Coping with the threat of cyber attacks is something that all shipowners and operators will have to learn to do but the complexity of the issue is something that even many IT experts and security consultants will have difficulty in addressing adequately. There has been no shortage of advice given to shipping but aside from this it could be said that not much has been done in practical terms. That is changing and one of the organisations at the forefront is communications specialist Inmarsat.
It is fitting that Inmarsat Maritime as a leading communications organisation has stepped up to the plate because, when it comes to ships at sea, it is the communications network that is one of the weakest links in protecting against cyber threats. It is not the only threat of course especially on a modern ship with a myriad of electronic navigation devices, engine and machinery monitoring and control and an administrative network of computers.
One of the most recent vulnerabilities has also come about as a consequence of the communications revolution that followed the introduction of GMDSS, and that is crew connectivity. Whereas this began with the provision of a simple telephone that crew could use to make voice calls, it has since expanded to encompass crew members’ personal equipment such as smartphones, tablets and other devices that are loaded with both operating software and numerous apps.
Regardless of how disciplined the crew may be in operating the ship’s computer network – and in many cases that discipline can be very lax or even non-existent – when it comes to their personal equipment their guard is usually lower still. Opening emails, streaming media or merely purchasing games and video content from suspect sources all increases the risk of the ship’s networks becoming contaminated.
Virtually all ships are equipped with at least one satellite receiver required for GMDSS that is capable of receiving emails and in addition there are an estimated 30,000 vessels globally which have some sort of access to always-on Internet via satellite. Inmarsat Maritime alone has 10,000 vessels committed to its Fleet Xpress service of which 2,500 are already fitted and in operation.
With Fleet Xpress, Inmarsat Maritime has shifted its traditional position and as well as working with communications service providers, it now also works directly with content providers. This is best demonstrated in its Certified Application Partner Programme (CAPP) devised by Inmarsat Maritime to cultivate third party development of management software that can fully exploit Fleet Xpress connectivity.
Working to a more secure environment
In September this year Inmarsat Maritime launched a new service under the title Fleet Secure describing it as the shipping industry’s first and only fully-managed service to detect vulnerabilities, respond to threats and protect ships from widespread cyberattack. Initially the subscription service will only be available for Fleet Xpress users but the company is planning to adapt it to legacy products such as FleetBroadband possibly sometime next year.
Fleet Secure is a Unified Threat Management (UTM) and monitoring service that will power cyber resilience at sea, offering vessel owners and managers continuous transparency on the status of their digital security and a 24/7 response to cybercrime. It detects external attacks via high-speed satellite broadband connectivity, while also protecting vessel networks from intrusion via infected USB sticks and crew devices connected to the onboard LAN. Fleet Secure will seamlessly integrate with Fleet Xpress for no additional outlay on hardware and no impact on the customer’s contracted bandwidth.
Peter Broadhurst, Senior Vice President Safety and Security, Inmarsat Maritime, told ShipInsight that unlike some of the available services presently being offered the new service will provide an all-inclusive, real-time managed monitoring service rather than a partial solution that only addresses some aspects of cyber security. Inmarsat Marine is also supporting a joint working group set up by the International Association of Classification Societies (IACS) to formulate a robust set of recommendations for cybersecurity at sea.
Proactive protection provision
Fleet Secure is powered by Singtel subsidiary Trustwave. Singtel is an Inmarsat service provider and its subsidiary is acknowledged as a world-leading provider of information security solutions. The organisation has its own contingent of ‘ethical’ hackers who constantly comb the internet searching for new vulnerabilities and working to neutralise them before they can create problems. Once identified any new threat will be added to the library of viruses and the details distributed seamlessly to all customers’ systems allowing any attacks to be dealt with.
The fact that Inmarsat itself owns the entire satellite and ground network adds an additional level of security.
In practical terms, the service requires nothing additional in the way of hardware and works in the background. The lack of any hardware means there is no additional expense or loss of the service in case of equipment failure. It incorporates a firewall, web content filtering, application control, an intrusion prevention system and gateway anti-virus into one service, to provide a seamless and comprehensive threat management service.
Anti-virus signatures have been customised to match the maritime threat footprint to provide tailored protection and are regularly updated. Any data transfer used to operate and maintain the system is excluded from the customer’s bandwidth usage so aside from the monthly set service fee, there is no impact on communications budgets.
The subscription service is available in three levels to suit the range of protection requirements and budgets that customers may have. The highest level is the fully-managed ‘Gold’ standard, with real-time threat monitoring and analysis. For high severity level security threats, this service includes immediate notifications to the customer, followed up by telephone to escalate threat management. For low and medium level security threats, e-mail notifications are used.
In addition to a display on the customer portal, alerts are sent to Trustwave’s global threat operations team which analyses the alerts and takes responsive action. The specialists there can identify the unique IP address of the threat source and quarantine the device with that IP address. As all devices connected to the network are assigned a unique IP address, this is a rapid action preventing the threat from spreading and allowing essential systems to continue operating. The suspect source will then be cleansed and checked before being allowed to reconnect or if it happens to be a crew member’s personal device it may be simpler to disallow further access. Broadhurst makes the point that it would be best practice to segregate networks on any ship so that one would cover the commercial communications, another monitoring and control functions and another for crew use only.
The mid-range ‘Silver’ level includes a daily review and threat analysis. The daily review of logs is by a cyber security analyst and can be viewed on the managed security portal. Users are notified of any suspicious activity for further actions and they can also access automatically generated alerts and daily, monthly and quarterly reports.
The third ‘Bronze’ level enables users to self-check the vessel’s network status via an online portal.
Best Practice is just another risk assessment
On the matter of shipping coming to grips with the cyber threat, Broadhurst makes the point that, in essence, protecting against attacks is just another form of risk assessment. “Shipping is very good at assessing risks, it is something it does all the time”, he says, “it is just a matter of understanding what the risk is”. With regard to Inmarsat’s role, Broadhurst says that just as with safety, Inmarsat wants to play a role in tackling the cyber threat and does not want to be ‘just the bit in the middle’.
He believes that understanding and combatting cyber threats is something that the industry will need to take on board and in some instances shipowners will need to prove that the risk has been properly assessed. This could result from an insurance claim where critical systems have been compromised or even a requirement of the flag or port states.
Adopting Fleet Secure could be part of that risk assessment but even if it is, the owner and crews will need to consider implementing best practice to protect against a number of issues including:
• Physical security issues (unprotected server room etc.)
• Breach from poor password policies (default admin credentials)
• Endpoint virus protection – though the UTM will stop the spread of malware from the endpoint through the network, it will not protect that endpoint from initial local infection
• Human error – this includes but is not limited to the above examples. Further examples could be leaving unmonitored admin sessions open, allowing poorly configured firewall rules and not updating software
• Awareness training