Whilst it can be time consuming to implement, network segmentation brings many benefits.

Users access can be managed on a ‘need to know’ basis: Why would a deckhand need access to a billing system?

Layers of defence are built: an attack breaches one layer, but the remaining layers remain in place.

Incidents are easier to respond to: if someone accidentally opens an email containing malware, VLAN access can quickly be removed, isolating the incident from the rest of the network.

Segmenting your network is one of the first steps towards making it secure

Image from www.logimatic.com

It is an excellent example of how you can achieve a fully integrated vessel, but still segment compartments and look to add additional security for each section.

A team, which may include a combination of onboard and shore-based personnel and/or external experts, should be established to take the appropriate action to restore the IT and/or OT systems so that the ship can resume normal operations. The team should be capable of performing all aspects of the response.

Above Images and Below example from Borwell Secure Software Experts (www.borwell.com)

You or one of your colleagues notice strange emails that suggest passwords have been reset for Google, Ebay, LinkedIn and several other websites including banks too.  You then realise that these are for accounts related to your business.  Talking to colleagues, you eventually work out that these password resets are not from internal staff.  Someone has compromised an email account and has used it to force password changes to online services. Someone now has access to your business services and data.  A cyber attack is taking place.

What if this happened in your business today, or tonight?  If you had an IT security breach, how would you react?  How would you feel as the business owner?  What would you do?

When an incident has been confirmed like the scenario above, is the business able to put into effect a robust set of measures?

1. Initial assessment. To help ensure an appropriate response, the response team should find out:

 how the incident occurred

which IT and/or OT systems were affected and how

the extent to which the commercial and/or operational data is affected

to what extent any threat to IT and OT remains.

2. Recover systems and data. Following an initial assessment of the cyber incident, IT and OT systems and data should be cleaned, recovered and restored, so far as is possible, to an operational condition by removing threats from the system and restoring software.

3. Investigate the incident. To understand the causes and consequences of a cyber incident, an investigation should be undertaken by the company, with support from an external expert, if appropriate. The information from an investigation will play a significant role in preventing a potential recurrence. Investigations into cyber incidents are covered in section 7.3.

4. Prevent a re-occurrence. Considering the outcome of the investigation mentioned above, actions to address any inadequacies in technical and/or procedural protection measures should be considered, in accordance with the company procedures for implementation of corrective action.

When a cyber incident is complex, for example if IT and/or OT systems cannot be returned to normal operation, it may be necessary to initiate the recovery plan alongside onboard contingency plans.

When this is the case, the response team should be able to provide advice to the ship on:

whether IT or OT systems should be shut down or kept running to protect data

whether certain ship communication links with the shore should be shut down

the appropriate use of any advanced tools provided in pre-installed security software

the extent to which the incident has compromised IT or OT systems beyond the capabilities of existing recovery plans.

It is important for relevant personnel to execute regular cyber security exercises in order to help keep the response capability effective. Cyber security exercises could, where appropriate, be inspired by real-life events and can be simulations of large-scale incidents that escalate to become cyber crises. This offers an opportunity to analyse advanced technical cyber security incidents, but also to help address business continuity and crisis management.