IACS: Recommendations for remote access to onboard IT systems

IACS issued a guidance report on Remote Update/Access aiming to establish recommendations for control over remote access to onboard Information Technology (IT) and Operation Technology (OT) systems. Additionally, where remote maintenance is used, clear procedures and protective measures, which include mechanisms for validating updates prior to their deployment and simply reverting to earlier revisions in the case of corruption, should be adopted.

Read in this series

Remote Access

-Ship to shore interface

For computer based systems on board that could be critical for the safety of navigation, power and cargo management, the transmissions of data which can be critical to the safety of the ship should be protected against unauthorized access.

The system integrator, producers and service providers should have an updated cyber security company policy, which includes training and governance procedures for accessible IT and OT onboard systems.

RelatedNews

USCG: FAQ to address cyber risks

Inmarsat’s solution to protect ship networks against cyber attacks

OT should have the necessary capabilities to mitigate against the risks of remote access / update. The equipment should have the capability to terminate a connection from the on board terminal and immediately revert to the known and uncorrupted state. Additionally, the Company should implement appropriate procedures for managing remote access / update.

Systems should have characteristic necessary to prevent interruptions to remote access sessions interfering with the integrity and availability of OT or the data OT uses. The shipowner should include in contracts with system integrator, producers and service providers clauses to requiring evidence of their internal governance for cyber network security.

-Configuration of network devices such as firewalls, routers and switches

Networks, that provide suppliers with remote access to allow upload of system upgrades or perform remote servicing of navigation and other OT system software on onboard, should be controlled (i.e. designed to prevent any security risks from connected devices by use of firewalls, routers and switches (reference IEC 61162-460)). Shoreside external access points of such connections should be secured to prevent unauthorised access.

-Policy and procedures

The shipowner should establish policies and procedures for control of remote access to onboard IT and OT systems. Clear guidelines should identify who has permission to access, when they can access, and what they can access. Any procedures for remote access should include close co-ordination with the ship’s master and other key senior ship personnel.

Additionally, any remote access should be initiated and confirmed by a responsible person onboard, and it should be possible at all times to terminate the remote connection by the responsible personnel onboard.

The procedures for activities on board should include steps to:

Document allowed methods of remote access to the information system;
Establish usage restrictions and implementation guidance for each allowed remote access method;
Monitor for unauthorized remote access to the information system;
Authorize remote access to the information system prior to connection; and
Enforce requirements for remote connections to the information system.

Remote maintenance

The Owner should implement the following safeguards for remote maintenance:

A permit to work system, like the one in use for hot work on board.
The connection for remote maintenance should always be initiated by the local IT or OT system. This can be accomplished by having the target systems call the remote maintenance location or by using an automatic call-back function.
All activities during remote maintenance should be monitored by in-house trained and designated IT or OT personnel. It should be possible at all times to cancel remote maintenance locally.
The external maintenance personnel should authenticate when beginning the maintenance session. Passwords should not be transmitted in unencrypted form. If systems cannot provide encryption, tunneling traffic through an encrypting virtual private network (VPN) should be adopted.
To the extent possible, remote access credentials should be personal, not shared (e.g. by a vendor’s technical support team). If this is not possible, one-time passwords should be used and reset after the session ended.
Procedures should be in place to ensure the remote maintenance process is ended safely, once completed.
Remote maintenance shall be logged. Logging information should at least contain the start and end time, persons involved during the remote maintenance and content of the maintenance.

Validating Updates

The following consideration should be included in the procedure for validating updates:

Remote update should only be carried out by authorised personnel;
Update signatures ensure the integrity and authenticity of the update;
Update data transfer protection (encryption or cyclic redundancy check – CRC) to prevent exposure of software image;
Update data decryption or CRC;
Malware scanning;
Update data validation ensures update integrity;
Post-update verification ensures that the system is performing appropriately.

Software and update versions should also be stored and log which records the: