Cyber Operators Course (Op) – Module 2

Accidental `Self-Hack` – Password Manager Applications

There is plenty on the internet about creating strong passwords. A common view is that passwords should be created and stored in a password manager application.

Password managers are simple, free for personal use and store passwords safely. Instead of the user having to remember multiple complex passwords, which usually leads to re-use, the password manager handles it all. Unique, truly complex passwords are created!



*Images: There are many available on the market. However, it could simply be a log onboard, centrally managed in a secure location, with a list of when they need changing and what they have been changed to.

Cyber Operators Course (Op) – Module 3

Different Risks and terminology – Social engineering methods

A skilled social engineer will probably observe vessel operations in port for some time to understand how security procedures work. Ask yourself if you would challenge a suitably dressed professional when on board. They look the part and appear to be busy with a purpose.

All appropriate clothing for maritime operations is easily available online.

ID cards can be easy to recreate or clone.

Cyber Operators Course (Op) – Module 1

Introduction – Modern Cyber

When we talk about Cyber Security, we are ultimately talking about technology infrastructure, applications, data, and human interaction. But these are no longer limited to the “wired” net. Cyber Security now extends beyond it and applies to almost all IP-based communications.

IP: Internet Protocol

    

We have established that the cyber industry is bigger than perhaps expected. Your vessel is vulnerable and potentially the next target… assuming you have not been targeted already.


Incident: Worm* attack on maritime IT and OT

The company asked Cyber Security professionals to conduct forensic analysis and remediation. It was determined that all servers associated with the equipment were infected and that the virus had been in the system undiscovered for 875 days.


*Worms infect computer systems by exploiting software vulnerabilities. Worms are most commonly found attached to emails. This could be a link to a malicious website, an instant download, or a file/folder attached to the email. Once the worm has been activated, it will silently start to infect your computer systems. Worms can be transmitted like a disease via devices such as USB drives.

Cyber Operators Course (Op) – Module 3

Different Risks and terminology – Social engineering methods

When challenged, a competent social engineer will be able to answer questions in a way that makes their purpose appear legitimate.

“I was sent by the operator to fix a problem with the ballast control system, can you direct me to it”

“I’m here to update the security software on the Wi-Fi network”

“We’ve had a report that the ECDIS is playing up”

Most crew will be helpful. They inadvertently escort the hacker to the system on the vessel and probably leave them alone to get on with their work.

Expert social engineers will be confident enough to aggressively challenge back, for example:

“How dare you challenge me, I’ll report you for disobedience!”

Crew need to feel able to challenge personnel without fear of risking their jobs. If they don’t feel able to do so, at the very least they should be able to quickly report concerns to the master or operator.

Cyber Operators Course (Op) – Module 1

Introduction – The industry has taken action (IMO MSC.428(98))

In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management System (SMS). The Resolution stated that an approved SMS should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code.

It further encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.

The same year, IMO developed guidelines that provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. As also highlighted in the IMO guidelines, effective cyber risk management should start at the senior management level.

Cyber Operators Course (Op) – Module 3

Different Risks and terminology – Stowaways

Fortunately, crews are familiar with preventing stowaways from boarding. This same degree of alertness should be applied to social engineers. The social engineer may not fit with the appearance of a stowaway, but similar defences can be applied.

Cyber Operators Course (Op) – Module 1

Introduction – Basic Definitions

Important definitions:

  1. Definition of Cyber Security – “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack”
  2. Definition of Cyber – “Relating to or characteristic of the culture of computers, information technology, and virtual reality.”
  3. Definition of Cyber Attack – “An attempt by hackers to damage or destroy a computer network or system.”
  4. Definition of Cyber Terror – “An organisation, working independently of a nation state, conducting terrorist activities through the medium of cyberspace.”
  5. Definition of Cyber Crime – “Conducted by individuals working alone, or in organised groups, intent on extracting money, data or causing disruption, Cyber Crime can take many forms, including the acquisition of credit/debit card data and intellectual property, and impairing the operations of a website or service”.
  6. Definition of Cyber War – “A nation-state conducting sabotage and espionage against another nation in order to cause disruption or to extract data. This could involve the use of Advanced Persistent Threats (APTs)”.
  7. Definition of Cyberspace – the notional environment in which communication over computer networks occurs.

Organisations that have to consider measures against cyber war or cyber terror include governments, those within the critical national infrastructure, and very high-profile institutions. It is unlikely that most organisations will face the threat of cyber war or cyber terror.

Cyber Operators Course (Op) – Module 3

Different Risks and terminology – Hackers’ motivations

In order to understand the threat, we need to understand a little about the motivations of a hacker in the maritime context.

First and most importantly, plenty of hackers need no motivation. They’re exploring the internet to see what they can find and discover interesting systems to play with. They may not understand the significance of the buttons they’re pushing, but they will push them all the same. That your DP was unintentionally on the public internet through a misconfiguration in your satcom terminal and has just gone offline is of no consequence to them. Their view is that they shouldn’t be able to access it.

The law is of no interest – they will be hidden behind a TOR exit node and you’ll never be able to trace them. Even if you could get law enforcement to trace them, they may be too young to prosecute.

Cyber Operators Course (Op) – Module 3

Different Risks and terminology – The ethical hacker

The white hat. You might engage an ethical hacker or penetration tester to evaluate the security of your vessels. That’s the best way to be certain of your security.

Pen Test Partners LLP is a very well-respected provider of this, who have spent significant time in the Maritime Industry understanding how modern vessels work. There are many other providers, but it may be worth considering them: info@pentestpartners.com

Sometimes, white hats will find security flaws in your systems. They will want to disclose these to you privately in an effort to help you out. Operators often struggle to deal with this altruism and unintentionally annoy the researcher. This sometimes leads to critical vulnerabilities in your systems being splattered across the public internet. This isn’t the outcome that anyone wanted and can easily be avoided:

Set up an email address for researchers to contact you on, typically security@, e.g. security@maersk.com

Cyber Operators Course (Op) – Module 3

Different Risks and terminology – The ethical hacker

Brief your in-house IT security personnel to respond to researchers in a timely, positive and constructive manner. Of greatest importance is to set and agree a time frame with the researcher by which you will investigate, verify and fix the issue. The issue may not be of huge importance to your development teams, but the researcher won’t be aware of that. Over-communication is usually the key to maintaining a constructive relationship with the ‘white hat’.

Sometimes a simple ‘thank you’ and a credit in public will suffice, although you may wish to look at bug bounty schemes such as Bugcrowd and HackerOne that reward white hats for their efforts.