Written by Walter Hannemann, Product Manager | 07 February 2020
Modern maritime companies have access to more data than ever, coming from multiple sources and existing in a variety of formats. All this data needs to be safeguarded.
In today’s maritime industry, data is an asset. Breakthroughs within sensors and IoT systems, as well as the increase in available bandwidth, are enabling the real-time transfer of vast amounts of data from ship to shore, and vice versa.
Along with the “Big Data” phenomenon, challenges have emerged. Historically, shipowners’ and operators’ major concerns were safety, asset integrity, and environmental protection. Nowadays, data is both a value driver and another area for concern.
In this three-part blog article, we’ll discuss the importance of securing confidentiality, integrity and availability of your vessel data. What do you need to do to ensure it remains unchanged, protected and trustworthy in transit from ship to shore?
On that point, let’s start by looking at what the CIA triad is, and why your vessel data security management must adequately address it to be considered comprehensive and complete.
The CIA triad of confidentiality, integrity and availability is a security model designed to assess organisations for cyber risk and to guide policies and procedures for data security within them.
Confidentiality means that data, objects and resources are protected from unauthorised viewing and other access. Only those who need access to information, or those that the information is intended for, should have access.
Protecting confidentiality alone does not constitute data security; you need to make sure that all three components of the CIA triad are addressed.
Integrity is the assurance that the data is accurate, consistent and trustworthy over its lifecycle, and that it hasn’t been tampered with in any way. Maintaining data integrity helps improve recoverability and searchability, traceability (to origin), and connectivity. In addition, there should be a means of testing the integrity of the data.
For shipping, data integrity plays an essential role in the accuracy and efficiency of a vessel’s normal operation as well as business processes.
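One way to provide a "means of testing the integrity of the data" for ship-to-shore transfers, shown as an added example that is not from the original article or from any product it mentions: each record is sealed on board with a sequence number and an HMAC-SHA256 tag, and the shore side detects altered, missing and re-sent records. The key, field names and sample readings are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); in practice each vessel has its own provisioned secret.
VESSEL_KEY = b"constructed-demo-key-not-for-production"

def seal(record: dict, seq: int, key: bytes = VESSEL_KEY) -> dict:
    """Ship side: wrap a record with a sequence number and an HMAC-SHA256 tag."""
    body = json.dumps({"seq": seq, "data": record}, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_stream(messages: list, key: bytes = VESSEL_KEY) -> list:
    """Shore side: return one (seq, status) tuple per received message.
    status is "ok", "tampered", "replayed" or "gap" (earlier records missing)."""
    results = []
    expected = 0  # next sequence number we expect to see
    for msg in messages:
        want = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; never parse a body whose tag does not verify.
        if not hmac.compare_digest(want, msg["tag"]):
            results.append((None, "tampered"))
            continue
        seq = json.loads(msg["body"])["seq"]
        if seq < expected:
            results.append((seq, "replayed"))
        elif seq > expected:
            results.append((seq, "gap"))
            expected = seq + 1
        else:
            results.append((seq, "ok"))
            expected = seq + 1
    return results

def demo() -> list:
    # Constructed sample readings, loosely modelled on fuel figures in a noon report.
    readings = [{"fuel_mt": 41.2}, {"fuel_mt": 40.9}, {"fuel_mt": 40.5}, {"fuel_mt": 40.1}]
    sent = [seal(r, i) for i, r in enumerate(readings)]
    # Simulated transit faults: record 1 altered, record 2 dropped, record 0 re-sent.
    altered = dict(sent[1], body=sent[1]["body"].replace("40.9", "30.9"))
    received = [sent[0], altered, sent[3], sent[0]]
    return verify_stream(received)

if __name__ == "__main__":
    print(demo())
```

The tag only proves integrity and origin to holders of the shared key; it does not hide the readings, so confidentiality still depends on encrypting the channel or the payload.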
Systems, applications, and data are of little value to your organisation and your customers if they are not accessible when authorised users need them.
Availability means that networks, systems, and applications are up and running. It ensures that authorised users have timely, reliable access to the systems and the resources they need when they need them.
For data to support analytics-driven business decisions and deliver operational value across the logistics chain, you need to be able to rely on its availability and believe in its accuracy.
Data and sensors compromised by breaches or other security incidents cannot be trusted, and could endanger human safety and the safety of the vessel, and/or pose an environmental threat. For this reason, maintaining data confidentiality, integrity and availability is a core focus of maritime cybersecurity.
Confidentiality refers to the measures you must take to guarantee that the data – particularly sensitive data – is not being exposed to the wrong people, i.e. personnel who are not authorised to have access to the data.
Let’s look at some tried-and-true practices for maintaining data confidentiality across your fleet.
In a business environment such as shipping, access to onboard systems is granted to various stakeholders. Suppliers and contractors pose a risk, as they often have both intimate knowledge of your ships’ operations and full access to systems.
To protect access to confidential data and systems, you need a robust passphrase policy. Yes, passphrase. Modern best practices have departed from old beliefs like forcing password changes and random complexity. Passwords should be replaced by passphrases, because:
When you transfer data from uncontrolled systems to controlled systems, malware may be introduced. Removable media can be used to bypass layers of defences and attack systems that are otherwise not connected to the internet.
Obsolete equipment can contain data that is commercially sensitive or confidential.
When you dispose of such equipment, make sure you properly destroy the data held on it, so that it cannot be retrieved.
This is also valid when a ship is sold or transferred to another owner or manager. Some data must be handed over; some data should not. Make sure all data is identified and categorised beforehand to make the transfer easier.
Walter Hannemann started his career in a computer factory product development laboratory in 1983, while taking his education in Electronics and Information Systems. Since then, his jobs have involved software architecture and development, infrastructure design and overall IT management, in both large enterprises and startups. With a passion for “making things work”, shipping applications and all digital things onboard ships became his interest after joining Maersk in 2008. Managing IT in large companies like Maersk Tankers and Torm has given him insider’s knowledge of the shipping industry and spurred his entrepreneurial drive to help move the industry into the digital future. Based in Copenhagen as Product Manager for Dualog, Walter enjoys finding solutions for big (and small) problems while keeping the overview and a forward-looking approach, with deep dives in technical subjects when necessary – or possible.