Maritime Executive produced an interesting article which references some great work by Marie Larsen from the Norwegian University of Science and Technology, around the perception of cyber risk in the maritime domain. I feel that the Maritime Executive title of "Maritime Cyber Security Starts With The Crew" is inappropriate, as the technical controls should be such that the crew should not be exposed to 95% of the threats.
They could start by building a governance wrap around the IMO cyber guidelines, calculating system criticality and risk to ensure that the protection afforded is appropriate, prioritised and within their financial constraints. Yes, the crew play a pivotal role; however, their judgement should be the last line of defence and not the first.
We frequently see the IMO cyber guidelines being misinterpreted by well-meaning companies who are evidently not experts in cyber but understand Information Technology. In one recent example, the term "threat" was confused with "vulnerability" in a management company cyber security assessment (CSA). As a result of this subtle difference, vulnerabilities were not addressed on the vessel, leaving the vessel exposed. Moreover, their assessment also overlooked the need for monitoring.
Fortunately, the Flag State auditors are in the same boat (pun intended) and their lack of cyber understanding means that they don't understand the answers provided to their own questionnaires.
Summary
The perception of cyber security in the maritime sector is in need of improvement across the board and not just within the crew. In fact, with a robust governance model, not only will the ship be protected, but the model should also include training for the crew and for those responsible for creating the necessary documentation.
External Links
Better Cybersecurity at Sea Starts With the Crew
FHS Brage: Cyber Risk Perception in the Maritime Domain: A Systematic Literature Review