Anthony Daly, a security analyst at PGI, provides readers with plenty to think about.
An increase in internet access at sea will lead to an increased risk of suffering a cyber-attack.
However, if addressed correctly, this risk can be lowered to sit comfortably within an organisation's acceptable risk tolerance.
The maritime sector is a very competitive one. If there is a perceived lack of preparedness against all threat vectors, then a customer may very well choose to use a competitor. Can you really afford to lose a contract because of a lack of due diligence?
Remember that when you conduct a risk assessment of your systems, irrespective of whether they are shore based or at sea, the three pillars of information security are the confidentiality, integrity and availability of data.
Have you got incident handling and incident response plans in place? Are they fit for purpose and have they been tested? Have you allowed for scenarios such as a total loss of connectivity at sea, where someone onboard may need to take charge of a cyber security incident with minimal shore-side support? Or a vessel full of contractors during a maintenance period, where you may not have full supervision of which systems they are accessing?
Are your networks locked down – do you really need to allow USB access to IT systems that are connected to OT systems? Are your IT teams ensuring that access to ports, protocols and services is minimised, in line with your organisation's security policies? Are your network devices correctly configured? Losing services at sea because of an incorrectly configured firewall is a painful (and costly) way of finding out that they aren't.
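The "ports, protocols and services minimised" question is easy to ask and easy to let drift; the check below is an added example (not from the article or PGI) of how a shipboard IT team can turn it into something auditable. It parses `ss -Hltunp` style output from a Linux host and reports every listener that the organisation's policy does not explicitly permit, flagging anything bound beyond loopback as high severity. The allowlist and the sample `ss` lines are constructed for the example; a real policy would be kept per host class.

```python
"""Audit listening services on a shipboard host against a port/protocol allowlist.

Added example, not code from the original article. The allowlist and the
sample `ss` output below are constructed; replace them with the policy for
the host class being audited and the output of `ss -Hltunp` on that host.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed policy: (protocol, port) -> process the policy expects to own it.
ALLOWLIST = {
    ("tcp", 22): "sshd",     # remote administration
    ("tcp", 443): "nginx",   # crew portal
    ("udp", 123): "chronyd", # time sync
}

# Constructed sample in the format of `ss -Hltunp` (no header line).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128 0.0.0.0:443     0.0.0.0:* users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0 5   127.0.0.1:631   0.0.0.0:* users:(("cupsd",pid=910,fd=7))
tcp   LISTEN 0 100 0.0.0.0:23      0.0.0.0:* users:(("telnetd",pid=1555,fd=4))
udp   UNCONN 0 0   0.0.0.0:123     0.0.0.0:* users:(("chronyd",pid=700,fd=5))
udp   UNCONN 0 0   0.0.0.0:69      0.0.0.0:* users:(("in.tftpd",pid=1600,fd=3))
"""

PROC_RE = re.compile(r'\(\("([^"]+)"')  # first process name in users:(("name",pid=..))


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


@dataclass(frozen=True)
class Finding:
    severity: str
    proto: str
    port: int
    process: str
    reason: str


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -ltunp` rows: proto state recvq sendq local peer [process]."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)          # handles [::]:22 as well as 0.0.0.0:22
        match = PROC_RE.search(line)                # absent when not run as root
        listeners.append(Listener(proto, addr.strip("[]"), int(port),
                                  match.group(1) if match else "?"))
    return listeners


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"


def audit(listeners: list[Listener], allowlist: dict) -> list[Finding]:
    """Report listeners the policy does not permit, or that the wrong process owns."""
    findings = []
    for l in listeners:
        expected = allowlist.get((l.proto, l.port))
        if expected is None:
            severity = "LOW" if is_loopback(l.addr) else "HIGH"
            findings.append(Finding(severity, l.proto, l.port, l.process,
                                    f"not in allowlist (bound to {l.addr})"))
        elif expected != l.process:
            findings.append(Finding("HIGH", l.proto, l.port, l.process,
                                    f"policy expects {expected} on this port"))
    return findings


def collect_live() -> str:
    """Run ss on the local host (requires iproute2; root shows all process names)."""
    return subprocess.run(["ss", "-Hltunp"], capture_output=True, text=True,
                          check=True).stdout


if __name__ == "__main__":
    for f in audit(parse_ss(SAMPLE_SS_OUTPUT), ALLOWLIST):
        print(f"{f.severity:4} {f.proto}/{f.port:<5} {f.process:10} {f.reason}")
```

Run against the constructed sample it flags telnet and TFTP on all interfaces as high severity and the loopback-only print spooler as low; on a live host, swap `SAMPLE_SS_OUTPUT` for `collect_live()`. The same report, diffed between port calls, is a cheap way to spot services a contractor enabled during a maintenance period and never turned off.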
Are your user accounts locked down so that users have only the minimum privileges needed to do their job? The use of accounts with administrator privileges should be limited to an absolute minimum. Are the accounts of ship's personnel disabled at the earliest opportunity when they leave the ship? When you transmit data from ship to shore, or vice-versa, is it encrypted so that sensitive data cannot be intercepted? Do you have a policy in place to ensure that patch management takes place and that anti-virus software is updated regularly? This can be quite tricky if you have limited bandwidth to start with. Are your users aware of the threat they can pose if they are not cyber security aware?
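Crew change is where least privilege and account hygiene usually slip: people sign off, contractors come and go, and accounts outlive their owners. The script below is an added example (not from the article or PGI) of reconciling an export of the ship's user accounts against the crew manifest. It flags enabled accounts whose owner has signed off, accounts with no matching crew record, administrator-group membership held by roles the policy does not permit, and accounts nobody has logged into for a configurable period. The account export, manifest, and the rule that only the ETO may hold admin rights are all constructed assumptions for the example.

```python
"""Reconcile shipboard user accounts against the crew manifest.

Added example, not code from the original article. Accounts, manifest,
audit date and the admin-role policy below are constructed assumptions;
a real run would load the account export and manifest from the ship's
directory service and crewing system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

ADMIN_GROUPS = {"sudo", "wheel", "Administrators"}
ADMIN_ROLES = {"ETO"}                 # assumption: only the electro-technical officer holds admin
SERVICE_ACCOUNTS = {"root", "backup"} # assumption: built-in accounts exempt from manifest checks


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    groups: frozenset
    last_logon: Optional[date]        # None = never logged on


@dataclass(frozen=True)
class CrewRecord:
    name: str
    role: str
    signed_off: Optional[date]        # None = still onboard


@dataclass(frozen=True)
class Finding:
    name: str
    kind: str                         # SIGNED_OFF | UNKNOWN | EXCESS_ADMIN | STALE
    detail: str


# Constructed account export (what the ship's directory reports).
ACCOUNTS = [
    Account("root", True, frozenset({"wheel"}), date(2024, 3, 4)),
    Account("master", True, frozenset({"crew"}), date(2024, 3, 1)),
    Account("eto", True, frozenset({"crew", "sudo"}), date(2024, 3, 4)),
    Account("second_officer", True, frozenset({"crew", "sudo"}), date(2024, 3, 3)),
    Account("third_eng", True, frozenset({"crew"}), date(2024, 1, 15)),
    Account("cadet_j", True, frozenset({"crew"}), date(2024, 2, 9)),
    Account("contractor1", True, frozenset({"crew"}), date(2024, 3, 2)),
    Account("ex_chief", False, frozenset({"crew", "sudo"}), date(2023, 12, 20)),
]

# Constructed crew manifest (what the crewing system reports).
MANIFEST = [
    CrewRecord("master", "Master", None),
    CrewRecord("eto", "ETO", None),
    CrewRecord("second_officer", "2/O", None),
    CrewRecord("third_eng", "3/E", None),
    CrewRecord("cadet_j", "Cadet", date(2024, 2, 10)),
    CrewRecord("ex_chief", "C/E", date(2023, 12, 21)),
]


def audit_accounts(accounts, manifest, today: date, stale_days: int = 30) -> list[Finding]:
    """Return one Finding per policy breach among enabled, non-service accounts."""
    crew = {c.name: c for c in manifest}
    findings = []
    for a in accounts:
        if not a.enabled or a.name in SERVICE_ACCOUNTS:
            continue
        record = crew.get(a.name)
        if record is None:
            findings.append(Finding(a.name, "UNKNOWN", "enabled account has no crew record"))
            continue
        if record.signed_off is not None:
            days = (today - record.signed_off).days
            findings.append(Finding(a.name, "SIGNED_OFF", f"still enabled {days} days after signing off"))
        admin = a.groups & ADMIN_GROUPS
        if admin and record.role not in ADMIN_ROLES:
            findings.append(Finding(a.name, "EXCESS_ADMIN",
                                    f"role {record.role} holds admin via {sorted(admin)}"))
        if a.last_logon is None or (today - a.last_logon).days > stale_days:
            findings.append(Finding(a.name, "STALE", f"no logon in the last {stale_days} days"))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(ACCOUNTS, MANIFEST, today=date(2024, 3, 5)):
        print(f"{f.kind:12} {f.name:15} {f.detail}")
```

Against the constructed data it reports the cadet's account still enabled after sign-off, a contractor account with no crew record, the second officer holding sudo, and an engineer's account idle for fifty days; the disabled ex-chief account is correctly ignored. Running this at every crew change, and treating each finding as a ticket to disable or demote the account, is a concrete way of answering the "disabled at the earliest opportunity" question rather than hoping someone remembered.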
Does your organisation have a user education policy in place? If not, why not? It is very easy for someone who works in cyber security to preach about the risks of internet usage, but we do this day in, day out. If you have a user who rarely uses IT in their job, then it's understandable that they would not have as great an awareness of the risks involved. If it is a case of cost, can you afford the remedial action needed if your users create a cyber security incident through a lack of awareness?
If the worst does happen and you suffer a cyber-attack at sea that affects systems such as propulsion or navigation, have you got the right policies and procedures in place to ensure that business can carry on relatively unaffected? Have these policies been tested? You do not want to find out that they do not work when you are at sea with no connectivity and your propulsion and navigation systems have been disabled. When was the last time you practised navigation using a paper chart? Now is not the time to find out that your charts are out of date and you do not have the latest Notices to Mariners.