Tips for becoming more resistant to hacking
– Everyone should prepare for something to happen. But that doesn’t mean everyone has to invest in the most expensive and best. Many are overwhelmed by all that should have been done. It’s much easier to start with small steps, says Drægni. Here are his tips:
1. Use the right framework
The IMO standard doesn’t set any direct guidelines on the exact framework companies should use, but NIST and ISO are mentioned. They are large and comprehensive frameworks that can quickly come across as unmanageable. Used correctly and adapted to the company, however, they can provide a good basis for managing IT and cyber risks. Other relevant frameworks are BIMCO and IEC 62443. Alternatively, a combination of these can be used to cover both the IT and the OT dimensions.
2. Run a benchmark
A good place to start is to benchmark yourself against one of the frameworks above. Such a benchmark can focus on organizational, human and/or technical factors. A combination is desirable, but again it depends on the company’s size, context, ambitions and available resources. A benchmark is something that can and should be adapted, and it can be repeated over time so that you don’t try to do too much at once.
3. Create a plan of technical measures
Examples are blocking USB ports, better network segmentation, and keeping software updated. Testing how well these measures hold up is itself a preventative measure; the tests should then be carried out in the most realistic way possible.
4. Train all employees!
Train employees and crews and build their awareness. Plan, implement and evaluate various forms of exercises.
5. Make an emergency plan – and put it into practice!
Establish frameworks, roles and responsibilities. Who is responsible for cybersecurity in your company and on your ships? This is particularly important to consider in cases where the vessel and crew are not from the same company, or in other cases where subcontractors are used. Keep emergency plans and role cards up to date. Perform exercises. If it’s been over a year since the last one, now is the time. Practice the specific scenarios you arrived at in the risk assessments. A template for the first incident meeting is also required. This is how you ensure proper preparation in your business.
6. Have control over subcontractors and digital value chains
Many ships are becoming more or less floating digital platforms that depend on multiple system vendors. To what extent do you check that these vendors have the required level of security? More and more security incidents occur when a vendor is compromised, or when third-party systems introduce vulnerabilities over which you have no control if you don’t have good vendor management.
7. Prepare for supervision
Ensure that you can document compliance with the requirements you have defined and that the actions taken are risk-based. It may be a good idea to prepare a document in advance describing what you are doing, why you are doing it and what measures have been implemented. Such documentation is also useful to have at hand in sales processes and customer dialogue. Also have a clearly defined continuous improvement process and perform at least annual internal checks and audits. With well-established processes, it becomes easier to make changes and adapt to new customer and regulatory requirements.