
CHAPTER 6 DEVELOP PROTECTION AND DETECTION MEASURES

6.5 Procedural Protection Measures

Procedural controls are focused on how personnel use the onboard systems. Plans and procedures that contain sensitive information should be kept confidential and handled according to company policies. Examples of procedural actions include:

6.5.1 Training and awareness

Training and awareness is the key supporting element to an effective approach to cyber safety and security as described in these guidelines and summarised in 2.3.

The internal cyber threat is considerable and should not be underestimated. Personnel have a key role in protecting IT and OT systems but can also be careless, for example by using removable media to transfer data between systems without taking precautions against the transfer of malware. Training and awareness should be tailored to the appropriate levels for:

• onboard personnel, including the master, officers and crew;

• shoreside personnel, who support the management and operation of the ship.

The guidelines assume that other major stakeholders in the supply chain, such as charterers, classification societies and service providers, will carry out their own best-practice cyber security protection and training. It is advised that owners and operators ascertain the status of cyber security preparedness of their third-party providers as part of their sourcing procedures for such services.

An awareness programme should be in place for all onboard personnel, covering at least the following:

• risks related to emails and how to behave in a safe manner (examples are phishing attacks where the user clicks on a link to a malicious site);

• risks related to internet usage, including social media, chat forums and cloud-based file storage, where data movement is less controlled and monitored;

• risks related to the use of own devices (these devices may be missing security patches and controls, such as anti-virus, and may transfer the risk to the environment to which they are connected);

• risks related to installing and maintaining software on company hardware using infected hardware (removable media) or software (infected package);

• risks related to poor software and data security practices where no anti-virus checks or authenticity verifications are performed;

• safeguarding user information, passwords and digital certificates;

• cyber risks in relation to the physical presence of non-company personnel, eg, where third-party technicians are left to work on equipment without supervision;

• detecting suspicious activity or devices and how to report if a possible cyber incident is in progress (examples of this are strange connections that are not normally seen or someone plugging in an unknown device on the ship network);

• awareness of the consequences or impact of cyber incidents on the safety and operations of the ship;

• understanding how to implement preventative maintenance routines such as anti-virus and anti-malware, patching, backups, and incident-response planning and testing;

• procedures for protection against risks from service providers' removable media before connecting to the ship's systems.

In addition, personnel need to be made aware that the presence of anti-malware software does not remove the requirement for robust security procedures, for example controlling the use of all removable media.

Further, applicable personnel should know the signs when a computer has been compromised. This may include the following:

• an unresponsive or slow-to-respond system;

• unexpected password changes or authorised users being locked out of a system;

• unexpected errors in programs, including failure to run correctly or programs running unexpectedly;

• unexpected or sudden changes in available disk space or memory;

• emails being returned unexpectedly;

• unexpected network connectivity difficulties;

• frequent system crashes;

• abnormal hard drive or processor activity;

• unexpected changes to browser, software or user settings, including permissions.

In addition, nominated personnel should be able to understand reports from intrusion detection systems (IDS), if used. This list is not comprehensive and is intended to raise awareness of potential signs, which should be treated as possible cyber incidents.

6.5.2 Access for visitors

Visitors such as authorities, technicians, agents, port officials, and owner representatives should be restricted with regard to computer access whilst on board. Unauthorised access to sensitive OT network computers should be prohibited through clearly marked physical barriers. If access to a network by a visitor is required and allowed, then it should be restricted in terms of user privileges. Access to certain networks for maintenance reasons should be approved and co-ordinated following appropriate procedures as outlined by the company/ship operator.

If a visitor requires computer and printer access, an independent computer, which is air-gapped from all controlled networks, should be used. To avoid unauthorised access, removable media blockers should be used on all other physically accessible computers and network ports.

6.5.3 Upgrades and software maintenance

Hardware or software that is no longer supported by its producer or software developer will not receive updates to address potential vulnerabilities. For this reason, the use of hardware and software that is no longer supported should be carefully evaluated by the company as part of the cyber risk assessment.

Relevant hardware and software installations on board should be updated to maintain a sufficient security level.

Procedures for timely updating of software may need to be put in place taking into account the ship type, speed of internet connectivity, sea time, etc. Software includes computer operating systems, which should also be kept up to date.

Additionally, a number of routers, switches and firewalls, and various OT devices will be running their own firmware, which may require regular updates and so should be addressed in the procedural requirements.

Effective maintenance of software depends on the identification, planning and execution of measures necessary to support maintenance activities throughout the full software lifecycle. An industry standard¹⁵ to ensure safe and secure software maintenance has been developed. It specifies requirements for all stakeholders involved in software maintenance of shipboard equipment and associated integrated systems. The standard covers on board, on shore and remote software maintenance.

6.5.4 Anti-virus and anti-malware tool updates

In order for scanning software tools to detect and deal with malware, they need to be updated. Procedural requirements should be established to ensure updates are distributed to ships on a timely basis and that all relevant computers on board are updated.

All remote access occurrences should be recorded for review in case of a disruption to an IT or OT system. Systems that require remote access should be clearly defined, monitored and reviewed periodically.

6.5.6 Use of administrator privileges

Access to information should only be allowed to relevant authorised personnel.

Administrator privileges allow full access to system configuration settings and all data. Users logging into systems with administrator privileges may enable existing vulnerabilities to be more easily exploited. Administrator privileges should only be given to appropriately trained personnel who have a need, as part of their role in the company or on board, to log into systems using these privileges. In any case, use of administrator privileges should always be limited to functions requiring such access.

15 See: Industry standard on software maintenance of shipboard equipment by BIMCO and CIRM (Comité International Radio-Maritime).

User privileges should be removed when the people concerned are no longer on board. User accounts should not be passed on from one user to the next using generic usernames. Similar rules should be applied to any onshore personnel with remote access to systems on ships when they change role and no longer need access.

In a business environment such as shipping, access to onboard systems is granted to various stakeholders. Suppliers and contractors are a risk because they often have both intimate knowledge of a ship's operations and full access to its systems.

To protect access to confidential data and safety critical systems, a robust password policy should be developed¹⁶. Passwords should be strong and changed periodically. The company policy should address the fact that over-complicated passwords, which must be changed too frequently, are at risk of being written on a piece of paper and kept near the computer.

6.5.7 Physical and removable media controls

Transferring data from uncontrolled systems to controlled systems represents a major risk of introducing malware.

Removable media can be used to bypass layers of defences and can be used to attack systems that are otherwise not connected to the internet. A clear policy for the use of such media devices is essential; it must ensure that media devices are not normally used to transfer information between uncontrolled and controlled systems.

There are, however, situations where it is unavoidable to use these media devices, for example during software maintenance. In such cases, there should be a procedure in place to require checking of removable media for malware and/or validating legitimate software by digital signatures and watermarks.

Policies and procedures relating to the use of removable media should include a requirement to scan any removable media device in a computer that is not connected to the ship's controlled networks. If it is not possible to scan the removable media on board, eg the laptop of a maintenance technician, then the scan could be done prior to boarding with the result and timing duly documented. Companies should consider notifying ports and terminals about the requirement to scan removable media prior to permitting the uploading of files onto a ship's system. This scanning should be carried out when transferring the following file types:

(a) cargo files and loading plans eg container ship BAPLIE files;

(b) national, customs, and port authority forms;

(c) bunkering and lubrication oil forms;

(d) ship's stores and provisions lists;

(e) engineering maintenance files.

This list represents examples and should not be seen as exhaustive.

6.5.8 Equipment disposal, including data destruction

Obsolete equipment can contain data which is commercially sensitive or confidential. The company should have a procedure in place to ensure that the data held in obsolete equipment is properly destroyed prior to disposing of the equipment, ensuring that vital information cannot be retrieved.

6.5.9 Obtaining support from ashore and contingency plans

Ships should have access to technical support in the event of a cyber attack. Details of this support and associated procedures should be available on board. Please refer to Chapter 6 of these guidelines for more information about contingency planning.

16 More information can be found in NIST publication SP 800-63-3 Digital Identity Guidelines.

CHAPTER 7 ESTABLISH CONTINGENCY PLANS