Cyber Risk Mitigation: “How” not “What”
With the release of the seventh edition of the SIRE Vessel Inspection Questionnaire (VIQ7) in September 2018, tanker owners and managers are scrambling to review their cyber security best practice and bring their policies and procedures up-to-date.
It seems to be the case that any industry stakeholder with some degree of self-esteem has identified the necessity to publish their own Cyber Security Guidelines. While most of these documents surely are very helpful, they tend to focus on the “What” rather than the “How.”
It has been the flavor of the day for the cyber security industry to play the scare card regarding the risk of hacking a vessel via satellite; however, most of us understand that human error presents the greatest and most immediate risk to both onshore and at-sea operations.
Of course, vessel operators must sort out their satcom terminals and make sure they are not PUBLIC on the internet. The latest terminal software should be installed, and the password changed to something STRONG and not just left at factory settings or set to 1234.
But, of all security measures to focus on, USB hygiene is critical! It’s not as exciting as stories of ships being taken over by satellite-enabled hackers, but it is a real and present threat to ship and shore. As it accounts for more than 80 percent of the cyber security breaches registered, it is fair to say there is an industry-wide failing here.
Operators and managers need to implement simple and practical procedures to mitigate the greatest risk, which is malware carried on board on USB drives and spread on the ship’s network. So, “how” is it best to address this threat?
Sensitive areas like the wheel house, cargo control room, and engine control room can be declared as security areas. Any kind of media storage device, including private mobile phones, should be banned from these areas. Where possible, unprotected USB ports on devices should be disabled or blocked. Only an approved, protected connection between an external storage device and this critical equipment can sufficiently reduce the risk of infection.
For regular data exchange requirements, like the weekly update of electronic charts and publications, a safe and controlled ship-shore communication gateway is recommended. If dedicated IEC61162-460 approved firewall devices (providing the highest degree of protection) are not available, then any data transfer by network is still better than just copying data from the communication network to the navigation network with a USB drive. If such arrangements are not feasible, e.g. not supported by a particular make/model of ECDIS or chart radar, then a dedicated USB stick must be allocated for the data transfer, and it should be used solely for this purpose.
Anybody on board, whether it is crew, agents, visitors, or service engineers must be briefed accordingly upon boarding the vessel and should sign a corresponding acknowledgment declaration. Should, for example, a service engineer need to use a USB drive to install a software update on the ECDIS, an explicit authorization by the master or his deputies should be required and noted as part of the software maintenance discipline.
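The three measures above (only an approved, dedicated stick for the chart update; every transferred file checked before it reaches the navigation network; any other USB use only with an explicit, recorded authorization by the master or a deputy) can be enforced by a small media-transfer gate on the import workstation. The following is an added example written for this article, not ChartWorld's or any ECDIS vendor's code: the device serials, file names, contents and hashes are constructed sample values, the hash manifest is assumed to be prepared ashore together with the update package, and the officer roles that may grant an exception are an assumption of the example.

```python
"""Media-transfer gate for a shipboard navigation network (added example).

Models the article's procedure: a dedicated, allowlisted USB stick is the only
media that may carry the weekly chart/publication update, every file is
checked against a shore-prepared SHA-256 manifest before it is accepted, and
any other USB use (e.g. a service engineer's software update) needs an explicit
authorization by the master or a deputy, which is logged with the file hashes
as part of the maintenance record. All serials, files and names are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Approved media allowlist: device serial -> the single purpose it is allocated to.
APPROVED_MEDIA = {"USB-SN-CHART-0001": "chart-update"}   # constructed serial

# Roles assumed to be entitled to authorize an exceptional USB use.
AUTHORIZING_ROLES = {"master", "chief officer"}


@dataclass
class TransferRequest:
    device_serial: str
    purpose: str                         # "chart-update", "ecdis-software-update", ...
    files: dict                          # file name -> file content (bytes)
    requester: str
    authorized_by: Optional[str] = None  # officer granting an exception, if any
    authorizer_role: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def mismatched_files(files: dict, manifest: dict) -> list:
    """Names of files absent from the manifest or whose SHA-256 differs from it."""
    return [name for name, content in files.items()
            if manifest.get(name) != sha256_hex(content)]


def evaluate(req: TransferRequest, manifest: dict, audit_log: list) -> Decision:
    """Decide whether the media may be connected; append one audit record either way."""
    record = {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "device": req.device_serial,
        "purpose": req.purpose,
        "requester": req.requester,
        "files": {name: sha256_hex(data) for name, data in req.files.items()},
        "authorized_by": req.authorized_by,
    }
    allocated = APPROVED_MEDIA.get(req.device_serial)
    if allocated is not None:
        # The dedicated stick may only be used for the purpose it is allocated to.
        if allocated != req.purpose:
            decision = Decision(False, f"device is allocated to '{allocated}' only")
        else:
            bad = mismatched_files(req.files, manifest)
            decision = (Decision(False, "manifest mismatch: " + ", ".join(bad)) if bad
                        else Decision(True, "dedicated media, all files match manifest"))
    elif req.authorized_by and req.authorizer_role in AUTHORIZING_ROLES:
        # Exception path: any other media needs explicit, recorded authorization.
        decision = Decision(True, f"exception authorized by {req.authorized_by} ({req.authorizer_role})")
    else:
        decision = Decision(False, "media not on allowlist and no authorization by master or deputy")
    record.update(allowed=decision.allowed, reason=decision.reason)
    audit_log.append(record)
    return decision


# Constructed sample data: a weekly chart update prepared ashore with its manifest.
SHORE_PACKAGE = {
    "ENC_WEEK_38.zip": b"constructed ENC cell update contents",
    "NTM_WEEK_38.pdf": b"constructed notice-to-mariners contents",
}
CHART_MANIFEST = {name: sha256_hex(data) for name, data in SHORE_PACKAGE.items()}


def demo() -> list:
    """Run four representative requests and return their (allowed, reason) pairs."""
    log, results = [], []
    # 1. Dedicated stick, untouched files: allowed.
    results.append(evaluate(TransferRequest("USB-SN-CHART-0001", "chart-update",
                                            dict(SHORE_PACKAGE), "2/O"), CHART_MANIFEST, log))
    # 2. Dedicated stick, but one file altered on the way: denied.
    tampered = dict(SHORE_PACKAGE, **{"ENC_WEEK_38.zip": b"altered contents"})
    results.append(evaluate(TransferRequest("USB-SN-CHART-0001", "chart-update",
                                            tampered, "2/O"), CHART_MANIFEST, log))
    # 3. Service engineer's own stick, no authorization: denied.
    eng = TransferRequest("USB-SN-UNKNOWN-7", "ecdis-software-update", {"setup.exe": b"x"}, "engineer")
    results.append(evaluate(eng, CHART_MANIFEST, log))
    # 4. Same stick with the master's explicit authorization: allowed and recorded.
    eng.authorized_by, eng.authorizer_role = "Capt. Example", "master"
    results.append(evaluate(eng, CHART_MANIFEST, log))
    return [(d.allowed, d.reason) for d in results]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The audit list is the point as much as the allow/deny result: every attempt, refused or not, leaves a record with the device serial, the requester, the authorizing officer and the hashes of what was on the media, which is what the software maintenance record described above needs and what an investigation after an infection would ask for.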
The implementation of cyber risk mitigation measures can only be successfully achieved with awareness and comprehension, so crew training is essential. “Be cyber aware at Sea” is a wonderful campaign but can only complement the procedures and processes implemented and enforced on board. It is also essential that enforcement is fully supported by the management. Typically, junior officers are reluctant to challenge a pilot or an agent who does not comply, as they don’t feel they have the appropriate “standing” if this develops into a conflict.
There is no magic bullet when it comes to cyber security. Like all good things at sea, cyber security comes from good procedures and processes, discipline, training, keeping watch, and communication. Managing sector-wide risk would be easier if companies talked about breaches early, and it is crucial that equipment suppliers talk to their clients about areas of risk.
So, if you aren’t talking to your equipment suppliers about cyber risk, take the initiative and ask them for evidence that their systems are secure, and adapt the corresponding risk assessment accordingly. We at ChartWorld help our clients to update their ECDIS Cyber Security Procedure as part of our eQuip service.
Oliver Schwarz is Business Development Director at ChartWorld.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.