A few weeks ago we ran a piece on IASME’s new maritime cybersecurity standard. Today we continue to look at security for the seas, with some top tips for good measure! IASME’s scheme is essentially an enhanced version of our own CMCA solution for cruise. We’re delighted that they have stepped into this arena, which is such a vital one for us all at theICEway.
Security for the seas
Maritime cybersecurity is becoming an increasingly hot topic, as is IT security in general. Anybody working with a PC, laptop or other device is a potential target for cyber-criminals. The more devices used and the greater the amount of data processed, the higher the risk of an attack or breach. When you then consider the intricacies of interconnected devices and systems, servers and networks, the need for security is clear.
Whether it is cruise ships or cargo ships, the maritime industry in general is one with perhaps more cyber vulnerabilities than most. There are the vessels themselves to consider, then the onshore support mechanisms. Of course, connectivity is of vital importance. The sheer volume of different IT systems required is staggering.
CRIBB Cyber Security is privileged to be part of theICEway ecosystem of companies. Their work in the cruise industry is well-known by those familiar with the sector. We’re delighted to offer guidance and advice to cruise lines on all things cybersecurity related. So then, we now turn our attention specifically towards maritime cybersecurity. Much of what you will read here applies to all other industries though, so if you are not in cruise or cargo then do not despair!
Cyber security tips for those in cruise & cargo
If that is you, then the experts at CRIBB recommend you build cyber awareness of:
- The different types of cyber-attacks
- Cyber-attack stages
- How to identify vulnerabilities
- Then how to create a plan
- Cybersecurity processes (this will require regular training)
Cyber-attacks: Types and stages involved
Marine organisations need to be aware of two general types of cyber-attack: untargeted and targeted attacks. Cyber-criminals adopting the former are seeking potential weaknesses in multiple companies or ships. Targeted attacks are aimed at specific companies or ships and these can be much harder to deter. Both attack types can involve various techniques, including:
Malware: Harmful software designed to damage a computer system, such as spyware, viruses, worms and trojans.
Phishing: This sees cyber-criminals generally sending an email to a group of people with a general message containing a link or an attachment.
Spear-phishing: Similar to phishing but aimed at a specific person or company.
Water Holing: A fake website is deployed to elicit information from users.
Social Engineering: Cyber-criminals sometimes attempt to contact and influence people to give up potentially harmful information through social media.
Impersonation: Some criminals impersonate employees or official figures to gain access to company or vessel systems.
Brute Force: The deployment of programs attempting to guess passwords.
Denial of Service: A network is flooded with data and legitimate users cannot then gain access.
Subverting the Supply Chain: This sees criminals attempting to compromise electronic systems before they turn to companies or ships.
Generally there are four stages cyber-criminals take to carry out a cyber-attack:
Survey and Reconnaissance: Hackers directly targeting a company or ship may initially obtain information via public and unprotected sources. For example, they may go through related publications and websites. They could then turn to technical forums and even social media to try to uncover potential vulnerabilities. It is vital to know that they can also intercept and monitor the data flowing to and from a company or ship.
Delivery: Data is either stolen or malware is delivered.
Breach: This stage sees an attacker entering a system and then wreaking havoc.
Pivot: Once they have access and are inside your network, cyber-criminals can then get into other systems.
Perhaps the most critical aspect of improving your cybersecurity efforts lies in identifying your weaknesses. Various maritime organisations have admitted that in the past it took an average of 140 days to identify a cyber-attack. Effectively, that gave cyber-criminals almost 5 months in which to cause damage or steal precious data.
Now that overall awareness of IT security is growing, however, this window is narrower. How then can you take advantage of this by strengthening your other weaknesses?
- Enlist a maritime cybersecurity specialist with a good knowledge of maritime IT and OT systems to perform an assessment
- Pay particular attention to ship systems integrated with the internet or other systems. These are more likely to be the target of a cyber-attack
- Key onboard system targets for cyber-criminals are: Bridge Systems; Propulsion, Machinery and Power Control Systems; Cargo Management Systems; Passenger Service and Management Systems; Public Networks; Communication Systems
- Ensure that you have regular training sessions on all aspects of IT security. Human error is still a big factor behind system vulnerabilities
Common vulnerabilities in marine systems
- Obsolete operating systems that no longer have updates
- Outdated anti-malware software
- Missing, or gaps in, security protocols
- Integrated systems without the proper safeguards
- Systems connected to a land-based server or system
- Missing access controls for third parties
Creating a solid plan
Whilst cyber-criminals are of course a threat to IT security, negligence and a lack of cyber awareness can also prove harmful. It is important then to ensure the policies for your marine IT and OT systems are developed with this in mind. Structure your plan thus:
- Identify ALL threats (external and internal)
- Prioritise data by value and sensitivity, then think of how cyber-criminals might try to get it
- Uncover ALL vulnerabilities (within systems, software and also protocols)
- Create a risk register and assess the risk exposure (evaluate the impact a cyber-attack may have)
- Develop tools for detection and protection (updated software, alerts in the case of a cyber-attack)
- Establish contingency and response plans
Processes and training
Developing processes is vital when it comes to ensuring your workforce is ‘on the same page’. Implement a process and then encourage it to be followed, for there is little point in establishing a protocol only for it to then be ignored. This is where training comes in and consistency becomes key.
Maritime cybersecurity is an incredibly important area for us here at CRIBB. As a UK cyber security company in Hertfordshire, we’re raising general cyber awareness. As part of theICEway, we’re supporting the cruise and maritime industry. It is this particular ‘hat’ that we wear for this article and if you work in this crucial sector and require assistance, then we’re here for you.