This week the world saw the sudden spread of a new ransomware variant, called by some ‘Petya’ and by others ‘NotPetya’. It affected maritime owners and operators, forcing them to shutter operations to control the corruption in their systems.

The automation systems on our ships and offshore assets today are often single-purpose components. These automation systems bring features and functions that multiply human effort, but sometimes at the cost of vulnerabilities to specific errors, failure modes or intrusions. Automation systems can be information technology (IT), operational technology (OT) or the converged IT-OT cyber-physical systems, which are becoming more common in control system implementations.

This ransomware event – no matter the name – illustrates what can happen to systems when technology use outruns system understanding. There are several major efforts required to keep systems safe and increase the likelihood that they perform as expected for our enterprises. These are bare minimum requirements for today’s security.

Architecture is required for company or organizational processes. It’s important to know systems and their interfaces, to understand the interoperability requirements among systems and to appreciate where protective features should be incorporated in architecture.

Incident response and recovery capabilities, based on system understanding and positive system control, are required to stimulate and manage response to malfunctions, errors or intrusions. Asset inventory and systems performance monitoring is critical to detect abnormalities and respond appropriately.

Software management of change program addresses hardware systems, the software running on them and how that software is managed through configuration, testing, patching, maintenance and lifecycle. The management of change program is that conscious effort required to track the software versions, their test results, their master copies (for recovery) and their upkeep through the system life.

These three factors all provide inputs to the organizational work expected for risk assessment. As recently reinforced by the International Maritime Organization (IMO) in the report of their Maritime Security Committee (MSC) 98, cybersecurity risk will be required as a part of conventional risk management conducted for maritime assets.

That risk assessment process will include cyber-enabled systems and the potential hazards and impacts of certain conditions. Imagine if ransomware hit the ship control console (helm) when the ship is maneuvering through the port’s ship channel. Imagine if malware infected the computers connected to the automated devices controlling a drilling platform’s blowout preventer functions, deep down on the seafloor. Suddenly there is a new sense of apprehension for potential risks to people, systems, the ship or platform, and to the environment, all emerging from our automated systems.

Source: ABS