In its latest issue of Phish and Ships, Be Cyber Aware at Sea explains what Shadow IT is and highlights that attackers look specifically for it, knowing that it is a vulnerable part of an organization’s network.
Shadow IT is the term given to IT devices or services that are being used without the approval of, and often even without the knowledge of, your IT department.
It takes a variety of forms, including cloud storage services like Dropbox and Box, internet-connected items like coffee machines and IP cameras, or unapproved Wi-Fi routers or extenders plugged into your corporate network to allow those near them to ‘access the internet’.
These kinds of services are most of the time not protected by the organization’s security and privacy controls. This means that a company’s data may not be backed up, and the data may be stored in a data centre in a foreign country.
Similarly, it is stated that physical devices may not be monitored for security threats or patched correctly, exposing the organization to several risks.
Consequently, it is reported that attackers look specifically for Shadow IT so they can use this ‘chink in the armor’ to attack the company.
In the shipping industry, a vessel may have some processes and technologies that aren’t made by the company; these can become an entry point for malicious software to access the network. Suppliers have easy access, so validate suppliers to ensure they are ‘Cyber Secure’ (compliant with Information Security Management standards like ISO 27001 or NIST).
Dealing with Shadow IT:
Unsecured USB ports are the equivalent of an open cat-flap in a locked front door.
It is recommended to secure any USB port on the vessel, either through hardware controls or software limitations. If the port has to be accessed for system patching, it is advised to use a dedicated USB for this specific activity and keep it secured when not in use.
Some manufacturers produce an encrypted USB drive that requires a PIN typed into the drive itself before a computer will recognize it.
Organizations need to start considering what additional challenges will come with the changing landscape of marine technology.
In conclusion, more has to be done to ensure that staff, crew and contractors are aware of the safety and security implications of connecting personal or internet-enabled devices to ship or platform networks or accessing cloud-based services while offshore.