The maritime sector is facing a significant increase in cyber threats. During September-October 2023, a cyberattack targeting a maritime company was recorded every three days on average!
It's not just the frequency of the attacks; the severity can also be critical. For example, the Port of Nagoya in Japan had to shut down operations for more than three days after a ransomware attack.
In addition, new critical vulnerabilities were published in major hardware and software commonly used by shipping companies: just in the last month we saw new critical vulnerabilities in major brands of firewalls, routers, internet browsers (practically all of them), operating systems and virtual machine infrastructure.
In this environment, it’s no longer feasible to settle for a “firewall and antivirus” approach. However, managing maritime cyber risks is not simple, and there are many unique challenges that are not always answered by traditional cyber solutions:
- As the industry undergoes a digital transformation, most ships employ both new (digital) and legacy systems together, making it complex to manage all the assets on board one ship, not to mention managing a fleet of dozens and even hundreds of ships.
- The unique protocols, processes and behavior of maritime IT and OT make it hard to create a unified view of assets, vulnerabilities, and risks, both across a vessel and across an entire fleet. As a result, mapping and then monitoring all assets and networks is a lengthy process and is rarely done continuously, in real time.
- Most cyber solutions only protect part of the landscape so the IT manager or CISO needs to rely on multiple cyber solutions.
- New maritime cyber regulations and requirements provide frameworks for establishing processes and for cyber resilience. This is a very important step for maritime safety, but the processes create additional work for the IT and security teams.
Best Practices for Maritime Cyber Resilience
Traditionally, the perimeter approach was common in cyber security: firewalls to make sure no unauthorized party can enter the system, and antivirus so that malware is not downloaded from the internet. However, the digital landscape, especially aboard vessels, makes this no longer sufficient, as many attacks bypass firewalls and antivirus using various techniques, from equipment and application exploits to "social engineering".
Contemporary cyber best practices focus on managing cyber risks, prioritizing alerts and designing internal resilience to minimize damage in case of a breach.
We can't cover all aspects here, but we would like to focus on a few measures that shipping companies can take to improve their cyber risk management:
#1 Start by creating a clear view of all your IT and OT assets on board all your vessels. Mapping your landscape and identifying all your assets ensures you won’t be “sailing blind” in your risk analysis. This is best done with an automated solution that can map and constantly monitor changes in your asset landscape.
Remember, cyberattacks usually come from the weakest link.
#2 After mapping your assets, you need to identify vulnerabilities. This should be a combination of known vulnerabilities and testing for unknown ones (even if they result from misconfiguration and not inherent in the device/application). Vulnerabilities can be found in applications, devices, operating systems, networks and network management, communication systems etc. Each vulnerability also needs to be assessed for severity, in order to assess the risk it poses.
For example, known cyber vulnerabilities are cataloged with a severity score of 0 to 10, where 9.0-10.0 is considered a critical vulnerability and 7.0-8.9 would be a high severity vulnerability.
#3 Cyber resilience best practices are about managing vulnerabilities, because vulnerabilities are the attack vector, and resolving them will usually involve third parties. Many IT and OT assets are purchased for several vessels in parallel; therefore, it's much more effective to manage vulnerabilities across the fleet rather than per individual vessel and asset.
#4 Once you map your assets and vulnerabilities, you can start prioritizing handling of the various vulnerabilities. A typical shipping company may identify hundreds and even thousands of vulnerabilities, so prioritization by severity is critical to make efficient use of your resources.
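The cross-fleet prioritization described in #2 to #4, as an added example that is not part of the original post: findings are grouped per vulnerability across vessels, mapped to the severity bands the text quotes (Critical 9.0-10.0, High 7.0-8.9; the Medium, Low and None bands are the standard CVSS v3 qualitative scale), and ranked so that a finding shared by many vessels outranks a single-vessel finding in the same band. Vessel names, asset names and vulnerability ids are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample findings: one row per vulnerable asset on a vessel.
# Vulnerability ids are placeholders, not real CVE numbers.
FINDINGS = [
    {"vessel": "MV Alpha", "asset": "bridge-fw-01", "vuln": "VULN-FW-0001", "cvss": 9.8},
    {"vessel": "MV Beta",  "asset": "bridge-fw-01", "vuln": "VULN-FW-0001", "cvss": 9.8},
    {"vessel": "MV Gamma", "asset": "bridge-fw-01", "vuln": "VULN-FW-0001", "cvss": 9.8},
    {"vessel": "MV Alpha", "asset": "ecdis-ws-02",  "vuln": "VULN-OS-0002", "cvss": 7.5},
    {"vessel": "MV Beta",  "asset": "ecdis-ws-02",  "vuln": "VULN-OS-0002", "cvss": 7.5},
    {"vessel": "MV Gamma", "asset": "crew-wifi-ap", "vuln": "VULN-AP-0003", "cvss": 9.9},
    {"vessel": "MV Alpha", "asset": "printer-01",   "vuln": "VULN-PR-0004", "cvss": 5.3},
]

BAND_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}


def severity_band(score: float) -> str:
    """Map a 0-10 severity score to its qualitative band (CVSS v3 scale)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def prioritize_fleet(findings):
    """Aggregate findings per vulnerability across the fleet and rank them."""
    by_vuln = defaultdict(lambda: {"vessels": set(), "assets": 0, "cvss": 0.0})
    for f in findings:
        entry = by_vuln[f["vuln"]]
        entry["vessels"].add(f["vessel"])
        entry["assets"] += 1
        entry["cvss"] = max(entry["cvss"], f["cvss"])
    rows = [
        {"vuln": v, "band": severity_band(e["cvss"]), "cvss": e["cvss"],
         "vessels": sorted(e["vessels"]), "assets": e["assets"]}
        for v, e in by_vuln.items()
    ]
    # Highest band first; within a band, the vulnerability present on the
    # most vessels first, then by score, so one fix covers the most ships.
    return sorted(rows, key=lambda r: (BAND_RANK[r["band"]],
                                       -len(r["vessels"]), -r["cvss"], r["vuln"]))
```

Note that VULN-FW-0001 (9.8, three vessels) is ranked above VULN-AP-0003 (9.9, one vessel): both are Critical, but fixing the fleet-wide one removes more exposure per vendor engagement.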
#5 The best way to identify unknown vulnerabilities is to constantly monitor asset and communications behavior in real-time. Devices that transmit an unusual amount of information or communicate with networks they are not supposed to communicate with could indicate a breach.
One example was a ship where we installed our system and identified a vulnerable legacy OT asset that was connected to the internet intermittently, making it very hard to detect with periodic checks. Cydome monitored it in real time and alerted the company about the unusual behavior.
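The two behavioral signals named in #5, a device talking to networks it is not supposed to reach and a device sending far more data than usual, as an added detection example that is not Cydome's product code: flow records are checked against a per-device list of expected networks and a per-device volume baseline. The device names, networks, baselines and flow records are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed policy: the networks each onboard device is expected to talk to.
EXPECTED_NETWORKS = {
    "ecdis-ws-02":    ["10.10.0.0/24"],               # bridge network only
    "ballast-plc-01": ["10.20.0.0/24"],               # OT network only
    "crew-wifi-ap":   ["10.30.0.0/24", "0.0.0.0/0"],  # internet access allowed
}
# Constructed baseline: bytes sent per monitoring window, from prior observation.
BASELINE_BYTES = {"ecdis-ws-02": 2_000_000, "ballast-plc-01": 50_000,
                  "crew-wifi-ap": 5_000_000_000}
VOLUME_FACTOR = 5  # alert when a device sends more than 5x its baseline

# Constructed flow records for one window: (device, destination IP, bytes sent).
FLOWS = [
    ("ecdis-ws-02", "10.10.0.5", 150_000),
    ("ballast-plc-01", "10.20.0.9", 12_000),
    ("ballast-plc-01", "203.0.113.45", 40_000),  # OT device reaching the internet
    ("ecdis-ws-02", "10.10.0.7", 15_000_000),    # far above its baseline
    ("crew-wifi-ap", "198.51.100.8", 300_000_000),
]


def detect_anomalies(flows, expected=EXPECTED_NETWORKS,
                     baseline=BASELINE_BYTES, factor=VOLUME_FACTOR):
    """Return (device, reason, detail) alerts for unexpected destinations
    and for total volume above factor * baseline. A device with no policy
    entry is unmanaged, so every destination it reaches is flagged."""
    alerts = []
    sent = defaultdict(int)
    for device, dst, nbytes in flows:
        sent[device] += nbytes
        allowed = [ipaddress.ip_network(n) for n in expected.get(device, [])]
        if not any(ipaddress.ip_address(dst) in net for net in allowed):
            alerts.append((device, "unexpected_destination", dst))
    for device, total in sent.items():
        if device in baseline and total > factor * baseline[device]:
            alerts.append((device, "volume_above_baseline", total))
    return alerts
```

A device that is online only intermittently, like the legacy OT asset described above, produces no flows during a periodic scan but still shows up here as soon as it sends a single out-of-policy flow.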
#6 Even with the best defense systems, breaches can happen, so prepare to minimize the damage. The first measure is to segregate your networks so that a breach in one network or one group will not affect systems and devices connected to another network. In addition, establish cyber response processes; you will need to do that anyway to comply with recent maritime regulations and requirements.