Editor’s note: October is nationally recognized as National Cybersecurity Awareness Month. Throughout the month, Maritime Commons will feature a series of posts detailing cyber risk management in the maritime domain, focusing on governance, resiliency and defending critical infrastructure.

Last week’s blog continued the dialogue on cyber security awareness with a focused discussion on cyber security resiliency. This week, the focus is on methods to defend your infrastructure.

Cyber attacks on critical infrastructure are a growing concern for many organizations across the globe.  The Marine Transportation System is no different and has been a target of attacks, with recent network breaches, data thefts, and denial-of-service attacks. Exploited vulnerabilities can vary from the basic, such as the lack of passwords or use of default-only passwords, to configuration issues and software flaws.

From a physical security standpoint, vulnerabilities in Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks, which control industrial processes, are especially concerning. These ICS and SCADA systems or control systems usually have some level of defense, but attackers are always looking for ways to get inside, such as through an entry gate that is left open, unsecure wireless technologies, or a vulnerable communications channel. While control system networks are often physically separated from other corporate IT networks, this is not always the case. Although some companies operate their control and corporate networks on different internal Local Area Network (LANs) or “airgap” their control and corporate networks from one another, sometimes control and corporate networks share the same LANs or encrypt their control system traffic across a shared infrastructure. Usually, control and corporate system networks require some level of interconnectivity in order to obtain operational input from and/or export data.

To achieve the level of protection and resilience needed for critical control system networks, security needs to mature from a piecemeal collection of technologies to effective cyber security governance. This includes the ability to detect abnormal behavior and prevent attacks while providing the organization with meaningful forensics to investigate breaches when they occur. Examples of mitigation strategies are as follows:

• Prevent unauthorized entry to remote access ports used by vendors for maintenance, unless being actively used.
• Ensure system users do not click on unknown or suspicious URL links in an email.
• Minimize the use of unsecure laptops or removable media while inside ICS and SCADA networks unless fully tested and approved by technical staff.
• Document, verify, and test configuration changes, ensuring there are no mistakes with the security configuration of connected devices.
• Use application control with “Whitelisting” techniques and strategies.
• Use firewall, intrusion prevention, and anti-virus technologies to protect all critical systems.

Cyber threats focusing on ICS and SCADA systems have increased in recent years and this is a trend that is unlikely to change in the near future. Malicious actors are getting smarter and becoming more capable and willing to exploit the known vulnerabilities of critical infrastructure.  It is essential that strategies and systems are implemented to defend the network and the services they control. These efforts will not only protect the organization that rely on them but also protect the entire Marine Transportation System at large. Please visit the DHS Office of Cyber Security and Communications for helpful Cyber Awareness Month resources for critical infrastructure stakeholders.

Specifically:

• The Department of Homeland Security’s (DHS) free Automated Indicator Sharing (AIS); Fact Sheet and FAQ
• DHS Cyber Incident Reporting; A unified message for reporting to the federal government.
• DHS Role in Cyber Incident Reporting

Next week, we will discuss the shipboard application of the topics covered during previous Cyber Security Awareness Month blogs. Drawing additional guidance from the International Maritime Organization’s MSC.1/Circ.1526 Interim Guidelines On Maritime Cyber Risk Management, the discussion will focus on how to implement basic cyber risk management practices onboard ships.

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.