challenges faced by the maritime industry:

- Business continuity disruption due to breaches
- Lack of comprehensive response plans
- Growing reliance on automation
- Insufficient awareness
- Vulnerabilities in cloud computing
- Rise in phishing and social engineering attacks
- Internal threats and attacks

Controlling both information technology (IT) and operational technology (OT) systems is critical to fortifying cybersecurity. Various systems within the small passenger vessel sector are susceptible to cyber threats, including bridge systems, access control systems, passenger servicing and management systems, and communication systems. Below I have outlined ten steps an organization can take to improve its cybersecurity posture.

THE TEN STEPS TO ENHANCE MARITIME CYBERSECURITY

When addressing the cybersecurity of assets, organizations must consider the security of the information and of the asset on which it is stored. Controlling both IT and OT systems is critical to fortifying cybersecurity. Additionally, they must consider the confidentiality, integrity, and availability of information and how each of these three aspects may be compromised.

Step 1: Leadership Commitment

Leadership must drive the need for cybersecurity to be baked in and not buttoned on. They need to engage the workforce to contribute to the system. To do this they can:

- Appoint a cybersecurity manager to ensure accountability and garner buy-in.
- Make cybersecurity integral to business processes and consider risks versus rewards.

Step 2: Use a System Framework

Employ the PDCA cycle (plan, do, check, act) as the foundation for a robust cybersecurity approach. This is also the approach prescribed by the PVA SMS framework.

- Develop and regularly update cybersecurity policies, aligning them with organizational needs and changes in the threat landscape.
- Identify clear roles and responsibilities for all concerned with the cybersecurity aspects of the SMS.

Step 3: Contextualize Risk

- Consider the broader context of operations, trade patterns, technology, and legislative factors.
- Identify stakeholders, online networks, assets, critical components, and business-sensitive information.

Step 4: Risk Assessment (3D Framework)

Leaving hazards as uncertainty is a drawback. It is the responsibility of leadership to convert uncertainty into risks in the context of the organization and then prioritize those risks.

- Organizations must assess probability, severity, and detection likelihood.
- Prioritize risks considering the confidentiality, integrity, and availability of information.

Step 5: Build Controls into Processes

Controls can be split into various categories, including administrative, physical, human, and technological. In some cases one control may suffice, but for the most part a combination of controls will need to be implemented.

Identified controls should be implemented based on the feasibility rule: while a control may look good on paper, how easy is it to implement? Information security should be a part of all that the organization does, not an add-on. This includes:

- Implementing technical security controls such as firewalls and intrusion detection systems.
- Adopting a layered security approach (defense in depth) to mitigate various threats effectively. This entails creating multiple barriers to prevent unauthorized access to information, e.g. physical barriers, passwords, firewalls, VPNs, etc.

23 DECEMBER 2023
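The following is an added worked example of the Step 4 three-dimension assessment (probability, severity, detection likelihood) and its confidentiality, integrity and availability prioritization; it is not code from the article or from the PVA SMS framework. It assumes conventions the article does not state: each dimension is rated on a 1-5 scale, the three ratings are multiplied into one priority number (the FMEA "risk priority number" convention), and a hazard with any dimension left unrated is reported as unresolved uncertainty rather than silently dropped or given a default score, which is the point the step makes about not leaving hazards as uncertainty. The assets, threats and ratings are constructed sample data, not findings from any real vessel.

```python
"""Risk register scoring for a three-dimension (probability, severity,
detection) assessment. Added example; assumed 1-5 scales and multiplicative
scoring, with constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCALE_MIN, SCALE_MAX = 1, 5  # assumed rating scale for every dimension


@dataclass
class Hazard:
    asset: str                   # IT or OT system at risk
    threat: str                  # what could go wrong
    probability: Optional[int]   # 1 = rare ... 5 = almost certain
    severity: Optional[int]      # 1 = negligible ... 5 = loss of vessel or business
    detection: Optional[int]     # 1 = detected at once ... 5 = likely to go unnoticed
    cia: Tuple[str, ...]         # which of C, I, A the threat compromises


def check_rating(name: str, value: int) -> int:
    """Reject ratings outside the assumed 1-5 scale instead of scoring them."""
    if not (SCALE_MIN <= value <= SCALE_MAX):
        raise ValueError(f"{name} rating {value} is outside {SCALE_MIN}-{SCALE_MAX}")
    return value


def is_scored(h: Hazard) -> bool:
    """True only when all three dimensions have been rated."""
    return None not in (h.probability, h.severity, h.detection)


def risk_score(h: Hazard) -> int:
    """Probability x severity x detection difficulty: 1 (lowest) to 125 (highest)."""
    if not is_scored(h):
        raise ValueError(f"{h.asset}: cannot score a hazard with an unrated dimension")
    p = check_rating("probability", h.probability)
    s = check_rating("severity", h.severity)
    d = check_rating("detection", h.detection)
    return p * s * d


def prioritize(hazards: List[Hazard]) -> Tuple[List[Hazard], List[Hazard]]:
    """Split hazards into a ranked list and the unrated remainder.

    Ranking: higher score first; at equal score the hazard that compromises
    more of confidentiality, integrity and availability comes first. Unrated
    hazards are returned separately so leadership must resolve them.
    """
    scored = [h for h in hazards if is_scored(h)]
    unscored = [h for h in hazards if not is_scored(h)]
    ranked = sorted(scored, key=lambda h: (risk_score(h), len(h.cia)), reverse=True)
    return ranked, unscored


# Constructed sample register covering the system types the article names.
SAMPLE_REGISTER = [
    Hazard("Bridge ECDIS", "Malware introduced via USB chart update", 2, 5, 4, ("I", "A")),
    Hazard("Crew Wi-Fi access control", "Shared password still known to former crew", 4, 3, 3, ("C", "I")),
    Hazard("Passenger booking system", "Phishing of office staff credentials", 4, 3, 2, ("C",)),
    Hazard("Satellite communications", "Vendor default login left enabled", 2, 4, 5, ("A",)),
    Hazard("Shore-side cloud backup", "Storage access policy never reviewed", 3, 4, None, ("C",)),
]


def main() -> None:
    ranked, unscored = prioritize(SAMPLE_REGISTER)
    print("score  CIA  asset: threat")
    for h in ranked:
        print(f"{risk_score(h):5d}  {''.join(h.cia):3}  {h.asset}: {h.threat}")
    for h in unscored:
        print(f"    ?  {''.join(h.cia):3}  {h.asset}: {h.threat} (rate detection before accepting)")


if __name__ == "__main__":
    main()
```

Two hazards tie at a score of 40; the ECDIS hazard ranks above the satellite communications hazard because it compromises two of the three properties rather than one. The cloud backup hazard never enters the ranking until its detection likelihood is rated, which is the "convert uncertainty into risk" step made explicit.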