A Changing World for Maritime Cyber Security: Why Vessel Penetration Testing is a Vital Practice

Maritime cybersecurity is finally getting the attention that it deserves – and we couldn’t be happier. As members of the industry face the challenges of operating in a digital world, we begin to see the rise of different guidelines and recommendations for how to protect your on-board data. Here at Epsco-Ra, we are all for increased security measures and new industry standards, but it can be difficult for ship managers and owners to navigate the new rules of operating in a digital landscape. 


What Are The Rules?

Certain recommendations, such as those from the IMO or the formal standards set forth in ISO 27001, provide a framework for how to improve onboard security, but not all ship managers have chosen to comply. This has led to a broad spectrum of vessel security, ranging from ISO 27001 compliance to a more laissez-faire attitude where managers simply hope for the best and pay for the consequences of a poorly secured system should they fall victim to an attack. With such a wide range of security practices and no official standard to adhere to, the maritime industry is faced with the question of how to measure the effectiveness of these control systems. What is considered “good” security? How do you know what steps are necessary for improvement?

How is ‘Good Security’ Established?

The best way to establish a security baseline and develop a plan for improvement is through a penetration test. In a traditional IT environment, the process is well established and easily translated across industries. A traditional penetration test comprises reconnaissance, social engineering (phishing), employee impersonation, and on-site attempts at subverting access control. Though comprehensive, such tests are time- and resource-intensive, and are therefore not practical for the maritime industry.

So what is the maritime industry supposed to do? There is an obvious need for a penetration-test-type service, but the traditional penetration test is simply impractical for vessel or even fleet applications.

Introducing a Revolutionary Method of Vessel Penetration Testing

Working with Ra Security Systems, we designed a remote penetration test system with the maritime industry in mind. Named the RASP™, this Remote Attack Simulation PenTest compares your security controls with a standard that we developed, based on the basic set of controls that are found on virtually every modern vessel. This standard includes a firewall, anti-virus/endpoint software, endpoint configuration, and known vulnerabilities on networked devices. An example of an optimal configuration would include an outbound rule policy on the firewall, an inline anti-virus covering clear-text and encrypted protocols, up-to-date anti-virus software, a ‘hardened’ endpoint configuration, and an internal network with no critical or immediately exploitable vulnerabilities. This represents the maximum protection value for a set of controls and means that you are getting the most value (and protection) for your money.

Addressing Deficiencies

Unfortunately, many RASP™ tests do not come back with a maximum protection value, meaning that a great many vessels are not optimally protected from a cyber-incident. When this happens, the protection value is lower and there is greater improvement potential between the vessel’s current security posture and the optimal posture needed to remain protected from attack. Closing this gap is the best way to ensure that you are getting the best value for your money when it comes to cybersecurity measures.

Understanding Your Results

Nothing is worse than facing a confusing report with numbers and jargon that you simply don’t understand, and we kept that in mind when designing the report format for the RASP™. Because the RASP™ is designed to provide an ongoing set of checks and balances for vessel cybersecurity, we knew that its report needed to offer a quantifiable score that would accurately reflect changes in the vessel’s security posture. We opted for a 0 (poor) – 100 (optimal) weighted scoring system that provides an aggregate score of the five control areas tested. This gives ship managers a clear picture of where vulnerabilities lie within each control area, as well as how vulnerable their system is overall. With this information, ship managers and owners can allocate resources to the areas most vulnerable to compromise, ensuring that they receive the best protective benefit for their investment.

Who Should Get Tested? 

While we would love to recommend that you test every vessel in your fleet on an annual basis, we recognize that this is not practical for most ship owners. The next best option is to test multiple samples of every configuration within your fleet, which will provide a mostly complete picture of the protective benefit of each configuration. If that is not feasible, we suggest you test random samples of your fleet to get a representative view of the protective benefit of your systems. It is recommended that you conduct a RASP™ annually, so this is a good opportunity to rotate which vessels are tested within each configuration.

Are You Ready to RASP™?

The RASP™ is the ultimate standard in remote vessel penetration testing because it is non-intrusive, cost-effective, and can be completed in as little as one business day. This means that regardless of whether the vessel is at port or at sea, you can have access to vital information about your security posture in a matter of days – not weeks or months like a traditional vessel penetration test.