Business Sectors
Contents
Register to read more articles.
How to harden maritime IT and OT
Staff training, network mapping and simulations are part of a layered approach to cyber security, attendees learned from experts during Riviera Maritime Media’s How to harden maritime IT and OT to withstand cyber attacks webinar
This event, sponsored by Varuna Marine Services, was held 30 March 2022 during Riviera’s Cyber & Vessel Security Webinar Week.
Wärtsilä Voyage head of cyber-security technology Paivi Brunou said ships have a plethora of digital data and information that must be kept secure. With the advent of highly digitalised shipping, remote operations and autonomous navigation, “cyber security is becoming critical to the emerging technological improvements in maritime environments.”
These technological improvements will need resilient systems with high cyber security. But on ships, there are numerous information and operational technologies (IT and OT) supplied from various vendors.
“It can be complex,” Ms Brunou said, as there are a lot of interactions between systems and an ecosystem of third parties supporting them.
All those in the ecosystem need to conduct risk assessments and ensure hardware and systems are secure. Shipowners can “use expertise in their partner network to collaborate” on cyber security.
“We can benefit from collaboration, from benchmarking with partners of what has happened in past, what has worked and what could be done better,” said Ms Brunou. “Vendors have responsibilities” to shipping companies to ensure they are cyber secure.
Stakeholders in the ecosystem can collaborate to improve the cyber resilience of OT and IT. Companies need to implement controls for information security management for corporate infrastructure, systems and networks and “ensure business continuity is the focus point in audits and simulations,” said Ms Brunou.
She said companies should consider risk-management programmes from third parties to address cyber risks in their supply chains and “provide role-based training”.
When IoT, cloud and data-driven business are introduced, companies must push for cyber-security approvals and certifications and continue updating the threat catalogue with technical risk assesments.
“Networks need to be continuously monitored and secured,” said Ms Brunou. “We are in a constant flux. It is important to train crew to recognise when something is wrong.”
Training is part of a layered approach to cyber security. So is “being mentally ready for system updates,” constantly reviewing risks and vulnerabilities, and having fall-backs and redundancy.
Constant system and software updates and patches, dynamic risk assessments and an awareness of changing threats are needed, as are simulations of cyber issues, where those within the ecosystem can practice dealing with and recovering from cyber incidents.
Varuna Marine Services director Sanjeev Wewerinke-Singh advised shipping companies to build network maps to identify vulnerabilities and areas for improving security.
Some of the cyber issues that could affect OT include a “failure of a system due to software crashes or bugs”, inoperability due to a cyber incident and “loss of, or manipulation of, external sensor data that is critical for ship operations,” he explained.
“Crew interaction with phishing attempts could lead to the loss of sensitive data and the introduction of malware to shipboard systems.”
Some of the challenges in implementing cyber security on ships include the use of legacy IT and OT systems that are no longer supported on ships that can be 15-20 years’ old. “These could still rely on obsolete operating systems,” said Mr Wewerinke-Singh, as his team has identified some shipboard OT working on Microsoft Windows 7 operating systems and older.
Another challenge is the multiple stakeholders operating and chartering a ship, “potentially resulting in a lack of accountability for the IT and OT system infrastructure and ships’ network.”
Others are the availability of poorly patched or not updated computer-controlled critical equipment, greater use of automation systems, lack of risk-management culture and increasing integration of OT and IT from multiple vendors on vessels. In addition, ships are becoming more vulnerable to cyber threats as more smart technologies and IoT is used on board.
“This necessitates robust approaches to cyber-risk management,” said Mr Wewerinke-Singh.
He said cyber-risk management will be company and ship specific. “They should be guided by the requirements of relevant national, international and flag-state regulations and guidelines.”
Cyber security also needs to include network mapping to detect vulnerabilities between subsystems and equipment from various vendors, incorporating route analysis of any incident, continuous network scanning and watching for errors and potential threats.
Companies must “know how network end points are protected and get better network visibility” said Mr Wewerinke-Singh. Checking connections and separations and ensuring software is constantly patched or updated is also crucial.
Network maps will “mirror traffic in the environment and tell managers what is going on, if there are violation of policies, and what programs are open.”
This is through a dashboard with live diagrams of the network, alerts, red cards for severe incidents and logs of devices in use.
“It is more important to engage risk than run away,” said Mr Wewerinke-Singh. “We should measure risk and prepare for it, and constantly update this through network mapping.”
Webinar poll results
Many communication service suppliers promote cyber-security solutions – are you comfortable putting your cyber security in the hands of those selling data services?
Yes, we are comfortable with service suppliers promoting cyber-security solutions: 30%
No, we are not taking up cyber-security services with those selling data services: 70%
Do you have a network map for your on board and onshore environments? Does it show all end points and network segregation?
Yes, we have a network map on board and shoreside that shows all end points and network segregation: 37%
We have a network map on board, but not shoreside: 15%
We have a network map shoreside, but not on board: 15%
We don’t have a network map shoreside or on board: 19%
No idea: 14%
Do you think getting a DOC audit done from a classification society is enough of an indicator that your cyber-security posture will work in the face of a real cyber threat against your office and vessel IT/OT infrastructure?
Yes, a DOC audit from a classification society is the assurance we need that we are cyber secure or cyber ready: 7%
A DOC audit from a classification society is an indication, but not a concrete assurance, that we are cyber secure or cyber ready: 56%
We do not see a DOC audit from a classification society as an indication that we are cyber secure or cyber ready: 37%
Do you regularly undertake cyber-security drills/simulation sessions with your key partners and suppliers?
Yes, we regularly practice cyber-security drills/simulation sessions with our key partners and suppliers: 4%
We irregularly practice cyber-security drills/simulation sessions with our key partners and suppliers: 25%
We do not practice cyber-security drills/simulation sessions with our key partners and suppliers: 71%
In your organisation, do you have cyber-security incident response plans?
Yes: 70%
No: 13%
Don’t know: 17%
In your organisation, have you set up dedicated teams to cover both OT and IT cyber security?
Yes: 50%
No: 29%
Not sure: 21%
Source: Riviera Maritime Media
On the panel of Riviera’s How to harden maritime IT and OT to withstand cyber attacks webinar were (left to right): Varuna Marine Services director Sanjeev Wewerinke-Singh and Wärtsilä Voyage head of cyber-security technology Paivi Brunou
Related to this Story
AI, digital twins help design cyber-secure, green SOVs
Events
LNG Shipping & Terminals Conference 2025
21 Oct 2025
LONDON
Vessel Optimisation Webinar Week
23 Oct 2025BST - ONLINE
Marine Coatings Webinar Week
27 Oct 2025GMT - ONLINE
© 2024 Riviera Maritime Media Ltd.
