Marco (Marc) Ayala is a process automation professional with more than 25 years of experience working in petrochemical facilities where he designed, implemented, and maintained their process instrumentation, automation systems, and process control networks. Currently the director and ICS cybersecurity section lead at 1898 & Co. (part of Burns & McDonnell), Marco has expertise with safety systems, advanced process control, enterprise historians, and industrial network security where he worked with enterprise IT to implement a corporate PCN security solution. He is active in cybersecurity efforts for the oil and gas, maritime port, offshore facilities, and chemical sectors, working alongside federal, local, and state entities for securing the private sector.
Marco is very active in ISA and has been a member for about 20 years. He is now a senior member and a certified cyber instructor for ISA. He sits on the Safety and Security Division (SAFESEC) committee and is their liaison to the ISA Global Cybersecurity Alliance. He is also the membership chair of the Smart Manufacturing and IIoT Division (SMIIoT).
“Safety, security, and digitalization are all so important,” Marco says. “There’s just so much to do.”
His activities outside of ISA also dovetail with his drive to contribute in these areas. Marco is the Sector Chief for the Maritime Domain Cross Sector Council (CSC) with InfraGard. He is a member contributor of the AMSC Gulf of Mexico (GOM) cyber panel, as well as the chair of the cybersecurity subcommittee of AMSC. Marco served on the working group that developed the “Roadmap to Secure Control Systems in the Chemical Sector” in 2009.
ISA sat down with Marco recently to discuss the “big picture” view of maritime cybersecurity in 2021, the importance of a standards-based approach to cybersecurity, and the personal highlights of his day-to-day work.
ISA: Thanks for taking the time to chat today! What would you say are some of the biggest challenges surrounding cybersecurity in the maritime industry right now?
Marco Ayala: I think one of the biggest challenges right now is understanding—from an operational technology or automation standpoint—what you have as far as asset inventory, your operating systems, all the way down to every node that’s on your control system network. Many of our systems nowadays are Ethernet-based. With the drive to digitalization in the maritime industry, we are further increasing our connectivity to these systems. It’s not much of a headache, exactly, but it’s on a to-do list—asset owners need a good handle on what their operational technology systems are, and then they need to do a risk assessment. That could be using the ISA/IEC 62443-3-2 standard, which has a very good approach; it could be a combination of NIST 800-82 and 800-53. Or it even can be looking at it from a Consequence-based, Cyber-informed Engineering perspective as well—CCE, the Idaho National Labs concept. Right now, the maritime industry is looking to answer questions like: What do I have? How is it connected? What are my vulnerabilities?
As far as recent events, especially in the United States, the Maritime Transportation Security Act (MTSA) of 2002 has developed this circular, the NVIC 01-20. For folks in the United States and U.S. territories, at least, there’s an understanding that the U.S. Coast Guard is looking at MTSA facilities. It’s not just ports of return. It could be a chemical facility that’s port-facing or has maritime operations. It could be a petrochemical facility. It could be pulp and paper with a port; it could be mining and minerals with a port that may have MTSA regulatory. Starting this October 1, companies that fall under MTSA need to capture their vulnerabilities and document that into their facility security plan—which has traditionally been their physical security plan. So many of the folks responsible for the facility security plan need to now incorporate cyber. For some of those who maintain those plans for the Coast Guard and their companies, that’s a challenge, because they don’t natively speak cyber for the most part. Some have that technology background or have taken some training, but I would say the majority are focused on guards, gates, guns, dogs, cameras, and so forth. So, starting October 1, they need to be able to document cybersecurity into their facility security plan or annex that into their assessment. It means that many people are trying to look at their asset inventory in depth this year. They are working with their OT and IT security people to understand what risks they have, and to document them.
That’s one challenge that the maritime industry is facing in the U.S. Looking globally, the IMO 2021 is requiring vessel operators to document their cybersecurity and have a cybersecurity plan. That affects operational companies like Maersk, MSC, global carriers, even some cruise lines that operate in international waters. It started in January of this year.
The effects of a cybersecurity incident in the maritime industry can be severe. Cybersecurity plays a huge part in our day-to-day operations in the maritime industry.
ISA: Could you share a bit about the adoption of standards in maritime cybersecurity?
MA: ISA is a great organization, and they build great standards. Trying to make sure those standards align with even the maritime industry is a very important feat. Thankfully, many of the companies are adopting the ISA/IEC 62443 series of standards. That stems from the great work of ISA99, which is truly remarkable.
In the maritime industry right now, there are a lot of things happening, a lot of gears and levers moving. It’s very important that companies adopt strong standards. You’ll find that many companies that do classifications are wrapping ISA/IEC 62443 into their own recommended practices and class programs such as DNV-GL, for example. So you may be looking at a document and say, wait, this looks very familiar. They’re implementing 62443, but they’re wrapping it into their own document. 62443 is really widening its reach, and that is very significant.
We have to keep in mind that maritime is not just vessels and ports and terminals—it’s also offshore drilling platforms, and even offshore floating assets that are key to our nation. Security is very important to the assets off of our coasts. Not only that, but cybersecurity also ties into environmental effects and operational impact. There are just so many pieces to it.
So companies are getting ahead and doing assessments, and they’re working on remediation plans. Many of these remediation plans tie back to best practices and generally accepted good engineering practices. Being active with ISA and the maritime industry and InfraGard has really helped get the word out there about ISA standards.
ISA: What do you enjoy most about your work in maritime cybersecurity?
MA: The people. I enjoy so much about the people in the maritime industry. They’re so diverse. What is really nice about the job is not just working with the OT security and the IT security people, but also working with the physical security people. That convergence of physical and cyber is just amazing, because you have so many different views and opinions, and when they all come together and work together, it’s really special.
Traditionally, security systems like gates and cameras were all islands of information. They were localized; they didn’t exit out of the plant. Now with all the systems being tied to Ethernet, and even cloud-based technology, a lot of these systems are susceptible and also vulnerable. Sometimes, though, they may even traverse the same infrastructure as the operational technology. I’ve seen deployments where they’ve utilized security footage in the control room, and they partitioned and did some security around it, which gave their operators a view into not just the operations themselves from a control system standpoint, but a physical view into the plant. These can be really good things that marry up well together if done properly with cybersecurity in mind.
So, I get joy out of dealing with the folks from the ports and the terminals in the petrochemical ports and the MTSA facilities. To add on to that, especially in the Houston area, it’s amazing to work here locally with the Cybersecurity and Infrastructure Security Agency (CISA), an operational component of the U.S. Department of Homeland Security (DHS), and to work with District 8 of the U.S. Coast Guard. We get to see the perspective from the federal level, and even the state and the local.
With the Houston Fusion Center and with the Texas Department of Public Safety’s Maritime Intelligence, cybersecurity is here. What really excites me is that I’m working not just with asset owners and operators, but also working with the message from regulatory, CISA, local, state, and again, Fusion Centers. It’s exciting when you can get a group of folks together and have the discussion of physical security and cybersecurity, the convergence, the importance of a standards-based approach, things that work, and what’s good engineering practice—and especially help plan for the NVIC 01-20, this new security requirement that goes into effect on October 1.
It is exciting to work with these folks, and I’m also glad that I have been a Senior ISA member for about two decades now. I’m very grateful to be doing what I’m doing. I really enjoy sending the message about cybersecurity and working with such amazing folks.