On Wednesday 17 August, the UK Government issued cyber security guidance for ports.
The Code of Practice was commissioned by the Department for Transport and developed by the Institute of Engineering & Technology, and outlines cyber security requirements at ports and port facilities. The Code of Practice should be used as part of an organisation's overall risk management system, to ensure that the cyber security of port systems is managed both cost effectively and as part of mainstream business.
The guidance makes clear that cyber security is not just about preventing hackers gaining access to systems and information. It also addresses the integrity and availability of information and systems, ensuring business continuity and the continuing utility of cyber assets.
The guidance outlines the following areas.
Motivations behind a cyber attack
Introduces five broad categories of 'threat actor':
- espionage – seeking to breach systems for state or commercial purposes;
- activist groups – seeking publicity or creating pressure on behalf of a specific objective or cause;
- criminal – largely driven by financial gain;
- terrorism – seeking to instil fear and cause physical and economic disruption; and
- warfare – conflict between nation states, where the aim is disruption of transport systems/infrastructure.
Developing a cyber security assessment (CSA)
Outlines the steps to performing a cyber security assessment (CSA). These are as follows:
- evaluating important assets, and the external infrastructure upon which they depend;
- identifying the business processes using the assets and infrastructure, to assess their criticality;
- assessing the risks arising from possible threats to the assets, understanding the vulnerabilities and estimating the likelihood of their occurrence;
- identifying and assessing countermeasures; and
- agreeing whether the residual risk is acceptable (or addressing any deficiency considered unacceptable).
Developing a cyber security plan (CSP)
Introduces the concept of a cyber security plan (CSP). The description of the CSP includes:
- contents – the contents of the plan should align to the CSA, and should drive policies, processes and procedures;
- review requirements – the CSP should include a suitable mechanism for performing periodic, at least annual, reviews of the CSP to verify that it remains fit for purpose;
- monitoring and audit requirements – the CSP should set out the auditing measures that will take place across the port assets.
This section also outlines the importance of:
- the compliance of the port supply chain with the security policies, processes and procedures specified in the CSP;
- identifying the individual(s) responsible for cyber security at the port and port facilities (the cyber security officer (CSO));
- establishing a port security committee (PSC) and a security operations centre (SOC);
- arrangements for providing information to third parties; and
- arrangements for managing security incidents or breaches.
While the structure being offered in this guidance is not necessarily new, it is refreshing to see it brought together in a maritime context. The specific measures being recommended, including performing a cyber security assessment, developing a cyber security plan and including the supply chain on a risk basis, are important. Allocating suitably skilled people to the role of cyber security officer (CSO) will be key.
Moore Stephens has extensive experience in both the maritime industry and in security management. We can help you with your cyber security assessment, your independent audit of security measures, and your assessment and audit of security measures throughout your supply chain. We can also help you implement security policies and procedures or act as cyber security officer on your behalf while you build your own internal capability.
Please contact Steve Williams for more information.