Blog: Maritime Cyber Security
Cyber security guidance for small fleet operators
Introduction
Cyber threats aren’t just a problem for large shipping organisations; small maritime fleet operators are also at risk. From phishing emails to ransomware attacks, these threats can disrupt operations and compromise critical systems. This post is a guide to help small fleet owners and employees protect their systems and data, and build a stronger defence against cyber-attacks.
TL;DR
- Cyber security for small fleet operators is about protecting systems and data from attack.
- Attackers use phishing, malware, ransomware, and scams like BEC to gain access to systems and cause disruption.
- Most attacks start with weak passwords or phishing emails, making employees the first line of defence.
- While IT systems (laptops, email) are often the target, compromised IT can expose critical OT systems like navigation or control systems.
- Steps like using strong passwords, enabling MFA, spotting phishing, and reporting incidents quickly can significantly reduce risk.
- It isn’t just about tools: awareness, quick action, and smarter processes keep your business safe.
Cyber security is about protecting the systems we use and the data we store from theft, damage, or unauthorised access. As an employee, you play a vital role in keeping your business’s systems and data safe from attack.
What does a cyber-attack look like and what can you do?
A cyber-attack can be carried out by criminals, activists, terrorists, nation states, or simply someone making mischief. They may be motivated by financial gain, getting hold of sensitive data, or simply disrupting your business.
Four common types of cyber-attack are:
- Malware attack – malicious software is installed on your machines. This software can be used as part of a “bot net” to attack other organisations, use your processor power to “mine” for cryptocurrencies, or simply destroy data.
- Ransomware attack – a specific type of malware attack where the attackers will aim to cause disruption by preventing access to data or systems. They request that you pay a ransom to regain access.
- Phishing attack – attackers will use scam emails, text messages or phone calls to trick their victims. Their aim is to obtain passwords for systems or coerce you into downloading malware.
- Business Email Compromise (BEC) – a targeted phishing attack where senior management or finance staff are tricked into transferring funds or revealing sensitive information.
Many attacks have multiple stages, with the attacker initially trying to gain a foothold on your systems, either by using phishing or with a password they have found. The foothold could be anyone’s account in the business, from one of the owners down to a temporary member of staff.
Although you are a maritime business, the risks and threats you face are similar to those faced by any small to medium business.
There are four steps you can take to protect yourself and your business from cyber-attack:
- Defending yourself against phishing
- Creating strong passwords and storing them securely
- Securing your devices from attacks
- Reporting incidents quickly
Information Technology and Operational Technology
Devices (laptops, tablets, and phones) and business services (Microsoft Office, Salesforce, etc.) are termed Information Technology (IT) systems. The control systems, bridge systems, navigation systems and anything that can have direct impact on passenger and crew safety are termed Operational Technology (OT) systems.
Most attacks against OT systems will originate from an IT system. This awareness training aims to improve the security of IT systems so that OT systems are not exposed to risk.
Currently, the OT systems in the fleet that present cyber risk are:
- Chart Plotters and AIS receivers
- CCTV
- Cellular Wi-Fi
Persons responsible for cyber security
The cyber security officer (CySO) for the fleet is responsible for all security aspects of OT systems onboard the vessels, reviewing and updating the cyber security policy, and ensuring the policy is followed by other personnel. If you suspect the business is under cyber-attack, the CySO should be contacted.
Defend yourself against phishing
Phishing is where you receive an email, message, text or phone call that appears genuine, but it’s actually malicious.
Phishing attempts might try to trick you into revealing sensitive information, may contain a link to a malicious website that asks you for the password for another site, or may ask you to download malware. Some phishing attempts are random, others are more targeted.
Major email providers automatically filter out some phishing attacks, but criminals find ways to bypass these filters.
Phishing attacks will ask you to carry out an action. That could be resetting your password, downloading an update for some software, or transferring funds from a bank account.
The advice you will hear a lot is to look out for signs like poor spelling and grammar. While these are a good place to start, they can’t be used to spot all phishing emails. Here are three things to look out for:
- Urgency. Using tight deadlines to create a sense of urgency that distracts you from the rest of the message and pressures you into acting quickly.
- Authority. Using the authority of the sender, such as by pretending to be a senior manager, trusted colleague or existing supplier, to convince you that the message comes from a trustworthy source.
- Imitation. Exploiting ‘normal’ business communications, processes and daily habits to trick you into reacting to a message.
If in doubt, check it out: ask a colleague, call the person who is asking you to do something, or report the email to the fleet CySO.
Often, phishing emails will make use of domain names that are designed to look genuine but are not. Spotting these is difficult – if you are in doubt, do not click the link.
If you do make a mistake and carry out the actions in a phishing email, make sure you report the incident immediately.
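As an added example (not part of the original post), the check below shows how the advice about look-alike domain names can be turned into a simple link checker: it pulls the links out of a message and flags any whose registered domain is not one of the fleet’s own. The trusted domain `harbourfleet.example`, the sample message and the `.invalid` hosts are all constructed for illustration; the registrable-domain logic is deliberately simplified to the last two labels, and a production version should use the Public Suffix List instead.

```python
import re
from urllib.parse import urlparse

# Constructed: the domain(s) the fleet genuinely uses for email and web logins.
TRUSTED_DOMAINS = {"harbourfleet.example"}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


def registrable_domain(host):
    """Simplification (assumption): treat the last two labels as the registered
    domain. Real code should consult the Public Suffix List so that suffixes such
    as 'co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, trusted=TRUSTED_DOMAINS):
    """Return None if the host belongs to a trusted domain, otherwise a short
    reason explaining why the link deserves a second look."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return None
    if "xn--" in host:
        return "internationalised (punycode) host name"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "raw IP address instead of a domain name"
    for t in trusted:
        if t in host:
            # e.g. harbourfleet.example.account-verify.invalid: the trusted
            # name is only a subdomain label, the real owner is the tail.
            return f"contains trusted name '{t}' but is registered under '{reg}'"
        if levenshtein(reg, t) <= 2:
            return f"looks like '{t}' but is actually '{reg}'"
    return f"not a trusted domain ('{reg}')"


def suspicious_links(text, trusted=TRUSTED_DOMAINS):
    """Extract every http(s) link from a message and return (url, reason) pairs
    for those that do not sit on a trusted domain."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        reason = classify_host(host, trusted)
        if reason:
            findings.append((url, reason))
    return findings


# Constructed sample message in the style of a password-reset phish.
SAMPLE_MESSAGE = """Urgent: your mailbox password expires today.
Reset it now at https://harbourfleet.example.account-verify.invalid/reset
or sign in as usual at https://harbourfleet.example/login
Need help? See https://harbourf1eet.example/support"""

if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_MESSAGE):
        print(f"CHECK: {url}\n       {reason}")
```

Run on the sample message, the checker leaves the genuine `https://harbourfleet.example/login` link alone and flags the other two: one because the trusted name is only a subdomain of `account-verify.invalid`, the other because `harbourf1eet` is one character away from the real name. A flagged link is a prompt to check with a colleague or the CySO rather than to click.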
Create strong passwords and store them securely
It is important that you create strong passwords that are hard to guess, use different passwords for different systems, and add extra layers of security to make it harder to access accounts.
If you need to create and remember a strong password, use a combination of lowercase, uppercase, numbers and symbols. Passwords that are 12 characters or longer are considered secure, but they must be hard to guess. A good way of doing this is to pick three random words, then add some numbers and a symbol. Make sure the words and numbers (such as a date) can’t be determined from your social media – make them as random and unrelated as possible. For example, Ferretgreenviolin3572(
It is important that you do not use the same password for different systems. The password you use to login to your email account should not be the same as the one used to login to your online bank. Many of the passwords that you will use will be for websites.
Most browsers have password managers that generate and store secure passwords for you. The passwords they generate are long, random strings of characters that should be impossible for others to guess. Alternatively, dedicated password managers are available that store passwords securely.
Your online accounts can be made harder to access by enabling something called Multi-Factor Authentication (MFA). When logging in, you need to enter an additional code. This code can be sent to you by email or SMS, or generated using a dedicated application on your phone. Where possible, you should turn on MFA to make it harder for a criminal to login to your accounts.
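The following is an added example, not code from the original post, covering the two pieces of advice above: building a password in the “three random words plus numbers and a symbol” style, checking a candidate against the stated criteria (12 or more characters, mixed case, digits, symbols), and showing where the extra MFA code comes from. The word list is a constructed stub; a real generator needs several thousand words. The one-time-password functions follow RFC 4226 (HOTP) and RFC 6238 (TOTP), which is what authenticator apps implement, and the demo secret is the RFC test-vector value, not a real credential.

```python
import hashlib
import hmac
import secrets
import string
import struct
import time

# Constructed sample word list for the "three random words" method. A real
# generator should draw from a list of several thousand words so that the
# combination cannot be guessed; this short list is only for illustration.
WORDS = ["ferret", "green", "violin", "harbour", "anchor", "lantern", "pebble",
         "cobalt", "meadow", "tunnel", "walrus", "quartz", "saddle", "falcon"]

SYMBOLS = "!@#$%^&*()-_=+?"


def make_passphrase(words=WORDS, n_words=3, n_digits=4):
    """Build a password in the post's style: three random words, some digits
    and one symbol (e.g. Ferretgreenviolin3572(). Uses the 'secrets' module,
    which is designed for security-sensitive randomness, rather than 'random'."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    digits = "".join(secrets.choice(string.digits) for _ in range(n_digits))
    symbol = secrets.choice(SYMBOLS)
    # Capitalise the first word so the result contains both upper and lower case.
    return chosen[0].capitalize() + "".join(chosen[1:]) + digits + symbol


def check_password(password, min_length=12):
    """Return a list of problems with a password against the post's criteria.
    An empty list means the password passes every check (length alone is not
    enough: the words must also be unguessable, which code cannot verify)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    return problems


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamically truncated to a 31-bit number, reduced to the wanted digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """Time-based one-time password (RFC 6238): the six-digit code an
    authenticator app shows, derived from the shared secret and the clock."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


if __name__ == "__main__":
    candidate = make_passphrase()
    print("generated:", candidate, "problems:", check_password(candidate))
    print("weak example problems:", check_password("ferret123"))
    # RFC 6238 test-vector secret (constructed demo value, not a real credential);
    # a real secret is issued to your phone when you enrol in MFA.
    print("current MFA code:", totp(b"12345678901234567890"))
```

Because the MFA code changes every 30 seconds and depends on a secret that only your phone and the service hold, a stolen password on its own does not let an attacker in, which is why the post recommends turning MFA on wherever it is offered.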
Secure your devices from attack
The apps and software you use will have flaws in their systems. Hackers can exploit some of these flaws which can lead to your systems being compromised.
You can help protect yourself by carrying out the following actions:
- Keep your software up to date – when flaws are found, vendors will normally fix them and send the fix out as a patch or as part of an update. Hackers rely on you to ignore those update notifications so they can get in before the update is made – so don’t give them the chance.
- Be careful what you download: only download apps from official app stores and avoid using unknown or third-party applications.
- Secure your devices with a screen lock – on your phone, tablets and laptops, you should set a password, PIN, or biometric lock to prevent someone using the device if it is unattended, lost or stolen.
- On laptops running Windows or MacOS, Endpoint Detection and Response (EDR or “anti-virus”) software can be used to make it more difficult for malware to run and limit the impact of an attack.
Report incidents quickly
How do you spot that an incident is occurring? Here are some signs to watch out for:
- Unresponsive or slow systems.
- Unexpected changes to passwords.
- Accounts being locked out.
- Network connectivity problems.
- Frequent errors or crashes of software or operating systems.
- Unexpected changes to settings or configuration.
- High resource consumption e.g. processor, memory, network or disk space.
Cyber-attacks can be difficult to spot, and you can’t be expected to identify them 100% of the time. Don’t hesitate to ask for further guidance or support when something feels suspicious, unexpected or unusual.
Always report. Never assume that someone else will report the issue. It is better that several people report the issue than none.
Don’t be afraid: even if you think you caused an incident, always report it. Cyber incidents can be difficult to spot, and mistakes do happen – letting someone know will help to limit the damage.
If you suspect that the business is undergoing a cyber-attack or you have made a mistake, it is vital that you report the incident quickly to resolve the problem and reduce the potential harm caused. Contact the fleet CySO immediately.
Security that doesn’t work for people, doesn’t work. Don’t be afraid to flag policies or processes that make your jobs difficult. This is how a culture emerges where well considered and appropriate security makes for a successful organisation.
Additional tips
Personal use
Phones, tablets and laptops provided by the business should be mainly used for business purposes. Equally, personal devices should not be used for business purposes outside of allowing staff to be contacted by phone. Isolating personal devices from business systems reduces the risk that a compromised personal device or account can impact the business.
Appropriate use of business networks
A Wi-Fi network is available on the vessel which can be used to access the Internet. This is primarily for business purposes. If used for personal devices, be mindful that any activities you carry out and sites you visit will be associated with the business.
Removable media (USB mass storage devices or memory sticks)
Sometimes, OT systems require the use of removable media such as a USB memory stick to transfer data or software updates to them. Currently, no systems in use at <> require the use of removable media. There should be no need for anyone to use removable media – no devices should be plugged into any business system at any time.
If removable storage is used with any OT system, a dedicated device should be used. It should not be used for general use or for IT purposes.
Conclusion
It’s clear that there’s no silver bullet, but attending to everything here in a joined-up fashion will put you in a good place.
For more in-depth, compliance, security advice and guidance read some of our other related maritime security blog posts: