What I’m about to say may be initially perceived as being unhelpful to the maritime industry, probably won’t win me many friends and could possibly alienate some… but it needs to be said anyway, mainly because this line will be taken against you at some point, whether it’s fair or not.
Do we as an industry really have to accept that Operational Technology (OT) providers aren’t technically capable enough to occasionally apply security patches, or to work closely with a next-generation anti-malware vendor to develop a product that adds a layer of security without causing the lights to go out? Do you think that the MOD/DOD would accept the same answer from defence contractors?
Imagine there is a cyber security breach and there is a court case to decide if the vessel was seaworthy, safe and compliant with all regulatory requirements, and the barrister questions the ship’s IT / AV / engineering / management staff.
How do you envisage the conversation going?
Just picture this…
“There are IT systems that are not very important; they are secured really well and are up to date. Then there are OT systems that are absolutely critical and yet they are deliberately never patched or updated, their passwords are never changed and no anti-virus software is used on them, even though it is known that they have serious vulnerabilities.
Third parties are trusted to look after the OT systems with no standards in place, no auditing or security checks of the third party, even though in their contract they have a ‘best efforts’ clause at best and zero liability for actual loss.
The security controls onboard are regularly chosen through familiarity or on the recommendation of an ISP, not by a security expert based on the level of threat protection and risk reduction they provide. The result is that the security controls in place are neither designed for nor capable of protecting against the methods a motivated attacker would use.
I put it to you: the vessel was not operated under appropriate security control, and it is this fact alone that caused the security breach.”
What would you say?
Bearing in mind the following are unlikely to be taken seriously:
- It’s fine, this is how all vessels are run.
- It’s fine, the OT systems are completely segregated (apart from when they are not).
- It’s not our fault, the vendors won’t let us secure anything.
- It’s fine, vessels are only attacked with ransomware.
- The threats are all onboard and we trust everyone and everything that is onboard.
What do you think the response from a court would be? Do you think it would be “oh well, that’s OK then”?
The truth is that it’s not OK to run critical systems with weaker security than you use at home.
Yes, of course, system availability must be preserved at all costs, but if a system is insecure it is easy for an attacker to break it and cause outages. Securing critical systems therefore actually improves stability and reliability.
If a vendor, class society or management contract requires that systems with known vulnerabilities remain in operation, that shouldn’t be treated as a catch-all get-out clause: “we cannot secure it because it’s OT”.
You need to understand what the threat is and then implement additional layers of controls to protect the ‘insecure’ OT systems. If there are valid restrictions on what changes can be made to specific OT devices themselves, there will be other options available to protect the network and access layers to add greater protection.
Often third parties ARE able to certify and support updated versions, but there is a disconnect: the ownership of the change, and the risk justification for making it, are never formalised.
A medium-sized vessel has protection requirements similar to those of a medium-sized business; buying basic security controls suited to home users or small business environments is unlikely to be considered adequate control.
The market is conflicted right now, with most not wanting to upset the status quo and change what has ‘always worked’. Some consultants are pitching the ‘every vessel is going to get hacked and sink’ message and insisting that everything must change, while others go through a tick-box auditing exercise and downplay risks for fear of annoying the OT owners.
You own the risk. There are mature products, services and guidance out there to help you manage the security threats of OT and IT systems, internal resources and external third party providers.
Quantitative risk assessment is key to defining which level of protective controls is worth investing in. Play the ‘what would a court think?’ game: think of a scenario and play out what the perception and liabilities would likely be. That is usually a good starting point.
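The quantitative exercise above can be made concrete with the standard annualised loss expectancy (ALE) model: single loss expectancy = asset value × exposure factor, ALE = SLE × annual rate of occurrence, and a control is judged by how much ALE it removes against what it costs. The script below is an added example and not part of the original post or of Infosec Partners’ own tooling; every scenario, control, cost and reduction figure in it is constructed for illustration, and the assumption that layered controls reduce likelihood independently (residual fraction = product of what each control lets through) is a modelling simplification, not a fact about any real vessel. It goes slightly beyond the text by evaluating combinations of controls and applying a residual-risk tolerance, which is what exposes the page’s point that a cheap home-grade control can look excellent on a return-on-investment ratio while leaving the vessel far outside an acceptable level of residual risk.

```python
"""Quantitative comparison of candidate OT security controls (ALE / ROSI).

All figures are constructed for illustration; they are not measurements.
Model (standard ALE approach):
    SLE  = asset_value * exposure_factor
    ALE  = SLE * ARO
    ROSI = (ALE_before - ALE_after - cost) / cost
Layered controls are assumed (simplification) to act independently, so the
residual ARO fraction is the product of what each control lets through.
"""
from dataclasses import dataclass
from itertools import combinations
from math import prod


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # worst-case loss if the scenario fully materialises (GBP)
    exposure_factor: float  # fraction of asset value lost per occurrence (0..1)
    aro: float              # annual rate of occurrence with today's controls

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: dict  # scenario name -> fraction of ARO removed (0 = none, 1 = eliminated)


# Constructed scenarios for a hypothetical medium-sized vessel.
SCENARIOS = [
    Scenario("ransomware reaches bridge network", 2_000_000, 0.25, 0.20),
    Scenario("unauthorised remote access to engine control", 5_000_000, 0.10, 0.05),
    Scenario("malware via USB on OT workstation", 1_000_000, 0.20, 0.50),
]

# Constructed candidate controls (costs and effects are illustrative only).
CONTROLS = [
    Control("home-grade AV on OT workstations", 2_000,
            {"malware via USB on OT workstation": 0.3}),
    Control("network segmentation + monitored access gateway", 40_000,
            {"ransomware reaches bridge network": 0.7,
             "unauthorised remote access to engine control": 0.8,
             "malware via USB on OT workstation": 0.2}),
    Control("managed detection + patch/allow-listing programme", 60_000,
            {"ransomware reaches bridge network": 0.8,
             "unauthorised remote access to engine control": 0.6,
             "malware via USB on OT workstation": 0.8}),
]


def baseline_ale(scenarios) -> float:
    """Total expected annual loss with no additional controls."""
    return sum(s.ale for s in scenarios)


def combined_reduction(controls, scenario_name: str) -> float:
    """Independent layers: residual likelihood is the product of each layer's pass-through."""
    return 1.0 - prod(1.0 - c.aro_reduction.get(scenario_name, 0.0) for c in controls)


def residual_ale(scenarios, controls) -> float:
    return sum(s.ale * (1.0 - combined_reduction(controls, s.name)) for s in scenarios)


def evaluate(scenarios, controls) -> dict:
    """Cost, residual loss, net annual benefit and ROSI for one set of controls."""
    cost = sum(c.annual_cost for c in controls)
    before, after = baseline_ale(scenarios), residual_ale(scenarios, controls)
    return {
        "controls": tuple(c.name for c in controls),
        "annual_cost": cost,
        "residual_ale": after,
        "net_benefit": before - after - cost,
        "rosi": (before - after - cost) / cost,
    }


def best_option(scenarios, controls, max_residual_ale: float):
    """Among all non-empty control combinations whose residual ALE is within the
    stated risk tolerance, return the one with the highest net annual benefit.
    Returns None when no combination brings residual risk within tolerance."""
    options = [evaluate(scenarios, combo)
               for k in range(1, len(controls) + 1)
               for combo in combinations(controls, k)]
    acceptable = [o for o in options if o["residual_ale"] <= max_residual_ale]
    return max(acceptable, key=lambda o: o["net_benefit"]) if acceptable else None


if __name__ == "__main__":
    print(f"baseline ALE: {baseline_ale(SCENARIOS):,.0f}")
    for c in CONTROLS:  # each control on its own: ROSI flatters the cheap option
        r = evaluate(SCENARIOS, [c])
        print(f"{c.name:55s} residual {r['residual_ale']:>9,.0f}  ROSI {r['rosi']:5.2f}")
    for tolerance in (60_000, 30_000, 10_000):
        print(f"tolerance {tolerance:,}: {best_option(SCENARIOS, CONTROLS, tolerance)}")
```

Run on the constructed figures, the home-grade AV alone shows a ROSI of 14 (it is cheap), yet it leaves residual expected loss at £195k of a £225k baseline; once a tolerance on residual ALE is applied, the selection shifts to the layered programme, and below a tight enough tolerance no affordable combination qualifies at all, which is the conversation with the budget holder that the ‘what would a court think?’ scenario is meant to start.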
As trusted experts in cyber security, Infosec Partners have a proven track record in helping maritime and shipping organisations secure their OT and connected environments. You can read more here about how we provide cyber security consultancy and managed security services.
SPEAK TO US ABOUT SECURING YOUR MARITIME CONNECTED NETWORKS
Or call us to speak with someone immediately: +44 (0)203 892 4812