1. Network and information security – EU

The EU proposes under the 2013 EU Cybersecurity Strategy, to establish the Network and Information Services (NIS) Directive. This has moved a step closer with the EU Council of Ministers agreeing to rules which will:

  • Improve cybersecurity capabilities in member states.
  • Improve member states’ co-operation on cybersecurity issues.
  • Require operators of essential services in the energy, transport, banking and healthcare sectors, and providers of key digital services (e.g. search engines and cloud computing), to take appropriate security measures and report incidents to national authorities.

Following the political agreement, formal approval of the text will be required from the European Parliament and Council. After that it will be published in the EU Official Journal and will officially enter into force.

Member states will have 21 months to implement this Directive into national legislation and a further six months to identify operators of essential services.

Businesses with an important role for society and the economy, referred to in the Directive as ‘operators of essential services’, will have to take appropriate security measures and notify the relevant national authorities of ‘serious’ incidents.

Included in the definition of ‘operators of essential services’ is the oil and gas industry which is described in Annex II of the EU proposal document as comprising the following:

  • Oil
    • Operator of oil transmission pipelines.
    • Operators of oil production, refining and treatment facilities, storage and transmission.
  • Gas
    • Supply undertakings as defined in Article 2(8) of Directive 2009/73/EC.
    • Distribution system operators as defined in Article 2(6) of Directive 2009/73/EC.
    • Transmission system operators as defined in Article 2(4) of Directive 2009/73/EC.
    • Storage system operators as defined in Article 2(10) of Directive 2009/73/EC.
    • LNG system operator as defined in Article 2(12) of Directive 2009/73/EC.
    • Natural gas undertaking as defined in Article 2(1) of Directive 2009/73/EC.
    • Operator of natural gas refining and treatment facilities.

2. Cybersecurity guidance – American Bureau of Shipping (ABS)

Members will wish to be aware that further new guidance and advice on cybersecurity measures for marine and offshore operations has been published by the ABS under the title Guidance Notes on the Application of Cybersecurity Principles to Marine and Offshore Operations.

The purpose of this document is to ‘provide cybersecurity best practices and recommendations to marine and offshore organisations and they are intended to enable members of the marine and offshore communities to take verifiable steps to protect an asset, its cyber-connected systems, its personnel, and its information from cyber intrusions’.

Further details are available on the ABS website.
3. Information technology security standards – British Standards Institute (BSI)

BSI has published two new standards documents on the subject of information technology security.

The first is BS ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements. It is designed to ‘provide requirements for establishing, implementing, maintaining and continually improving an information security management system’. An information security management system should aim to preserve ‘the confidentiality, integrity and availability of information by applying risk management process and to give confidence to interested parties that risks are adequately managed’.

This document supports the information and guidance contained in ISO/IEC 27000 Information technology – Security techniques – Information security management systems – Overview and vocabulary.

The second document is BS ISO/IEC 27013:2015 Information technology – Security techniques – Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1, which deals with the relationship between information security management and service management.

The aim of this document is to improve the credibility of an effective and secure service, reduce costs through the efficiencies of integration, speed up implementation, and improve communication and understanding between personnel.

Further details can be found at the BSI or ISO websites.