7 Min Read
Your Vessel Exposed: 10 Potential Surprises to Expect from Your Maritime Cyber Risk Management Assessment
Written by Mission Secure
Cyber-related risk and threats to your vessel network are mounting, and so are the maritime industry cybersecurity compliance requirements. Between the upcoming International Maritime Organization’s (IMO) Resolution MSC.428(98) and other programs like the Tanker Management and Self Assessment (TMSA), you’ll need to get a handle on your vessel OT network before you can even commence.
Getting Started with Effective Maritime Cyber Risk Management
Cyber risk assessments can help jumpstart your efforts to create a cybersecurity strategy and establish an initial baseline of cybersecurity requirements and internal standards for your vessel networks. But be prepared; these assessments can expose issues of which you may or may not be aware. We’ve conducted lots of onboard maritime vessel cyber risk assessments, both point-in-time walkthroughs with pen testing and others that are continuous in nature.
In this blog, we’ll discuss why a cyber risk assessment for your vessel network might be right for you, provide you examples of the types of surprises we typically find that might come out of your assessment, and give you guidance on how to avoid these surprises in the future.
Why is a Cyber Risk Assessment Important?
The dangers facing connected vessels are so significant that in July 2020, the United States National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued an alert recommending that immediate actions be taken to reduce exposure across operational technologies and control systems.
With the growing number of cyber threats to maritime vessel networks and industrial control systems in recent months, you have to assume that your organization is susceptible to attack. The dangers facing connected vessels are so significant that in July 2020, the United States National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued an alert recommending that immediate actions be taken to reduce exposure across operational technologies and control systems.
Learn about current threats to maritime security, maritime security challenges, and protective security measures in our Comprehensive Guide to Maritime Cybersecurity.
The NSA/CISA alert recommends creating an accurate OT network map to detail “as-operated” assets so that you can understand the cyber risk of those assets and protect your network by removing any unwanted assets and eliminating unnecessary or unauthorized connectivity. The alert also recommends establishing an OT resilience plan, an incident response plan, and implementing a continuous and vigilant system monitoring program.
But before you can even start to work on those recommendations, you need the information on what is in your vessel OT network. Performing a cybersecurity risk assessment will help you gather the information you need to properly evaluate your vessel’s network cybersecurity framework and security controls, and help you develop your overall cybersecurity risk strategy.
Need help getting your maritime cyber risk assessment started?
Mission Secure can provide an onsite cybersecurity assessment and design service, along with remote red teaming / penetration testing, onsite red teaming, and industrial standards benchmarking (IMO 2021) and scoring. Click here to get started.
10 Potential Surprises to Expect from Your Cyber Risk Assessment
Every vessel OT network is different, and the findings from cyber risk assessments will vary. Here are 10 of those potential findings that might pop up:
1. Outdated or Unused Equipment Connected to Your Vessel OT Networks
Any outdated or unused equipment connected to your vessel OT network can be an attractive entry point for hackers, especially if they haven’t been updated with the latest security updates. Hackers who make it into your network through these unnecessary systems can take advantage to target your critical equipment and communication systems.
Validate network equipment to ensure all devices are in use and required for your vessel operations. Any outdated or unused equipment should have any previous configuration information removed, disconnected from the network, and physically removed from the vessel if possible.
2. Poor or Non-Existent IT/OT Network Segmentation
...with proper network segmentation between your IT and OT networks and within your OT network, you can significantly reduce a hacker’s access to the rest of your critical vessel controls should they gain access.
Gone are the days when you could completely air gap your vessel systems. With networks more connected than ever and more digitalized maritime operations, the ability to protect your vessel network can pose some unique challenges. But with proper network segmentation between your IT and OT networks and within your OT network, you can significantly reduce a hacker’s access to the rest of your critical vessel controls should they gain access.
You need to make sure your network is segmented and that your crew’s personal laptops and devices do not have access to your critical network systems. If a device on your vessel is compromised, a segmented network will reduce the chances of any malware or other malicious traffic traveling laterally to other critical systems.
3. Unauthorized Network Access
The issue of unauthorized network access isn’t limited to just users. Systems on your vessel network can attempt to connect to other devices, and if they’re not authorized to do so, they can potentially access malicious servers and systems. The impact of unauthorized access has widespread implications and can lead to data loss and potential compromise of critical communication and navigation systems.
Your network needs to have the appropriate network access controls and protections in place so that only authorized crew members, devices, and third parties have access. You should conduct continuous network monitoring of your vessel systems to determine if unauthorized devices are detected. Any managed switches should be configured with MAC address filtering to keep rogue devices from gaining network access.
4. Insecure Third-Party Connections
Your vessel networks will more than likely have third-party vendors connecting to them to service systems and provide services. The maintenance that your third-party vendors provide can pose issues if you are not able to control their access and track all of the changes and updates being made. Without proper access controls, detailed standards, and control of these connections, you could be subjecting your vessel network to potential compromise.
You need to be able to control access to your vessel network from outside traffic. You can protect your vessel network with a protective layer between your third-party vendor connections using a firewall or whitelisting. Your third-party vendors also need to provide you documentation showing that the systems they provide for you are secure with the latest updates.
5. Vulnerable Peripherals and Wireless Access Points
They seem to be dismissed as unlikely entry points for hackers, but devices such as printers, wireless keyboards, and mice can be easy targets for a moderately sophisticated hacker. Access via peripherals can also be used to penetrate your wireless access points. And if your wireless access points aren’t configured correctly or do not have the right level of encryption, hackers will be able to penetrate your vessel network easily and affect critical systems.
You should confirm that if your printer’s wireless capabilities are needed on board. If wireless is required, you should use strong passwords, and limits should be imposed on the number of concurrent connections and incorrect password attempts before lockout. For any of your other peripherals and access points, make sure they are running the latest software versions and that passwords are being updated regularly.
6. Outdated Operating Systems
High costs and a lack of resources are some of the reasons why organizations drag their feet when it comes to upgrading their operating systems. Failing to update your operating systems can lead to significant problems if malware penetrates your vessel network. Many malware families tend to exploit known vulnerabilities found in outdated operating systems and software (e.g., NotPetya leveraged EternalBlue, which uses a vulnerability in a Windows protocol). Vessel systems using older versions of operating systems (e.g., Microsoft Windows 7) that are no longer supported are more susceptible to compromise.
Your operating systems should be updated to supported versions and make sure that you establish a patch management process to stay on top of any potential vulnerabilities. If these systems cannot be upgraded promptly, you should apply any emergency patches that might be available from the vendor and segment the systems from the vessel OT network as a compensating control to isolate potential vulnerabilities.
7. Unpatched Systems and/or Programs
You may have supported versions of operating systems and applications, but if you do not apply any patches on a regular basis, your vessel network will be susceptible to attack. Continuous vulnerability management is one of the Center for Internet Security (CIS) Controls that outlines the need to continuously acquire, assess, and take action on new information to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. Maritime organizations need an effective patch management strategy and process to protect all of their systems and programs against known vulnerabilities.
Your patch management strategy and process should include all system hardware and applications so that you do not have to be burdened with ad hoc quick fixes. You will need to consider the schedule of your maintenance cycles and address any potential impact on vessel operations. If you are unable to deploy critical patches, you will need to explore alternative compensating controls that will let you implement a “virtual patch” to protect and segment the vulnerable systems and applications until you can patch appropriately.
8. Lack of Encryption and Two-Factor Authentication
As the number of wireless access points on your vessel grows, it’s easy to lose track of how they are connected and what is connecting to them. There are times when they are set up incorrectly, potentially transmitting network and email traffic unencrypted and leaving them vulnerable to interception and unauthorized monitoring.
Access to your wireless access points should be limited to authorized devices and secured with strong encryption. If possible, switch to certificate-based authentication and isolate your guest or crew networks from critical vessel networks. Enable two-factor authentication for critical applications (e.g., Microsoft Remote Desktop), protect your data with disk encryption, and make sure encryption is enabled across your communication systems.
9. Poor Password Practices
Organizations, just like individuals, struggle with a high number of passwords and keeping them straight. According to a February 2020 Ponemon Institute research report, 54% of individuals reuse passwords across their personal accounts and 51% share passwords with colleagues to access business accounts. The lack of password management in the maritime industry is exasperated by the fact that many vessel systems are utilized by multiple crew members who share passwords.
You can alleviate your password issues by deploying a password management system for your critical computers and devices on your OT network. You can require changing default passwords to strong ones, limit the number of incorrect password attempts before lockout, add multi-factor authentication, where possible, and change passwords (including any that are shared) on a regular basis.
10. Lack of Content Filtering
The Internet is inherently not a safe place. Without a solution that filters malware-infected web sites or blocks malicious traffic, your vessel network might be vulnerable to malware and phishing scams that can lead to network compromise and loss of critical data, as well as injury or loss of life, asset damage, or environmental impact.
A content filtering solution can help keep your crew from accessing sites that host inappropriate content and help prevent them from accessing insecure web sites that may contain malware and those that hinder productivity (e.g., Facebook, etc.) and consume considerable network bandwidth. You can blacklist banned web sites and malicious Internet traffic or whitelist allowed traffic and block everything else by default.
Avoid Surprises from Your Cyber Risk Assessment
Mission Secure can help you navigate your vessel OT network with a comprehensive cyber risk assessment. We can use your live OT network traffic to detect and analyze issues and threat vectors, evaluate your “as-is” architecture to identify security gaps, develop a unified IT/OT network drawing for your vessels and provide a cyber risk scorecard for each asset. Every cyber risk assessment will be unique, but once you know what cybersecurity issues you need to address on your vessel network, you’ll be better prepared to mitigate any outstanding items that can lead to a cyberattack.
Originally published September 8, 2020, updated December 14, 2020.