Why the maritime industry must get on board with the NIS Directive
13 December 2018
While it may often appear to be plain sailing for the maritime industry, just under the surface lies a range of technologies that are changing the course of the sector. But with these changes comes an increased threat of cyber attacks. Global maritime cyber incidents are growing in frequency and magnitude, and we’ve seen the number of publicly reported incidents triple over the past three years. To counter this rise, sector-specific legislation targeting cyber security is increasingly being introduced, such as the Network and Information Security (NIS) Directive.
What is the NIS Directive?
The Network and Information Security (NIS) Directive is a new piece of European Union legislation which was transposed into UK law on 10th May 2018. The NIS Directive is the first EU attempt to legislate cyber security, and it applies to all EU member states.
In scope of this legislation are organisations in vital sectors that rely heavily on information networks; these are referred to as Operators of Essential Services (OES). Examples of organisations considered as OES are those in energy, utilities, transport, maritime, digital service providers and the health industry.
Regulatory responsibility for the NIS Directive resides with sector-specific bodies known as competent authorities (CA). In the UK, the CA for the maritime sector is the Department for Transport (DfT). The CA is primarily responsible for enforcing the NIS Directive, but is also the point of contact for OESs to notify incidents that fall within the scope of the legislation.
Whilst there is an expectation that the CAs for each country will aim for a collaborative relationship with OES organisations, fines of up to £17 million could be levied on organisations that do not comply. Also worth noting is the potential damage to business reputation that may be caused by non-compliance.
What are the objectives of the NIS Directive, and how will it help the Maritime sector?
The NIS Directive aims to improve national cyber security capabilities, to increase cooperation between EU member states, and to require OESs to take appropriate and proportionate cyber security measures. This will be assessed through the achievement of 14 outcome-based principles defined by the Directive, which will lead organisations to accomplish good practice in cyber security. Because the NIS Directive does not define a set of prescriptive rules that must be adhered to, organisations need to take informed and balanced risk decisions to achieve the outcomes specified by the principles. This should result in a defensible cyber risk management programme covering the systems operated by the organisation that support the essential service. Within the maritime sector this will include operational technology, critical systems security and safety elements. To be successful, the output of the programme will need to be embedded within organisational governance structures and become part of standard operating procedures.
Which parts of the Maritime sector are affected by the legislation?
Maritime, as ‘an operator of essential services’, is in the front line. The maritime sector OESs are defined as shipping companies, harbour authorities, port facilities and vessel traffic services. The NIS Directive prescribes thresholds for all four types of maritime OESs, with a few examples outlined below:
- The tonnage of freight a shipping company handles annually at UK ports, and the percentage of annual UK passenger numbers it transports into UK ports
- The number of passengers handled annually by a harbour authority in the UK
- The number of passengers handled annually by a port facility in the UK
- The number of passengers handled annually by an operator of vessel traffic services
What are the potential consequences of a cyber attack in Maritime?
The UK government considers maritime cyber attacks a significant threat, one which can cost companies millions of pounds. In June 2017 the first recorded cyber attack hit the industry, caused by the NotPetya malware, which affected the IT systems of a large shipping organisation and led to significant financial losses. Although this was the first recorded attack of this scale, trends suggest that it is unlikely to be the last.
Shipping vessels which use network and information systems for navigation, propulsion, and cargo functions are also at risk. Research by the Liberian Registry (LISCR) states that 40% of crew members reported they had been aboard a vessel infected with malware, while 90% of staff reported that they had not been trained in cyber security.
The range of technology used within vessels is likely to vary depending upon how long the vessel has been in service. Some vessels may be over three decades old and are therefore likely to operate systems that are no longer supported by their vendors. Whilst older systems may contain security vulnerabilities, exploiting them would be more difficult, as this would require physical access on board the vessel. But vessels operating state-of-the-art network and information systems, which can be accessed remotely without the need for physical access, may also be vulnerable.
What should organisations be doing in response to the legislation?
In the UK, as preparation for the NIS legislation, the Department for Transport will require each OES to establish an incident reporting mechanism, complete a self-assessment and clearly set out its journey to full compliance. Enforcement is therefore likely to take place shortly after, towards the end of 2019.
The following key steps should be considered by each OES in order to begin the journey towards compliance:
- Get on the front foot: Engage with the board and senior stakeholders, as well as your national regulator. The regulators of each European nation want to establish a collaborative approach to implementing the guidance. Each organisation may already have controls in place that the regulator may enshrine in sector guidelines.
- Establish an incident notification process: This is a fundamental aspect of the NIS Directive, requiring each OES to notify the respective CA of any reportable incidents. A clear understanding of what type of incident is reportable and the process for reporting must be established, documented, and effectively communicated across the organisation.
- Understand your level of compliance: This should be informed through discussions with key stakeholders within the organisation, and with those possessing the technical expertise to understand both maritime technology and the sector-specific security guidelines. Discussions will require a detailed understanding of the systems that support the operation of the essential service, and of the consequences that a loss of those systems would cause.
- Understand the risk of existing gaps: The security threats faced by each sector will vary significantly and therefore so will the security countermeasures required to defend against these threats. Whilst the guidance provided for achieving each principle is valuable for understanding what is expected, it may not be appropriate for all sectors, or for all systems within a sector. If an OES can clearly demonstrate the rationale for not implementing certain recommendations, and that this position does not constitute a significant cyber security risk, then this may be considered an acceptable position. However, this can only be supported through the creation of a well-defined and defensible risk management programme.
- Get support: Seek guidance and support from cyber security experts on how to effectively implement the NIS Directive within your organisation.