Secure@Sea: by Corey D. Ranslem
Cyber security issues are a dominant part of world headlines on an hourly basis. Attacks continue in almost every industry and location of the world with an internet connection. Initially, I was surprised by the lack of network infrastructure security I saw, but I am no longer surprised – I expect it whenever we look at a vessel or facility’s network.
Throughout the past year in this column we’ve discussed various aspects of cyber security, threats and vulnerabilities. Nearly everyone in the large-yacht industry knows of someone who has been the victim of a breach, attack, incident or issue.
Through my company’s operations, we are involved in some aspect of cyber security daily. We are constantly assessing different types of threats, attack vectors and protection mechanisms, along with the design of networks and their security components. The demands on networks continue to grow as more IoT (Internet of Things) and OoT (Ocean of Things) devices become connected. The technological demands and rapid growth of these devices amplify the risks to networks.
There is a clear obligation on the part of the network owner/provider, whether shipboard or shoreside, to provide basic network security for their users. However, it is disturbing to see the lack of security on supposedly secure networks.
We’ve had the opportunity to interact with several networks, both on board ships and at various shoreside maritime facilities. Throughout our work on various networks, we’ve been a part of vulnerability and penetration testing. When it comes to security, most networks are significantly lacking, and many don’t provide the basic security protections for the end user.
For example, there was a network we were on at a facility while we were working on a problem for a yacht client. Through this marina’s network, we were able to see almost all the other vessels that were using that network, which opens those vessels up to a direct attack.
This type of vulnerability, along with network security failures, is unfortunately common – whether it is a public network, marina network or even the network on board a vessel. There are hundreds of large yachts whose critical information, like their global IP addresses and onboard systems, is compromised and out on the open internet. This information can be used to penetrate a vessel’s network, launch an attack and cause major issues.
There are potential legal liabilities for the owners and operators of networks if basic security protections are not undertaken. Existing legislation, in some form or another, addresses a data breach and who is held responsible for that data breach. This legal liability can include the owners and operators of the network infrastructure if that is identified as the point of failure.
Businesses that own and operate networks for client use need to make sure they have network security designed into that network. If I own a restaurant that serves bad food and people get sick, I am responsible. Similarly, if I provide a service to a client and the failure of that service causes harm to that client, I am liable for that failure – especially if I don’t follow standard industry best practices to try to prevent that failure. That does include the basic network infrastructure security.
So how do you protect your network with some of the basic security best practices? First, make sure your network is designed with security as part of the network infrastructure. It does make it more difficult to complete some tasks, but in the end, it will save you time and money.
You have enough to worry about as a captain or crew member, so find a trusted outside partner who can work with you on designing your network(s) with security in mind.
That partner should also be able to monitor your network to look for vulnerabilities and issues in real time. Network design is Step 1, monitoring the network for threats and vulnerabilities is Step 2, and mitigation is Step 3.
In summary, a yacht, marina or yard is not exempt from liability. You must do everything in your power to provide a secure environment to your users (including guests, crew and employees).
Corey Ranslem, CEO at International Maritime Security Associates (www.imsa.global), has more than 24 years of combined Coast Guard and maritime industry experience.