Cyber security is a growing concern. The following are the key points to remember:
- Ask questions about your supply chain and your IT and OT teams
- Evaluate the security configuration of each vessel – each one is different
- Use Critical National Infrastructure Controls as a Guide
- Use strong due diligence in purchasing systems
- Attacks are inevitable – be prepared by validating and testing systems, processes, and separation
- Training is important!
Since 1 January 2021 the International Maritime Organization (IMO) has enforced Resolution MSC.428(98) under the International Safety Management (ISM) Code.
Vessel owners are encouraged to ensure cyber risks are addressed in their safety management systems (SMS).
Vessel owners need to show evidence that cyber risks have been addressed in the SMS. If they cannot, a Port State Control (PSC) deficiency may be issued: either Rectify prior to Departure (Action code 17) or, possibly, detention of the vessel (Action code 30).
To quote the IMO Website,
Recognizing the fact that no two shipowners or shipping companies are alike and that ships operate in a variety of conditions, the Code was created on the basis of general principles and objectives. These include assessing all risks to a Company’s ships and personnel, as well as establishing appropriate safeguards.
The Code is written in broad terms to allow for its widespread application. Different levels of management at different locations, shore-based or on the sea, will need to have different knowledge and awareness of these items.
As you can see, there is ambiguity.
This can lead to misinterpretation and misunderstanding of the security requirements, and in practice to varying levels of what is accepted as adequate security.
What does all this mean?
Fortunately, the maritime industry can take lessons from other industries that have already been subject to regulation: cyber security is not a tick-box exercise.
You can use the recommendations, guidance and frameworks as a starting point to build a robust assessment framework specific to your vessel and the businesses that work with you.
It all starts with a question
Where can you begin? By asking some questions:
- Are you aware of your assets?
- Are you familiar with who is responsible for these assets (think maintenance, security, and installation)?
- Are you able to identify these assets?
- Which are the best places to find them?
- Do you know when those assets need to be updated/replaced/tested?
This isn’t an easy task…
Learn from others
This industry is facing the same problems as Critical National Infrastructure. At a technology level, the Operational Technology (OT), on a vessel, is likely to be the same as at a water treatment facility.
The OT world faces the same challenges as you:
- Legacy software and infrastructure
- Complex supply chain
- Undocumented backdoors and unknown unknowns (which are hard to quantify)
- Hard to update or change
- Increasing internet connectivity.
- Limited skilled workforce
- In a workplace there could be up to five generations, each engaging with the technology in their own way.
Other OT industries have solved these problems by using the concept ‘Secure by Design’ and by using threat modeling and testing to reduce risk.
They are now asking vendors tough questions and involving skilled technicians in purchasing decisions, which lets them separate the truth from marketing hype. They even conduct Proof of Concept (PoC) testing before purchasing.
Do not be afraid to leave
Organisations need to realize that, depending on the outcome of such an assessment, they have the option of walking away.
It is important to note that not all products and vendors are bad. There are many great ones. As with every industry, there are vendors that need to improve their technology stacks and take responsibility.
These types of assessments have revealed undocumented backdoor accounts, rogue code that could be manipulated, and in some cases simply open access: no authentication at all, with reliance placed entirely on physical controls.
This behavior is unacceptable in a cyber-resilient organisation.
It’s not if, but when…
Organisations are realizing that, as the world becomes more connected, an attack is not a question of if but when.
This holds true both for technology solutions aboard vessels and for the connected environments back on dry land. It is essential that the vessel is adequately secured against attack, both from remote attackers and in the event that an onboard machine is compromised. This is no easy task.
The following areas should be considered when completing your assessment:
- Validate segregation among onboard networks to ensure the crew, third-party and corporate networks are separated from safety-critical systems (OT, bridge, etc.)
- Connections back to shore, especially content filtering and Internet access, and privileged access to other systems such as the home office or third parties
- Security configuration and segregation of wireless networks on board
- Review bridge and navigation systems. In particular, review software versions, update paths (online/USB), wider USB usage and other possible interfaces
- Other systems of concern include integrated bridge equipment (IAMCS), ECDIS, GPS and AIS, synthetic radars, BNWAS, VDR and any other system connected to a network
- Security of OT control systems. OT can react adversely to active testing exercises, so the review process should instead examine configuration and usage
- Check other connected systems for software versions or patch levels that the organisation may not have visibility of
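The first two points above (segregation of crew/third-party/corporate networks from safety-critical zones, and privileged shore connections) can be checked offline against a firewall policy export before anyone touches the OT. The script below is an added example, not part of the original article or any vendor's tooling: the zone names, the CSV-style rule format and the sample policy are all constructed for illustration, and the rule semantics (first match wins, `any` as a wildcard) are assumptions rather than any specific firewall's behaviour.

```python
"""Segregation review of an onboard firewall policy (constructed example).

Zone names, the 'src,dst,action,auth' rule format and SAMPLE_POLICY are all
made up for this illustration; adapt them to the vessel's real zone inventory.
"""
from dataclasses import dataclass

# Assumed zone groups. Safety-critical zones must not be reachable from crew,
# third-party or corporate networks and must not have direct internet egress.
SAFETY_CRITICAL = {"ot", "bridge", "navigation"}
UNTRUSTED = {"crew_wifi", "third_party", "corporate", "internet"}
ALL_ZONES = SAFETY_CRITICAL | UNTRUSTED | {"shore_office", "business_lan"}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str   # "allow" or "deny"
    auth: bool    # does the allowed path enforce authentication?
    line_no: int  # line in the export, so findings can be traced back


def parse_rules(text: str) -> list[Rule]:
    """Parse 'src,dst,action,auth' lines; '#' starts a comment."""
    rules = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, action, auth = (f.strip().lower() for f in line.split(","))
        if action not in ("allow", "deny"):
            raise ValueError(f"line {n}: unknown action {action!r}")
        rules.append(Rule(src, dst, action, auth == "yes", n))
    return rules


def expand(zone: str) -> set[str]:
    """Expand the 'any' wildcard so it is judged like explicit zones."""
    return ALL_ZONES if zone == "any" else {zone}


def find_segregation_violations(rules: list[Rule]) -> list[str]:
    """Return one finding per effective allow rule that breaks segregation.

    First-match semantics: a deny earlier in the list shadows a later allow
    for the same src/dst pair, so shadowed allows are not reported.
    """
    findings = []
    denied: set[tuple[str, str]] = set()
    for r in rules:
        pairs = {(s, d) for s in expand(r.src) for d in expand(r.dst)}
        if r.action == "deny":
            denied |= pairs
            continue
        for s, d in sorted(pairs - denied):
            if s in UNTRUSTED and d in SAFETY_CRITICAL:
                findings.append(f"line {r.line_no}: {s}->{d} lets an untrusted zone reach a safety-critical zone")
            elif s in SAFETY_CRITICAL and d == "internet":
                findings.append(f"line {r.line_no}: {s}->internet gives a safety-critical zone direct internet egress")
            elif s == "shore_office" and d in SAFETY_CRITICAL and not r.auth:
                findings.append(f"line {r.line_no}: {s}->{d} remote privileged access without authentication")
    return findings


# Constructed sample export; the three commented violations are the ones a
# reviewer should expect this policy to produce.
SAMPLE_POLICY = """\
# src,dst,action,auth
crew_wifi,internet,allow,no        # crew browsing: fine
business_lan,internet,allow,no
corporate,ot,allow,yes             # corporate LAN reaching OT: violation
ot,internet,allow,no               # OT talking straight to the internet: violation
shore_office,bridge,allow,no       # remote support path with no authentication: violation
third_party,bridge,deny,no
third_party,bridge,allow,yes       # shadowed by the deny above: not reported
any,ot,deny,no                     # default deny for OT
"""


if __name__ == "__main__":
    for finding in find_segregation_violations(parse_rules(SAMPLE_POLICY)):
        print(finding)
```

Because the check only reads the policy, it is safe to run against the OT boundary devices described in the last point of the list, where active scanning is discouraged; the findings still need to be confirmed against the as-built network, since a policy export says nothing about cables that bypass the firewall.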
What can I do other than this?
It’s important to offer cyber security training to your crew members. This can be done in person or remotely and focuses on the main risks mariners face in port and at sea. It is important to train individuals how to protect themselves and the vessel against scams and other attacks.
OTSEB provides training for engineers on how attackers connect with networks, the tools they use, and technical indicators to watch out for.
Supply chain management and due diligence are key principles.
Technology is constantly evolving and cyber resilience must keep up. With some simple suggestions, the industry can make substantial improvements in a very short time.