Developing a maritime cyber safety culture: Improving safety of operations

Authors

  • Rory Hopcraft CyberSHIP Lab, Faculty of Science and Engineering, University of Plymouth, UK
  • Kimberly Tam CyberSHIP Lab, Faculty of Science and Engineering, University of Plymouth, UK
  • Juan Dorje Palbar Misas CyberSHIP Lab, Faculty of Science and Engineering, University of Plymouth, UK
  • Kemedi Moara-Nkwe CyberSHIP Lab, Faculty of Science and Engineering, University of Plymouth, UK
  • Kevin Jones CyberSHIP Lab, Faculty of Science and Engineering, University of Plymouth, UK

DOI:

https://doi.org/10.33175/mtr.2023.258750

Keywords:

Cybersecurity, Safety culture, Risk management, Cyber risk

Abstract

A rise in catastrophic loss-of-life events as a result of poor safety management (e.g., the capsizing of the Herald of Free Enterprise and the Costa Concordia) has driven the maritime sector to improve its safety management practices. This paper will explore the vital role of the human element within safety management, and why, as part of that safety management, organizations must foster a safety culture. This development must be achieved if organizations are to make a significant step forward in preventing similar catastrophes in the future. It is important to note that the development of safety cultures is not new to the maritime sector. However, the increase in connected systems within the sector (e.g., satellite communications) means these safety cultures must now consider the new, or altered, risks posed by digital systems. Therefore, the paper, through a high-level literature review, will consider what the core elements of a cyber safety culture are, and how an organization can nurture its development, both internally and across the wider sector. The paper will discuss the various benefits of developing a robust cyber safety culture, including demonstrable compliance with the International Maritime Organization’s (IMO) cyber regulation, Resolution MSC.428(98). The paper will conclude by arguing that the development of a cyber safety culture is not going to remove all risk completely, but rather will allow organizations to be better prepared for when incidents do occur.

Highlights

  • This paper argues that managing maritime cyber risks is not easy. However, through the inclusion of cyber risk in an organisation's safety culture, operations can become more resilient to cyber incidents.
  • Safety cultures have been a mandated part of maritime risk management for many years. Through the ratification of the International Maritime Organization's Resolution MSC.428(98), cyber risks are now included within this remit.
  • This paper explores the benefits to an organisation of developing a cyber safety culture, including: demonstration of compliance, reduction in human risk, lower financial implications and potentially better insurance premiums.
  • The paper also discusses the practical implications of developing a cyber safety culture, and how exposure to these cultures early in a career can improve the safety of operations.

References

Alshaikh, M. (2020). Developing cybersecurity culture to influence employee behavior: A practice perspective. Computers & Security, 98, 1-10. https://doi.org/10.1016/j.cose.2020.102003

American Bureau of Shipping. (2014). Safety culture and leading indicators of safety. Retrieved from https://maritimesafetyinnovationlab.org/wp-content/uploads/2016/03/abs-safety-culture-and-leading-indicators-of-safety.pdf

American Bureau of Shipping. (2016). Ergonomic & safety discussion paper. Retrieved from https://ww2.eagle.org/content/dam/eagle/innovation-and-technology/safety-and-human-factors/Discussion-Paper-MSRI-Safety-Culture.pdf

American Bureau of Shipping. (2019). Annual review 2019. Retrieved from https://ww2.eagle.org/content/dam/eagle/publications/annual-review/ABS-Annual-Review-2019.pdf

Anderson, P. (2003). Cracking the code - The relevance of the ISM code and its Impacts on shipping practices. London: The Nautical Institute.

Ashford, W. (2019). NotPetya offers industry-wide lessons, says Maersk's tech chief. Retrieved from https://www.computerweekly.com/news/252464773/NotPetya-offers-industry-wide-lessons-says-Maersks-tech-chief

Barnett, M. L., & Pekcan, C. H. (2017). The human element in shipping (pp. 1-10). Encyclopedia of Maritime and Offshore Engineering: Wiley Online.

Baxter, G., & Sommerville, I. (2011). Socio-technical systems: From design methods to systems engineering. Interacting with Computers, 23(1), 4-17. https://doi.org/10.1016/j.intcom.2010.07.003

BBC. (2018). BA investigation into website hack reveals more victims. Retrieved from https://www.bbc.co.uk/news/technology-45953237

Berg, H. P. (2013). Human factors and safety culture in maritime safety. TransNav, 7(3), 343-353. https://doi.org/10.12716/1001.07.03.04

Bockmann, M. W. (2019). Seized UK tanker likely 'spoofed' by Iran. Retrieved from https://lloydslist.maritimeintelligence.informa.com/LL1128820/Seized-UK-tanker-likely-spoofed-by-Iran

Boletsis, C., Halvorsrud, R., Pickering, J. B., Phillips, S., & Surridge, M. (2021). Cybersecurity for SMEs: Introducing the human element into socio-technical cybersecurity risk assessment. In Proceedings of the 16th International Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications.

Bullée, J. W. H., Montoya, L., Pieters, W., Junger, M., & Hartel, P. H. (2015). The persuasion and security awareness experiment: Reducing the success of social engineering attacks. Journal of Experimental Criminology, 11(1), 97-115. https://doi.org/10.1007/s11292-014-9222-7

National Cyber Security Centre. (2020). Phishing - still a problem, despite all the work.

Clark, T. R. (2020). The 4 stages of psychological safety. Oakland: Berrett-Koehler Publishers.

Corrigan, S., Kay, A., Ryan, M., Ward, M. E., & Brazil, B. (2019). Human factors and safety culture: Challenges and opportunities for the port. Safety Science, 119, 252-265. https://doi.org/10.1016/j.ssci.2018.03.008

Department for Transport. (1987). Herald of Free Enterprise formal investigation. Retrieved from https://assets.publishing.service.gov.uk/media/54c1704ce5274a15b6000025/FormalInvestigation_HeraldofFreeEnterprise-MSA1894.pdf

Dickety, N., Collins, A., & Williamson, J. (2002). Analysis of accidents in the foundry industry. London: Crown Press.

Drouin, P. (2010). The building blocks of a safety culture. Seaways. Retrieved from http://www.safeship.ca/uploads/3/4/4/9/34499158/safety_culture_pauldrouin.pdf

Emery, F. E., & Trist, E. L. (1960). Socio-technical systems (pp. 83-97). In Churchman, C. W., & Verhulst, M. (Eds.). Management Science Models and Techniques (Vol. 2). Oxford: Pergamon.

European Union Agency for Network and Information Security. (2017). Cyber security culture in organisations. Retrieved from https://www.enisa.europa.eu/publications/cyber-security-culture-in-organisations

Fernandez-Salvador, C., Oney, R., Song, S. A., & Camacho, M. (2017). From nuclear submarines to graduate medical education: Applying David Marquet’s intent-based leadership model. Military Medical Research, 4(1), 31. https://doi.org/10.1186/s40779-017-0140-7

Glendon, A., & McKenna, E. (1995). Human safety and risk management. London: Chapman and Hall.

Golay, M. W. (2000). Improved nuclear power plant operations and safety through performance-based safety regulation. Journal of Hazardous Materials, 71(1-3), 219-237. https://doi.org/10.1016/s0304-3894(99)00080-1

Gordon, R., Perrin, E., & Kirwin, B. (2007). Measuring safety culture in a research and development centre: A comparison of two methods in the Air Traffic Management domain. Safety Science, 45(6), 669-695. http://dx.doi.org/10.1016/j.ssci.2007.04.004

Hambling, D. (2017). Ships fooled in GPS spoofing attack suggest Russian cyberweapon. Retrieved from https://www.newscientist.com/article/2143499-ships-fooled-in-gps-spoofing-attack-suggest-russian-cyberweapon

Health & Safety Laboratory. (2002). Safety culture: A review of the literature. Retrieved from https://www.hse.gov.uk/research/hsl_pdf/2002/hsl02-25.pdf

IHS Markit. (2020). Safety at sea and BIMCO cyber security white paper. Retrieved from https://ihsmarkit.com/Info/0819/cyber-security-survey.html

Information Commissioner's Office. (2020). Penalty notice - British Airways. Retrieved from https://ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf

International Association of Classification Societies. (2022a). E26 - Cyber resilience of ships. London: International Association of Classification Societies.

International Association of Classification Societies. (2022b). E27 - Cyber Resilience of on-board systems and equipment. London: International Association of Classification Societies.

International Atomic Energy Agency. (2020). Safety culture practices for the regulatory body. Retrieved from https://www-pub.iaea.org/MTCD/Publications/PDF

International Maritime Organization. (1988). Resolution A.596(15) - Safety of passenger Ro-Ro ferries. London: International Maritime Organization.

International Maritime Organization. (1989). Resolution A.647(16) - IMO guidelines on management for the safe operation of ships and pollution prevention. London: International Maritime Organization.

International Maritime Organization. (2003a). MSC.77/17 - Role of the human element. London: International Maritime Organization.

International Maritime Organization. (2003b). Resolution A.947(23) - Human element vision, principles and goals for the organization. London: International Maritime Organization.

International Maritime Organization. (2011). MEPC 62/17/2 - Human and organizational factors - The critical role of “Just Culture”. London: International Maritime Organization.

International Maritime Organization. (2014). The International Safety Management Code. London: International Maritime Organization.

International Maritime Organization. (2016). International Convention on Standards of Training, Certification and Watchkeeping. London: International Maritime Organization.

International Maritime Organization. (2017). Resolution MSC.428(98) maritime cyber risk management in safety management systems. London: International Maritime Organization.

International Maritime Organization. (2020). International convention for the safety of life at sea. London: International Maritime Organization.

International Maritime Organization. (2021). Maritime cyber risk. Retrieved from https://www.imo.org/en/OurWork/Security/Pages/Cyber-security.aspx

International Nuclear Safety Advisory Group. (1986). INSAG-1 - Summary report on the post-accident review meeting on the Chernobyl accident. Retrieved from https://www.iaea.org/publications/3598/summary-report-on-the-post-accident-review-meeting-on-the-chernobyl-accident

International Nuclear Safety Advisory Group. (1991). Safety series No.75-INSAG-4 - Safety culture. Retrieved from https://www-pub.iaea.org/MTCD/publications/PDF/Pub882_web.pdf

International Transport Forum. (2018). Safety management systems. Retrieved from https://www.itf-oecd.org/sites/default/files/docs/safety-management-systems.pdf

Jones, K. D., Tam, K., & Papadaki, M. (2016). Threats and impacts in maritime cyber security. Engineering & Technology Reference, 1, 1-11. https://doi.org/10.1049/etr.2015.0123

Kia, M., Stayan, E., & Ghotb, F. (2000). The importance of information technology in port terminal operations. International Journal of Physical Distribution & Logistics Management, 30(3/4), 331-344. https://doi.org/10.1108/09600030010326118

Kongsvik, T., Antonsen, S., & Størkersen, K. V. (2013). The relationship between regulation, safety management systems and safety culture in the maritime industry (pp. 467-473). In Steenbergen, R. D. J. M., van Gelder, P. H. A. J. M., Miraglia, S., & Vrouwenvelder, A. C. W. M. (Eds.). Safety, Reliability and Risk Analysis: Beyond the Horizon. London: Taylor & Francis Group.

Lloyd’s Register. (2021). Cyber safe for marine. Retrieved from https://www.lr.org/en-gb/cyber-safe-for-marine

Maritime & Coastguard Agency. (2004). Driving safety culture. Retrieved from https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/288336/rp521_final_report-4.pdf

Maritime & Coastguard Agency. (2015). MSN 1856 (M+F) UK requirements for master and deck officers. UK Government. Retrieved from https://www.gov.uk/government/publications/msn-1856-mf-uk-requirements-for-master-and-deck-officers

Marquet, D. (2015). Turn the ship around!: A true story of turning followers into leaders. London: Penguin.

May, P. J. (2007). Regulatory regimes and accountability. Regulation & Governance, 1(1), 8-26. https://doi.org/10.1111/j.1748-5991.2007.00002.x

Meshkat, L., Miller, R. L., Hillsgrove, C., & King, J. (2020). Behavior modeling for cybersecurity. In Proceedings of the 2020 Annual Reliability and Maintainability Symposium.

Møller-Mærsk, A. P. (2019). Cyber security in the maritime sector. In Proceedings of the International Maritime Organization. Maritime Safety Committee 101, London.

Nuclear Energy Institute. (2019). Chernobyl accident and its consequences. Retrieved from https://www.nei.org/resources/fact-sheets/chernobyl-accident-and-its-consequences#:~:text=Key%20Facts,design%2C%20combined%20with%20human%20error

Parker, D., Lawrie, M., & Hudson, P. (2006). A framework for understanding the development of organisational safety culture. Safety Science, 44, 551-562. https://doi.org/10.1016/j.ssci.2005.10.004

Pidgeon, N., & O'Leary, M. (2000). Man-made disasters: Why technology and organizations (sometimes) fail. Safety Science, 34(1), 15-30. https://doi.org/10.1016/S0925-7535(00)00004-7

Quezadra, R. D. L. (2016). Introduction to “Just Culture”. In Proceedings of the ATS Incident Analysis Workshop.

Räisänen, P. (2009). Influence of corporate top management to safety culture: A literature survey. Turku University of Applied Sciences. Retrieved from https://www.merikotka.fi/wp-content/uploads/2018/08/isbn9789522161048.pdf

Reason, J. (1997). Managing the risks of organisational accidents. Aldershot: Ashgate Publishing.

SANS Institute. (2016). Leveraging the human to break the cyber kill chain. Retrieved from https://www.sans.org/blog/leveraging-the-human-to-break-the-cyber-kill-chain

Singleton, W. T. (1973). Theoretical approaches to human error. Ergonomics, 16(6), 727-737. https://doi.org/10.1080/00140137308924563

Tam, K., & Jones, K. (2019). MaCRA: A model-based framework for maritime cyber-risk assessment. WMU Journal of Maritime Affairs, 18(1), 129-163. https://doi.org/10.1007/s13437-019-00162-2

Tam, K., Hopcraft, R., Crichton, T., & Jones, K. (2021). The potential mental health effects of remote control in an autonomous maritime world. Journal of International Maritime Safety, Environmental Affairs, and Shipping, 5(2), 51-66. https://doi.org/10.1080/25725084.2021.1922148

The Guardian. (2013). Five Costa Concordia staff convicted over shipwreck in Italy. Retrieved from https://www.theguardian.com/world/2013/jul/20/five-costa-concordia-guilty-shipwreck-italy

The Nautical Institute. (2020). 202063 - Assumptions can lead to bad outcomes. Retrieved from https://www.nautinst.org/resources-page/202063.html

Tischer, M., Durumeric, Z., Foster, S., Duan, S., Mori, A., Bursztein, E., & Bailey, M. (2016). Users really do plug in USB drives they find. In Proceedings of the 2016 IEEE Symposium on Security and Privacy.

United States Coast Guard. (2019a). MSIB 04-19 - Cyber adversaries targeting commercial vessels. United States Coast Guard. Retrieved from https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_004_19.pdf

United States Coast Guard. (2019b). MSIB 10-19 - Cyberattack impacts MTSA facility operations. United States Coast Guard. Retrieved from https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_10_19.pdf

United States Coast Guard. (2020). CVC-WI-027(1) - Vessel cyber risk management work instruction. Retrieved from https://www.dco.uscg.mil/Portals/9/CVC-WI-27%282%29.pdf

Veiga, A. D., Astakhova, L. V., Botha, A., & Herslemann, M. (2020). Defining organisational information security culture: Perspectives from academia and industry. Computers & Security, 92, 1-23. https://doi.org/10.1016/j.cose.2020.101713

Verizon. (2020). 2020 data breach investigations report. Retrieved from https://enterprise.verizon.com/content/verizonenterprise/us/en/index/resources/reports/2020-data-breach-investigations-report.pdf

Verizon. (2021). 2021 data breach investigations report. Retrieved from https://enterprise.verizon.com/content/verizonenterprise/us/en/index/resources/reports/2021-dbir-executive-brief.pdf

World Nuclear Association. (2021). Chernobyl accident 1986. Retrieved from https://www.world-nuclear.org/information-library/safety-and-security/safety-of-plants/chernobyl-accident.aspx

Zhang, H., Wiegmann, A., Thaden, T. L. V., Sharma, G., & Mitchell, A. A. (2002). Safety culture: A concept in chaos? In Proceedings of the 46th Annual Meeting of the Human Factors and Ergonomics Society, Santa Monica.

Published

2023-01-01

How to Cite

Hopcraft, R., Tam, K., Dorje Palbar Misas, J., Moara-Nkwe, K., & Jones, K. (2023). Developing a maritime cyber safety culture: Improving safety of operations. Maritime Technology and Research, 5(1), 258750. https://doi.org/10.33175/mtr.2023.258750