the world’s fleet. A large number of commercial vessels are registered under a flag that matches neither the country of the builder nor the owner or operator; the top five flag registrants are Panama, Liberia, Marshall Islands, Hong Kong, and Singapore, with Panama alone accounting for 16 percent of the global commercial fleet.8“2020 E-handbook of Statistics: Merchant Fleet,” UNCTAD, December 7, 2020, https://stats.unctad.org/handbook/MaritimeTransport/MerchantFleet.html.

While ships and shipping companies have been, in general, private-sector entities (albeit some with a close relationship to the respective national government), the same cannot be said of ports around the world. Ports vary in ownership and operation, covering the spectrum from being fully operated by a public-sector governmental agency to being owned and/or operated by a private-sector—possibly foreign—company. The two tables below show the location of the busiest ports in the world. Not surprisingly, the top ten busiest container ports are all in Asia, all but one in the east or southeast portion of that region. Also, not surprisingly, six of the top ten busiest passenger ports—including the top five—are in the Caribbean. 

The United States is a maritime nation and, like others in the global economy and supply chain, dependent upon shipping for trade. The table below lists the ten busiest US container ports, where the busiest, the Port of Los Angeles, is the seventeenth busiest in the world. Nearly half the US import/export volume goes through three ports. The critical nature of these ports to the US economy and security becomes immediately evident, given the number of ships and cargo that move through two adjoining ports on the West Coast and two on the East Coast. All these ten ports are owned, and most are operated, by some sort of municipal or other governmental agency; like a private-sector business, all are tasked with making a profit.

Appendix 2: Acronyms 

  • 2020 National Maritime Cybersecurity Plan (2020 NMCP)
  • 2021 Port Infrastructure Development Program (PIDP)
  • A. P. Moller-Maersk Group (Maersk)
  • Application programming interface (API)
  • Artificial intelligence (AI)
  • Automatic identification system (AIS)
  • Baltic and International Maritime Council (BIMCO)
  • Center for Advanced Defense Studies (C4ADS)
  • Chamber of Shipping of America (CSA)
  • Chambers of Shipping (COS)
  • China Ocean Shipping Company (COSCO)
  • Coast Guard Cyber Command (CGCYBER)
  • Cooperative Cyber Defence Centre of Excellence (CCDCOE)
  • Customer relationship management (CRM)
  • Cyber protection teams (CPTs)
  • Cyber Security Agency of Singapore (CSA)
  • Cybersecurity and Infrastructure Security Agency (CISA)
  • Distributed control systems (DCS)
  • Enterprise resource planning (ERP)
  • European Union Agency for Cybersecurity (ENISA)
  • Federal Acquisition Security Council (FASC)
  • Federal Emergency Management Agency (FEMA)
  • Five Eyes (FVEY)
  • Global Positioning System (GPS)
  • Gross domestic product (GDP)
  • Industrial control system (ICS)
  • Industrial Control System Joint Working Group (ICSJWG)
  • Information communications technology (ICT)
  • Information sharing and analysis centers (ISACs)
  • Information sharing and analysis organizations (ISAOs)
  • Information technology (IT)
  • Input/output hardware (I/O)
  • Intellectual property (IP)
  • International Association of Class Societies (IACS)
  • International Convention for the Prevention of Pollution from Ships (MARPOL)
  • International Convention on Standards of Training, Certification, and Watchkeeping for Seafarers (STCW)
  • International Maritime Organization (IMO)
  • International Ship and Port Facility Security Code (ISPS)
  • Internet of Things (IoT)
  • Machine learning (ML)
  • Marine Safety Information Bulletin (MSIB)
  • Maritime Safety Administration (MSA)
  • Maritime Security Council (MSC)
  • Maritime transportation sector (MTS)
  • Mediterranean Shipping Company (MSC)
  • National Cyber Security Centre of the Netherlands (NCSC)
  • National Institute of Standards and Technology (NIST)
  • National Maritime Cybersecurity Plan (NMCP)
  • National Telecommunications and Information Administration (NTIA)
  • National Transportation Safety Board (NTSB)
  • Nongovernmental organizations (NGOs)
  • North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
  • North Atlantic Treaty Organization (NATO)
  • Office of Cybersecurity, Energy Security, and Emergency Response (CESER)
  • Oil and natural gas (ONG)
  • Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC)
  • Operating systems (OS)
  • Operational technology (OT)
  • Operational Technology Cybersecurity Expert Panel (OTCEP)
  • Personally identifiable information (PII) 
  • Port Security Grant Program (PSGP)
  • Positioning, navigation, and timing (PNT) 
  • Process automation controllers (PAC)
  • Programmable logic controllers (PLC)
  • Protected health information (PHI)
  • Remote terminal units (TRU)
  • Safety instrumented systems (SIS)
  • Safety of Life at Sea Convention (SOLAS)
  • Social Security number (SSN)
  • Software Bill of Materials (SBOM)
  • Supervisory control and data acquisition (SCADA)
  • Tactics, techniques, and procedures (TTP)
  • Twenty-foot equivalent unit (TEU)
  • US Coast Guard (USCG)
  • US Department of Commerce (DOC)
  • US Department of Defense (DOD) 
  • US Department of Energy (DOE)
  • US Department of Transportation (DOT)
  • Vessel traffic management services (VTMS)

Explore the full report

These Appendices are part of a larger body of content encompassing the entirety of Raising the colors: Signaling for cooperation on maritime cybersecurity— use the buttons below to explore this report online.

The Atlantic Council’s Cyber Statecraft Initiative, within the Scowcroft Center for Strategy and Security, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

Related Experts: Will Loomis, Gary Kessler, and Xavier Bellekens

Image: Ship docked at port's harbor.