Cyber Management Course (Ma) – Module 8
Relationship between ship and shore/agents/owners – Relationship with vendors
Companies should evaluate and include the physical security and cyber risk management processes of service providers in supplier agreements and contracts. Processes evaluated during supplier vetting and included in contract requirements may include:
- security management including management of sub-suppliers
- manufacturing/operational security
- software engineering and architecture
- asset and cyber incident management
- personnel security
- data and information protection.
Evaluation of service providers beyond the first tier may be challenging, especially for companies with a large number of tier one suppliers. Third party providers that collect and manage supplier risk management data may be an option to consider.
Lack of physical and/or cyber security at a supplier within their products or infrastructure may result in a breach of corporate IT systems or corruption of ship OT/IT systems.
Companies should evaluate the cyber risk management processes for both new and existing contracts. It is good practice for the company to define its own minimum set of requirements to manage supply chain or third party risks. A set of cyber risk requirements that reflects the company’s expectations should be clear and unambiguous to vendors. This may also help procurement practices when dealing with multiple vendors.
Relationship between ship and shore/agents/owners – Working Together
The importance of this relationship has placed the agent as a named stakeholder, interfacing continuously and simultaneously with shipowners, operators, terminals, port services vendors, and port state control authorities through the exchange of sensitive, financial, and port coordination information. The relationship goes beyond that of a vendor. It can take different forms, and especially in the tramp trade, shipowners require a local representative (an independent ship agent) to serve as an extension of the company.
Coordination of the ship’s port call is a highly complex task, being simultaneously global and local. It covers updates from agents, coordinating information with all port vendors and port state control, handling ship and crew requirements, and electronic communication between the ship, the port and authorities ashore. As one example that touches cyber risk management, agents are often required to build IT systems that upload information in real time into the owner’s management information system.
Quality standards for agents are important because like all other businesses, agents are also targeted by cyber criminals. Cyber-enabled crime, such as electronic wire fraud and false ship appointments, and cyber threats such as ransomware and hacking, call for mutual cyber strategies and relationships between owners and agents to mitigate such cyber risks.
Relationship between ship and shore/agents/owners – Introduction
The Document of Compliance holder is ultimately responsible for ensuring the management of cyber risks on board. If the ship is under third party management, then the ship manager is advised to reach an agreement with the ship owner. Particular emphasis should be placed by both parties on the split of responsibilities, alignment of pragmatic expectations, agreement on specific instructions to the manager and possible participation in purchasing decisions as well as budgetary requirements. Apart from ISM requirements, such an agreement should take into consideration additional applicable legislation like the EU General Data Protection Regulation (GDPR) or specific cyber regulations in other coastal states. Managers and owners should consider using these guidelines as a base for an open discussion on how best to implement an efficient cyber risk management regime.
Agreements on cyber risk management should be formal and written.
Cyber Management Course (Ma) – Module 7
Management to-do Risk assessment and external assessments – Access for visitors
Visitors such as authorities, technicians, agents, port and terminal officials, and owner representatives should be restricted with regard to computer access whilst on board. Unauthorised access to sensitive OT network computers should be prohibited. If access to a network by a visitor is required and allowed, then it should be restricted in terms of user privileges. Access to certain networks for maintenance reasons should be approved and co-ordinated following appropriate procedures as outlined by the company/ship operator.
If a visitor requires computer and printer access, an independent computer, which is air-gapped from all controlled networks, should be used. To avoid unauthorised access, removable media blockers should be used on all other physically accessible computers and network ports.
When the lead author for this course (Mark Broster, Managing Director of the eMaritime Group) was 18, he had his Nova GSi stolen near where he lived in Liverpool.
It was 1994, so please don’t judge the car…
He said to the Police Officer, “It is not possible, I just had a Cat 1 immobiliser and state of the art alarm fitted last week!”
The Policeman said, “When you had it fitted, did you tell them your address?”
He said, “Of course, it was in the paperwork (mate).”
The Policeman said, “Son… there is a chance they took your car.”
Management to-do Risk assessment and external assessments – External access
Remotely accessible systems can be “third-party systems”, whereby the contractor monitors and maintains the systems via remote access. The connection could involve either two-way data flow or upload-only data flow. Systems and work stations with remote control, access or configuration functions could, for example, be:
- bridge and engine room computers and work stations on the ship’s administrative network
- cargo such as containers with reefer temperature control systems or specialised cargo that are tracked remotely
- stability decision support systems
- hull stress monitoring systems
- navigational systems including Electronic Navigational Chart (ENC), Voyage Data Recorder (VDR) and dynamic positioning (DP)
- cargo handling and stowage, engine, and cargo management and load planning systems
- safety and security networks, such as CCTV (closed circuit television)
- specialised systems such as drilling operations, blowout preventers, subsea installation systems, Emergency Shut Down (ESD) for gas tankers, and submarine cable installation and repair.
The extent and nature of connectivity of equipment should be known by the shipowner or operator and considered as an important part of the risk assessment.
Visits to ships by third parties requiring a connection to one or more computers on board can also result in connecting the ship to shore. It is common for technicians, vendors, port officials, marine terminal representatives, agents, pilots and others to board the ship and plug in devices such as laptops and tablets. Some technicians may require the use of removable media to update computers, download data and/or perform other tasks. It has also been known for customs officials and port state control officers to board a ship and request the use of a computer to “print official documents” after inserting unknown removable media.
Sometimes there is no control over who has access to the onboard systems, e.g. during drydocking, layups or when taking over a new or existing ship. In such cases, it is difficult to know whether malicious software has been left in the onboard systems. It is recommended that sensitive data is removed from the ship and reinstalled on returning to the ship. Where possible, systems should be scanned for malware prior to use. OT systems should be tested to check that they are functioning correctly. Some IT and OT systems are remotely accessible and may operate with a continuous internet connection for remote monitoring, data collection, maintenance functions, safety and security.
Management to-do Risk assessment and external assessments – Acceptable Management risk
The following should be addressed:
- identify systems that are important to operation, safety and environmental protection
- assign the persons responsible for setting cyber policies and procedures and for enforcing monitoring
- determine where secure remote access should use multiple layers of defence and where networks should be protected by disconnecting them from the internet
- identify the training needs of personnel.
The following questions may be used as a basis for a risk assessment when addressing cyber risks onboard ships:
- What assets are at risk?
- What is the potential impact of a cyber incident?
- Who has the final responsibility for the cyber risk management?
- Are the OT systems and their working environment protected from the internet?
- Is there remote access to the OT systems, and if so how is it monitored and protected?
- Are the IT systems protected and is remote access being monitored and managed?
- What cyber risk management best practices are being used?
- What is the training level of the personnel operating the IT and OT systems?
Based on the answers, the company should delegate authority and allocate the budget needed to carry out a full risk assessment and develop solutions that are best suited for the company and the operation of their ships.