As recently as a decade ago, vessels were not connected. They went to sea, where captains and crew were fortunate to have email and mostly relied on their vast experience or on reams of paper for information about the vessel.
Today the internet at sea is seen as a benefit and is becoming as much of an entitlement as it is in an office. Captains and crew have the luxury of communicating with their families using the same social media platforms as their contemporaries on shore. Crews use electronic maps and GPS to guide them, get analytics from their engines to inform them of issues, and have readily available information about all aspects of the vessel.
Unfortunately, along with these advantages, technology has brought an accompanying downside: cybercrime.
Cyber criminals are using vessels as a springboard, in part to find new horizons to spoof, phish and exploit, and in part to watch for ready opportunities to hop to the shore and infiltrate the corporate offices. Initially the attacks were directed at a specific network, using direct penetration methods to take as straight a route as possible to the intended disruption or financial gain. These types of attacks are certainly not gone, but cyber security has advanced in preventing them. The criminals have advanced too, finding alternatives that circumvent these defenses: they use social engineering to trick well-meaning recipients into revealing information, which not only invites the criminal into the network but points the way to the payload. Even newer methods recently employed include planting a spy that will observe, sometimes for years, providing information back to the mother ship until an opportunity is presented to penetrate the external defenses.
According to the COMSYS Maritime VSAT Report, by the end of 2020 roughly 1/2 of all commercial vessels will employ internet-capable communications. Cyber incidents have matched that rise. In response, the International Maritime Organization (IMO) and others have identified cyber security measures to include in onboard Safety Management Systems that will be compulsory by 2020.
Cyber risk management programs and processes that satisfy these upcoming requirements can take some time to plan and implement. However, there are reasonably easy and immediate measures that can be taken without a large investment to protect the vessels and, by extension, the corporations that support them.
Protection comes from a basic understanding of the vessel ecosystem.
- Vessels typically have two networks: one for the IT, or Information Technology (transactional), side and one for the OT, or Operational Technology (machine analytics, navigation), side.
- Certain crew members have administration rights to the onboard systems.
- Most of the Operational Technology systems are vendor provided.
- Like shoreside personnel, not all crew members are comfortable with technology.
With that ecosystem in mind, the following are some methods that can be used to protect our floating assets in parallel with the implementation of a holistic cyber program.
- Protect both the perimeter and the interior transference of data.
It is difficult to block every imaginable entrance into a ship's network, because the bad actors are constantly finding new ways to circumvent security. Every vessel should have one point through which internet traffic is funneled, to lessen the number of avenues that have to be managed. In addition, all computers on board, regardless of whether they are connected to the internet, should have protection. That way, if the exterior defenses are breached, the interior defenses will continue the fight and limit the damage. This includes the often overlooked onboard servers.
- Look to stop behavior
Each computer on board, regardless of whether it is connected to the internet, should be equipped with cyber security programs that prohibit behaviors such as executing an encryption routine or installing software. Because updating antivirus software can be problematic at sea, using software that detects destructive behavior provides a new layer of protection in addition to scanning for specific virus signatures.
- Preserve the segregation of the two networks.
Ensure that, while implementing IoT, vendors and others do not cross the IT and OT networks, which would allow a virus on one network to hop to the other. Keeping the two networks separate ensures that the crew's social activities and business activities with the shore are conducted separately from the operational activities connected with critical components of the vessel's operation. The crossing of networks can occur unless vendors are clear that consolidated displays on the bridge must not span the boundaries. It is better to err on the side of adding another computer for the OT display than to clean up a virus that has jumped across the networks.
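One way to check an onboard inventory for machines that span the IT and OT networks, such as a consolidated bridge display. This is an added example, not part of the original article; the subnets, host names and addresses are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption): one subnet per network.
IT_NET = ipaddress.ip_network("10.10.0.0/24")   # crew and business traffic
OT_NET = ipaddress.ip_network("10.20.0.0/24")   # navigation, engine analytics

# Constructed inventory: host name -> addresses of all its interfaces.
INVENTORY = {
    "crew-pc-01": ["10.10.0.21"],
    "chart-plotter": ["10.20.0.5"],
    "engine-monitor": ["10.20.0.9"],
    "bridge-display": ["10.10.0.40", "10.20.0.40"],  # consolidated display
    "spare-laptop": ["192.168.1.7"],                 # outside the plan
}

def zones_for(addresses):
    """Return the set of zones ('IT', 'OT', 'UNKNOWN') a host touches."""
    zones = set()
    for raw in addresses:
        ip = ipaddress.ip_address(raw)
        if ip in IT_NET:
            zones.add("IT")
        elif ip in OT_NET:
            zones.add("OT")
        else:
            zones.add("UNKNOWN")
    return zones

def audit(inventory):
    """Sort hosts into bridging (on both networks), unknown, and ok."""
    report = {"bridging": [], "unknown": [], "ok": []}
    for host, addrs in sorted(inventory.items()):
        zones = zones_for(addrs)
        if {"IT", "OT"} <= zones:
            report["bridging"].append(host)
        elif "UNKNOWN" in zones:
            report["unknown"].append(host)
        else:
            report["ok"].append(host)
    return report

if __name__ == "__main__":
    for category, hosts in audit(INVENTORY).items():
        print(f"{category}: {', '.join(hosts) or '-'}")
```

A host reported as bridging is a candidate for being split into two machines, one per network.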
- Separate admin accounts
Because of the isolation a vessel has while sailing, it is important to ensure that certain members of the crew have administrative access to manage situations that cannot be handled from shore, either because of loss of connectivity or because proximity is required. As this generation of cyberattacks leans on social engineering and preys on good intentions, consider using secondary logins for computer administration. Using a primary account for all business activities and the secondary account only to perform administrative functions ensures that even if the crew end up providing the wrong information, the account will have little to no authority to perform administration functions, thereby rendering the attack harmless.
- Use allowable sites rather than blocking bad sites.
Install an appliance that allows only certain sites to be accessed rather than allowing all sites and blocking the ‘bad’ ones. This ensures that any site that is accessed via the internet comes through a secured appliance and is validated as trusted before it can be accessed by the crew or the equipment. If sites are only blocked, then every virus-carrying site a crew member might access has to be anticipated. Whitelisting sites is a bit more administration but also dramatically decreases the number of spoofed sites accessed by the crew.
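The difference between the two models, shown on a handful of requests. This is an added example, not part of the original article and not any appliance's actual logic; all host names and list contents are constructed assumptions.

```python
# Constructed policy data (assumptions, not from the article).
ALLOWED = {"weather.example.org", "portal.shipco.example"}  # exact hosts
ALLOWED_SUFFIXES = {"charts.example.net"}                   # host plus subdomains
BLOCKED = {"known-bad.example"}                             # blocklist model

def normalise(host):
    """Lower-case and drop the trailing root dot so lookups are consistent."""
    return host.strip().lower().rstrip(".")

def allowlist_permits(host):
    """Default deny: permit exact hosts or true subdomains of a suffix."""
    host = normalise(host)
    if host in ALLOWED:
        return True
    # Match on a label boundary; a bare endswith(suffix) would also
    # accept 'fakecharts.example.net'.
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def blocklist_permits(host):
    """Default allow: permit everything not already known to be bad."""
    return normalise(host) not in BLOCKED

# Constructed requests: two legitimate, two spoofed, one known bad.
REQUESTS = [
    "portal.shipco.example",
    "tiles.charts.example.net",
    "portal.shipco.example.login.test",  # trusted name used as a prefix
    "fakecharts.example.net",            # shares the suffix text only
    "known-bad.example",
]

def compare(hosts):
    """Return (host, allowlist verdict, blocklist verdict) per request."""
    return [(h, allowlist_permits(h), blocklist_permits(h)) for h in hosts]

if __name__ == "__main__":
    for host, allow, block in compare(REQUESTS):
        print(f"{host:36} allowlist={allow!s:5} blocklist={block}")
```

Both spoofed names pass the blocklist because nobody has listed them yet, while the allowlist rejects them without needing to know they exist.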
- Block the USB ports and use a ‘safe computer’
Provide a computer on board that is not connected and has advanced detection software, so that removable media can be scanned before it is used. Make sure to block all USB ports on computers throughout the vessel and allow access to USB only with an administrative account. Require vendors that are going to do firmware updates to scan their removable media before it is plugged into any vessel computer.
- Train the crew
Training the crew to recognize suspicious communications, and to react quickly to stop the spread of a virus if they have released the krakens into the system, is critical to reducing the impact. It can be as simple as unplugging the computer from the network in some cases, but the crew need to recognize the need and know how to react.
Just as it was impossible to predict 3 decades ago that our vessels would someday be connected at sea, it is equally impossible to predict what the next generation of cyber crime will entail. With all the cyber security we have available today, the best defense continues to be a crew that is vigilant and educated on how best to use their technology.