BUILDING A SUSTAINABLE MARITIME OT CYBER SECURITY PROGRAM
The maritime industry, including shipping companies, cargo carriers, and cruise lines, is undergoing a massive digital transformation. It is seeing a dramatic shift from legacy, standalone Operational Technology (OT) to systems that are increasingly automated, complex and interconnected to both onboard and shoreside resources.
While this digital transformation is meant to improve OT productivity and visibility while simplifying management and reducing costs, it has opened the maritime industry to cyber security risks. Already, the maritime industry has seen cyber security incidents that have resulted in vessels going off course and cost a major shipping line hundreds of millions of dollars in lost revenue.
Yet many maritime organizations are ill-equipped to mitigate cyber security risks. Additionally, the maritime industry faces unique challenges regarding technology, staffing, and operating procedures that make implementing cyber security solutions more challenging than for the average organization.
Nonetheless, resources are available to help maritime companies develop a sustainable maritime OT cyber security program. This white paper details what maritime organizations should look for to find the right approach and technology to address their unique OT cyber security challenges.
Why Ships Are Increasingly Prone to Cyber Attacks
Not long ago, maritime organizations relied on standalone systems for managing OT functions like bridge, cargo, navigation, propulsion, machinery, power control and access, passenger service and management, administrative and crew welfare, and communications.
Today, maritime companies are increasingly adopting new technologies as legacy systems reach end of life (EOL) and their support costs become prohibitively expensive. With vessel sizes increasing and crew sizes decreasing, maritime company owners and operators are using new technologies to connect OT systems locally and remotely via satellite communications (SATCOM) and the internet to enable remote monitoring and navigational support. Industrial Internet of Things (IIoT) solutions that transfer data from sensors on equipment over satellite or the internet for analysis are growing in popularity as well.
These new integrated technologies deliver many benefits to maritime owners and operators. The ability to remotely monitor OT systems improves productivity and reduces labor costs by allowing companies to consolidate the management of OT assets shoreside. These technologies also give owners and operators greater visibility into OT assets and enable them to analyze data across ships to increase fleet efficiency.
Better still, these technologies enable owners and operators to optimize their operations. For example, an active IIoT system onboard a vessel coupled with a fuel optimization application can collect data, send it ashore, and use it to plot the most fuel-efficient route. Technologies are also increasingly available that enable pre-emptive maintenance and remote technical diagnostics to improve operational efficiency and safety for crew and passengers. Data from IIoT sensors on equipment, coupled with machine learning, can determine patterns that indicate when a machine is about to malfunction, so shippers can prevent problems from occurring at sea.
Growing Cyber Security Risk
The dark side of growing automation is greater cyber security risk.
Older ships that have not been retrofitted or upgraded provide significant barriers to risks, such as criminal exploitation, insider threats, or lack of cyber awareness by shipboard personnel. With standalone systems, a human must physically board the vessel and plug in a rogue mobile device such as a laptop, tablet, diagnostic test equipment, or packet sniffer, to access data or transmit a virus or
But the incorporation of connected digital technologies makes equipment more accessible to outside entities and more vulnerable to intentional and unintentional risks from internal sources.
As a result, the attack surface has become much larger. Indeed, a survey of the maritime industry conducted by I.H.S. Fairplay in 2017 found that 34 percent of respondents had experienced a cyberattack in the previous 12 months (source: https://fairplay.ihs.com/safety-regulation/article/4291946/shipowner-cyber-risks-on-the-rise-survey-shows).
Minimal Cyber Security Safeguards
Despite growing cyber security risks, many maritime organizations lack even rudimentary safeguards. OT equipment remains vulnerable to staff and vendor personnel who plug Transient Cyber Assets into onboard systems. Antivirus software and operating systems are not updated or are updated inappropriately; indeed, in some OT systems they cannot be updated. Networks can be poorly understood, undocumented and managed ineffectively. Fleet broadband systems may be protected by firewalls using default configurations that have never been updated. Administrator rights may not be segmented. Maritime organizations can benefit from additional training for administrators and end users in good cyber security practices, such as changing default usernames, using strong passwords, and changing passwords frequently.
When maritime organizations do incorporate cyber security, they may rely on OT and IT system vendors who manage the cyber security of their own products in a siloed manner. Because no one entity owns cyber security on ships, organizations have no single pane of glass solution to manage cyber security across the organization. The resulting challenges in identifying cyber security vulnerabilities and incidents leave maritime organizations open to cyber attacks and their consequences.
Cyberthreats at Sea and Their Consequences
Just a few of the threats that impact the maritime industry include SATCOM hacking and navigational system spoofing.
- SATCOM Hacking – Satellite communications systems are prone to cyberattacks that make the devices and machinery to which these systems are connected into potential targets for hackers.
- Navigational system spoofing – Ship navigational systems receive data via radio frequency transmission at sea. Hackers can potentially manipulate or distort signals to send a vessel off course without the system detecting the change, potentially causing a collision or allowing hackers to hijack the vessel’s GPS. For example, in June of 2017, GPS signals for about 20 ships in the Black Sea were manipulated, saying the ships were located 20 miles inland, even though the navigation equipment seemed to function correctly.
Consequences of these attacks include financial losses, safety issues, bad publicity, and compliance risks:
- Financial losses – Container shipping company Maersk had computer issues triggered by a Petya-like cyberattack that cost it $300 million in revenue.
- Safety issues – A cyber security incident that corrupts chart data held in electronic navigational charting systems (e.g. ECDIS) or misdirects GPS signals can cripple vessels, affecting the safety of onboard personnel, ships, and cargo.
- Bad publicity – Cyber security incidents can result in media reports that can harm a maritime company’s reputation.
- IMO Compliance risks – The International Maritime Organization (IMO) is giving maritime organizations until January 1, 2021 to incorporate cyber risk management into ship safety. Owners risk having their ships detained if they have not included cyber security in the ISM Code safety management on ships by that date.
Maritime-Specific Cyber Security Challenges
While many cyber security solutions are on the market today, maritime organizations need solutions that can meet the unique issues that arise from legacy OT systems and operations at sea. These challenges span technology, staffing, and cyber security operating procedures.
Maritime organizations can be overwhelmed with the task of implementing cyber security processes and technologies across their fleet and remote and shoreside management locations. In many cases, these companies have a vast array of legacy OT systems deployed, much of which was not designed with cyber security in mind at all. To make matters worse, every ship can have different OT system configurations and architectures, making it difficult to get a handle on the network infrastructure and topologies aboard ship that need to be secured.
Maritime organizations should select and integrate appropriate technologies (e.g. antivirus, firewalls, intrusion detection/prevention systems, endpoint security and more) to provide comprehensive cyber security protections for these OT systems. But because digital OT technologies lag other industries, many vendors exist in each category, making it difficult to choose the best. Companies may even need to utilize different cyber security vendors for ships based on their geographical location, making it even more difficult to leverage cyber security technology expertise across the global enterprise.
Even when organizations use shoreside solutions to remotely monitor ships, these operations aren’t standardized. For example, some organizations might use satellite technologies for remote access to support incident response and recovery while others may rely on more manual procedures and legacy communication technologies.
While staffing shortages exist throughout the cyber security industry, these issues are compounded at sea. Cyber security talent is concentrated in certain geographic regions. Yet ships travel to remote ports of call, making it difficult to find talent. Each OT solution on board is highly specialized, and each ship employs many OT systems, making it costly to assemble an onboard team with the requisite expertise. Vessels are often staffed with employees from various nationalities, which can make it difficult to provide consistent training because of differing languages and cultural influences. Frequent crew changes also create significant challenges. And even when organizations do have cyber security experts onboard, they may combine their cyber security roles with other duties, leaving little time to monitor threats or remediate cyber security breaches.
Maritime organizations may not have or follow standard cyber security operating procedures across their operations. Different ships based in different ports must comply with different local requirements and regulations. Because operating procedures are typically the responsibility of the captain of each ship, different ships from the same line may follow different procedures. Inconsistent cyber security procedures also make it difficult to know whether each vessel is secure and fully prepared to deal with cyber security incidents and impede the organization’s ability to mitigate cyber security risks.
What Maritime Companies Should Look for in a Cyber Security Solution
The complexity and lack of standardization in maritime OT environments mean that a one-size-fits-all approach to managing cyber security risks will not address the demands of maritime organizations. Instead, these organizations need a roadmap that incorporates risk intelligence, technology, personnel, processes, and cyber security operations services (such as continuous monitoring, auditing and continuous improvement) into a comprehensive and sustainable solution that addresses their unique requirements.
Identify Risks, Threats, and Gaps in Controls
The first step in the roadmap is to determine the organization’s current state with regards to cyber security by identifying existing risks, threats, controls and gaps in risk mitigation. This analysis includes:
- Mapping all critical OT assets – Organizations need to identify all OT/IT systems, access, data, capabilities, and connectivity that could pose risks to the ship’s operations and safety if disrupted.
- Cyber Security Risk Assessment – Organizations should assess the cyber security risk on each critical OT system in order to develop appropriate protections for those systems.
- Determining threats – Organizations should determine threats and methodologies most likely to be used by internal or external attackers or from inadvertent mistakes.
- Assessing vulnerabilities – Organizations should assess all critical systems for vulnerabilities through threat modeling, attack simulation, and penetration tests.
- Assessing risks from third parties – Technicians, vendors, port officials, marine terminal representatives, agents, pilots, and other technicians may board a ship and plug in devices such as laptops and tablets. Some technicians may use removable media to update computers, download data and perform other tasks. Customers, officials and port state control officers may also board a ship and request use of a computer. Third-party systems can offer remote control, access or configuration functions. Shipowners need to assess and document the extent and connectivity of this third-party equipment.
- Evaluating existing cyber security controls – Organizations need to assess the robustness of existing cyber security controls, including technology and onboard operational procedures, to handle the current level of threat.
- Prioritizing risks that must be remediated – Not all risks are equally important. Organizations should determine which critical systems carry a higher risk, and thus a greater impact, and need to be remediated first.
Organizations should use these assessments as the basis for a mitigation strategy centered around risks with the greatest adverse impact to operations.
Gain the Proper Cyber Security Expertise
Monitoring OT operations and responding to cyber security incidents requires that a maritime company have the right cyber security personnel assigned to key roles. These may include:
- A cyber security officer who assembles, organizes and manages the team and ensures it meets its goals.
- An OT system owner or engineer to assign authority to interrupt operations in the event of an incident and act as a liaison to the cyber security officer, executive management and external parties.
- A chief OT engineer to coordinate the delegation of authority and assign resources to an incident.
- Subject matter experts with in-depth knowledge of the control system architecture, vulnerabilities, exploits, as well as incident prevention and recovery.
If the maritime company itself does not have all these experts onboard each vessel or in a remote monitoring center, it should be able to turn to outside consultants to augment its staff. The outside organization should provide resources that the maritime company can leverage and provide different experts as cyber security requirements mature.
Processes and Procedures
To protect the availability, integrity and confidentiality of their critical OT systems, maritime organizations need to establish standard procedures and processes that align with industry best practices and comply with applicable regulations. Among the best practices that maritime organizations might adhere to are:
- International Maritime Organization (IMO) referenced best practices.
- The U.S. Coast Guard’s draft Navigation and Vessel Inspection Circular 05-17, Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA). These guidelines offer a cyber risk framework for the maritime industry based on the National Institute of Standards and Technology (NIST) Cyber Security Framework.
- International ISO/IEC 27000 series information security standards from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
But while processes for mitigating cyber security risks should be guided by best practices, they should also be ship specific. For example, vessels using older technologies will require different cyber security processes than newer vessels that have incorporated additional automation and interconnectivity.
Examples of processes that should be developed include those for safely operating ships and for responding to cyber security incidents. Instructions and procedures to ensure the safe operation of ships and protection of the environment must comply with relevant international and flag state legislation. These instructions and procedures should consider risk arising from the use of IT and OT onboard as appropriate considering applicable codes, guidelines and recommended standards. Standardized processes that should be developed to support these objectives include:
- Identifying, categorizing and tracking assets
- Identifying and prioritizing vulnerabilities/risks
- Training staff on cyber security best practices
- Performing configuration management/change management to stay up to date on configurations, so organizations can respond to any incidents appropriately based on the assets they have
- Determining how the identified vulnerabilities should be remediated
- Quantifying the risks associated with third parties and how to treat third parties based on risks
Cyber Incident Response and Incident Handling (IR/IH) plans should include pre-determined action plans, tabletop exercises, and IR/IH resources that are pre-staged to minimize the damage of a cyber security attack to maritime and port operations. Such a plan will include standardized procedures for:
- Managing an incident
- Identifying and classifying an actual incident
- Containing the incident by limiting its scope and magnitude
- Investigating the incident to determine what happened to the system, device, or network interface
- Eliminating the issue
- Returning the OT device to normal operation
- Following up to ensure the incident doesn’t happen again
As maritime organizations incorporate more automated OT systems, they need to increase their cyber security technology investment. Cyber security best practices demand a defense-in-depth or layered defense strategy that defends a system against possible attacks by using several independent methods. Organizations need to identify the specific technology controls that address their risk management priorities. These technologies include firewalls to protect and segment networks, intrusion detection/prevention solutions, software whitelisting, user access controls, endpoint controls, GRC tools, and IT/OT/endpoint and end-to-end monitoring and threat detection tools.
To simplify the process of monitoring the data and alerts coming from these cyber security solutions, organizations need a platform that can take data from point cyber security solutions and provide a comprehensive assessment and analysis of what those tools are saying. This platform should provide dashboards, analytics and reports to provide a consolidated view of assets, vulnerabilities, and system health and continually monitor a variety of threats.
Consulting services can also input data from manually documented penetration tests and put the findings into the system.
Ongoing Monitoring and Analysis with a Security Operations Center
Because many maritime organizations are understaffed when it comes to onboard cyber security personnel, they can benefit from solutions that offload cyber security-related activities. Maritime organizations should consider an onshore security operations center (SOC) service that centralizes cyber security solutions for the enterprise and fleet assets. Such a service reduces personnel requirements and costs and improves efficiency by slashing the need for cyber security resources aboard each vessel. Centralized onshore resources serve multiple vessels simultaneously. A SOC can also provide specialized cyber security personnel to take over select activities, so the organization can focus its resources elsewhere. Available cyber security services can include monitoring, performing incident response and remediation, and even applying custom weights to rank threats so enterprises can focus monitoring and remediation efforts on the riskiest systems and vendors. The service should accommodate each organization’s choice of monitoring approaches. Some organizations may prefer batch mode, which monitors systems on the vessels and uploads the data at the next port of call. Others may want a service that provides satellite connections for ongoing monitoring of critical alerts.
Improve Your Cyber Security Game
Maritime organizations are flocking to connected OT solutions to benefit from remote monitoring, better visibility, and lower costs. But as they do, they open themselves up to new cyber security risks that standard cyber security solutions are unable to effectively mitigate due to the unique demands of the maritime industry.
Nonetheless, effective and sustainable technologies are available for maritime organizations. Look for a comprehensive solution that helps identify risks, threats, and gaps in controls, helps with selection and implementation of the right cyber security technologies, augments your internal cyber security staff, drives the development of standard operating processes across the enterprise, and provides tactical incident monitoring and response as needed. With such an end-to-end solution, maritime organizations can have the best of both worlds: the operational and cost efficiencies of OT solutions with the peace of mind that comes from having effective cyber security.