LRQA Nettitude Blog

By Graham Sutherland, Senior Vulnerability Researcher

The traditional online attack surface for ships is changing. Gone are the years where vessels were put to sea for months at a time with little or no contact made with the shore, with letters awaiting them at their next arrival port and unpredictable journey times and locations.

Even with the advent of satellite phones, GPS tracking and computer-based navigation, a typical ship will still have a much more limited online presence compared to shore-based organisations. However, this is changing rapidly. As the availability and reliability of internet connections aboard ships improves, it is natural that organisations will seek to leverage this connectivity for the purposes of remote monitoring and diagnostics.

Below, we take a look at the new and enhanced risks posed by remote access communication on board ships and how we can approach a safer way of operating to protect the ship, its assets and the people on board.

The explosive growth in communications services over the last two decades has dramatically changed the way that businesses operate in all sectors, improving efficiency and providing new opportunities. In the maritime sector, we can see this from the original adoption of VHF a hundred years ago for ship communication through to more recent safety technologies such as AIS and satellite communication. However, the limited bandwidth and high cost of these technologies has historically limited the sector’s ability to leverage them in many of the ways seen in other industries.

Notably, when adding new technologies or capabilities to existing systems, it’s important to consider any additional risk that may be presented; this can be both from vulnerabilities in the underlying technologies themselves, or from the way in which they can interact with or expose other capabilities. Where risks are identified, mitigations should be put in place to reduce them to an acceptable level. Below we explore some of the ways in which this can be done, and some examples of widely used maritime technologies.

We are pleased to announce the addition of Mike Hubbard, our new Security and Network Solutions (SNS) Account Manager, within the Security and Network Solutions team. This new team delivers network consultancy, enterprise network solutions and network security solutions. Throughout the forthcoming months, Mike will be working closely with our clients to assess the effectiveness of their current environments and advise on any appropriate action to ensure their business infrastructure and network solutions are as safe and effective as possible. Below is a further insight into how Mike will be working within this new team.

By Ben Densham, CTO at Nettitude

By 2021, Forbes estimates that there will be $6 trillion in damages caused by cyberattacks, a figure that exceeds the cost of all natural disasters in an entire year. However, cyberattacks and the impact they can have on organisations are now becoming much better understood, and more businesses are putting protocols and cybersecurity strategies in place to become proactive rather than reactive to cyber threats.

Creating a cybersecurity strategy involves working out what ‘good’ looks like for your business in terms of maintaining digital security, keeping cyber threats at bay and having a plan of action in place for the possibility of a breach. Your cybersecurity strategy should be a clear vision that’s well-articulated, has board-level engagement and is relevant to your industry. Whilst many businesses have a cybersecurity policy, this is no longer enough. It’s crucial to have a full strategy in place which instigates cultural change within your business ecosystem and isn’t just reactive to threats but proactively ensures your business is doing everything possible to protect itself from cyberattacks.

Here are 5 steps to consider when creating your effective cybersecurity strategy: 

.

We are pleased to announce the addition of Sarah Beresford, our new Security and Network Solutions Account Manager, within the Security and Network Solutions team. This new team delivers network consultancy, enterprise network solutions and network security solutions. Throughout the forthcoming months, Sarah will be working closely with our clients to assess the effectiveness of their current environments and advise on any appropriate action to ensure their business infrastructure is as safe as possible. Below is a further insight into how Sarah will be working within this new team.

By Joel Snape, Senior Security Researcher at Nettitude

Across most branches of industry, it is common to find security companies doing pro-active vulnerability research on equipment used in that industry and publishing details of the issue found after liaising with the vendor to ensure they are fixed. For example, in the wake of several large-scale internet attacks in 2016, researchers focused their attention on IoT devices with many reports surfacing of issues with devices such as CCTV cameras, home routers and network-connected storage devices.

In the maritime space, however, much less research has been publicly shared, predominantly because of the comparative cost and lack of accessibility of standard maritime equipment, although research has been carried out for several years, and some of the results have been publicly presented. Nettitude have pulled together highlights of the most relevant research in the public domain from a few key systems and highlighted the impact these vulnerabilities have within the marine and offshore sector, full details of which can be found in this report. So, what did the researchers find? Is the equipment currently used secure?

ISO27701:2019, a new international standard concerned with the management of personal data, has been published. ISO27701 is a Privacy Information Management System (PIMS), and provides an extension to the better known ISO27001:2013 Information Security Management System (ISMS).

In this blog, we’ll take a brief look at the new standard, how it differs from ISO27001:2013, and how it can benefit your organisation.

What is a zero day attack exploit?

Imagine setting sail with your bow doors still open. Or operating with an engine that leaked 50% of its fuel intake. Or if we let the bridge continue to operate with all the windows smashed.

In today's cyber-obsessed world, you only have to scroll the web pages of your favourite online news agency to see that with a new day comes new reports of cyber attacks. From ransomware to phishing scams and state-sponsored attacks, it is clear that cybercrime is an increasing threat to all businesses and online users.

The world loves assessments. Be it the endless Top 10 lists on Facebook, from the Forbes 500 to the FT 1000 and more. Smaller assessments include a person’s annual physical, car inspections, report cards from school, and more. In the world of information security, a risk assessment is an invaluable method for an organisation to determine its information security posture. There is a lot at stake when an organisation performs a cybersecurity risk assessment, so it’s imperative that it be done right.

Want to learn how to do it right? Keep reading.