Professional Documents
Culture Documents
Shipboard Cyber Security and Response Manual
Shipboard Cyber Security and Response Manual
Table of Contents
Cyber response procedures 3
IT and security event reporting 3
OT and critical system cyber event reporting 5
Reporting PAL and IT hardware problems 7
Virus, malware or ransomware infection on PC 9
Email failure 10
Satellite communication failure 11
OT and critical system failure 12
Cyber security procedures 13
Risk assessment - IT systems 13
Risk assessment - OT systems 15
Access Control to Company Computers 17
USB and RJ45 access control procedure 20
Anti-virus protection 21
Connecting external media to ship computer 23
Software and Patch Management 24
System Back-up 26
Hardware Management 27
Visitor Dedicated Computer 29
Loading and stability computers 30
ECDIS virus precaution 31
System Handover 32
Other Computer systems 33
Cyber Security Drill 34
Shipboard cyber security - introduction 35
Cyber Security Policy 38
Cyber threats 39
Cyber risk assessment and management 42
Cyber security responsibilities and key contacts 45
Cyber Breach symptoms 47
1
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
2
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
3
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Complete
¢¢ d ¢¢
4
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
5
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Complete
¢¢ d ¢¢
6
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
7
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
8
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
9
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Email failure
Note: This applies when email communication
totally fails due to any reason.
1) Report by phone or Sat C to:
a) Email provider
b) Company IT
c) Technical Superintendent
2) Use Inmarsat C as an alternative system for text
communication
3) Use phone for urgent communication
4) Follow instructions from email provider or
Company IT
Complete
¢¢ d ¢¢
10
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
11
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
12
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
welfare systems
– Communication systems
13
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
14
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
systems
l Propulsion and machinery
management systems
l Passenger facing public networks
15
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
e) USB ports
4) Complete checklist and send back to office
Note: Technical superintendent verifies OT
checklist reply, identifies OT systems with
higher risk, evaluate, assess and determine
mitigation measures with assistance of
SMC IT. Update OT checklist. TSI confirms
checklist and informs vessel
5) Perform assessment of OT systems in PAL LPSQ,
attach updated OT checklist as reference
6) Complete assessment with review by office
7) Review the RA at least once every year with
assistance from office
Complete
¢¢ d ¢¢
16
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
a) Master:
- Receives administrator level account
details from Company IT
- Logs in with the password
- Applies the necessary changes as
instructed by Company IT
- Logs out
- Logs in again with the normal
credentials
- Keeps administration credentials in the
Master’s safe
17
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
a) Master:
- Receive account list with credentials
from Company IT
- Provide credentials to sea staff as
applicable
- Brief users on password security and
confidentiality
3) Access for visitors and non-BSM staff:
Caution: Do not allow visitors to use any of the
ship computers or IT systems without permission
from the Master. The Master confirms with the
Technical Superintendent that the attending IT
engineer is legitimate.
18
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
19
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
20
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Anti-virus protection
Note: The Company provides anti-virus software.
Only use the software supplied by the
Company. Anti-virus updates (e.g. Port -
IT) are sent weekly by email. Some VSAT
ships receive update over the internet
(e.g. AMP). Ships with limited internet
access receive the updates via a DVD.
Warning!
21
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
22
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
23
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
24
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
25
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
System back-up
Caution: Master keeps recovery CD / DVD in
their office.
26
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Hardware management
Note: BSM supplies all computer systems to
ships. This includes hardware and all
necessary software.
1) Discuss computer hardware installation with
office:
a) Consider necessary resources:
- Crew
- Time
- Additional material such as cabling
- Port stay duration
b) Agree on locations for:
- Captain’s office
- Chief Engineer’s office
- Ship / Cargo office
- Engine Control Room
- Bridge / radio room for communication
computer
2) Assist attending technician with the installation
3) Ensure you receive system operation training
from attending technician
4) Ensure all systems are fully tested and work
correctly before technician disembarks
5) Maintain an inventory of IT hardware installed
on board, including software installed on the
computers
27
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
28
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
29
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
30
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
31
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
System handover
Note: This is part of the Master Handover
procedure whenever a change of
command takes place.
1) Outgoing Master provides a full list of accounts
and passwords to incoming Master:
a) Master, email, PAL, all user computers
b) Email system
c) PAL/PMS system
d) iCafe dashboard
e) Administration accounts on any equipment
2) Outgoing Master briefs incoming Master about
operation of IT systems:
a) PAL suite
b) Owner supplied PMS if different from PAL
c) Email
d) Computer equipment
e) Software
f) Network
g) Internet access
h) WiFi access
3) Record handover on form SMM 23
Complete
¢¢ d ¢¢
32
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
33
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
34
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
35
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
37
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
38
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Cyber threats
It must be understood that cyber risk and threats
can come from external as well as internal sources.
Cyberattacks can generally categorized into 2 types
– untargeted and targeted. Untargeted attacks treat
a company or a ship’s systems and data as one of
many potential targets. Whereas targeted attacks
aim at a company or a ship’s systems and data as
the intended target.
Untargeted attacks generally use tools and
techniques available in Internet. It may include:
Malware
Malicious software which is designed to access or
damage a computer without the knowledge of the
owner. There are various types of malware including
trojans, ransomware, spyware, viruses, and worms.
Ransomware encrypts data on systems until a
ransom has been paid. Malware may also exploit
known deficiencies and problems in
outdated/unpatched business software. The term
“exploit” usually refers to the use of a software or
code, which is designed to take advantage of and
manipulate a problem in another computer
software or hardware. This problem can, for
example, be a code bug, system vulnerability,
improper design, hardware malfunction and/or
error in protocol implementation. These
vulnerabilities may be exploited remotely or
triggered locally. Locally, a piece of malicious code
may often be executed by the user, sometimes via
39
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
links distributed in email attachments or through
malicious websites.
Phishing
Sending emails to a large number of potential
targets asking for particular pieces of sensitive or
confidential information. Such an email may also
request that a person visits a fake website using a
hyperlink included in the email.
Water holing
Establishing a fake website or compromising a
genuine website to exploit visitors.
Scanning
Attacking large portions of the internet at random.
Targeted attacks
Use of sophisticated tools and techniques
specifically created for targeting a company or ship.
It may include:
Social engineering
A non-technical technique used by potential cyber
attackers to manipulate insider individuals into
breaking security procedures, normally, but not
exclusively, through interaction via social media.
Brute force
An attack trying many passwords with the hope of
eventually guessing correctly. The attacker
systematically checks all possible passwords until
the correct one is found.
Denial of service (DoS)
40
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Prevents legitimate and authorised users from
accessing information, usually by flooding a network
with data. A distributed denial of service (DDoS)
attack takes control of multiple computers and/or
servers to implement a DoS attack.
Spear-phishing
Like phishing but the individuals are targeted with
personal emails, often containing malicious software
or links that automatically download malicious
software.
Subverting the supply chain
Attacking a company or ship by compromising
equipment, software or supporting services being
delivered to the company or ship.
41
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
43
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
44
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Email to Email to
45
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
46
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
47
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Phishing
A compromised computer may be used by a hacker
to send phishing email to company employees or
other related companies. Be alert when receiving
phishing emails since it may indicate that vessel or
office computer is breached.
Unfamiliar programs running in Task Manager
One of the ways to detect a security breach is to
open the Windows Task Manager and detect
suspicious processes that are running in the
background. These processes will often have cryptic
names. The programs usually utilize the CPU and
other resources more than any other program.
Many times, the computer performance gets very
sluggish even when user is not using any program.
Other signs of potential cyber breach or attack may
include:
• an unresponsive or slow to respond system
• unexpected password changes or
authorised users being locked out of a
system
• unexpected errors in programs, including
failure to run correctly or programs running
unexpectedly
• unexpected or sudden changes in available
disk space or memory
• emails being returned unexpectedly
48
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
49
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
50
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
52
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
IT system accountability
Ship staff:
• Are directly responsible and accountable for
any Company provided IT system and the
information stored within the equipment.
• Must report damage, loss or theft of any
Company-issued computers, laptops, mobile
devices or IT equipment immediately to the
Master who will inform the Company.
• Are responsible for the cost of replacement
if their negligence results in any theft, loss
or damage.
• Must not remove any Company supplied IT
equipment (including removable media)
from the ship without approval from the
Company or Master.
• Scheduled to leave a ship must return all
Company-issued IT equipment and
removable media before departure.
53
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
55
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
56
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Email Communication
Email network
Designate a communications computer and install
the ship communications software. Use this
computer solely for email communications. Do not
use it for any other activities. Ship staff are strictly
prohibited from installing, re-installing, or
uninstalling software on the communications
computer without prior approval from the
Company.
Company IT creates an administrator account for
the communication system and gives the credentials
to the Master. This administrator account connects
to the primary business mailbox of the ship. The
Master can decide to share this information with
designated staff. Company IT provides credentials
57
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
for additional business email accounts to the
required users.
All emails are automatically scanned for viruses,
malware spam at the email server level, before
delivery to the ship. Such service includes removing
of defined attachment files (e.g. , bat, ).
Email privacy
All emails and related contents (including personal
emails if any) created, received, traversed,
processed and maintained by the ship email system
are the Company’s property. The Company reserves
the right to monitor or review anything stored,
created, or received in the Company's email system
without prior notification.
Email best practice
Follow guidelines when using ship email system.
Print this table and keep it next to the
communication computer.
DO DO NOT
DO DO NOT
obscene, derogatory,
discriminatory, threatening,
harassing or otherwise
offensive.
Send emails only to those Send sensitive or confidential
required. information, unless it is
authorised by the Company to
do so.
Check the distribution list Commit the Company to a
carefully before you click Send. third party for example through
Is it the list you really purchase or sales contracts,
intended? job offers or price quotations,
unless the user is explicitly
authorized by Company to do
so
Distinguish between “To” and Send emails in ways that
“Cc” and use them could be interpreted as
purposefully. Use “To” for representing or making official
persons who need to act, use public statements on behalf of
“Cc” to persons for information the Company, unless it is
only. Avoid using “Bcc”. explicitly authorized by the
Company
Write in a factual style cannot Send an email that can be
be misinterpreted. E-mail is taken out of context or that
one-directional and the contains confidential, internal
recipient cannot "hear" your information. Email is easily
intonation. You cannot see his forwarded and copied, once it
or her facial expressions as leaves your account an email
they read your message. can take on a "life of its own."
Write in a concise way and to Send or exchange materials in
the point. violation of copyright laws.
Structure the email using short “Reply All” to messages as
paragraphs and separate ideas most people do not need to
with bullets. have a copy of every reply, to
every iteration of the same
message.
59
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
DO DO NOT
60
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
62
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
63
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
66
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Social engineering, phishing and security guidelines
Social engineering refers to psychological
manipulation of people into performing actions or
divulging confidential information. It is a kind of
confidence trick (con) to gather information, commit
fraud or access systems. It is different from a
traditional con in that it is often one of many steps
in a more complex fraud scheme.
Phishing is a common tool used for social
engineering. Phishing uses email or malicious
websites to solicit sensitive information by posing as
a trustworthy sender. For example, an attacker may
send an email that seems to come from a reputable
or trustworthy source, such as credit a card or
financial institution, a charity, or even from the
Company. It may request personal or bank account
information, often suggesting that there is a
problem.
67
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
68
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
69
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
70
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Physical security
Place critical IT equipment such as servers, firewall,
switches and communication equipment, in an area
with restricted physical access. This will reduce the
risk of unauthorised access by ship staff or visitors.
Put critical IT equipment in an enclosed cabinet (e.g.
rack- mount type), located in a room with a door
lock, if available.
Connect the following to suitable uninterrupted
power supply (UPS):
• PAL server
• Ship communication and email server
• Communication management device
(e.g.Shipsat,Infinity)
• Loading computer (only class approved
desktops)
The UPS protects equipment from intermittent
power fluctuation on board. The Company advises
the UPS specification.
Computers, especially critical IT equipment, must be
secured to reduce the risk of damage due to
vibration or ship rolling. Route power and network
cable through suitable conduits to prevent physical
damage or interference.
Make clear, identifiable markings on cabling and IT
equipment. This supports efficient tracing and
identification of equipment and cable connections
71
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
72
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Use of computers by third parties
Advise any visitors such as external contractors or
family members of the IT and cyber security
procedures and guidelines.
Strictly control use of ship's computers, IT systems
or other IT services. Only allow third parties to use
the IT systems in the presence of ship staff. If
visitors do not agree, do not allow them to use the
computer systems.
73
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Wi-Fi access
A Wi-Fi (wireless) network is available on some
ships, mostly for crew Internet access purpose. Wi-Fi
access points are installed at suitable locations (e.g.
near accommodation cabins). Wi-Fi is installed with
industry security and encryption standard e.g.
WPA2. The Master keeps the Wi-Fi access code and
provides it to ship staff only.
Ship staff can connect their personal devices to Wi-
Fi (wireless) network for crew Internet access. Ship
staff must use Wi Fi connection only in the areas
specified by the Master or the Company.
74
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
PAL System
The Company controls access to PAL based on rank.
Access is revised according to business needs.
A secure login account is created on the PAL server,
used by the PMSO or Company IT, for remote
support and maintenance of the ship PAL system.
The ship PAL server is protected with Raid 1
mirrored hard disk to reduce risk of system
disruption due to hard disk failure.
The Company sets up automatic daily back-ups of
the ship PAL database and related system files. The
back-up copy is stored on the local PAL server as
well as on an external storage. A copy of PAL
program and update releases is included in the
back-up.
Shipboard PAL back-up is depicted in the below
figures.
75
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
76
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
77
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
78
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Bridge Systems
The increasing use of digital, network navigation
systems, with interfaces to shoreside networks for
update and provision of services, make such systems
vulnerable to cyber-attacks. Bridge systems that are
not connected to other networks may be vulnerable
as well, since removable media are often used to
update such systems from other controlled or
uncontrolled networks
ECDIS
80
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
81
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
82
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Propulsion and machinery management and power
control systems
The use of digital systems to monitor and control
onboard machinery, propulsion and steering
equipment make such systems vulnerable to cyber-
attacks. The vulnerability of these systems can
increase when they are used in conjunction with
remote condition-based monitoring and / or are
integrated with navigation and communications
equipment on ships using integrated bridge systems.
Propulsion and machinery management and power
control systems form a separate independent
network not connected to the IT network nor the
internet. Therefore, the main vulnerabilities come
from use of USB stick. System updates done by USB
Sticks which can lead to accidental or intentional
infection with malware or virus. A virus or malware
which is not affecting the protected IT System can
harm the not protected computer when transferred
unintentionally by an USB stick. A thorough
management and control of the used USB stick is
highly important to reduce the risk of infection.
83
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
OT interconnected network
84
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Complete
¢¢ d ¢¢
85
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
IT Systems
86
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
87
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
89
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Data plans
The Company supplies the ship with a data plan for
satellite communication e.g. Inmarsat FBB, VSAT.
The plan defines a monthly data allowance (e.g.
250MB, 4GB, 8GB, unlimited) for the ship.
The Master will receive an email alert from the
communication service provider if the ship is close
to or exceeding the monthly allowance.
90
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
PC supply
The Company will prepare the shipboard computers
before on-board installation as follows:
• Install the required Company approved and
licensed software
• Make necessary configuration and setup
• Ensure the configuration / setup details and
password information of the computer is
secure
• Send relevant setup and password
information of the computer to the Master
• Inform relevant service vendor (e.g.
communication vendor) about hardware,
software and configuration details if
required
91
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
Crew Internet access
On some ships, the Company provides crew
personal Internet access through the ship network
(usually WIfi) depending on the ship’s budget and
Owner’s requirements. This access must not
interfere with the work of the ship staff or the
Company’s ability to perform and meet its business
and operation obligations.
Access can be chargeable or free-to-use, depending
on owner requirement.
92
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
94
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved
Shipboard Cyber Security and BSM
95
Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved