#45 How Do You Start Designing Your On-Vessel Maritime Cybersecurity Action Plan?

-

Your maritime cybersecurity action plan will take some time to pull together, you can do several things in the short-term to jumpstart your efforts and establish an initial baseline of cybersecurity for your vessels:

Your On-Vessel Maritime Cybersecurity Action Plan

Update the admin password on critical systems and devices on your OT network

Make sure you change the admin password on your critical systems and devices from the manufacturer default. Hackers can quickly identify and access internet-connected systems that use shared default passwords. It is imperative to change default manufacturer passwords and restrict network access to critical vessel systems.

Update your passwords regularly and use multi-factor authentication, where possible

If you do not have one in place already, deploy a password management system for your critical computers and devices on your OT network. This includes adding multi factor authentication, where possible, and changing passwords (including any that are shared) on a regular basis.

Make sure your critical systems and devices are not accessible via the Internet

Most providers offer a private IP address space to keep hackers from reaching your systems over the Internet. You can determine if your vessel terminals are public by entering the IP address in a browser to see if you can route to the terminal web interface.

Update the software on critical systems and devices

Most updates include fixes for security flaws, so make sure your systems are running the latest software versions and ensure they are updated every time the manufacturer publishes an update.

Secure USB ports on all ship systems

Lock down USB access to prevent malware from entering vessel systems. If critical systems can only be updated by USB, keep dedicated USB keys in a secure location.

Segment your bridge, engine room, crew, Wi-Fi and business networks on board

If a device on your vessel is compromised, segmented networks will ensure critical systems are not susceptible to an attacker. Ensure that the crew’s personal devices and laptops do not have access to navigation systems and other critical areas of the ship’s network.

Educate your crew about cybersecurity

Establish a cybersecurity training program for your crew. You can also take advantage of complimentary resources like ESET’s online cybersecurity awareness training and the Be Cyber Aware At Sea campaign to raise cybersecurity awareness and help train your crew to avoid opening the vessel to compromise. Security starts with your people.

Maritime Security: Getting Started with Your Action Plan

There is so much to consider when developing a maritime security plan. Your plan must include a significant cybersecurity component to ensure the safety of your vessels and offshore operations from the growing number of maritime cyber threats. As ships become more sophisticated in the digital era, at the same time, crews are shrinking and dedicated resources to cybersecurity may be scarce. But cybersecurity cannot be an afterthought – it needs to be elevated as a board-level priority issue.

We’ve touched on some of the security frameworks and compliance considerations that you can leverage in your planning efforts. Establishing your cybersecurity plan will not happen overnight. The burden and responsibility of cybersecurity fall on everyone – process and cultural changes will need to happen for an effective cybersecurity plan.

As you begin your in-depth cybersecurity planning efforts, the cyber risk management approach * from “The Guidelines on Cyber Security Onboard Ships,” produced and supported by BIMCO, Cruise Lines International Association (CLIA), International Chamber of Shipping (ICS), International Association of Dry Cargo Shipowners (INTERCARGO), InterManager, INTERTANKO, International Union of Marine Insurance (IUMI), Oil Companies International Marine Forum (OCIMF), and World Shipping Council (WSC) guides shipowners and operators on procedures and actions to maintain the security of cyber systems in their organization and onboard their vessels.

Cyber Risk Management Approach (from The Guidelines on Cyber Security Onboard Ships)

Identify Threats

The cyber risk is specific to the company, ship, operation, and/or trade. When assessing the risk, organizations should consider any specific aspects of their operations that might increase their vulnerability to cyber incidents.

There are motives for organizations and individuals to exploit cyber vulnerabilities. There is the possibility that company personnel, onboard and ashore, could compromise cyber systems and data. In general, the organization should realize that this may be unintentional and caused by human error when operating and managing IT and OT systems or failure to respect technical and procedural protection measures. There is, however, the possibility that actions may be malicious and are a deliberate attempt by a disgruntled employee to damage the company and the ship.

Identify Vulnerabilities

It is recommended that a shipping company performs an assessment of the potential threats that may be faced. This should be followed by an assessment of the systems and onboard procedures to map their robustness to handle the current level of threats. The result should be a strategy centered around the key risks.

Standalone systems will be less vulnerable to external cyberattacks compared to those attached to uncontrolled networks or directly to the Internet. Care should be taken to understand how critical onboard systems might be connected to uncontrolled networks.

Assess Risk Exposure

Cyber risk assessment should start at the senior management level of a company, instead of immediately delegated to the ship security officer or the head of the IT department:

  1. Initiatives to heighten cybersecurity and safety may also affect standard business procedures and operations, rendering them more time consuming and costly. This usually becomes a senior management level decision to evaluate and decide on risk mitigation.
  2. Some initiatives, which would improve cyber risk management, are related to business processes, training, the safety of the vessel, and the environment – not to IT systems, and should be anchored organizationally outside the IT department.
  3. Initiatives which heighten cyber awareness may change how the company interacts with customers, suppliers, and authorities, and impose new requirements on the co-operation between the parties. It is a senior management level decision whether and how to drive these changes in relationships.

Develop Protection and Detection Measures

The outcome of the company's risk assessment and subsequent cybersecurity strategy should be a reduction in risk to be as low as reasonably practicable. At a technical level, this would include the necessary actions to be implemented to establish and maintain an agreed level of cybersecurity. It is crucial to identify how to manage cybersecurity onboard and delegate responsibilities to the master, responsible officers, and, when appropriate, the company security officer.

Establish Contingency/Incident Response (IR) Plans

When developing contingency plans for implementation onboard ships, it is important to understand the significance of any cyber incident and prioritize response actions accordingly.

Any cyber incident should be assessed to estimate the impact on operations, assets, etc. In most cases, and with the exception of load planning and management systems, a loss of IT systems onboard, including a data breach of confidential information, will be a business continuity issue and should not have any impact on the safe operation of the vessel.

The loss of OT systems may have a significant and immediate impact on the safe operation of the vessel. Should a cyber incident result in the loss or malfunctioning of OT systems, it will be essential that effective actions are taken to help ensure the immediate safety of the crew, ship, cargo, and protection of the marine environment. Your crews should be trained regularly on the response plans. These plans should be regularly practiced by vessel crews, officers, and IT support management and staff – similar to the safety response exercises that are routinely done today. Third-party system providers on board the vessels should be included and required to be part of these IR exercises and planning.

Respond to and Recover from Cyber Security Incidents

It is important to understand that cyber incidents may not disappear by themselves. If, for example, the emergency chart display and information system (ECDIS) has been infected with malware, starting up the back-up ECDIS may cause another cyber incident. Therefore, it is recommended to plan how to carry out the cleaning and restoration of infected systems.

Disaster recovery (DR) plans need to be an integral part of any maritime cybersecurity plan. This includes the preservation of cyber data for forensic purposes in addition to the restoration and protection of your OT processes and ship controls. These plans should also be exercised regularly and updated as necessary both at sea and on shore. Any third-party system providers you partner with should be included and required to be part of the planning and execution of these DR exercises. Any knowledge you obtain about previously identified cyber incidents should be used to improve the response plans of all ships in your company's fleet, and you should consider an information strategy for such incidents.

We’ve touched on some of the security frameworks and compliance considerations that you can leverage in your planning efforts. Establishing your cybersecurity plan will not happen overnight. The burden and responsibility of cybersecurity fall on everyone – process and cultural changes will need to happen to ensure your success in developing an effective cybersecurity plan.

Comments

Post a Comment

Popular posts from this blog

#41 Maritime Cybersecurity

-
Image
Maritime is one of the oldest industries and lifeblood of the global economy, accounting for the carriage of 90% of world trade. Ships and other vessels may seem like unusual targets for cyberattacks. But with their growing use of industrial control systems (ICS) and satellite communications, hackers have a new playground that’s ripe for attack. In a 2020 Safety at Sea and BIMCO Maritime Cyber Security survey, despite the majority of respondents (77%) viewing cyber-attacks as a high or medium risk to their organizations, few appear to be prepared for the aftermath of such an attack, 64% of respondents said their organization has a business continuity plan in place to follow in the event of a cyber incident, but only 24% claimed it was tested every three months, and only 15% said that it was tested every six to 12 months. Only 42% of respondents said that their organization protects vessels from operational technology (OT) cyber threats, and some respondents went so far as to describe
Read more

#21 What is Mooring of Ships

-
Image
We have been intrigued by this question: How are ships ‘parked’ upon their arrival in ports, jetties, and piers? Unlike cars, they can’t simply be put off gear and parking brakes! Ships don’t have brakes in the first place. Ships need to be fastened and fixated soundly for conducting all kinds of shore operations such as cargo loading/unloading, refuelling, bunkering, ballasting/deballasting, boarding/deboarding, maintenance, repairing, and often for idle times based on voyage schedules and berth or workforce availability. So, mooring or the system of securing a vessel soundly for the purposes mentioned above is indispensable in studying ships and offshore structures.  Differences between mooring, docking and anchoring It is common to get confused with the terms mooring, docking and anchoring and may use them interchangeably. But there are stark differences between them.  Anchoring is the system of securing a vessel amid the sea when the ship is not near the vicinity of a per
Read more

#59 Manned to AI Ships Era (iota/1): Navigating the Future with Technological Waves

-
Image
“Investing on Yourself is the best investment”. 2030 year going to be a massive change throughout the world in all the fields. Starts from pollution norms, recycling, IIOT etc. Technology developments will take over all industry in a prompt time. AI is the field of conceiving, designing and developing machines which should perform tasks that usually   requires human intelligence. AI is the art and science of developing machines running  on intelligent algorithms that make them capable of   thinking, acting and learning like human beings.  In lay-man language we are expecting a intelligent machines in the field of engineering and technology. Scanner and sensors types going to increase more like thermal, light, proximity, chemicals, barometric, speech, audio, image. Human Machine Interface to synchronization for commanding/operating the ship from shore requires. Education and training are required to meet AI and to with the emerging accomplishments, experts say that full artificial intel
Read more