This week, we have a guest blog post from Arnt Ove Nedrebø in NTT Security.
A ship is no longer an isolated island. It’s connected to the outside world through satellites and networks, providing an improved environment and experience for both employees and passengers. What it also provides, however, is a new attack target for experienced hackers.
There are new threats with potentially big consequences. Today, shipping companies and vendors of on-board systems often want the real-time status of all kinds of systems, from motors and rudders through to propellers and ballasts. This requires the operational systems controlling them to be integrated with the IT systems so that land-based management has an overview of the condition of the ships. It provides greater predictability in many of the shipping companies' processes, but at the same time removes the watertight bulkheads between the two. That's why we need to ask whether ships, and especially newbuilds, are safe enough.
The consequence is, among other things, that hackers can find ways to enter the Operational Technology (OT) systems on a ship via the IT systems. A penetration test program can reveal whether there are connections between the IT and OT systems that have not been taken into account and that would allow unauthorized persons to enter systems important to a ship's operation. When IT systems are integrated with the operational systems, the consequences of a hacker attack are potentially severe.
So, the more companies integrate their IT systems with on-board operational and production systems, the more exposed they become to potential hacker attacks.
Here are four steps shipping companies should take to reduce their risk of successful attacks:
- Perform security tests using professional penetration testers who understand the maritime industry. This is called marine ethical hacking. A cybersecurity expert works and thinks as a malicious hacker would, uncovering which security gaps you have in your networks and operating systems.
- Monitor the networks related to IT and OT. This can be done using sensors that passively "listen" to the network traffic and look for deviations. These are reported via a Security Operations Center (SOC) using technology that minimizes the footprint on bandwidth in on-board satellite networks that are already charged.
- Ensure the handling of any alerts around the clock. If the monitoring detects anomalies and/or incident candidates, analysts will verify the incident as malicious and determine how the incident should be handled in an efficient way.
- Incident management. If the alert is of a serious nature, take action to prevent a successful attack. Make sure you have access to expertise that can handle the challenges immediately, before they develop into a crisis that can harm the crew, the vessel, the cargo, the environment and reputation.
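The passive monitoring step above, sketched as an added example that is not from the original post: flow records from a listening sensor are mapped to IT and OT zones, compared against the IT/OT connections that have been taken into account, and reduced to one compact line per deviation to keep the satellite footprint small. The subnets, the approved conduit and the flow records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed zone layout for one vessel (hypothetical subnets).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
}
# The only cross-zone conduits that have been taken into account:
# (src_zone, dst_zone, dst_ip, dst_port). Hypothetical entry.
APPROVED = {
    ("OT", "IT", "10.10.5.20", 443),  # OT status feed to the IT reporting server
}
# Constructed flow records (src_ip, dst_ip, dst_port) from a passive sensor.
SAMPLE_FLOWS = [
    ("10.20.1.5", "10.10.5.20", 443),   # approved status feed
    ("10.20.1.5", "10.10.5.20", 443),
    ("10.10.3.7", "10.20.1.5", 502),    # IT workstation to OT controller (Modbus/TCP)
    ("10.10.3.7", "10.20.1.5", 502),
    ("10.10.3.7", "10.20.1.5", 502),
    ("10.10.3.7", "10.10.5.20", 445),   # IT-internal, out of scope here
    ("10.20.1.5", "10.20.1.6", 502),    # OT-internal, out of scope here
    ("10.20.1.5", "203.0.113.9", 53),   # OT host talking to an outside address
]

def zone_of(ip):
    """Map an address to its zone; anything unknown is EXTERNAL."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"

def find_deviations(flows):
    """Count cross-zone flows touching OT that are not approved conduits."""
    deviations = Counter()
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or "OT" not in (sz, dz):
            continue
        if (sz, dz, dst, port) not in APPROVED:
            deviations[(sz, dz, src, dst, port)] += 1
    return deviations

def summarize(deviations):
    """One short line per distinct deviation, so repeats cost one alert."""
    return [f"{sz}->{dz} {src}->{dst}:{port} x{n}"
            for (sz, dz, src, dst, port), n in sorted(deviations.items())]

if __name__ == "__main__":
    for line in summarize(find_deviations(SAMPLE_FLOWS)):
        print(line)
```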
Finally, a word on compliance. Security for integrated IT and OT systems on ships is still a relatively new field, so there are few legal requirements. However, there are some standards – such as the International Maritime Organization (IMO) Resolution MSC.428(98), Network and Information Systems Regulation (NIS), Maritime Transportation Security Act (MTSA) and SIRE Vessel Inspection Questionnaire (VIQ7) – that provide guidelines, and many purchasers require ships and shipping companies to operate in accordance with these standards.
So, by following these four steps, you are also well on your way to compliance. What’s more, by having a system for monitoring and reporting incidents on ships, you get an overview of all resources and any events in the ship’s IT and OT zones – making it well secured and fit for the future.