At the international level, the International Maritime Organization (IMO) set the direction for cybersecurity in the maritime ecosystem in 2017.
Under Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems, operators are expected to ensure that their existing safety management systems address cyber risks appropriately, in line with the objectives and functional requirements of the ISM Code, no later than the first annual verification of the company's Document of Compliance after 1 January 2021.
IMO also published its Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3), which reference further frameworks and standards: NIST CSF; ISO/IEC 27001; the Guidelines on Cyber Security Onboard Ships, produced and supported by ICS, IUMI, BIMCO, OCIMF, INTERTANKO, INTERCARGO, InterManager, WSC and SYBAss; the IAPH "Cybersecurity Guidelines for Ports and Port Facilities"; and others.
Besides international regulations, national and local directives exist that drill down to a certain level of technical implementation of safeguards and countermeasures.
TP-26. Monitor the availability of port systems and devices in real time, where technically feasible.
TP-27. Set up a logging system that records events related, at least, to user authentication, management of accounts and access rights, modifications to security rules, and the functioning of the port systems.
TP-28. Set up log correlation and analysis systems to detect events and contribute to cybersecurity incident detection.
The document also covers OT systems in all of the security measures it defines to protect maritime control systems and networks.
For the U.S., there is the Maritime Cybersecurity Assessment & Annex Guide (MCAAG) from the U.S. Coast Guard, which helps Maritime Transportation Security Act (MTSA)-regulated facilities and other Marine Transportation System (MTS) stakeholders address cybersecurity risks.
It is NIST CSF-based and gives direct guidance in its section C.13, Security Measures for Monitoring:
Apply the DE.CM (Detect: Security Continuous Monitoring) baseline controls (DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-4, DE.CM-5, DE.CM-7, DE.CM-8) to ensure that information systems and assets are monitored to identify cybersecurity events.
Implement PR.PT-1 to establish processes and procedures that ensure audit logs are enabled and that access logs are reviewed.
Ensure that all facility systems and networking devices have audit logging enabled.
The complexity and diversity of port infrastructure make log collection and management a challenge.
The various IT and OT log sources that have to be fed into the security-event pipeline each call for different techniques to acquire the data, transform it into a common schema, and forward it to a security analysis platform such as a SIEM.
Many of those systems, especially legacy ones, offer no trivial integration options and are not supported by the security platform vendor's collectors; in practice this means tailing flat files or serial output, reconciling inconsistent timestamps and time sources, and collecting in one direction only so that the monitoring path cannot be used to reach the control network.
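The following Python example, added here and not taken from any port, regulator or vendor, shows the kind of normalisation and correlation that TP-27 and TP-28 ask for across exactly this mix of sources: an RFC 3164 syslog feed from a Linux terminal-operating-system host, a legacy OT controller that only writes a pipe-delimited flat file, and a CSV export of Windows Security events. All log lines are constructed; the host names, user names and addresses are made up, and the OT flat-file layout and the CSV column layout are hypothetical stand-ins for whatever a real controller or export produces. Every source is mapped to one event schema, serialised as NDJSON for forwarding, and then a single correlation rule flags a successful login preceded by repeated failures from the same address, even when those failures were spread over IT and OT systems.

```python
"""Normalise heterogeneous IT/OT port logs into one schema and correlate them.

Added illustration; all sample data is constructed and the OT and Windows
export formats are hypothetical.
"""
import csv
import io
import json
import re
from collections import defaultdict
from dataclasses import dataclass, asdict
from datetime import datetime
from typing import Dict, List

ASSUMED_YEAR = 2024  # RFC 3164 syslog carries no year; assumed for the sample

# Constructed syslog lines from a (made-up) Linux TOS application host.
SAMPLE_SYSLOG = """\
Mar 12 08:15:01 tos-app01 sshd[2201]: Failed password for jsmith from 10.20.5.14 port 50211 ssh2
Mar 12 08:15:09 tos-app01 sshd[2201]: Failed password for invalid user admin from 10.20.5.14 port 50212 ssh2
Mar 12 08:15:40 tos-app01 useradd[2290]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
"""
# Hypothetical pipe-delimited flat file written by a legacy crane controller.
SAMPLE_OT = """\
2024-03-12 08:15:20|CRANE-PLC-03|LOGIN|operator7|FAIL|10.20.5.14
2024-03-12 08:15:33|CRANE-PLC-03|HEARTBEAT|-|OK|-
"""
# Hypothetical CSV export of Windows Security events (column layout assumed).
SAMPLE_WINDOWS = """\
TimeCreated,Computer,EventID,TargetUser,IpAddress
2024-03-12T08:15:55,TOS-DC01,4624,jsmith,10.20.5.14
2024-03-12T08:16:10,TOS-DC01,4720,contractor9,-
"""


@dataclass
class Event:
    """Common schema every source is mapped to before forwarding to the SIEM."""
    ts: datetime
    host: str
    source: str       # syslog | ot_flatfile | windows_csv
    event_type: str   # auth_failure | auth_success | account_change | availability
    user: str
    src_ip: str
    raw: str


SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<app>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSHD_RE = re.compile(r"^(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
USERADD_RE = re.compile(r"^new user: name=(?P<user>[^,]+)")
# Windows Security event IDs of interest: logon success/failure, user created, group member added.
WIN_EVENT_TYPES = {"4624": "auth_success", "4625": "auth_failure",
                   "4720": "account_change", "4728": "account_change"}


def parse_syslog(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # in production: count and forward unparsed lines as raw
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["app"] == "sshd" and (s := SSHD_RE.match(m["msg"])):
            etype = "auth_failure" if s["result"] == "Failed" else "auth_success"
            events.append(Event(ts, m["host"], "syslog", etype, s["user"], s["ip"], line))
        elif m["app"] == "useradd" and (u := USERADD_RE.match(m["msg"])):
            events.append(Event(ts, m["host"], "syslog", "account_change", u["user"], "-", line))
    return events


def parse_ot_flatfile(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        try:
            ts, host, action, user, result, ip = line.split("|")
        except ValueError:
            continue  # malformed line from the controller
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if action == "LOGIN":
            etype = "auth_success" if result == "OK" else "auth_failure"
        elif action == "HEARTBEAT":
            etype = "availability"  # feeds the TP-26 availability view
        else:
            continue
        events.append(Event(when, host, "ot_flatfile", etype, user, ip, line))
    return events


def parse_windows_csv(text: str) -> List[Event]:
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        etype = WIN_EVENT_TYPES.get(row["EventID"])
        if etype is None:
            continue
        events.append(Event(datetime.fromisoformat(row["TimeCreated"]), row["Computer"],
                            "windows_csv", etype, row["TargetUser"], row["IpAddress"],
                            ",".join(row.values())))
    return events


def collect_all() -> List[Event]:
    """Gather every source into one time-ordered stream."""
    events = parse_syslog(SAMPLE_SYSLOG) + parse_ot_flatfile(SAMPLE_OT) + parse_windows_csv(SAMPLE_WINDOWS)
    return sorted(events, key=lambda e: e.ts)


def to_ndjson(events: List[Event]) -> str:
    """One JSON object per line, the shape most SIEM file/HTTP collectors accept."""
    return "\n".join(json.dumps({**asdict(e), "ts": e.ts.isoformat()}) for e in events)


def correlate(events: List[Event], threshold: int = 3, window_s: int = 60) -> List[Dict]:
    """Flag a successful login preceded by >= threshold failures from the same
    source address within window_s seconds, regardless of which system logged them."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.event_type in ("auth_failure", "auth_success") and e.src_ip != "-":
            by_ip[e.src_ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if e.event_type != "auth_success":
                continue
            fails = [f for f in evs[:i] if f.event_type == "auth_failure"
                     and (e.ts - f.ts).total_seconds() <= window_s]
            if len(fails) >= threshold:
                alerts.append({"src_ip": ip, "failures": len(fails),
                               "sources": sorted({f.source for f in fails}),
                               "hosts": sorted({f.host for f in fails}),
                               "success_user": e.user, "success_host": e.host,
                               "at": e.ts.isoformat()})
    return alerts


if __name__ == "__main__":
    evs = collect_all()
    print(to_ndjson(evs))
    for alert in correlate(evs):
        print("ALERT", alert)
```

Run as-is, the script emits seven normalised events and one alert: two failed SSH logins on the Linux host and one failed operator login on the crane controller, all from 10.20.5.14 within a minute, followed by a successful Windows logon from the same address. No single source would have crossed the threshold on its own, which is the point of TP-28: the failures only become a detection once the OT flat file and the IT feeds share a schema and a clock. The constant ASSUMED_YEAR is a reminder that reconciling timestamps (missing year, local versus UTC, drifting controller clocks) is part of the transform step, not an afterthought.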