The importance of identity and access management in the maritime sector

Written by Walter Hannemann, Product Manager | 11 December 2019


The shipping industry is moving more and more business-critical processes and data to digital platforms and cloud systems, increasing the need for robust identity and access management (IAM). Creating, tracking and managing personal and digital identities is vital for a smooth shipping operation.

On a cargo ship at sea, a couple of years ago: The main application server is infected by ransomware, completely disrupting the IT infrastructure. Every critical file on the server is encrypted, destroying sensitive data and applications needed for administrative operations.

The story above is not some made-up scenario but a real-world incident, reported by BIMCO. The root cause of the infection turned out to be a poor password policy that allowed attackers to brute force remote management services.


Identity and access management is critical

Identity and access management in the complex maritime setting is a challenge that needs attention. The ever-shifting crew, the abundance of equipment with thousands of onboard sensors and the many players involved in running a shipping operation pose challenges for identity and access management.

With its continued adoption of cloud applications, the maritime sector is struggling with visibility of user access and activity. At the same time, compromised user credentials often serve as an entry point into an organisation’s network and its information assets, both onshore and offshore.

In a business environment such as shipping, access to onboard systems is granted to various stakeholders. Suppliers and contractors pose a cyber risk, as they often have both intimate knowledge of a ship’s operations and full access to systems. Third-party technicians are typically left to work on equipment without supervision.

These security challenges have brought identity and access management systems to prominence. In today’s digitally connected world, identity and access management is a critical component of any shipping company’s cybersecurity plan.


IAM basics

Identity and access management in enterprise IT is about defining and managing the roles and access privileges of individual network users and the circumstances in which users are granted (or denied) those privileges.

Organisations use identity and access management to safeguard their information assets against the rising threats and vulnerabilities related to digitalisation.

By granting the right individual access to the appropriate resources at the right time, while keeping unauthorised individuals away from sensitive resources (user information, passwords and digital certificates), IAM safeguards critical shipboard assets and improves data security.


Why is IAM important for your shipping organisation?

Your fleet crews are dispersed all over the world’s oceans, doing their jobs in distributed IT environments far away from your company headquarters. This atomised work model – with crews working remotely, across regions, time zones and disparate devices – represents a whole host of IT security challenges.

Privileged access abuse is a growing attack vector, where cybercriminals are increasingly attempting to access sensitive systems and data.

The goal of identity and access management is to improve productivity and security while lowering costs associated with managing users and their identities, attributes, and credentials.

When implemented correctly and safely, identity and access management helps to improve efficiency by giving your employees access to systems and platforms faster. What’s more, it lowers operational IT costs. There will be fewer calls to support for resetting passwords and similar time-consuming tasks, allowing your IT staff to get more meaningful and strategically valuable work done.


Maritime identity and access management best practices

Let’s look at some key procedural protection measures for ships, as recommended by BIMCO’s Guidelines on Cyber Security Onboard Ships.

1. Access for visitors

  • Visitors such as authorities, technicians, agents, port and terminal officials, and owner representatives should be restricted with regard to computer access whilst on board.
  • Unauthorised access to sensitive OT network computers should be prohibited. If access to a network by a visitor is required and allowed, then it should be restricted in terms of user privileges. Access to certain networks for maintenance reasons should be approved and coordinated following appropriate procedures as outlined by the company/ship operator.
  • If a visitor requires computer and printer access, an independent computer, which is air-gapped from all controlled networks, should be used. To avoid unauthorised access, removable media blockers should be used on all other physically accessible computers and network ports.

2. Remote access

  • Policy and procedures should be established for control over remote access to onboard IT and OT systems. Clear guidelines should determine who has permission to access, when they can access, and what they can access.
  • Any procedures for remote access should include close coordination with the ship’s master and other key senior ship personnel.
  • All remote access occurrences should be recorded for review in case of a disruption to an IT or OT system. Systems that require remote access should be clearly defined, monitored and reviewed periodically.
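The periodic review of recorded remote-access occurrences, together with the brute-force scenario from the BIMCO incident at the top of the article, can be turned into a repeatable check. The following Python script is an added example, not code from the article, from BIMCO or from Dualog: it parses sshd-style authentication log lines from a hypothetical gateway host ("gw-bridge"), flags sources that produce a burst of failed logins, lists successful logins that follow such a burst, and compares every accepted login against a register of accounts that have a documented need for remote access. The log lines, hostnames, account names, addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style log lines from a hypothetical ship remote-access
# gateway ("gw-bridge"). Addresses come from documentation ranges; nothing
# here is real data.
SAMPLE_LOG = """\
Mar 14 02:11:03 gw-bridge sshd[4110]: Failed password for root from 203.0.113.45 port 51122 ssh2
Mar 14 02:11:05 gw-bridge sshd[4110]: Failed password for root from 203.0.113.45 port 51123 ssh2
Mar 14 02:11:07 gw-bridge sshd[4110]: Failed password for admin from 203.0.113.45 port 51124 ssh2
Mar 14 02:11:09 gw-bridge sshd[4110]: Failed password for admin from 203.0.113.45 port 51125 ssh2
Mar 14 02:11:12 gw-bridge sshd[4110]: Failed password for invalid user oracle from 203.0.113.45 port 51126 ssh2
Mar 14 02:11:15 gw-bridge sshd[4110]: Accepted password for admin from 203.0.113.45 port 51127 ssh2
Mar 14 09:30:41 gw-bridge sshd[5201]: Accepted publickey for svc-ecdis from 198.51.100.7 port 40022 ssh2
Mar 14 10:02:19 gw-bridge sshd[5330]: Failed password for chief.eng from 198.51.100.8 port 40100 ssh2
Mar 14 10:02:40 gw-bridge sshd[5330]: Accepted password for chief.eng from 198.51.100.8 port 40101 ssh2
"""

# Register of accounts with an approved, documented need for remote access
# (hypothetical; in practice this comes from the ship operator's procedures).
APPROVED_ACCOUNTS = {"svc-ecdis", "chief.eng"}

FAILED_THRESHOLD = 5   # this many failures from one source ...
WINDOW_SECONDS = 60    # ... within this many seconds is treated as brute force

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
    r"(Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_auth_line(line):
    """Return a dict for an sshd auth line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, outcome, method, user, source = m.groups()
    return {
        "time": datetime.strptime(ts, "%b %d %H:%M:%S"),  # year-less syslog stamp
        "host": host,
        "accepted": outcome == "Accepted",
        "method": method,        # "password" or "publickey"
        "user": user,
        "source": source,
    }


def brute_force_sources(events, threshold=FAILED_THRESHOLD, window=WINDOW_SECONDS):
    """Sources with `threshold` failed logins inside any `window`-second span."""
    failures = defaultdict(list)
    for e in events:
        if not e["accepted"]:
            failures[e["source"]].append(e["time"])
    flagged = set()
    for src, times in failures.items():
        times.sort()
        # Sliding window over consecutive failures from the same source.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                flagged.add(src)
                break
    return flagged


def review_remote_access(lines, approved_accounts):
    """Summarise what a periodic remote-access review should look at."""
    events = [e for e in map(parse_auth_line, lines) if e]
    flagged = brute_force_sources(events)
    accepted = [e for e in events if e["accepted"]]
    return {
        # Sources that hammered the gateway with failed logins.
        "brute_force_sources": sorted(flagged),
        # Logins that succeeded from a source already seen brute-forcing:
        # the pattern behind the ransomware incident described in the article.
        "success_after_brute_force": [(e["user"], e["source"]) for e in accepted
                                      if e["source"] in flagged],
        # Successful logins by accounts with no documented remote-access need.
        "unapproved_logins": [(e["user"], e["source"]) for e in accepted
                              if e["user"] not in approved_accounts],
        # Password-based logins; a weak password policy is what let the
        # attackers in, so these deserve a look even when the account is approved.
        "password_logins": [(e["user"], e["source"]) for e in accepted
                            if e["method"] == "password"],
    }


if __name__ == "__main__":
    for key, value in review_remote_access(SAMPLE_LOG.splitlines(), APPROVED_ACCOUNTS).items():
        print(f"{key}: {value}")
```

On the constructed sample the script flags 203.0.113.45 as a brute-force source, shows that the "admin" account was accepted from that source right after the burst and is not in the approved register, and lists both password-based logins; the single failed attempt by chief.eng before a successful login stays below the threshold and is reported only as a password login.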

3. Use of administrator privileges

  • Administrator privileges should only be given to appropriately trained personnel who, as part of their role in the company or onboard, need to log onto systems using these privileges. In any case, the use of administrator privileges should always be limited to functions requiring such access.
  • User privileges should be removed when the people concerned are no longer onboard. User accounts should not be passed on from one user to the next using generic usernames. Similar rules should apply to onshore personnel who have remote access to systems on ships: when they change their role and no longer need access, it should be removed.
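The two administrator-privilege rules above (privileges tied to a role, and accounts removed when their owner leaves or is a generic shared login) can be checked by reconciling the accounts on a shipboard system against the current crew list and the register of approved onshore remote users. The Python script below is an added example and not code from the article, BIMCO or Dualog; the account records, crew names, ranks, group names and the set of ranks that justify administrator rights are all hypothetical.

```python
from collections import defaultdict

# Constructed account export from a hypothetical shipboard system.
# `owner` is the named person (or onshore party) the account belongs to;
# None marks a generic login that is handed from one user to the next.
ACCOUNTS = [
    {"user": "j.larsen",   "owner": "Jonas Larsen",            "groups": {"users", "administrators"}},
    {"user": "m.okafor",   "owner": "Mary Okafor",             "groups": {"users", "administrators"}},
    {"user": "p.silva",    "owner": "Pedro Silva",             "groups": {"users", "administrators"}},
    {"user": "chiefeng",   "owner": None,                      "groups": {"users", "administrators"}},
    {"user": "vendor-svc", "owner": "Acme Marine Electronics", "groups": {"users"}},
]

# Current crew list (name -> rank) as exported from crew management (constructed).
ONBOARD_CREW = {
    "Jonas Larsen": "Master",
    "Mary Okafor": "Third Officer",
    "Lin Chen": "Chief Engineer",
}
# Onshore parties with a current, approved remote-access agreement (constructed).
ONSHORE_REMOTE = {"Acme Marine Electronics": "Service technician"}
# Ranks/roles whose duties justify administrator privileges (hypothetical policy).
ADMIN_ROLES = {"Master", "Electro-Technical Officer", "IT Superintendent"}
ADMIN_GROUP = "administrators"

# What the review recommends for each kind of finding.
ACTION_FOR = {
    "GENERIC_ACCOUNT": "replace_with_named_accounts",
    "OWNER_NOT_PRESENT": "disable",
    "ADMIN_NOT_JUSTIFIED": "remove_admin",
}


def review_accounts(accounts, onboard, onshore, admin_roles, admin_group=ADMIN_GROUP):
    """Return (user, issue) pairs for accounts that breach the two rules."""
    findings = []
    for acct in accounts:
        user, owner, groups = acct["user"], acct["owner"], acct["groups"]
        issues = []
        if owner is None:
            # Shared/generic username: nobody is accountable for its use.
            issues.append("GENERIC_ACCOUNT")
            role = None
        else:
            # Owner must be either currently onboard or an approved onshore party.
            role = onboard.get(owner) or onshore.get(owner)
            if role is None:
                issues.append("OWNER_NOT_PRESENT")
        # Administrator rights only for roles that need them; a generic or
        # departed owner never qualifies.
        if admin_group in groups and role not in admin_roles:
            issues.append("ADMIN_NOT_JUSTIFIED")
        findings.extend((user, issue) for issue in issues)
    return findings


def planned_actions(findings):
    """Group findings into the actions the IT staff should carry out."""
    actions = defaultdict(set)
    for user, issue in findings:
        actions[ACTION_FOR[issue]].add(user)
    return {action: sorted(users) for action, users in actions.items()}


if __name__ == "__main__":
    found = review_accounts(ACCOUNTS, ONBOARD_CREW, ONSHORE_REMOTE, ADMIN_ROLES)
    for user, issue in found:
        print(f"{user}: {issue}")
    print(planned_actions(found))
```

Running it on the constructed data leaves the Master's administrator account and the vendor's ordinary account untouched, strips administrator rights from the Third Officer, disables the account of a crew member who has signed off, and flags the generic "chiefeng" login for replacement with named accounts. The same reconciliation run at each crew change, and again whenever an onshore remote user changes role, is what keeps the second rule from being honoured only on paper.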


Conclusion

Modern-day cyber criminals are ramping up their efforts to break into systems using compromised user and access credentials. The maritime sector is no exception.

Administrator privileges allow full access to system configuration settings and all data. Users logging onto vessel systems with administrator privileges may enable existing vulnerabilities to be more easily exploited.

Therefore, proper identity and access management is a crucial part of your cybersecurity strategy.

About the author

Walter Hannemann started his career in a computer factory product development laboratory in 1983, while taking his education in Electronics and Information Systems. Since then, his jobs have involved software architecture and development, infrastructure design and overall IT management, in both large enterprises and startups. With a passion for “making things work”, shipping applications and all digital things onboard ships became his interest after joining Maersk in 2008. Managing IT in large companies like Maersk Tankers and Torm has given him insider’s knowledge of the shipping industry and enticed his entrepreneurship to help move the industry into the digital future. Based in Copenhagen as Product Manager for Dualog, Walter enjoys finding solutions for big (and small) problems while keeping the overview and a forward-looking approach, with deep dives into technical subjects when necessary – or possible.