There are growing concerns about cyberattacks in the maritime sector.
Are you prepared?
Like most industries, the maritime industry has become increasingly dependent on digitalisation, connectivity, and automation to improve its efficiency and reliability.
Unfortunately, it has left businesses vulnerable to cyber threats, such as ransomware attacks, which are becoming more prevalent in commercial operations worldwide.
These exposures were recognised in 2017 by the International Maritime Organization (IMO), which adopted resolution MSC.428(98) requiring shipping companies to incorporate Maritime Cyber Risk Management into their safety management systems (SMS) to address this growing concern and create operational resilience to support safe and secure shipping. It urged all maritime industry stakeholders to expedite their efforts in safeguarding their systems.
This encompasses the following marine, or marine-related, systems:
1. Bridge systems
2. Cargo handling and management systems
3. Propulsion and machinery management and power control systems
4. Access control systems
5. Passenger servicing and management systems
6. Passenger-facing public networks
7. Administrative and crew welfare systems
8. Communication systems.
Where to start
Even though the IMO identifies cyber security risks and outlines helpful guidelines through this amendment, it also emphasises that responsibility falls to the company itself to take the necessary measures to implement and maintain a resilient cyber security posture. Because this is not an area of expertise for most in the maritime industry, it is best to seek professional advice and have systems and procedures assessed by a cybersecurity expert. More on this to come…
For now, let’s discuss the recommendation from the IMO that has incorporated the National Institute of Standards and Technology (NIST) five-functions plan.
The NIST 5-functions Plan Breakdown:
This cyber security framework acts as a guideline and shows best practices to help companies build and improve their defences against cyberattacks.
The 5 areas of this framework are Identify, Protect, Detect, Respond and Recover.
Understanding the origins of your exposures enables a company to focus its efforts to create stronger defences. That is why identifying the company’s critical assets, people, stakeholders and supply chain is step 1 in the development of cyber security.
This can be broken down into the following groups:
- Asset Management
Your critical assets –
- How do you access these?
- What security is in place to protect them?
These are simple questions to be asked for each critical asset identified.
- Business Environment
Your business environment is the sum of all factors external to your company that greatly influence its functioning. It covers customers, competitors, suppliers and government, not to mention social, cultural, political, and technological factors.
Understanding who has access to your company, and what that looks like, is imperative to blocking bad actors from accessing critical systems or allowing outside access via a backdoor.
- Governance
Governance is the framework of rules, relationships, systems and processes within your company by which authority is exercised and controlled. It encompasses the mechanisms by which companies, and those in control, are made accountable.
What do your company’s rules and regulations look like?
For example, what is your company’s rule for an outside contractor plugging a USB into a computer? It sounds so inconsequential but is actually a very serious security breach that can easily compromise a company. It surprises me just how few small to medium companies have rules/guidelines that protect against these types of system compromises.
- Risk Assessment
From the perspective of cyber security, this is the process of assessing the risks to systems and procedures relating to critical assets, staff and infrastructure within the company. It is an examination of all aspects of work that considers what could cause injury or harm should a related system be compromised, and what safeguards are in place to avoid this happening.
- Risk Management Safety
This is the process of identifying, analysing, evaluating, and addressing your company’s cyber security threats. This leads into the second area of the NIST framework, which we will move onto in just a moment.
The first part of any cyber risk management programme is a cyber risk assessment. Review your company’s cyber capabilities and identify what channels you use, their vulnerabilities and the risks of using them. An example of this may be what browsers are used. Who is using them and what security settings do you have on them, if any?
This goes further than implementing software and protective technology. Protecting your business’s digital assets requires awareness-raising training and adopting revised processes and procedures to mitigate or prevent exposures that leave systems and sensitive data vulnerable. Once exposures have been identified, you can map out the appropriate protective strategy and requirements to create a robust and secure digital environment.
Ways this can be achieved:
· Identity Management and Access Control
Who has access and why? Are personnel given unique login details for identification? Are levels of access measured and restricted?
A simple solution is to provide a personalised login for each team member. Provide access depending on role and position, limit access, and also track critical systems access and usage.
· Awareness and Training
Training and awareness are paramount to helping safeguard your company and giving your team the skills to develop good habits moving forward.
· Data Security
Ensure firewalls are in place and email spam trackers have been implemented – just some examples of protecting your data.
· Information Protection, Processes and Procedures
Put procedures in place and train your team in best-practice methods.
It’s ideal for team members to log off from any system before leaving the computer. However, we know that human behaviour leaves room for error. Add programs that have timers set to trigger an auto logout, ensuring abandoned computers are only accessible with a user login.
· Maintenance and Protective Technology
Maintaining healthy computers is just as important as installing these security measures. Make sure software updates are kept current and have set timeframes to reevaluate policies and procedures.
Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. Having systems in place that enable the timely discovery of intrusions or identify abnormalities can help prevent extended problems, or assist in locking down sections of your business to avoid widespread damage.
Examples of some functions for detection software include:
· Anomalies and Events tracking
· Security Continuous Monitoring; and
· Detection Processes.
Responding to a cyber security event is much easier when a plan is in place and you have a blueprint to follow. A plan designed in advance will limit damages to your company and reduce the recovery time.
This plan should include:
· Planning – What do you do? How do you do it? What steps should you take? How do you assess the risk? What are your emergency contacts? Having a well-detailed cyber emergency plan in place that your team is familiar with is paramount to mitigating a disaster.
· Communication – Who should be notified in the event of a hostile cyber event? If your communication systems are compromised, as a lot of telecommunication systems tie in seamlessly to the internet and software, do you have a backup to reach your remote teams? How often do you test it? Part of your planning should cover in detail communication methods, level of involvement, and what outside contractors to involve if you have an outside IT support group. Remember to check that they have an after-hours support line.
· Mitigation measures – In the worst-case scenario, how do you mitigate spread? Are your systems able to be isolated? Can you shut down systems while still maintaining overall control? Having a structured backend for your software can allow you to compartmentalise your system and can really aid in maintaining operational control of your business should your system get compromised.
After a cyberattack, restoring the original state of the information systems is the first step to returning to the status quo before the attack occurred.
How is your system backed up? Do you have remote servers? Cloud backups? There is a strong chance after a cyber attack that your existing data will be corrupted, or inaccessible. So, having data stored externally will streamline the recovery process to get back on your feet as fast as possible, limiting further exposure, damage to your reputation and, of course, limiting expense.
This all sounds complicated
Developing a sound cyber security strategy can be time consuming and seem complicated. If you need further advice, we are more than happy to make some further recommendations.
Creating this is as important as having a good SMS.
As ransomware attacks become more common, bad actors are constantly widening their search for soft targets. Avoid becoming a target with some good housekeeping and implement a solid and sustainable plan that protects your growing company for years to come.
What are you doing today to prepare your business?