Modern maritime companies have access to more data than ever, coming from multiple sources and existing in a variety of formats. All this data needs to be safeguarded.
Written by Walter Hannemann, Product Manager
In today’s maritime industry, data is an asset. Breakthroughs within sensors and IoT systems, as well as the increase in available bandwidth, are enabling the real-time transfer of vast amounts of data from ship to shore, and vice versa.
Along with the “Big Data” phenomenon, challenges have emerged. Historically, shipowners’ and operators’ major concerns were safety, asset integrity, and environmental protection. Nowadays, data is both a value driver and another area for concern.
In this three-part blog article, we’ll discuss the importance of securing confidentiality, integrity and availability of your vessel data. What do you need to do to ensure it remains unchanged, protected and trustworthy in transit from ship to shore?
On that point, let’s start by looking at what the CIA triad is, and why your vessel data security management must adequately address it to be considered comprehensive and complete.
The CIA triad, easily explained
The CIA triad of confidentiality, integrity and availability is a security model designed to assess organisations for cyber risk and to guide policies and procedures for data security within them.
Confidentiality means that data, objects and resources are protected from unauthorised viewing and other access. Only those who need access to information, or those that the information is intended for, should have access.
Protecting confidentiality alone does not constitute data security; you need to make sure that all three components of the CIA triad are addressed.
Integrity is the assurance that the data is accurate, consistent and trustworthy over its lifecycle. and that it hasn’t been tampered with in any way. Maintaining data integrity helps improve recoverability and searchability, traceability (to origin), and connectivity. In addition, there should be a means of testing the integrity of the data.
For shipping, data integrity plays an essential role in the accuracy and efficiency of a vessel’s normal operation as well as business processes.
Systems, applications, and data are of little value to your organisation and your customers if they are not accessible when authorised users need them.
Availability means that networks, systems, and applications are up and running. It ensures that authorised users have timely, reliable access to the systems and the resources they need when they need them.
Compromised data is useless
For data to support analytics-driven business decisions and deliver operational value across the logistics chain, you need to be able to rely on its availability and believe in its accuracy.
Compromised data and sensors – due to breaches and other security incidents – cannot be trusted, and could cause dangerous situations for human safety and safety of the vessel, and/or an environmental threat. For this reason, maintaining data confidentiality, integrity and availability is a core focus of maritime cybersecurity.
Here’s how to ensure confidentiality of your vessel data
Confidentiality refers to the measures you must take to guarantee that the data – particularly sensitive data – is not being exposed to the wrong people, i.e. personnel who are not authorised to have access to the data.
Let’s look at some tried-and-true practices for maintaining data confidentiality across your fleet.
Control the use of administrator privileges
- Give administrator privileges only to appropriately trained personnel, who as part of their role in the company or on board, need to log onto systems using these privileges.
- Remove user privileges when the people concerned are no longer on board.
- Do not pass on user accounts from one user to the next using generic usernames.
- Apply similar rules to any onshore personnel, who have remote access to systems on ships, when they change role and no longer need access.
Use passphrases instead of passwords
In a business environment such as shipping, access to onboard systems is granted to various stakeholders. Suppliers and contractors pose a risk, as they often have both intimate knowledge of your ships’ operations and full access to systems.
To protect access to confidential data and systems, you need a robust passphrase policy. Yes, passphrase. Modern best practices have departed from old beliefs like forcing password changes and random complexity. Passwords should be replaced by passphrases, because:
- Length is better than complexity.
- Passphrases are easy to remember (and don’t need to be written on a piece of paper).
- Passwords are easy for hackers and algorithms to crack.
- Long passphrases are virtually unbreakable by brute force attacks.
- Passphrases are flexible and can be created/adapted to different applications.
- Example: ‘the brown fox logs on to system X’ and ‘the brown fox log on to app Y’, and so on.
Control physical and removable media
When you transfer data from uncontrolled systems to controlled systems, malware may be introduced. Removable media can be used to bypass layers of defences and attack systems that are otherwise not connected to the internet.
- Establish a clear policy for the use of removable media devices.
- Avoid using such media devices to transfer information between uncontrolled and controlled systems.
- When using removable media devices is unavoidable, have a procedure in place to check these media for malware and/or validate legitimate software by digital signatures and watermarks.
- Scan any removable media device in a computer that is not connected to the ship’s controlled networks.
Destroy data held in discarded equipment
Obsolete equipment can contain data that is commercially sensitive or confidential.
When you dispose of such equipment, make sure you properly destroy the data held in them, so that it cannot be retrieved.
This is also valid when a ship is sold or transferred to another owner or manager. Some data must be handed over; some data should not. Make sure all data is identified and categorised beforehand to make the transfer easier.