Best Practices for Finding Cyber Threats and Vulnerabilities
Last year's (Not)Petya ransomware attack had a significant impact on Danish shipping giant A.P. Moller-Maersk. In this incident, several port terminals across multiple countries experienced massive disruptions, costing the company $300 million.
This security breach reaffirms the importance of a proactive approach to cybersecurity in the maritime industry. For many, knowing where to start this process can feel overwhelming.
So, how should ports and shipping companies approach cybersecurity? Let's take a look at the essentials.
Maritime Cybersecurity Risk Assessment
The first step is to conduct a cybersecurity risk assessment to identify vulnerabilities. Before you get started, create an environment where employees can provide honest feedback on system hardware and processes without fear of reprisals. These front-line people will hold key information and may have invaluable insights from which you can build the foundations of your assessment.
Next, as with many things in life, good preparation is the key to success. With that in mind, there is a pre-assessment checklist you should try to complete before any third party security audit:
• Map the organization and ship's key functions and systems
• Identify main producers of critical shipboard IT and onboard equipment
• Review all documentation related to critical IT and maritime systems
• Establish contacts with all manufacturers and develop working relationships
• Review detailed documentation on the ship's maintenance and support records
• Establish contractual requirements and obligations for the ship's owner/operator
After completing these tasks, a self-assessment of your business' cybersecurity is a good way forward. You are the expert on your own company, and you and your employees may already be aware of areas of weakness.
Most businesses find that this self-assessment is well complemented by a third-party risk audit. The outside perspective and expertise of a third party helps to cover all bases and identifies inevitable gaps missed during the self-assessment.
Next, conduct extensive penetration testing on critical IT and onboard infrastructure. At this stage, it is best practice to invite a third party that has proven experience of performing the testing. This is because if you perform the testing yourself, unless you are a professional, gaps and vulnerabilities in the system can be easily missed. The purpose of penetration testing is to identify whether the actual cybersecurity defense level matches the desired level of cybersecurity outlined in the company strategy. If you do not yet have this in your strategy, then now is the time to add it!
If the penetration testing identifies a significant risk to onboard systems, then passive testing approaches are a useful next step. This entails scanning the data transmitted by the system without actively accessing the system or installing any software on it. This minimizes the risk of compromising the existing system software.
It stands to reason that stand-alone systems are less vulnerable to external cyber attacks than systems attached to open networks or those connected directly to the internet. Again, your third party should review your network design and infrastructure to assess this. They will also closely assess the connections between your shipboard systems and open networks.
It's essential to perform a cybersecurity risk assessment for each of the systems, equipment and technologies listed below:
Core infrastructure systems
Back-end and administrative systems
Cargo management systems
Access control systems
Propulsion and machinery management and power control systems
Passenger servicing and management systems
Core infrastructure systems
Administrative and back-end systems
In the overall assessment process, it is important not to overlook the human element. Poor staff training, lack of procedural awareness or social engineering and phishing attacks can affect corporate security on a major level.
If you are planning to work with new contractors, you should always gain a thorough insight into their cybersecurity awareness and procedures. To do this, ensure you vet them extensively. It is not uncommon to find companies lacking appropriate awareness and training, leading to them create new sources of vulnerability in your systems.
The solution here is to update your company's cybersecurity policy to ensure that adequate training and governance procedures are implemented for accessible IT and onboard systems. The same applies to any visitors on the ship that connect their hardware to onboard systems.
These are some of the more common cybersecurity vulnerabilities found in a corporate environment and onboard:
• Obsolete and unsupported operating systems (even the HMS Queen Elizabeth was guilty of this!)
• Outdated or missing antivirus software (including malware)
• Inadequate security configurations and unimplemented best practices
• Shipboard computer networks which lack network segmentation and boundary protection
• Lack of security when it comes to critical equipment or systems that are always connected to the shore
• Inadequate access controls for third parties including contractors and service providers
Accountability and Ownership Challenges
To enhance maritime cybersecurity, senior management should be responsible for accountability and ownership of the risk assessment, instead of immediately delegating it to IT professionals. This is because enhancing cybersecurity protocols may impact standard business procedures and operations. As a result, it's important to evaluate and make decisions based on risk versus reward trade-offs.
Furthermore, several initiatives to boost security will be related to business processes and training, not IT systems. These procedures may impact how the business interacts with port authorities, customers and suppliers (requiring new cooperation agreements).
Based on the senior management's strategic decisions, robust contingency plans should be established to respond effectively to an active security event. This includes delegating authority and allocating adequate budgets to conduct risk assessments and respond to breaches.
As the shipping industry embraces new technology like the Internet of Things, the potential attack surface for bad actors will grow exponentially. Consequently, it demands comprehensive approaches to cybersecurity both now and in the future.
Today, everyone has to be vigilant, from the boardroom down to the deck to defend against cyber attacks. Shipping companies and port organizations may need to do a complete overhaul of their security policies, safety management systems and ship security plans to respond effectively to rising cybersecurity threats.