You have just hired a managed security service provider (MSSP), perhaps for a managed endpoint detection and response (EDR) service. Or you’re building your own security operations centre (SOC). The main scope is the enterprise and office systems.
You’re wondering whether you can just extend it to cover the fleet and vessel systems.
Seems like a sensible thought. After all, how different can enterprise and fleet environments be?
Let’s explore the differences…
“You can’t protect what you don’t know”
A common mantra that implies you can’t protect cyber assets without an accurate and detailed asset inventory. Dale Peterson wrote a blog about this.
Here’s a more useful twist:
“It’s hard to protect what you don’t understand”
Fleet infrastructure doesn’t only look different. It sounds different. It runs differently. It is designed to overcome technical and operational challenges not observed in enterprise systems.
Crew behaviour can seem unusual. Life onboard a vessel fluctuates from being extremely busy to days of mind-numbing boredom. The crew prioritise getting a job done, by whatever means necessary. Then they get bored and seek sources of entertainment. They are generally not familiar with operating and managing anything other than fleet infrastructure.
This makes recognising malicious activity tricky, and it is not necessarily obvious. Remote connections, scanning activity, privileged access, non-standard software and unknown assets are all indicators seen in a cyber attack. They are also activities we regularly see crew performing, often legitimately (at least in their view).
These nuances of vessel operations give rise to the need for:
- a different type of data collection
- a different type of analysis
- specialist technical knowledge of marine environments
- understanding of the operational environment and constraints onboard
Effective security operations need a common language between the crew and the SOC
Over 75% of incidents require response actions that involve the crew.
These findings were covered in a report we developed with HFW and Thetius – “Shifting tides, rising ransoms and critical decisions”.
This means SOC analysts need to communicate and work effectively with the crew: using language the crew understand, and providing the right level of detail to help them understand why something is a risk, what could happen and how they can help remediate it.
Side by side, here are 5 key areas of difference between enterprise and fleet SOCs.
| Areas of difference | Enterprise SOC | Fleet SOC |
|---|---|---|
| Objectives | Generally prioritises confidentiality, integrity and authentication. The focus tends to be on: | Prioritises availability. Everything else tends to be secondary. Failover and redundant systems are difficult to implement and expensive to manage. The SOC’s priority is to minimise voyage and port turnaround delays and ensure crew safety. |
| Underlying systems monitored | More standardisation and control over the infrastructure: | Legacy and bespoke systems are pervasive: |
| Operational context | Easier to implement tight controls without constraining operations. Black- and white-listing approaches are workable. Anomalous deviations from those lists are valid suspicious behaviour worth investigating. | Flexibility is key to ensure crew and vessel visitors can get their jobs done within the turnaround window. Vessel operations are 24x7x365. Visitors getting access to the network is common. This changes the way anomaly detection needs to work. |
| Security log sources | Useful logs are plentiful and easy to collect | Meaningful logs are rare |
| Investigation and response options | Centralised SIEM approach works | Decentralised approach unavoidable |
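The “Operational context” row (allow/deny lists that work ashore versus anomaly detection that has to account for port calls and visitors) and the overlapping indicators described earlier, as an added example. This is not code from the original post or from CyberOwl: it triages the same constructed events under an enterprise-style list rule and under a fleet rule that takes voyage phase and pre-registered visitors into account. The event kinds, host names, asset inventory and port-call schedule are assumptions, and the fleet messages are written for the crew rather than for an analyst.

```python
"""Context-aware triage of shipboard network events: enterprise vs fleet logic.

Added example, not code from the original post or from CyberOwl. The events,
asset inventory and port-call schedule below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "new_asset" | "remote_connection" | "scan" | "priv_access"
    src: str       # hypothetical host identifier
    detail: str


@dataclass
class VesselContext:
    known_assets: frozenset        # asset inventory for the vessel LAN
    in_port: bool                  # alongside, with visitors/contractors expected
    expected_visitors: frozenset   # hosts the crew pre-registered for this port call


def enterprise_triage(ev: Event, ctx: VesselContext) -> tuple:
    """Allow/deny-list logic that works onshore: any deviation is suspicious."""
    if ev.kind == "new_asset" and ev.src not in ctx.known_assets:
        return "high", "Unknown device on the network: isolate and investigate."
    if ev.kind in ("scan", "remote_connection", "priv_access"):
        return "high", f"{ev.kind} from {ev.src}: investigate."
    return "low", "Expected activity."


def fleet_triage(ev: Event, ctx: VesselContext) -> tuple:
    """Same indicators, scored against voyage phase and who is expected on board.
    The returned message is phrased for the crew, not for a SIEM analyst."""
    known = ev.src in ctx.known_assets
    if ev.kind == "new_asset":
        if not ctx.in_port:
            return "high", "A device joined the network at sea. Nobody should be plugging in new kit: please check the bridge and engine room switches."
        if ev.src in ctx.expected_visitors:
            return "low", "A pre-registered contractor device connected. No action unless the job is finished."
        return "medium", "A device we don't recognise connected in port. Is a visitor or contractor working on board right now?"
    if ev.kind == "remote_connection":
        if ctx.in_port and ev.src in ctx.expected_visitors:
            return "medium", "Contractor remote session started. Confirm it matches the work order and ends when the job does."
        return "high", "Remote session from an unexpected source. Do not disconnect it yourself; call the SOC."
    if ev.kind == "scan":
        if known and ctx.in_port:
            return "medium", "A known shipboard machine is scanning the network. Is someone troubleshooting? Tell us who."
        return "high", "Network scanning from an unknown or at-sea source. Call the SOC."
    if ev.kind == "priv_access":
        if known:
            return "medium", "Admin login on a known machine. Was this you or the chief engineer? Reply yes/no."
        return "high", "Admin login from a device not in the inventory. Call the SOC."
    return "low", "Expected activity."


def compare(events, ctx: VesselContext) -> list:
    """[(kind, src, enterprise severity, fleet severity)] for side-by-side review."""
    return [(e.kind, e.src, enterprise_triage(e, ctx)[0], fleet_triage(e, ctx)[0]) for e in events]


# Constructed sample: one vessel inventory, seen both alongside (with one
# pre-registered contractor laptop) and at sea.
INVENTORY = frozenset({"ecdis-1", "ecr-hmi", "crew-wifi-ap", "master-pc"})
IN_PORT = VesselContext(INVENTORY, in_port=True, expected_visitors=frozenset({"contractor-lt-07"}))
AT_SEA = VesselContext(INVENTORY, in_port=False, expected_visitors=frozenset())

SAMPLE_EVENTS = [
    Event(datetime(2024, 1, 8, 9, 5), "new_asset", "contractor-lt-07", "DHCP lease on OT VLAN"),
    Event(datetime(2024, 1, 8, 9, 12), "new_asset", "unknown-mac-3f", "DHCP lease on crew VLAN"),
    Event(datetime(2024, 1, 8, 10, 0), "scan", "master-pc", "TCP connects to 120 hosts in 60 s"),
    Event(datetime(2024, 1, 8, 11, 30), "priv_access", "ecr-hmi", "local administrator logon"),
]

if __name__ == "__main__":
    for row in compare(SAMPLE_EVENTS, IN_PORT):
        print("in port:", row)
    for row in compare(SAMPLE_EVENTS, AT_SEA):
        print("at sea :", row)
```

Run as a script, the enterprise rule rates every sample event “high” regardless of where the vessel is, while the fleet rule downgrades the pre-registered contractor laptop and the in-port troubleshooting scan but keeps a device joining at sea at “high”. The point is not that the fleet rule is more lenient; it is that the same indicator carries different meaning depending on voyage phase and who the crew have told the SOC to expect.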
Given the differences, a dedicated fleet SOC works best.
Failing this, is there a way to extend the enterprise SOC to effectively cover fleet systems and operations?
Tweaking the enterprise SOC to better cover the fleet
- Where possible, dedicate specific individuals to specialise on fleet systems and operations within the SOC.
- SOC analysts should familiarise themselves with vessel systems and applications, what they are used for and how they are designed to behave.
- SOC analysts should understand the different policies and procedures used within fleet operations, why they are different and why they cannot be harmonised with policies for enterprise.
- Define a different set of risk and criticality matrices based on fleet operations. Remember that what is risky for onshore systems may not be risky for the fleet, and vice versa.
- Redefine incident workflows to include the crew.
- Develop a training programme that ensures crew readiness to remediate cyber risks and respond to incidents.
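The fourth and fifth points above (separate risk and criticality matrices for the fleet, and incident workflows that include the crew), as an added example. This is not code from the original post or from CyberOwl: it scores the same four constructed findings under an enterprise matrix that follows the usual CIA ordering and under a fleet matrix that weights availability and crew safety first, then produces a first response step whose owner is the crew when the affected system is on board. The weights, system classes, score bands and findings are all assumptions chosen for illustration.

```python
"""Separate risk/criticality matrices for enterprise and fleet, plus a crew-aware
first response step.

Added example, not code from the original post or from CyberOwl. The weights,
system classes, thresholds and sample findings are constructed assumptions.
"""
from dataclasses import dataclass

# Impact-dimension weights. The enterprise matrix follows the usual CIA ordering;
# the fleet matrix puts availability and crew safety first (assumed values).
ENTERPRISE_WEIGHTS = {"confidentiality": 0.40, "integrity": 0.35, "availability": 0.25, "safety": 0.00}
FLEET_WEIGHTS = {"confidentiality": 0.10, "integrity": 0.20, "availability": 0.40, "safety": 0.30}

# System criticality 1..5. The same class of system is rated differently ashore and afloat.
ENTERPRISE_CRITICALITY = {"file_server": 4, "navigation_pc": 1, "engine_monitoring": 1, "crew_wifi": 1}
FLEET_CRITICALITY = {"file_server": 2, "navigation_pc": 5, "engine_monitoring": 5, "crew_wifi": 2}

# Score bands on the 0..25 scale produced by score(): lower bound -> label.
BANDS = [(0.0, "low"), (4.0, "medium"), (10.0, "high"), (16.0, "critical")]


@dataclass(frozen=True)
class Finding:
    name: str
    system_class: str
    impact: dict        # dimension -> 0.0..1.0, how badly the finding could hurt it
    onboard: bool       # True when the affected system is on the vessel


def score(f: Finding, weights: dict, criticality: dict) -> float:
    """Weighted impact (0..1) times criticality (1..5), scaled to 0..25."""
    impact = sum(weights[d] * f.impact.get(d, 0.0) for d in weights)
    return round(impact * criticality[f.system_class] * 5, 2)


def band(s: float) -> str:
    """Map a score to its band label."""
    label = BANDS[0][1]
    for lower, name in BANDS:
        if s >= lower:
            label = name
    return label


def rank(findings, weights: dict, criticality: dict) -> list:
    """Finding names, highest score first, under the given matrix."""
    return [f.name for f in sorted(findings, key=lambda x: score(x, weights, criticality), reverse=True)]


def response_step(f: Finding, weights: dict, criticality: dict) -> dict:
    """First step of the incident workflow. Onboard systems get a crew-owned action
    phrased for the crew; shore systems can be worked by the SOC directly."""
    severity = band(score(f, weights, criticality))
    if f.onboard:
        return {
            "owner": "crew",
            "severity": severity,
            "action": (f"{f.name}: confirm the system is affected, tell the SOC what it is "
                       "being used for right now, and wait for the SOC before changing anything."),
        }
    return {"owner": "soc", "severity": severity, "action": f"{f.name}: SOC to contain and remediate."}


# Constructed sample findings; the same four are scored under both matrices.
FINDINGS = [
    Finding("Unpatched file-sharing service on shore file server", "file_server",
            {"confidentiality": 0.8, "integrity": 0.6, "availability": 0.6}, onboard=False),
    Finding("Malware alert on navigation workstation", "navigation_pc",
            {"integrity": 0.7, "availability": 1.0, "safety": 0.8}, onboard=True),
    Finding("Default password on engine monitoring HMI", "engine_monitoring",
            {"integrity": 0.6, "availability": 0.7, "safety": 0.6}, onboard=True),
    Finding("Unknown device on crew wifi", "crew_wifi",
            {"confidentiality": 0.3, "availability": 0.2}, onboard=True),
]

if __name__ == "__main__":
    print("enterprise order:", rank(FINDINGS, ENTERPRISE_WEIGHTS, ENTERPRISE_CRITICALITY))
    print("fleet order     :", rank(FINDINGS, FLEET_WEIGHTS, FLEET_CRITICALITY))
    for finding in FINDINGS:
        print(response_step(finding, FLEET_WEIGHTS, FLEET_CRITICALITY))
```

Under the enterprise matrix the shore file server finding comes out on top and the navigation workstation finding is “low”; under the fleet matrix the navigation workstation is “critical” and the file server drops to “medium”. The response step makes the crew the owner of every onboard finding, which is where the earlier figure (over 75% of incidents needing crew action) shows up in the workflow rather than as an afterthought.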
CyberOwl provides a managed fleet SOC. Find out how we have designed and run our SOC to maximise effectiveness for maritime fleet operations.
__________________________________________
Perhaps putting in place a SOC is not your main focus area. See other actions you can take to improve your vessel cyber risk management:
- Gain access to the benchmarking data – read “Don’t spend another dollar on cybersecurity until you benchmark”.
- Change crew behaviour to be more secure – read “Training isn’t working. Human error remains high”.
- Learn what it will take to get your vessel UR E26 compliant – register interest for “I’m not planning newbuilds. Why should I care about UR E26?”
Click here to register your interest for upcoming topics to help you improve the cyber resilience of your shipboard systems.