Proposed US National Maritime Cybersecurity Plan – Implications

Imperatives of Maritime Cybersecurity 

    In the wake of the contemporary geopolitical environment, the question of maritime security has gained prominence. One of the important tenets of maritime security is cyber security. The US has moved up a few notches in this field through its recent steps. Its relevance is not lost to the security analysts. A look at India’s maritime strategy suggests that it is underpinned by an emphasis on maritime diplomacy and expanding naval capability. While India is adopting a multidimensional approach for maritime security, it has yet to formulate a maritime cybersecurity readiness plan to secure Critical Information Infrastructures (CIIs) in the maritime sector. Since mid-2017 ransomware attack against shipping giant – A.P. Moller- Maersk – causing congestion in about 76 ports around the world including JNPT in India, cyber-attacks in the maritime sector are increasing at an alarming rate. The International Maritime Organisation (IMO) stated that cyber risks should be addressed appropriately in the safety management systems under the ISM Code by January 2021. 

    Given the fact that China is using cyber-attacks as a significant tool in advancing Chinese interests in Indo-Pacific, it is imperative for India to adopt a maritime cybersecurity strategy. In this regard, the proposed National Cybersecurity Strategy (NCSS) provides an appropriate opportunity. It may be noted that the US is in the process of the updating Cybersecurity Strategy with a National Maritime Cybersecurity Plan (NMCSP). The proposed NMCSP plan could be useful in this regard. In this context, a critical assessment of the US National Maritime Cybersecurity Plan (NMCSP) assumes relevance. 

US Maritime Cyber Strategy 

   The US Cyber Security Strategy (2018) identifies maritime cybersecurity as a priority area. It also recognises that maritime cyber security requires international cooperation between the public and private sectors. It indicates that the US will move quickly to clarify maritime cybersecurity roles and responsibilities; promote enhanced mechanisms for international coordination and information sharing, and accelerate the development of next-generation cyber-resilient maritime infrastructure. In pursuance of this, the US National Security Council is working to update the US government’s approach to its maritime cybersecurity strategy in coming months. 

   The proposed National Maritime Cybersecurity Plan (NMCSP) aims to enhance the maritime cybersecurity preparedness by identifying port vulnerabilities, developing suitable mitigation measures, establishing global maritime information sharing arrangement and capacity building of US maritime cyber agency. 

Main Pillars 

   The proposed NMCSP Plan has four main pillars. One, developing NIST Port Operational Technology Cyber Security Framework through collaboration with various stakeholders including international community and agencies; Second, setting up a Maritime Information Sharing and Analysis Centre (MISAC) to strengthen situational awareness about cyber threats between global maritime transport stakeholders, including major ports and other maritime operators; third, Assessing Vulnerabilities in Port Equipment through operational technology equipment evaluations to be facilitated by US Department of Homeland Security (DHS). Fourth, capacity building and skill development of US Coast Guards concerning the use of operational technologies in the port and overall maritime environment.   

Assessing the proposed National Maritime Cybersecurity Plan (NMCSP)

   The US Cyber Security Strategy, taking into account the changing geostrategic landscape in the light of rapid advancements in ICT technology, identifies maritime cybersecurity as a priority area of concern. Building on this, proposed National Maritime Cybersecurity Plan (NMCSP) has been formulated to address port infrastructure vulnerabilities, especially lack of separation between information technology and operational technology systems, which have the potential to cause significant cascading supply chain effects. 

Given the international character of the maritime sector and existing lack of cybersecurity standards in operational technology, equipment and networks; the NMCSP proposes for information sharing among major ports across the world and to develop NIST operational technology cybersecurity framework.

   Given the fact that the shipping sector plays a pivotal role in global trade and commerce, international outreach is essential to strengthening maritime security. In this respect, international cooperation proposed in the NMCSP Plan will be useful in timely detection and rapid response to cyber-attacks in the maritime sector and to improve the cyber resilience of global port infrastructures. However, a proposal for setting up a Maritime Information Sharing and Analysis Center (MISAC) on the lines of sectoral ISAC model as practised in the US may lead to creating multiple cyber agencies and fragmentation of information-sharing arrangements. This may be avoided by entrusting information sharing tasks to the existing framework of the computer emergency response teams (CERTs). It may be noted that CERT-to-CERT arrangements are now the most widely used network for information sharing on cyber security incidents among national CERTs of various countries. United Nation Group of Governmental Experts (UNGGE) recognises CERTs cooperation as one of the important Confidence Building Measures (CBMs) for ensuring a safe, secure and stable cyberspace.   

Implications on India’s Maritime Cyber Security Preparedness  

   The maritime sector has been identified as one of the critical information infrastructures under the of the Information Technology (IT) Act, 2000.  Section 70 of the IT Act provides that Critical Information Infrastructure (CII) means the computer resource, the incapacitation or destruction of which, shall have a debilitating impact on national security, economy, public health or safety. 

   National Critical Information Infrastructure Protection Centre (NCIIPC) has been notified as  the nodal agency for CII protection under Section 70A of the IT Act. NCIIPC has issued Guidelines for the Protection of National Critical Information Infrastructure (2015). NCIIPC guidelines enlist forty controls and corresponding guiding principles for the protection of CIIs. While these control measures and guiding principles are useful in disseminating cyber security awareness among CII stakeholders in general, the NCIIPC guidelines lack the sector-specific implementation plan. Further, maritime cyber security is a relatively new area of emphasis, among the CIIs and thus there is a need for a focussed and nuanced approach for enhancing maritime cyber security. 

   In this context, the US National Maritime Cybersecurity Plan (NMCSP) could be used to develop a foundation to identify the vulnerabilities of major port infrastructures in India and to develop suitable mitigation measures. It also provides a template for skill development and capacity building in cyber security amongst maritime stakeholders, including training for handling IT and operational technologies in the shipping industry. Government maritime agencies such as the Naval forces and the Coast Guards also need to be trained in dealing with cyber attacks and secure communication technologies. Further, the public-private partnership (PPP) model would be useful in cyber capacity building in the maritime sector. Expertise in the private sector could also be leveraged to play a meaningful and effective role in the development of the OT security standards, in consonance with the NIST cybersecurity framework for the maritime sector.