White Paper: Building a Sustainable Maritime OT Cyber Security Program
The maritime industry, including shipping companies, cargo carriers, and cruise lines, is undergoing a massive digital transformation. It is seeing a dramatic shift from legacy, standalone Operational Technology (OT) to systems that are increasingly automated, complex and interconnected to both onboard and shore side resources.
While this digital transformation is meant to improve OT productivity and visibility while simplifying management and reducing costs, it has opened the maritime industry to cybersecurity risks. Already, the maritime industry has seen cybersecurity incidents that have resulted in vessels going off course and cost a major shipping line hundreds of millions of dollars in lost revenue.
Yet many maritime organizations are ill-equipped to mitigate cyber security risks. Additionally, the maritime industry faces unique challenges regarding technology, staffing, and operating procedures that make implementing cybersecurity solutions more challenging than for the average organization.
Nonetheless, resources are available to help maritime companies develop a sustainable maritime OT cybersecurity program. This white paper details what maritime organizations should look for to find the right approach and technology to address their unique OT cybersecurity challenges.
Why Ships Are Increasingly Prone to Cyber Attacks
Not long ago, maritime organizations relied on standalone systems for managing OT functions like bridge, cargo, navigation, propulsion, machinery, power control and access, passenger service and management, administrative and crew welfare, and communications.
Today, maritime companies are increasingly adopting new technologies as legacy systems reach end of life (EOL) and their support costs become prohibitively expensive. With vessel sizes increasing and crew sizes decreasing, maritime company owners and operators are using new technologies to connect OT systems locally and remotely via satellite communications (SATCOM) and the internet to enable remote monitoring and navigational support. Industrial Internet of Things (IIoT) solutions that transfer data from sensors on equipment over satellite or the internet for analysis are growing in popularity as well.
These new integrated technologies deliver many benefits to maritime owners and operators. The ability to remotely monitor OT systems improves productivity and reduces labor costs by allowing companies to consolidate the management of OT assets shore side. These technologies also give owners and operators greater visibility into OT assets and enable them to analyze data across ships to increase fleet efficiency.
Better still, these technologies enable owners and operators to optimize their operations. For example, an active IIoT system onboard a vessel coupled with a fuel optimization application can collect data, send it ashore, and use it to plot the most fuel-efficient route. Technologies are also increasingly available that enable preemptive maintenance and remote technical diagnostics to improve operational efficiency and safety for crew and passengers. Data from IIoT sensors on equipment, coupled with machine learning, can determine patterns that indicate when a machine is about to malfunction, so shippers can prevent problems from occurring at sea.
Growing Cybersecurity Risk
The dark side of growing automation is greater cybersecurity risk.
Older ships that have not been retrofitted or upgraded provide significant barriers to risks, such as criminal exploitation, insider threats, or lack of cyber awareness by shipboard personnel. With standalone systems, a human must physically board the vessel and plug in a rogue mobile device such as a laptop, tablet, diagnostic test equipment, or packet sniffer, to access data or transmit a virus or
But the incorporation of connected digital technologies makes equipment more accessible to outside entities and more vulnerable to intentional and unintentional risks from internal sources.
As a result, the attack surface has become much larger. Indeed, a survey of the maritime industry conducted by I.H.S. Fairplay in 2017 found that 34 percent of respondents had experienced a cyber attack in the previous 12 months (source: https://fairplay.ihs.com/safety-regulation/article/4291946/shipowner-cyber-risks-on-the-rise-survey-shows).
Minimal Cybersecurity Safeguards
Despite growing cybersecurity risks, many maritime organizations lack even rudimentary safeguards. OT equipment remains vulnerable to staff and vendor personnel who plug Transient Cyber Assets into onboard systems. Antivirus software and operating systems are not updated or are updated inappropriately; indeed, in some OT systems they cannot be updated. Networks can be poorly understood, undocumented and managed ineffectively. Fleet broadband systems may be protected by firewalls using default configurations that have never been updated. Administrator rights may not be segmented. Maritime organizations can benefit from additional training for administrators and end users in good cybersecurity practices, such as changing default usernames, using strong passwords, and changing passwords frequently.
When maritime organizations do incorporate cybersecurity, they may rely on OT and IT system vendors who manage the cybersecurity of their own products in a siloed manner. Because no one entity owns cybersecurity on ships, organizations have no single pane of glass solution to manage cybersecurity across the organization. The resulting challenges in identifying cybersecurity vulnerabilities and incidents leave maritime organizations open to cyber attacks and their consequences.
Cyberthreats at Sea and Their Consequences
Just a few of the threats that impact the maritime industry include SATCOM hacking and navigational system spoofing.
- SATCOM Hacking – Satellite communications systems are prone to cyber attacks that make the devices and machinery to which these systems are connected into potential targets for hackers.
- Navigational system spoofing – Ship navigational systems receive data via radio frequency transmission at sea. Hackers can potentially manipulate or distort signals to send a vessel off course without the system detecting the change, potentially causing a collision or allowing hackers to hijack the vessel’s GPS. For example, in June of 2017, GPS signals for about 20 ships in the Black Sea were manipulated so that the ships appeared to be located 20 miles inland, even though the navigation equipment seemed to function correctly.
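The spoofing scenario above can be caught by cross-checking each GPS fix against sources that do not depend on GPS. The following Python sketch is an added example, not part of the original white paper: it flags fixes that imply an impossible speed or that diverge from a dead-reckoned position. It assumes the speed log and gyrocompass are independent of the GPS receiver; the thresholds, field names and sample track are constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

@dataclass
class Fix:
    t: float                 # seconds since start of the sample
    lat: float               # GPS-reported latitude, degrees
    lon: float               # GPS-reported longitude, degrees
    log_speed_kn: float      # speed log reading (assumed independent of GPS)
    gyro_heading_deg: float  # gyrocompass heading (assumed independent of GPS)

def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def dead_reckon(prev, dt_s):
    """Position expected dt_s seconds after prev, from speed log and gyro only."""
    run = prev.log_speed_kn * dt_s / 3600 / EARTH_RADIUS_NM  # angular distance, rad
    hdg = math.radians(prev.gyro_heading_deg)
    lat = prev.lat + math.degrees(run * math.cos(hdg))
    lon = prev.lon + math.degrees(run * math.sin(hdg) / math.cos(math.radians(prev.lat)))
    return lat, lon

def implausible_fixes(fixes, max_speed_kn=25.0, dr_tolerance_nm=0.1):
    """Return (index, reason) for fixes inconsistent with the last trusted fix."""
    alerts, last_good = [], fixes[0]
    for i, fix in enumerate(fixes[1:], start=1):
        dt = fix.t - last_good.t
        if dt <= 0:
            continue  # out-of-order sample, nothing to compare against
        jump = distance_nm(last_good.lat, last_good.lon, fix.lat, fix.lon)
        dr_error = distance_nm(*dead_reckon(last_good, dt), fix.lat, fix.lon)
        if jump / (dt / 3600) > max_speed_kn:
            alerts.append((i, "speed"))           # vessel cannot move that fast
        elif dr_error > dr_tolerance_nm:
            alerts.append((i, "dead-reckoning"))  # slow pull away from expected track
        else:
            last_good = fix                       # only trusted fixes move the anchor
    return alerts

# Constructed sample: vessel steaming due east at 12 kn, one fix per minute.
SAMPLE_FIXES = [
    Fix(0,   44.0000, 37.5000, 12.0, 90.0),
    Fix(60,  44.0000, 37.5046, 12.0, 90.0),
    Fix(120, 44.0000, 37.5093, 12.0, 90.0),
    Fix(180, 44.3333, 37.5139, 12.0, 90.0),  # reported position jumps about 20 nm
    Fix(240, 44.3333, 37.5185, 12.0, 90.0),  # still displaced
    Fix(300, 44.0000, 37.5232, 12.0, 90.0),  # back on the expected track
    Fix(360, 44.0050, 37.5278, 12.0, 90.0),  # gradual 0.3 nm drift to the north
]

if __name__ == "__main__":
    for index, reason in implausible_fixes(SAMPLE_FIXES):
        print(f"fix {index}: failed {reason} check")
```

The dead-reckoning tolerance has to absorb current, leeway and sensor error, so in practice it is tuned per vessel and per fix interval.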
Consequences of these attacks include financial losses, safety issues, bad publicity, and compliance risks:
- Financial losses – Container shipping company Maersk had computer issues triggered by a Petya-like cyber attack that cost it $300 million in revenue.
- Safety issues – A cybersecurity incident that corrupts chart data held in electronic navigational charting systems (e.g. ECDIS) or misdirects GPS signals can cripple vessels, affecting the safety of onboard personnel, ships, and cargo.
- Bad publicity – Cybersecurity incidents can result in media reports that can harm a maritime company’s reputation.
- IMO Compliance risks – The International Maritime Organization (IMO) is giving maritime organizations until January 1, 2021 to incorporate cyber risk management into ship safety. Owners risk having their ships detained if they have not included cybersecurity in the ISM Code safety management on ships by that date.
Maritime-Specific Cybersecurity Challenges
While many cybersecurity solutions are on the market today, maritime organizations need solutions that can meet the unique issues that arise from legacy OT systems and operations at sea. These challenges span technology, staffing, and cybersecurity operating procedures.
Maritime organizations can be overwhelmed with the task of implementing cybersecurity processes and technologies across their fleet and remote and shore side management locations. In many cases, these companies have a vast array of legacy OT systems deployed, much of which was not designed with cybersecurity in mind at all. To make matters worse, every ship can have different OT system configurations and architectures, making it difficult to get a handle on the network infrastructure and topologies aboard ship that need to be secured.
Maritime organizations should select and integrate appropriate technologies (e.g. antivirus, firewalls, intrusion detection/prevention systems, endpoint security and more) to provide comprehensive cybersecurity protections for these OT systems. But because digital OT technologies lag other industries, many vendors exist in each category, making it difficult to choose the best. Companies may even need to utilize different cybersecurity vendors for ships based in different geographical locations, making it even more difficult to leverage cybersecurity technology expertise across the global enterprise.
Even when organizations use shore side solutions to remotely monitor ships, these operations aren’t standardized. For example, some organizations might use satellite technologies for remote access to support incident response and recovery while others may rely on more manual procedures and legacy communication technologies.
While staffing shortages exist throughout the cybersecurity industry, these issues are compounded at sea. Cybersecurity talent is concentrated in certain geographic regions. Yet ships travel to remote ports of call, making it difficult to find talent. Each OT solution on board is highly specialized, and each ship employs many OT systems, making it costly to assemble an onboard team with the requisite expertise. Vessels are often staffed with employees from various nationalities, which can make it difficult to provide consistent training because of differing languages and cultural influences. Frequent crew changes also create significant challenges. And even when organizations do have cybersecurity experts onboard, they may combine their cybersecurity roles with other duties, leaving little time to monitor threats or remediate cybersecurity breaches.
Maritime organizations may not have or follow standard cybersecurity operating procedures across their operations. Different ships based in different ports must comply with different local requirements and regulations. Because operating procedures are typically the responsibility of the captain of each ship, different ships from the same line may follow different procedures. Inconsistent cybersecurity procedures also make it difficult to know whether each vessel is secure and fully prepared to deal with cybersecurity incidents and impede the organization’s ability to mitigate cyber security risks.
What Maritime Companies Should Look for in a Cybersecurity Solution
The complexity and lack of standardization in maritime OT environments mean that a one-size-fits-all approach to managing cybersecurity risks will not address the demands of maritime organizations. Instead, these organizations need a roadmap that incorporates risk intelligence, technology, personnel, processes, and cybersecurity operations services (such as continuous monitoring, auditing and continuous improvement) into a comprehensive and sustainable solution that addresses their unique requirements.
Identify Risks, Threats, and Gaps in Controls
The first step in the roadmap is to determine the organization’s current state with regards to cybersecurity by identifying existing risks, threats, controls and gaps in risk mitigation. This analysis includes:
- Mapping all critical OT assets – Organizations need to identify all OT/IT systems, access, data, capabilities, and connectivity that could pose risks to the ship’s operations and safety if disrupted.
- Cybersecurity Risk Assessment – Organizations should assess the cybersecurity risk on each critical OT system for developing appropriate protections for those systems.
- Determining threats – Organizations should determine threats and methodologies most likely to be used by internal or external attackers or from inadvertent mistakes.
- Assessing vulnerabilities – Organizations should assess all critical systems for vulnerabilities through threat modeling, attack simulation, and penetration tests.
- Assessing risks from third parties – Technicians, vendors, port officials, marine terminal representatives, agents, pilots, and other technicians may board a ship and plug in devices such as laptops and tablets. Some technicians may use removable media to update computers, download data and perform other tasks. Customers, officials and port state control officers may also board a ship and request use of a computer. Third-party systems can offer remote control, access or configuration functions. Shipowners need to assess and document the extent and connectivity of this third-party equipment.
- Evaluating existing cybersecurity controls – Organizations need to assess the robustness of existing cybersecurity controls, including technology and onboard operational procedures, to handle the current level of threat.
- Prioritizing risks that must be remediated – Not all risks are equally important. Organizations should determine which are critical systems that have a higher risk, and thus a greater impact, and need to be remediated first.
Organizations should use these assessments as the basis for a mitigation strategy centered around risks with the greatest adverse impact to operations.
Gain the Proper Cybersecurity Expertise
Monitoring OT operations and responding to cybersecurity incidents requires that a maritime company have the right cybersecurity personnel assigned to key roles. These may include:
- A cybersecurity officer who assembles, organizes and manages the team and ensures it meets its goals.
- An OT system owner or engineer to assign authority to interrupt operations in the event of an incident and act as a liaison to the cybersecurity officer, executive management and external parties.
- A chief OT engineer to coordinate the delegation of authority and assign resources to an incident.
- Subject matter experts with in-depth knowledge of the control system architecture, vulnerabilities, exploits, as well as incident prevention and recovery.
If the maritime company itself does not have all these experts onboard each vessel or in a remote monitoring center, they should be able to turn to outside consultants to augment their staff. The outside organization should provide resources that the maritime company can leverage and provide different experts as cybersecurity requirements mature.
Processes and Procedures
To protect the availability, integrity and confidentiality of their critical OT systems, maritime organizations need to establish standard procedures and processes that align with industry best practices and comply with applicable regulations. Among the best practices that maritime organizations might adhere to are:
- International Maritime Organization (IMO) referenced best practices.
- The U.S. Coast Guard’s draft Navigation and Vessel Inspection Circular 05-17, Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA). These guidelines offer a cyber risk framework for the maritime industry based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- International ISO/IEC 27000 series information security standards from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
But while processes for mitigating cybersecurity risks should be guided by best practices, they should also be ship specific. For example, vessels using older technologies will require different cybersecurity processes than newer vessels that have incorporated additional automation and interconnectivity.
Examples of processes that should be developed include those for safely operating ships and for responding to cybersecurity incidents. Instructions and procedures to ensure the safe operation of ships and protection of the environment must comply with relevant international and flag state legislation. These instructions and procedures should consider risk arising from the use of IT and OT onboard as appropriate considering applicable codes, guidelines and recommended standards. Standardized processes that should be developed to support these objectives include:
- Identifying, categorizing and tracking assets
- Identifying and prioritizing vulnerabilities/risks
- Training staff on cybersecurity best practices
- Performing configuration management/change management to stay up to date on configurations, so organizations can respond to any incidents appropriately based on the assets they have
- Determining how the identified vulnerabilities should be remediated
- Quantifying the risks associated with third parties and how to treat third parties based on risks
Cyber Incident Response and Incident Handling (IR/IH) plans should include pre-determined action plans, tabletop exercises, and IR/IH resources that are pre-staged to minimize the damage of a cybersecurity attack to maritime and port operations. Such a plan will include standardized procedures for:
- Managing an incident
- Identifying and classifying an actual incident
- Containing the incident by limiting its scope and magnitude
- Investigating the incident to determine what happened to the system, device, or network interface
- Eliminating the issue
- Returning the OT device to normal operation
- Following up to ensure the incident doesn’t happen again
As maritime organizations incorporate more automated OT systems, they need to increase their cybersecurity technology investment. Cybersecurity best practices demand a defense-in-depth or layered defense strategy that defends a system against possible attacks by using several independent methods. Organizations need to identify the specific technology controls that address their risk management priorities. These technologies include firewalls to protect and segment networks, intrusion detection/prevention solutions, software whitelisting, user access controls, endpoint controls, GRC tools and IT/OT/endpoint and end-to-end monitoring and threat detection tools.
To simplify the process of monitoring the data and alerts coming from these cybersecurity solutions, organizations need a platform that can take data from point cybersecurity solutions and provide a comprehensive assessment and analysis of what those tools are saying. This platform should provide dashboards, analytics and reports to provide a consolidated view of assets, vulnerabilities, and system health and continually monitor a variety of threats.
Consulting services can also input data from manually documented penetration tests and put the findings into the system.
Ongoing Monitoring and Analysis with a Security Operations Center
Because many maritime organizations are understaffed when it comes to onboard cybersecurity personnel, they can benefit from solutions that offload cybersecurity-related activities. Maritime organizations should consider an onshore security operations center (SOC) service that centralizes cybersecurity solutions for the enterprise and fleet assets. Such a service reduces personnel requirements and costs and improves efficiency by slashing the need for cybersecurity resources aboard each vessel. Centralized onshore resources serve multiple vessels simultaneously. A SOC can also provide specialized cybersecurity personnel to take over select activities, so the organization can focus its resources elsewhere. Available cybersecurity services can include monitoring, performing incident response and remediation, and even applying custom weights to rank threats so enterprises can focus monitoring and remediation efforts on the riskiest systems and vendors. The service should accommodate each organization’s choice of monitoring approaches. Some organizations may prefer batch mode, which monitors systems on the vessels and uploads the data at the next port of call. Others may want a service that provides satellite connections for ongoing monitoring of critical alerts.
Improve Your Cybersecurity Game
Maritime organizations are flocking to connected OT solutions to benefit from remote monitoring, better visibility, and lower costs. But as they do, they open themselves up to new cybersecurity risks, risks that standard cybersecurity solutions are unable to effectively mitigate due to the unique demands of the maritime industry.
Nonetheless, effective and sustainable technologies are available for maritime organizations. Look for a comprehensive solution that helps identify risks, threats, and gaps in controls, helps with selection and implementation of the right cybersecurity technologies, augments your internal cybersecurity staff, drives the development of standard operating processes across the enterprise, and provides tactical incident monitoring and response as needed. With such an end-to-end solution, maritime organizations can have the best of both worlds: the operational and cost efficiencies of OT solutions with the peace of mind that comes from having effective cybersecurity.