OT security is intrinsically constrained by complexity. This keeps the work interesting. Every customer environment we see is unique, and each engagement is a chance to learn more about how we can help organizations create a single, actionable source of OT truth.
The details are where it gets interesting—and a recent maritime use case illustrates this to an Nth degree.
The client manages a fleet of support vessels working routes across large parts of the Pacific. After long periods at sea, the ships return to port for maintenance and resupply. It’s standard stuff for civilian and military maritime organizations. But for OT professionals, it’s a special set of challenges and intricacies—which is why the use case was so compelling.
The intricate, interconnected nature of ship operations means a wide range of vendors and models across all systems. Add to that a nearly infinite number of versions of software and firmware across devices, RTUs, firewalls, PLCs, and everything else. OT must account for all of this, not only as a baseline, but as systems change over time.
Additionally, ship operators organize systems logically: propulsion, power management, alarm & monitoring, deck machinery, communication, navigation, and environmental. This is a functional, inside-out view of maritime systems that are managed as both parts and a whole. It’s up to OT professionals to find ways to objectively map risk at both levels.
Complexity creates conflict when it comes to owning, operating, and securing systems across the ship. Maritime teams tend to run lean for obvious reasons, requiring ship staff to wear multiple hats and sometimes balance competing priorities. Any responsibility for security, OT or otherwise, is typically spread across existing staff.
And, at the organizational level, trying to modernize OT security brings some of these conflicts into view. Who is responsible for securing systems versus infrastructure? How are decisions about information security made, and how are incidents handled? OT staff must find a way to achieve consistent visibility and control across all boundaries.
Most importantly, we realized that complexity created multiple operating environments that nest. A single complex system like comms operates in its own environment, with its own infrastructure and SLA. These combine to create the environment bound by the ship itself, and it all must be managed by OT professionals.
But even bigger than the ship itself is the operating environment:
Many critical systems go idle while others come online. Connectivity is suddenly much freer and easier thanks to shipside WAN connectivity. As maintenance and support take place, a whole new set of physical and digital ‘users’ must be managed securely, with obvious impact on permissions and other information security basics.
Again, OT security teams must quickly switch to managing the same set of assets, configurations, and connections, but with a completely different risk profile.
Every threat faced by enterprise IT organizations has a special implication for everybody who relies on ship systems to stay safe and on task, and operators are catching up, especially as regulators and insurers get more focused. People are finally admitting what many of us have known for a long time: the risk is real, and time is short. That single source of OT truth is more urgent than ever.
The first step toward a robust OT cybersecurity program is to have a conversation about ownership over the security operations at your vessel(s). With multiple organizations running a vessel, it is hard to pin down who owns security. Accountability for risk management should be at the top of the organization, with the C-suite / Board of Directors / Port Commissioners / Owner / etc., being responsible for program effectiveness across people, processes, and technology. Decide on the leadership model that works best for your organization and decide who are the cybersecurity owners and stakeholders.
Once you have cybersecurity owners and stakeholders set in place, you need to determine your risk. Map out the critical systems that impact operations on your vessel. Knowing where the strengths and weaknesses of these systems exist will enable educated risk management strategies. There are just a few systems to take into consideration for your maritime cyber risk assessment:
Next, it is time to gain visibility into your assets. Make it possible to illuminate the environment from end to end, and at depth, by layering and aggregating data collection methods. While every single method (manual entry, passive network monitoring, configuration analysis, and active discovery) is useful, none is sufficient on its own. But aggregating them inside a single platform gives OT teams the fundamental visibility that makes everything else possible.
Enable organizations to ingest and normalize as much data as necessary to make that illumination possible, aggregating as many layers and links as required to build the context required for decision making. For this client, it meant normalizing physical and digital access records, manually tracked maintenance records that lived on clipboards, and an extensive list of data elements of various shapes and sizes.
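The aggregation step described above, as an added illustration that is not the platform or the client data from the post: observations from the four collection methods are merged into one normalized record per asset, disagreements between sources are kept as flagged conflicts rather than silently overwritten, and the fields no method supplied are reported as remaining blind spots. Asset identifiers, field names and the source-precedence order are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample observations: (source, asset_id, fields). Each method
# sees only part of the picture, e.g. the clipboard knows the functional
# system, passive monitoring knows the network address and peers.
OBSERVATIONS = [
    ("manual_entry", "PLC-PROP-01", {"system": "propulsion", "vendor": "VendorA", "firmware": "2.1"}),
    ("passive_monitoring", "PLC-PROP-01", {"ip": "10.10.1.5", "talks_to": ["HMI-BRIDGE-01"]}),
    ("config_analysis", "PLC-PROP-01", {"firmware": "2.3", "vendor": "VendorA"}),
    ("active_discovery", "RTU-PWR-02", {"ip": "10.10.2.7", "vendor": "VendorB", "firmware": "1.0"}),
    ("passive_monitoring", "HMI-BRIDGE-01", {"ip": "10.10.1.20"}),
]

# Assumed precedence when sources disagree: what the device itself reports
# beats the clipboard entry; the losing value is still kept as a conflict.
PRECEDENCE = ["config_analysis", "active_discovery", "passive_monitoring", "manual_entry"]


def merge_observations(observations):
    """Return {asset_id: record} where each record holds the merged fields,
    the sources that saw the asset, and per-field conflicting values."""
    by_asset = defaultdict(list)
    for source, asset_id, fields in observations:
        by_asset[asset_id].append((source, fields))
    inventory = {}
    for asset_id, seen in by_asset.items():
        seen.sort(key=lambda item: PRECEDENCE.index(item[0]))
        record = {"fields": {}, "sources": [], "conflicts": {}}
        for source, fields in seen:
            record["sources"].append(source)
            for key, value in fields.items():
                if key not in record["fields"]:
                    record["fields"][key] = value          # first (highest-precedence) wins
                elif record["fields"][key] != value:
                    record["conflicts"].setdefault(key, []).append((source, value))
        inventory[asset_id] = record
    return inventory


def coverage_gaps(inventory, required=("system", "vendor", "firmware", "ip")):
    """Assets still missing a required field after aggregation: the blind
    spots that no single collection method closed."""
    return {asset_id: [f for f in required if f not in rec["fields"]]
            for asset_id, rec in inventory.items()
            if any(f not in rec["fields"] for f in required)}


if __name__ == "__main__":
    inv = merge_observations(OBSERVATIONS)
    print(inv["PLC-PROP-01"]["conflicts"], coverage_gaps(inv))
```

The firmware conflict on PLC-PROP-01 is the kind of finding that matters operationally: the clipboard says 2.1, the controller says 2.3, and a change-management record should explain why.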
Deliver a consistent, objective, outside-in view of risk across the ship and all of the operating environments discussed above. Organizations must develop a common language and math for quantifying and communicating risk. Much like asset management, it starts with building a rigorous baseline. That sets up everything else, from change management to proactive vulnerability assessments.
Awareness of the need for OT cybersecurity in maritime has grown significantly, but there is still much left to do. If you are ready to begin implementing meaningful cybersecurity controls within your OT/ICS environment, the whitepaper below dives deeper into operational technology considerations for maritime stakeholders.