
Shipboard Cyber Security and BSM

Table of Contents
Cyber response procedures
IT and security event reporting
OT and critical system cyber event reporting
Reporting PAL and IT hardware problems
Virus, malware or ransomware infection on PC
Email failure
Satellite communication failure
OT and critical system failure
Cyber security procedures
Risk assessment - IT systems
Risk assessment - OT systems
Access Control to Company Computers
USB and RJ45 access control procedure
Anti-virus protection
Connecting external media to ship computer
Software and Patch Management
System Back-up
Hardware Management
Visitor Dedicated Computer
Loading and stability computers
ECDIS virus precaution
System Handover
Other Computer systems
Cyber Security Drill
Shipboard cyber security - introduction
Cyber Security Policy
Cyber threats
Cyber risk assessment and management
Cyber security responsibilities and key contacts
Cyber Breach symptoms
Cyber Security Measures and User Guidelines
Acceptable use of systems and confidentiality
IT system accountability
Anti-virus security crew responsibilities
Password security crew responsibilities
Email communication
Network and Internet Security
Responsible use of Internet and social media
Social engineering, phishing and security guidelines
Use of personal device
Physical security
Use of computers by third parties
WiFi access
PAL system security
OT systems protection measures
Bridge Systems
Cargo management systems
Propulsion and machinery management and power control
OT interconnected network
IT systems
Hardware and software
Data plans
PC supply
Crew internet access
Ship leaving management

Doc No:235/ Rev No:38/Effective Date:22-01-2021/ Approved by Director LPSQ
BSM © all rights reserved

Cyber response procedures


IT and security event reporting
Caution: Report cyber security events, actual or
suspected, to the Company immediately.

1) Cyber security events include:


a) Software malfunction
b) Hardware malfunction
c) Email / Communication failure
d) Phishing attacks
e) Virus attacks
f) Data breaches
g) Security breaches
2) Report the following to company IT and the TSI:
a) System issues
b) Security events
3) For IT and security issues, use the email address:
zoho-cvs@bs-shipmanagement.com
Note: Call the office by phone for urgent cases.

4) For PAL system support, refer to the Reporting PAL
problem procedure
5) Provide as much information and details as
possible
6) Include screen shots if possible

7) Follow the guidance from IT support


Note: For ship communication issues the Master
may contact the communication vendor
directly. Include Company IT and the TSI in
the email communication.

Caution: Do not disclose security events to
external parties or other parties unless it is
authorised by the Company. Do not attempt to
test or prove any suspected security weakness
unless it is authorised by the Company IT.

Complete

OT and critical system cyber event reporting
Caution: Report cyber security events, actual or
suspected, to the Company immediately.

Note: This applies to cyber events related to
shipboard OT or critical systems. Refer to
the Shipboard Cyber Security Introduction
section and OT (operational technology)
definition.
1) Cyber security events include:
a) Unauthorised access to network
infrastructure
b) Unauthorised or inappropriate use of
administrator privileges
c) Suspicious network activity
d) Unauthorised access to critical systems
e) Unauthorised use of removable media
f) Unauthorised connection of personal
devices
g) Failure to comply with software
maintenance procedures
h) Failure to apply malware and network
protection updates
i) Loss or disruption to the availability of
critical systems

j) Loss or disruption to the availability of data
required by critical systems
2) Report to the Technical / Marine superintendent
and IT

Caution: Do not disclose security events to
external parties or other parties unless it is
authorised by the Company. Do not attempt to
test or prove any suspected security weakness
unless it is authorised by the Company.

Complete

Reporting PAL and IT hardware problems
Note: PAL uses the Zoho ticketing system to
manage all problems raised onboard and
in the office.
1) Report IT hardware and access issues to
zoho-cvs@bs-shipmanagement.com:
a) Include a full description of the problem
b) Add any screenshots or photographs to
support the description
c) Reply to any related emails with the Zoho
ticket ID in the email subject
d) Get a notification that the ticket has been
closed
2) Report PAL software issues using the Contact
Support button (pink headset icon) in PAL:
Note: Send any PAL improvement suggestions to
your local office.
a) Describe the issue in the text box:
- What function is not working?
- What is it stopping you from doing?
- Have you seen the same problem in the
past or somewhere else?
- Are you getting an error message?
- What does the error message say?

b) Use the ‘Include screenshot’ function to
highlight an area on the page
c) Review your PAL Support content
d) Click submit
e) Get a notification that the ticket is
submitted
f) Reply to any related emails with the Zoho
ticket ID in the email subject
Note: This way all communications are
connected to the ticket.

Caution: Do not reply to the notification that the
ticket has been closed as this will reopen the
ticket.

g) Get a notification that the ticket has been
closed
Complete

Virus, malware or ransomware infection on PC
Note: This applies when detecting or suspecting
virus, malware or ransomware infection of
a PC.
1) Disconnect computer from network
2) Report to Company IT and Technical
superintendent
3) Run malware removal software under
instruction from Company IT
4) Run a full malware scan on all computers on
board
5) Report result to Company IT
6) Follow instructions from Company IT
Complete

Email failure
Note: This applies when email communication
totally fails due to any reason.
1) Report by phone or Sat C to:
a) Email provider
b) Company IT
c) Technical Superintendent
2) Use Inmarsat C as an alternative system for text
communication
3) Use phone for urgent communication
4) Follow instructions from email provider or
Company IT
Complete

Satellite communication failure


Note: This applies when satellite communication
breaks down in either data or voice
network.
1) Report to:
a) Communication provider
b) Company IT
c) Technical / Marine Superintendent
2) Use alternative communication network
accessible on board
a) FBB or Iridium backup for VSAT
Note: Seek communication vendor assistance if
automatic failover does not happen.
b) GSM / LTE or Wifi terrestrial network in near
shore voyage
3) Restore services by following the instructions
from the communication provider
Complete

OT and critical system failure


Note: Refer to the Shipboard Cyber Security
Introduction section and OT (operational
technology) definition.

Note: If a cyber incident results in the loss or
malfunctioning of OT systems, it will be
essential that effective actions are taken
to ensure the immediate safety of the
crew and ship and the protection of the marine
environment. Response to an OT system
failure due to a cyber issue is no different
from that due to a technical breakdown.

Caution: Contingency plans for loss or
malfunction of critical systems due to cyber
incidents must be treated the same as for any other
reason. These, including suitable use of backup
systems or alternative modes of operation, are
addressed by appropriate operational and
emergency procedures included in the safety
management system.

1) Refer to the operating or emergency response
procedure of the respective system
Complete

Cyber security procedures


Risk assessment - IT systems
Note: This assessment applies to the following
shipboard systems:
– IT, administrative and crew welfare systems
– Communication systems

1) Perform assessment in LPSQ PAL RAM, with main steps:
a) Identify the systems, assets or areas for
assessment
b) Identify the hazard related to cyber security
Note: For cyber security, hazard refers to a
combination of cyber threat and
vulnerability with the potential to lead to an
adverse event and its resulting harm
c) Identify the hazard type or area
d) Identify the consequence if the hazard
occurs
e) Estimate the initial severity rating for each
hazard
f) Estimate the initial likelihood of occurrence
of adverse event
g) Assign initial risk rating by multiplying
severity and likelihood

h) Identify protection controls or mitigating
measures to reduce risk
Note: Protection controls or measures can be
managerial, procedural or technical. A
combination of controls or measures can
be applied for protection
i) Estimate the new likelihood of occurrence
after applying protection controls and
measures
j) Assign residual risk rating by multiplying
initial severity and new likelihood
k) Complete assessment with review by office
l) Review the RA at least once every year with
assistance from office
Complete

Risk assessment - OT systems


Note: This assessment applies to the following
shipboard systems:
• Bridge systems
• Cargo handling and management systems
• Propulsion and machinery management and power control systems
• Access control systems
• Passenger servicing and management systems
• Passenger facing public networks

Note: Refer to and complete the Shipboard OT cyber
security checklist (Form IT03) for systems
identification and initial risk screening and
assessment
1) Identify systems for each of the above main
systems
2) Identify and list sub systems, equipment or
components – maker and type, model etc
3) Identify if there is connection to:
a) Internet
b) IT network
c) Wi-fi network
d) Remote access from shore

e) USB ports
4) Complete checklist and send back to office
Note: Technical superintendent verifies OT
checklist reply, identifies OT systems with
higher risk, and evaluates, assesses and determines
mitigation measures with assistance of
SMC IT. Update OT checklist. TSI confirms
checklist and informs vessel
5) Perform assessment of OT systems in PAL LPSQ,
attach updated OT checklist as reference
6) Complete assessment with review by office
7) Review the RA at least once every year with
assistance from office
Complete

Access control to ship computers
Caution: The Master is responsible for the
safekeeping and management of the accounts
and credential lists. Masters must not disclose
the information to any unauthorised persons, be
it crew or external parties.

1) Access for the on-board Administrator:

Warning!

The Master is the main on-board administrator
and must not share the administrator
credentials with anybody else. Never log in as
an administrator unless requested by the
Company. The Company only provides the
credentials to the Master if required.

a) Master:
- Receives administrator level account
details from Company IT
- Logs in with the password
- Applies the necessary changes as
instructed by Company IT
- Logs out
- Logs in again with the normal
credentials
- Keeps administration credentials in the
Master’s safe
2) Access for ship staff:
Note: Log out of the computer when not in use

a) Master:
- Receive account list with credentials
from Company IT
- Provide credentials to sea staff as
applicable
- Brief users on password security and
confidentiality
3) Access for visitors and non-BSM staff:
Caution: Do not allow visitors to use any of the
ship computers or IT systems without permission
from the Master. The Master confirms with the
Technical Superintendent that the attending IT
engineer is legitimate.

a) Accompany any engineer when IT, network
or communication installation or service
work is performed on ship
Note: When printing reports for 3rd parties from
USB devices, use a designated visitor
computer that is not connected to the ship
network, if such is approved by owner and
available onboard
b) Accompany any visitor when using the ship’s
PC for business related purposes

c) Follow the Connecting External Media to Ship
Computer procedure for connecting any
media to the computer
Note: Family members and passengers can use
the purchased internet access PIN for
personal communication
Complete

USB and RJ45 access control


Note: Company supplies locks to block access to
unused USB or RJ45 ports on shipboard
PCs or equipment. Master keeps the lock
key
1) Install lock on unused USB or RJ45 ports
2) Unlock port temporarily when there is need for
business use
Complete

Anti-virus protection
Note: The Company provides anti-virus software.
Only use the software supplied by the
Company. Anti-virus updates (e.g. Port-IT)
are sent weekly by email. Some VSAT
ships receive updates over the internet
(e.g. AMP). Ships with limited internet
access receive the updates via a DVD.

Warning!

Do not uninstall, turn off or disable the anti-virus
software.

1) Ensure the software is:
a) Always running and continuously scanning
the computer
b) Auto-scanning external device or media (e.g.
USB) when inserted
2) Master checks weekly that anti-virus updates
are up-to-date:
a) Ships with “Port-IT” check via the dashboard
b) Ships without “Port-IT” check on individual
computers
Caution: The Master must advise Company IT
immediately if a computer is unprotected or
does not get the latest anti-virus updates.

3) Manually install anti-virus update on computers
that are not connected to the network
Complete

Connecting external media to ship computer
Caution: Do not connect any personal or
non-business related removable media to the ship’s
computers. This includes smartphones and
tablets. Do not charge USB devices on any ship
computer.

1) Verify the antivirus software is running
2) Check that antivirus is up to date
3) Disconnect the network cable from the
computer used for reading the external media
4) Insert the external media in the computer
5) Scan the external media for viruses
6) Verify that media is virus-free
7) Reconnect the network cable
Note: Once the external media is confirmed
virus-free it can be connected to other
ship computers without following the
above procedure.
Complete

Software and patch management


Warning!

Only install Company authorised software and
patches on Company computer systems. Never
install and use any software without Company
approval.

Note: The Company provides all necessary
software and patches to ships. These can
be installed remotely by the Company or
locally by the Master.
1) Remote installation of software and patches by
the Company or authorised vendor:
a) Company IT or the vendor will provide
guidance on the installation
b) Provide access to the system
c) Assist IT or vendor as necessary
Note: For computers installed with Desktop
Central, software (e.g. Windows, Office)
updates and patches will be deployed
regularly from the office; no crew assistance is
needed
2) Local installation of software and patches:
a) Read and understand all instructions before
installation
b) Install the software or patch as instructed

c) Verify and test the installation


d) Confirm installation to the office
3) Check quarterly that all installed software is
operational:
a) Advise the Company of any problems
Complete

System back-up
Caution: Master keeps recovery CD / DVD in
their office.

1) Back up the following at least weekly onto DVD,
external or network hard drive:
a) Email database files
b) Ship generated files (such as Word, Excel,
PDF and pictures)
c) Any other files considered important
2) Individual PC backup:
a) Master and Chief Engineer arrange back-ups
as per Company IT advice
b) Keep back-up in a secure place
3) Network central backup:
a) Ensure the daily automatic back-up to a
central network storage is active
Note: Company IT provides remote support and
advice on restoring files from back-up and
computer system recovery. A ship can use
Inmarsat C texting as a back-up
communication system in case of email
system failure.
Complete

Hardware management
Note: BSM supplies all computer systems to
ships. This includes hardware and all
necessary software.
1) Discuss computer hardware installation with
office:
a) Consider necessary resources:
- Crew
- Time
- Additional material such as cabling
- Port stay duration
b) Agree on locations for:
- Captain’s office
- Chief Engineer’s office
- Ship / Cargo office
- Engine Control Room
- Bridge / radio room for communication
computer
2) Assist attending technician with the installation
3) Ensure you receive system operation training
from attending technician
4) Ensure all systems are fully tested and work
correctly before technician disembarks
5) Maintain an inventory of IT hardware installed
on board, including software installed on the
computers
Note: The Company provides a software tool for
efficient gathering of computer equipment
details and inventory information.
6) Send a quarterly inventory update to Company
IT
Note: Inventory will be sent automatically to the
office from ship PCs installed with Desktop
Central.
Complete

Visitor Dedicated Computer


Note: This applies only to ships where the Owner
agrees to supply a computer dedicated for
visitor use. This helps to reduce the cyber
risk created by external visitors accessing
shipboard computers. Visitor refers to
inspector, agent, supplier etc.

Caution: Do not use this computer for operation
or any other purpose. This is reserved for visitor
use only.

1) Install the supplied computer in a suitable
location e.g. ship office
2) Keep it standalone and do not connect to ship
network
3) Connect to the supplied dedicated printer
4) Restrict visitor to use this computer only
Caution: Prohibit visitor from accessing or using
other shipboard computers unless approved by
the Company or Master

5) Restart the computer once all visitors leave ship
Note: The computer returns to original clean
state after re-starting; all user files are
deleted
Complete

Loading and stability computers


Caution: Install loading and stability software on
dedicated computers. Do not use these
computers for any other purpose. Only connect
them to the gauging system.

1) Run the program once per month through a
standard condition in the ship’s Trim and
Stability Booklet / Hydrostatic Curves table
2) Verify that the computer output matches the
standard conditions
3) Report any deviations to the Marine
Superintendent
Complete

ECDIS virus precaution


1) Refer to the ECDIS Manual Appendix – Precautions
against virus
Complete

System handover
Note: This is part of the Master Handover
procedure whenever a change of
command takes place.
1) Outgoing Master provides a full list of accounts
and passwords to incoming Master:
a) Master, email, PAL, all user computers
b) Email system
c) PAL/PMS system
d) iCafe dashboard
e) Administration accounts on any equipment
2) Outgoing Master briefs incoming Master about
operation of IT systems:
a) PAL suite
b) Owner supplied PMS if different from PAL
c) Email
d) Computer equipment
e) Software
f) Network
g) Internet access
h) WiFi access
3) Record handover on form SMM 23
Complete

Other computer systems


1) Use the above procedures to safeguard any
other computer systems on board, such as:
a) ECDIS
b) GMDSS
c) AIS
d) VDR
e) Automation
f) Positioning systems
g) Cargo management systems
Complete

Cyber Security Drill


Note: Conduct table-top cyber security drill
involving ship and SMC office.
Complete

Shipboard cyber security - Introduction


Ships are increasingly using systems that rely on
digitization, integration, and automation. While
these technologies and systems provide significant
efficiency gains for ship operation, they also present
cyber risk, especially when these onboard systems
are networked together, and more frequently
connected to the internet.
This brings the greater risk of unauthorised access or
malicious attacks to ships’ systems and networks.
Risks may also occur from personnel accessing
systems on board, for example by introducing
malware via removable media. These risks may
result from vulnerabilities arising from inadequate
operation, integration, maintenance and design of
cyber-related systems, as well as lapses in cyber
discipline, and from intentional or unintentional
cyber threats.
The safety, environmental, operational and
commercial consequences of not being prepared for
a cyber incident can be significant. Therefore, cyber
security must be taken seriously by all sea staff.
Vulnerable systems on ships can include, but are not
limited to:
• Bridge systems
• Cargo handling and management systems
• Propulsion and machinery management and
power control systems

• Access control systems


• Passenger servicing and management
systems
• Passenger facing public networks
• IT, administrative and crew welfare systems
• Communication systems
IT and OT
Both information technology (IT) and operational
technology (OT) systems are used onboard ships.
Information technology systems focus on the use of
data as information. Operational technology
systems focus on the use of data to control or
monitor physical processes. IT systems manage data
and OT systems control the physical world. IT covers
the spectrum of technologies for information
processing, including software, hardware and
communication technologies. OT is hardware and
software that directly monitors/controls physical
devices and processes.
Examples of IT systems used onboard include email
system, file server, communication systems, internet
access, PCs, shipboard networks (fixed or Wifi) and
equipment, PAL. OT systems include, but are not limited
to, ECDIS, GPS, AIS, loading computer, cargo control
or engine control computer.
Both IT and OT are subject to cyber risk and must be
suitably protected.
Traditionally OT and IT have been separated, but
with the internet, OT and IT are coming closer as
historically stand-alone systems are becoming
integrated. Disruption of the operation of OT
systems can pose significant risk to the safety of
onboard personnel and cargo, cause damage to the marine
environment, and impede the ship’s operation.

Cyber Security Policy


The purpose of cyber security is to protect
information and systems of the Company from all
cyber threats, internal or external, deliberate or
unintentional, for supporting business operation,
mitigating business risk, and maximising return on
investments and business opportunities.
The Company develops and implements appropriate
cyber security management systems and controls
including policies, procedures, organisation,
manpower, software and hardware systems, with
the aim to ensure confidentiality and integrity of
information, to maintain availability of information
and systems of the business, and to support safe
and secure shipboard operations.
The Company implements cyber security and risk
management systems in line with and
complementary to the Company’s established Safety
Management System and Security Management
System.
For details refer to the IT and Cyber Security Policy in
the ISO/ISM Manual in QDMS.

Cyber threats
It must be understood that cyber risk and threats
can come from external as well as internal sources.
Cyberattacks can generally be categorized into 2 types
– untargeted and targeted. Untargeted attacks treat
a company or a ship’s systems and data as one of
many potential targets, whereas targeted attacks
aim at a company or a ship’s systems and data as
the intended target.
Untargeted attacks generally use tools and
techniques available on the Internet. They may include:
Malware
Malicious software which is designed to access or
damage a computer without the knowledge of the
owner. There are various types of malware including
trojans, ransomware, spyware, viruses, and worms.
Ransomware encrypts data on systems until a
ransom has been paid. Malware may also exploit
known deficiencies and problems in
outdated/unpatched business software. The term
“exploit” usually refers to the use of a software or
code, which is designed to take advantage of and
manipulate a problem in another computer
software or hardware. This problem can, for
example, be a code bug, system vulnerability,
improper design, hardware malfunction and/or
error in protocol implementation. These
vulnerabilities may be exploited remotely or
triggered locally. Locally, a piece of malicious code
may often be executed by the user, sometimes via
links distributed in email attachments or through
malicious websites.
Phishing
Sending emails to a large number of potential
targets asking for particular pieces of sensitive or
confidential information. Such an email may also
request that a person visits a fake website using a
hyperlink included in the email.
Water holing
Establishing a fake website or compromising a
genuine website to exploit visitors.
Scanning
Attacking large portions of the internet at random.
Targeted attacks
Targeted attacks use sophisticated tools and techniques
specifically created for targeting a company or ship.
They may include:
Social engineering
A non-technical technique used by potential cyber
attackers to manipulate insider individuals into
breaking security procedures, normally, but not
exclusively, through interaction via social media.
Brute force
An attack trying many passwords with the hope of
eventually guessing correctly. The attacker
systematically checks all possible passwords until
the correct one is found.
Denial of service (DoS)
Prevents legitimate and authorised users from
accessing information, usually by flooding a network
with data. A distributed denial of service (DDoS)
attack takes control of multiple computers and/or
servers to implement a DoS attack.
Spear-phishing
Like phishing but the individuals are targeted with
personal emails, often containing malicious software
or links that automatically download malicious
software.
Subverting the supply chain
Attacking a company or ship by compromising
equipment, software or supporting services being
delivered to the company or ship.

Cyber risk assessment and management


The Company follows a risk management approach
for the implementation of cybersecurity on board.
Assist the Company with the creation of the
cybersecurity risk assessment tailored to the ship.
Review this risk assessment every twelve months at
a minimum or update with any main changes as
they occur. Perform assessment with the assistance
of Company IT and Technical superintendent
whenever suitable.
Follow the same risk assessment procedure
contained in Safety Management Manual in
identifying vulnerable systems, cyber threats
(hazards), consequences, likelihood and mitigation
measures.
Shipboard IT systems

Refer to the Risk assessment - IT systems procedure for the
following shipboard systems:
• IT, administrative and crew welfare systems
• Communication systems
Shipboard OT systems

Refer to the Risk assessment - OT systems procedure for the
following shipboard systems:
• Bridge systems
• Cargo handling and management systems
• Propulsion and machinery management and
power control systems;
• Access control systems
• Passenger servicing and management
systems
• Passenger facing public networks
Based on information received from vessels on
system identification and initial risk screening, Office
IT and superintendents perform further assessment
as appropriate. Traditionally many shipboard OT
systems are air-gapped, closed, separate and not
connected to other networks. For such systems the cyber risk is low.
Further investigation and assessment is needed for
OT systems with connection to:
• Internet
• IT or business network
• Wi-fi network
• Remote access from shore by the vendor or
Company
• USB access
Office IT and superintendent take steps to:
• Identify and review the needs of connection
and interface between different systems
and networks
• Map data flows between systems and networks,
both onboard and ashore
• Identify vulnerabilities
• Assess risk
• Evaluate and determine suitable risk
treatment and protection measures
Refer to the OT Protection Measures section for cyber
security protection of shipboard OT systems.


Cyber security responsibilities and key contacts


It is everyone’s responsibility to help safeguard
cyber security on vessel to ensure safe, secure and
efficient operation.
• On vessel ship staff must follow the security
and response procedures, measures and
guidelines contained in this manual
• On vessel Master is responsible for
- Compliance with shipboard cyber
security measures
- Awareness of cyber security
measures
- Reporting cyber security incidents
• At shore SMC IT is responsible for providing
necessary support and advice to vessels for
IT and communication related cyber security
issues
• At shore SMC Technical or Marine
Superintendent is responsible for providing
necessary support and advice to vessels for
OT related cyber security issues, depending
on the affected systems. SMC IT provides
necessary assistance and advice
For any suspected or identified cyber issue or attack,
contact:

IT related systems
Email to:
• SMC Technical Superintendent
• SMC IT
• Zoho-cvs@bs-shipmanagement.com
Call IT superintendent for urgent matters.

OT related systems
Email to:
• SMC Technical Superintendent and Marine Superintendent
• SMC IT
Call Technical superintendent for urgent matters.

Caution: In case of imminent danger for the
safety and security of the vessel contact the
office Emergency Numbers.


Cyber breach symptoms


Cyberattacks seldom come with an alert or an alarm,
and by the time one is noticed the damage is done. However,
cyber threats can be contained if their symptoms
are detected early. Below are some common
signs or symptoms of a possible cyberattack. Stay
alert to these symptoms and inform the office if
there is any doubt.
Unexpected Popups
The computer is compromised when windows
pop up on their own, without the user clicking
anything on the screen. This indicates that the
computer may be part of a botnet and a
remotely-based cybercriminal is clicking internet
links on the computer to open other sites. A
compromised computer is also known to
crash suddenly.
Mysterious Computer Behaviour
Strange behaviour of the computer system must be
taken as a red flag and a sign of trouble. Changed
passwords, unsolicited software installs, automatic
mouse movements and tampered security settings
are all signs that computer security has been
compromised. The security breach can be because
of a hack or a virus attack. There will be times when
the computer seems to be controlling itself without
user inputs. Sometimes, an unfamiliar toolbar may
indicate an unauthorized program installation.


Phishing
A compromised computer may be used by a hacker
to send phishing email to company employees or
other related companies. Be alert when receiving
phishing emails since they may indicate that a vessel or
office computer is breached.
Unfamiliar programs running in Task Manager
One of the ways to detect a security breach is to
open the Windows Task Manager and detect
suspicious processes that are running in the
background. These processes will often have cryptic
names. The programs usually utilize the CPU and
other resources more than any other program.
Many times, the computer performance gets very
sluggish even when the user is not using any program.
Other signs of potential cyber breach or attack may
include:
• an unresponsive or slow to respond system
• unexpected password changes or
authorised users being locked out of a
system
• unexpected errors in programs, including
failure to run correctly or programs running
unexpectedly
• unexpected or sudden changes in available
disk space or memory
• emails being returned unexpectedly
• unexpected network connectivity difficulties
• frequent system crashes
• abnormal hard drive or processor activity
• unexpected changes to browser, software
or user settings, including permissions
Inform office if there is any suspicious software,
hardware or system behaviour.


Cyber Security Measures and User Guidelines
Acceptable use of systems and confidentiality
The IT equipment and information system installed
on the ship belong to the Company. Use IT systems
for business purposes only.
Ship staff must not:
• Use Company supplied equipment or
systems for personal use, except those
specified for recreational purpose.
• Use Company supplied equipment for
storing private data (e.g. documents, videos,
photos).
• Install any hardware or software without
prior approval by the Company.
• Make or attempt to change the setup or
configuration of the computer, hardware
and software.
• Change or disable software setup including
web browser, anti-virus protection, network
configuration.
• Disconnect or connect any equipment in the
network, or alter network connection
without approval from the Company.
• Connect a computer directly to satellite
communication equipment (e.g. FBB)
bypassing the network firewall, without
explicit authorisation from the Company.
• Copy or transfer ship files or data to a
private or non-Company supplied computer
or storage device.
- Get approval from the Master with
advice to the Company for any
exceptions.
- Delete all ship data and information
from the non-Company computers or
storage devices upon the conclusion of
the work.
• Connect personal IT equipment to the ship
business network, wired or Wi-Fi (wireless).
• Use personal IT equipment to access or
store ship systems, data and information.
The Company provides ship staff access to ship
information or systems based on the crew rank.
Warning! Ship staff must not attempt to access any
confidential or password protected files or
folders without permission from the Master or
the office.

An authentication method is used to provide the
crew with access to ship systems. This is usually a
combination of user ID and password (credentials).
Company IT creates and provides a password with
suitable complexity for better security protection.
Information and data (including files, documents,
databases, emails, photos, audios or videos)
created, sent, received, and stored on the Company
supplied equipment or systems remain the
property of the Company.

Caution: Ship staff have no expectation of
privacy while using any Company supplied
equipment or systems. The Company has access
to all data.

The Company does not provide support service to
ship staff's personal IT equipment.


IT system accountability
Ship staff:
• Are directly responsible and accountable for
any Company provided IT system and the
information stored within the equipment.
• Must report damage, loss or theft of any
Company-issued computers, laptops, mobile
devices or IT equipment immediately to the
Master who will inform the Company.
• Are responsible for the cost of replacement
if their negligence results in any theft, loss
or damage.
• Must not remove any Company supplied IT
equipment (including removable media)
from the ship without approval from the
Company or Master.
• Scheduled to leave a ship must return all
Company-issued IT equipment and
removable media before departure.


Anti-virus security crew responsibilities


A virus is any malware programme that can spread
into computer systems, network or data and cause
damage or disruption. Some anti-virus software is
configured to regularly report the anti-virus update
status to a shore-based system.
Follow best practice guidelines for anti-virus
protection:
• Be alert when receiving emails with
suspicious titles or sender address.
• If it is suspected that an email from a known
source has a virus, inform the sender and
verify the person has sent the email.
• Delete all virus-infected emails immediately,
and empty "trash bin" or "deleted items"
folder.
• Be aware that viruses can generate emails,
which look very authentic, such as including
the office email domain name as the sender.
• Do not open, click or download links or
attachments contained in emails from
unknown, suspicious or untrustworthy
sources. Delete these attachments
immediately and empty the trash bin
(deleted items folder).
• Do not forward spam emails, chain letters,
mass-mail, virus hoaxes, charity requests,
virus or malicious code or other junk email.
• Install the latest virus update and scan the
computer before connecting any computer
to the network.
• Install anti-virus software and the latest
update then scan the computer before use.


Password security crew responsibilities


Follow best practice guidelines for password
security:
• Keep password confidential
• Do not disclose to anyone except with the
permission of the Company or Master
• Only keep a paper record of the password if
the paper can be stored securely
• Select a quality password (if password
change is required) with minimum length of
8 and a combination of at least 3 types
(characters, numerals, symbols, upper or
lower case characters)
• Do not use simple passwords (e.g.
"password") or anything someone can easily
guess
• Do not use the same business account and
password for non-business purposes
• Inform Company IT if there is any indication
or suspicion of password compromise
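The password rule above can be checked mechanically. The following is an added example, not Company software: it assumes the four character types are upper case, lower case, numerals and symbols, and it uses a small constructed deny-list to show that a password can satisfy the length and type rule and still be a simple, easily guessed word.

```python
import string

MIN_LENGTH = 8   # guideline: minimum length of 8
MIN_TYPES = 3    # guideline: combination of at least 3 types

# Constructed sample deny-list (assumption); a real one would be far larger.
SIMPLE_WORDS = {"password", "welcome", "qwerty", "admin", "master"}

# Common look-alike substitutions, undone before the deny-list comparison.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def character_types(password):
    """Return the set of character types present in the password."""
    types = set()
    for ch in password:
        if ch.isupper():
            types.add("upper")
        elif ch.islower():
            types.add("lower")
        elif ch.isdigit():
            types.add("numeral")
        elif ch in string.punctuation:
            types.add("symbol")
    return types


def base_word(password):
    """Lower-case, drop trailing digits and symbols, undo substitutions."""
    stripped = password.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(LEET)


def check_password(password, user_id=""):
    """Return a list of guideline violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if len(character_types(password)) < MIN_TYPES:
        problems.append("fewer than 3 character types")
    if base_word(password) in SIMPLE_WORDS:
        problems.append("based on a simple, easily guessed word")
    # Assumption: a password containing the user ID counts as easily guessed.
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the user ID")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for candidate in ("password", "P@ssw0rd1", "Ab1!", "Tr4wl-Net#92"):
        print(candidate, "->", check_password(candidate) or "OK")
```

"P@ssw0rd1" has nine characters and all four types, yet it is rejected because it reduces to a deny-listed word.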

Email Communication

Caution: Only use the Company provided email
system and address for business related
communication. Do not use private email
accounts for business purposes.

Note: The ship’s email system can be used for
limited personal communications if there
is no dedicated crew email system or
internet access. On ships with a dedicated
crew email system, ensure only this
system is used for private
communications.

Email network
Designate a communications computer and install
the ship communications software. Use this
computer solely for email communications. Do not
use it for any other activities. Ship staff are strictly
prohibited from installing, re-installing, or
uninstalling software on the communications
computer without prior approval from the
Company.
Company IT creates an administrator account for
the communication system and gives the credentials
to the Master. This administrator account connects
to the primary business mailbox of the ship. The
Master can decide to share this information with
designated staff. Company IT provides credentials
for additional business email accounts to the
required users.
All emails are automatically scanned for viruses,
malware and spam at the email server level, before
delivery to the ship. This service includes removal
of defined attachment files (e.g. , bat, ).
Email privacy
All emails and related contents (including personal
emails if any) created, received, traversed,
processed and maintained by the ship email system
are the Company’s property. The Company reserves
the right to monitor or review anything stored,
created, or received in the Company's email system
without prior notification.
Email best practice
Follow these guidelines when using the ship email system.
Print this table and keep it next to the
communication computer.

Note: The maximum message size (starting from
0.5MB) is set for an individual ship to
control data usage.

| DO | DO NOT |
| --- | --- |
| Ensure that a professional image is projected when communicating with third parties. | Create, send, forward or store emails with messages or attachments that might be illegal or considered offensive by an ordinary member of the public e.g. sexually explicit, racist, defamatory, abusive, obscene, derogatory, discriminatory, threatening, harassing or otherwise offensive. |
| Send emails only to those required. | Send sensitive or confidential information, unless it is authorised by the Company to do so. |
| Check the distribution list carefully before you click Send. Is it the list you really intended? | Commit the Company to a third party for example through purchase or sales contracts, job offers or price quotations, unless the user is explicitly authorized by Company to do so. |
| Distinguish between “To” and “Cc” and use them purposefully. Use “To” for persons who need to act, use “Cc” to persons for information only. Avoid using “Bcc”. | Send emails in ways that could be interpreted as representing or making official public statements on behalf of the Company, unless it is explicitly authorized by the Company. |
| Write in a factual style that cannot be misinterpreted. E-mail is one-directional and the recipient cannot "hear" your intonation. You cannot see his or her facial expressions as they read your message. | Send an email that can be taken out of context or that contains confidential, internal information. Email is easily forwarded and copied; once it leaves your account an email can take on a "life of its own." |
| Write in a concise way and to the point. | Send or exchange materials in violation of copyright laws. |
| Structure the email using short paragraphs and separate ideas with bullets. | “Reply All” to messages as most people do not need to have a copy of every reply, to every iteration of the same message. |
| Spell-check and proofread the email before it is sent. | Forward ship emails to external private email accounts or set up auto-forwarding of emails. |
| Delete the previous trail of emails if not required. | Send messages with blank subject lines as they are likely to be treated as junk mail. |
| Zip or compress attachments for ship mails. | Disguise or attempt to disguise identity when sending email. |
| Send emails as plain text (to reduce size and resulting cost). | Wilfully open emails or attachments from an unknown or untrustworthy source or with a suspicious or unexpected subject line. |
| Try to answer all questions, to pre-empt further questions, as it will reduce the email load. | Send an email from any user’s account or in their name (including the use of false “From” address), unless it is authorized by the person. |
| Keep emails constructive in substance and professional in tone. | Use slang or idioms that could be misunderstood outside of your own region or country. |
| Treat people with the same courtesy and respect in email, as you would do face-to-face. | Send e-mail when angry. |
| Only use URGENT or IMPORTANT if completely necessary. | Type in capital letters, as this is interpreted as yelling. |
| Read the email from start to finish before sending. | Send unnecessary attachments as every byte costs money. |


Network and Internet Security


The Company provides controlled and secure
Internet access on ships for business related
purposes. Some ships can only access business email
communication, as determined by the ship budget.
The Company controls all remote connections from
shore to ship. No remote connection is accessible to
external parties or third-party technicians without
authorisation by Company IT.
The Company implements suitable systems and
controls to secure the computer network such as
firewall, gateways, managed switches.
The Company implements ShipSecure on VSAT
vessels, if approved by owner, for further security
protection including:
• Cisco UTM firewall, IDS / IPS
• Vulnerability scanner
• Web / URL filtering, gateway malware
security
• Security monitoring and support by World-
Link SOC (security operation center)
The company segregates networks on board to
enhance security:
• IT / business network
• Crew network
• Telemetry / shipboard equipment /
operations network
Remote access is provided to authorised ship
computers only. Remote connection between ship
and office is through secure connection e.g. VPN,
using industry standard encryption and protocols.
Company IT controls and administers all VPN
connections.
For ships where only email communication is
provided (e.g. FBB low data plan), the firewall rule is
set to allow email only, all other internet traffic is
blocked.
Only access the Internet for work e.g. to gather
information from websites of port authority or class
via company computers connected to the business
LAN.
Avoid downloading large files from the Internet,
which may cause problems for other systems (e.g.
email) and increase data consumption.
The Company monitors Internet access on-board.
The Company can restrict or disable Internet access
on-board at any time if considered appropriate.


Responsible use of Internet and social media


Act professionally while on leave and on board
regarding any information put on the Internet or
social media. This is to ensure that it will not result
in detriment or damage to the reputation or interest
of the Company or its clients.
Ship staff must not:
• Perform any activity or provide any material
that may defame, insult, abuse, embarrass,
tarnish, present a bad image of, or portray
in false light, the Company, the recipient,
the sender, or any other person or
organisation.
• Perform activities intended to circumvent
security or access controls of any
organisation, including the possession or
use of hardware or software tools intended
to defeat software copy protection, discover
passwords, identify security vulnerabilities,
and decrypt encrypted files or compromise
information security by any other means.
• Use other services available on the Internet,
such as FTP or streaming, on systems for
which the user does not have an account, or
on systems that have no guest or
anonymous account for the service being
used.
• Write, copy, execute, or attempt to
introduce any computer code designed to
self-replicate, damage, or otherwise hinder
the performance of or access to any
Company's computer, network, or
information.
• Make any derogatory, offensive,
discriminatory or defamatory comments
about the Company, its employees,
contractors, suppliers, customers or clients.
• Access the Internet on board the ship by
bypassing the ship's computer and
communication infrastructure network
without the approval of the Company.
• Download or upload any inappropriate,
illegal or offensive materials.
• Defeat or attempt to defeat security
restrictions or controls on ship systems.
• Send, receive, or access pornographic
material.
• Exchange confidential company
information or disclose any corporate
information that is not otherwise public.
• Browse, post, send, or access explicit
pornographic, gambling or hate-based web
sites, hacker or cracker sites, or other sites
that the Company has determined to be off-
limits.
• Conduct fraudulent or illegal activities,
including but not limited to: gambling,
trafficking in drugs or weapons,
participating in terrorist acts, or attempting
unauthorized entry to any corporate or non-
corporate computer.
• Steal or copy electronic files without
permission.
• Use someone else's logon ID and password
without explicit permission to access the
private files or accounts of others.
• Violate copyright laws.
• Conduct fundraising, endorse any product
or service, lobby or participate in any
partisan political activity.
• Act in a way that is detrimental to the
Company or brings the Company into
disrepute.
• Give external party access to or use of ship
Internet without explicit permission by the
Master.
• Post Company information on social
networking or media sites (such as Twitter,
Facebook, YouTube) including:
- Cargo information
- ISPS related information (access points
of a ship, piracy counter measures, etc.)
- Photographs or video of the ship that
identifies the ship or owner name,
unless the publication has been
authorised by the Company or the
Owner.
- Abusive, profane, discriminative, racist
or other objectionable language in
messages.

Social engineering, phishing and security guidelines
Social engineering refers to psychological
manipulation of people into performing actions or
divulging confidential information. It is a kind of
confidence trick (con) to gather information, commit
fraud or access systems. It is different from a
traditional con in that it is often one of many steps
in a more complex fraud scheme.
Phishing is a common tool used for social
engineering. Phishing uses email or malicious
websites to solicit sensitive information by posing as
a trustworthy sender. For example, an attacker may
send an email that seems to come from a reputable
or trustworthy source, such as a credit card or
financial institution, a charity, or even from the
Company. It may request personal or bank account
information, often suggesting that there is a
problem.

Caution: Beware of cyber fraudsters sending social
engineering (fraudulent emails) or phishing
emails.

Follow best practice guidelines, whether on board or
on leave:
• Be suspicious of unsolicited phone calls,
visits, or email messages from individuals
asking about employees or other internal
information. If some unknown individuals
claim to be from a legitimate organisation,
try to verify their identity directly with their
employer.
• Do not provide personal information or
information about ship or Company, your
colleagues or clients, unless you are certain
of a person's identity or authority to have
the information.
• Do not reveal personal or financial
information in an email. Do not respond to
email solicitations for this information. This
includes clicking or following links sent in
email.
• Beware of any email that claims to activate
or suspend a financial account, change a
password or payment method, or that
prompts for personal or banking details.
• Do not send sensitive information over the
Internet before checking a website's
security.
• Pay attention to the URL of a website.
Malicious websites may look identical to a
legitimate site, but the URL may use a
variation in spelling or a different domain
(e.g., .com vs. .net).
• Pay attention to the sender or reply email
address. It may look genuine but may
contain small differences to the genuine
address.
• If you are unsure whether an email request
is legitimate, try to verify it by contacting
the Company directly. Do not use contact
information provided on a website
connected to the request; instead, check
previous emails or statements for contact
information.
• Check with the office if there is any doubt or
question.
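The URL and sender-address checks in the list above can be automated, for example at a mail gateway or in awareness training. The following is an added example, not Company tooling: example-shipping.com is a constructed placeholder for the Company domain, and the edit-distance threshold of 2 and the two-label domain split (no public suffix list) are assumptions.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed placeholder standing in for the Company's real domain.
TRUSTED_DOMAINS = {"example-shipping.com"}
MAX_EDITS = 2  # assumed threshold for "small differences" in spelling


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            current.append(min(previous[j] + 1,          # deletion
                               current[j - 1] + 1,       # insertion
                               previous[j - 1] + cost))  # substitution
        previous = current
    return previous[-1]


def domain_of(value):
    """Extract the lower-cased host from an email header, address or URL."""
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        host = parseaddr(value)[1].rpartition("@")[2]
    return host.lower().rstrip(".")


def classify(domain):
    """Label a domain as trusted, a lookalike of a trusted one, or unrelated."""
    if not domain:
        return "unrelated"
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    # Assumption: the registered domain is the last two labels.
    candidate = ".".join(domain.split(".")[-2:])
    name, _, tld = candidate.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        t_name, _, t_tld = trusted.rpartition(".")
        if name == t_name and tld != t_tld:
            return "lookalike: different top-level domain"
        if 0 < edit_distance(candidate, trusted) <= MAX_EDITS:
            return "lookalike: spelling variation"
    return "unrelated"


def check_message(from_header, reply_to="", urls=()):
    """Return (field, domain, verdict) for each lookalike found in a message."""
    fields = [("From", from_header), ("Reply-To", reply_to)]
    fields += [("Link", url) for url in urls]
    findings = []
    for field, value in fields:
        if not value:
            continue
        domain = domain_of(value)
        verdict = classify(domain)
        if verdict.startswith("lookalike"):
            findings.append((field, domain, verdict))
    return findings


# Constructed sample message parts, not taken from a real email.
SAMPLE = check_message(
    from_header='"SMC IT" <it.support@example-shipping.com>',
    reply_to="it.support@examp1e-shipping.com",
    urls=["https://portal.example-shipping.com/login",
          "https://example-shipping.net/reset-password"],
)

if __name__ == "__main__":
    for finding in SAMPLE:
        print(finding)
```

In the sample, the From address is genuine but the Reply-To swaps a letter for the digit 1 and one link uses .net instead of .com; both are reported.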


Use of personal device


Personal devices are private equipment such as:
• Laptop computers
• Smart phones
• Tablets
• USB sticks
• Other USB devices
Caution: Always separate personal use from
business use

Follow the guidelines below:
• Do not use personal device to access vessel
systems
• Do not connect personal device to the
vessel network unless it is approved e.g.
crew internet access through Wifi
• Do not transfer or store vessel files or data
to personal device e.g. USB
• Use personal device, not company
computer, for personal internet access
• Use crew personal PIN (purchased or
supplied) only for personal internet access
• Do not use personal devices outside public
spaces like mess rooms, cabins, recreational
areas


Physical security
Place critical IT equipment such as servers, firewall,
switches and communication equipment, in an area
with restricted physical access. This will reduce the
risk of unauthorised access by ship staff or visitors.
Put critical IT equipment in an enclosed cabinet (e.g.
rack-mount type), located in a room with a door
lock, if available.
Connect the following to suitable uninterrupted
power supply (UPS):
• PAL server
• Ship communication and email server
• Communication management device
(e.g. Shipsat, Infinity)
• Loading computer (only class approved
desktops)
The UPS protects equipment from intermittent
power fluctuation on board. The Company advises
the UPS specification.
Computers, especially critical IT equipment, must be
secured to reduce the risk of damage due to
vibration or ship rolling. Route power and network
cable through suitable conduits to prevent physical
damage or interference.
Make clear, identifiable markings on cabling and IT
equipment. This supports efficient tracing and
identification of equipment and cable connections
and reduces error of incorrect patching and
handling.
Keep IT equipment in a locked room when not in
use. Secure removable media (e.g. DVD, paper
documents) containing sensitive information in
locked drawers or cabinets to prevent physical
access.
Do not allow access by visitors (e.g. third-party
technician, inspector) to shipboard equipment or IT
systems without Master approval.
Access or use of shipboard systems by visitor, if
approved, must be accompanied by ship staff. Do
not leave shipboard system unsupervised if the
visitor is present.

Use of computers by third parties
Advise any visitors such as external contractors or
family members of the IT and cyber security
procedures and guidelines.
Strictly control use of ship's computers, IT systems
or other IT services. Only allow third parties to use
the IT systems in the presence of ship staff. If
visitors do not agree, do not allow them to use the
computer systems.

Wi-Fi access
A Wi-Fi (wireless) network is available on some
ships, mostly for crew Internet access purpose. Wi-Fi
access points are installed at suitable locations (e.g.
near accommodation cabins). Wi-Fi is installed with
industry security and encryption standard e.g.
WPA2. The Master keeps the Wi-Fi access code and
provides it to ship staff only.
Ship staff can connect their personal devices to Wi-
Fi (wireless) network for crew Internet access. Ship
staff must use Wi-Fi connection only in the areas
specified by the Master or the Company.

PAL System
The Company controls access to PAL based on rank.
Access is revised according to business needs.
A secure login account is created on the PAL server,
used by the PMSO or Company IT, for remote
support and maintenance of the ship PAL system.
The ship PAL server is protected with RAID 1
mirrored hard disk to reduce risk of system
disruption due to hard disk failure.
The Company sets up automatic daily back-ups of
the ship PAL database and related system files. The
back-up copy is stored on the local PAL server as
well as on an external storage. A copy of PAL
program and update releases is included in the
back-up.
Shipboard PAL back-up is depicted in the below
figures.

If a complete PAL recovery is required due to critical
failure, the Company will restore the latest database
from the ship back-up. The Company will investigate
and resolve any ship/office synchronization issues.
The restoration procedure is depicted in the figure
below.

All PAL ship system data is replicated to a central
PAL system in the office. A full up-to-date ship
database can be extracted from the office system if
the PAL restoration on board is unsuccessful. The
Company will extract the latest database for the
ship in the office, install it on a new PAL server and
send it to the ship.
The Company will support the ship while the PAL
system is out of operation. For example, requisitions,
orders or crew allotment requests can be updated in
office PAL by authorised office users on behalf of the
ship.

OT systems protection measures


Operational technology (OT) equipment, such as
navigational systems or engine control, is
controlled by officers and engineers through their
normal duties and good seamanship. For most OT
systems, backup arrangements are in place as per
SOLAS requirements to ensure safety of navigation.
Manufacturers ensure that basic cyber security is in
place for the equipment.
Backup arrangements and training of the ship’s crew
assist with cyber security. Response to an OT system
failure due to a cyber-attack is similar to dealing
with a technical breakdown.
The implementation of the Ship Security Plan,
restricted areas and access control on board is an
effective measure to prevent any potential attacker
from physically interacting with or manipulating
equipment on scene.
Many shipboard OT systems are on a separate,
independent network and are not connected to the
IT network or the Internet. The main vulnerability is
USB access. This is addressed by fully controlling
access to the OT systems. For OT systems with
interconnected networks, e.g. with the Internet or
IT network, the Company implements additional risk
control measures for security protection. Refer to
the OT interconnected network section below.

Bridge Systems
The increasing use of digital, networked navigation
systems, with interfaces to shoreside networks for
updates and provision of services, makes such
systems vulnerable to cyber-attacks. Bridge systems
that are not connected to other networks may be
vulnerable as well, since removable media are often
used to update such systems from other controlled
or uncontrolled networks.
ECDIS

The cyber vulnerabilities of ECDIS systems include:
• Accidental or intentional infection with
malware or virus via USB stick
• Manipulation of chart information by
malware or active manipulation on the
system
• Manipulation of sensor data by malware or
active manipulation on the system
• False sensor input due to manipulation of
the sensors themselves
The most effective protection for the ECDIS system
is that it is not connected to the ship’s IT network
and is therefore not automatically affected in case
of an IT security incident. The most vulnerable point
is the USB stick used for updates and transfer of
voyage information. This is also because ECDIS
normally runs on a regular PC that lacks security
software and updates. A virus or malware that does
not affect the protected IT system can compromise
the unprotected ECDIS when transferred
unintentionally by a USB stick.
Therefore, always use a designated USB stick for
ECDIS updates. The USB stick must be controlled and
scanned by the responsible officer to confirm it is
virus free.
Also refer to the ECDIS virus precaution procedure in
this manual.
GNSS (GPS)

One of the main navigational sensors on board a
ship is the GPS, and it is one of the few systems
which can be attacked from the outside, without
any interaction on board. There are several
possible reasons for a GPS to show a false position,
such as wrong settings or a hardware defect. For
cyber security the threat comes from GPS spoofing -
interrupting, jamming or manipulation of GPS
signals.
There is no measure a vessel can implement to
prevent GPS spoofing. It is part of good seamanship
to always verify GPS positions by secondary means
of position fixing, wherever possible and at an
interval appropriate to the current navigational
situation. Actions to be taken in case of a spoofed
GPS signal are the same as in the case of a general
technical failure of the GPS receiver or a lost signal.
Also keep in mind that if the GPS signal is spoofed,
the backup arrangement is not an effective
measure.

Automatic Identification System (AIS)

AIS provides and receives vessel data and
navigational information via VHF. Therefore,
information provided by other vessels in the AIS
should always be handled with care, as the position,
speed and course data depend on the functionality
of the other vessel's sensors. Also, vessel particulars
and other information can be illegally falsified or
manipulated. It is possible for potential attackers to
manipulate, block or even create completely false
targets in the AIS.
To prevent manipulation of the vessel's AIS, the
equipment must never be left unsupervised when
third parties are on the bridge. Information from the
AIS shall always be verified by secondary means such
as ARPA and visual contact.

Cargo management systems


Cargo management systems and sensors form a
separate independent network that is not
connected to the IT network or the Internet.
Therefore, the main vulnerabilities come from the
use of USB sticks. System updates are done by USB
stick, which can lead to accidental or intentional
infection with malware or virus. A virus or malware
that does not affect the protected IT system can
harm the unprotected computer when transferred
unintentionally by a USB stick. The management
and control of the use of USB sticks is highly
important to reduce the risk of infection.
Loading Computer

Cyber vulnerabilities include:
• Accidental or intentional infection with
malware or virus via USB stick
• Manipulation of stability information by
malware or active manipulation on the
system
The most effective protection of the loading
computer used for stability calculations is to
maintain it separate from the ship's IT network. This
will prevent spreading of viruses from the IT
network to the loading computer.
Refer to the Loading and stability computer
procedure in this document.

Propulsion and machinery management and power control systems
The use of digital systems to monitor and control
onboard machinery, propulsion and steering
equipment makes such systems vulnerable to
cyber-attacks. The vulnerability of these systems can
increase when they are used in conjunction with
remote condition-based monitoring and / or are
integrated with navigation and communications
equipment on ships using integrated bridge systems.
Propulsion and machinery management and power
control systems form a separate independent
network that is not connected to the IT network or
the Internet. Therefore, the main vulnerabilities
come from the use of USB sticks. System updates are
done by USB stick, which can lead to accidental or
intentional infection with malware or virus. A virus
or malware that does not affect the protected IT
system can harm the unprotected computer when
transferred unintentionally by a USB stick. Thorough
management and control of the USB stick used is
highly important to reduce the risk of infection.

OT interconnected network

The cyber risk is higher for OT systems having
network inter-connection, directly or indirectly, to
the Internet, IT or business network, Wi-Fi network
or remote access from shore.
The Company evaluates risks and implements
suitable risk control and protection measures,
including a combination of the following:
• Firewall – traffic, IP, port, protocol filtering
• Network segregation / VLAN
• Remote access control / VPN
• Network vulnerability assessment scan
• USB control or block
• Device or endpoint anti-malware
• User and privilege / administrator access
control
Work closely with the OT system supplier or
manufacturer, and incorporate supplier / product
provided security systems or measures if found
suitable.
For details of cyber security protection of shipboard
telemetry systems and network, refer to the IT and
Cyber Security manual appendix – Telemetry network
protocol (Ship).

IT Systems

Caution: All IT systems are at risk of cyber
threat. Cyberattacks on these systems can cause
significant disruption of ship operations and
result in major incidents.

Hardware and software


IT systems include:
• Computers
• Smartphones
• Printers
• Scanners
• External storage hard drives / USB memory
• Network
• Communication and network equipment
• Company provided software
The Master is to ensure safekeeping of system or
software DVDs, manuals or materials, after properly
labelling them, upon receiving IT equipment on
board.
The Company provides each ship with adequate
computer hardware, connected to an onboard
network.

Caution: Special purpose computers, such as
loading computers, must be standalone and
excluded from the network.

A typical hardware specification for a new user
computer is:
• Intel Core i5 processor or above, 16GB RAM
• 500GB or above SATA HDD / SSD
• Ethernet, keyboard, mouse, DVD writer
• 19” TFT monitor (minimum 1024x768 pixel
resolution for using the PAL system)
The Company provides the following software to all
ships:
• Windows 7 or 10 edition OS x64
• Microsoft Office 2013 / 2016 or higher
(Business and Home edition or Office Pro
Plus)
• BSM PAL maritime enterprise software, or
other PMS software approved by the
Company
• Email system: Shipmail Connect (SMC3),
Amosconnect, or others approved by the
Company
• Antivirus: Port-IT, AMP, ESET or others
approved by the Company
• File compression software e.g. 7zip.
• Google Chrome for using PAL (Firefox as
backup)
• Adobe reader
• TeamViewer (as required)
• PDF writer / CutePDF / PDFsam (optional)
Other optional software or programme as advised
by the Company:
• Marine Info (BP Port to Port)
• CDI / OCIMF software (SIRE VPQ)
• Approved trim and stability program
• Approved engine, bridge and cargo control
software
• Charterer or pool software
The Company supplies and installs only licensed
software on Company issued computers. All
software installed on Company issued computers
is for work purposes only.
The Company supplied software complies with
copyright laws. Do not make unauthorised copies of
any software. Any ship staff making unauthorised
copies of software, or installing or using illegal
(unlicensed) software, will be personally liable and
subject to further disciplinary action.

Data plans
The Company supplies the ship with a data plan for
satellite communication e.g. Inmarsat FBB, VSAT.
The plan defines a monthly data allowance (e.g.
250MB, 4GB, 8GB, unlimited) for the ship.
The Master will receive an email alert from the
communication service provider if the ship is close
to or exceeding the monthly allowance.

Caution: The Master must avoid exceeding the
allowance, which may incur high costs.

Reduce non-essential email and send large files via
shore networks or by post on external media.
Company IT continuously monitors data
communication use on the ship to identify any
anomalies.

PC supply
The Company will prepare the shipboard computers
before on-board installation as follows:
• Install the required Company approved and
licensed software
• Make necessary configuration and setup
• Ensure the configuration / setup details and
password information of the computer are
secure
• Send relevant setup and password
information of the computer to the Master
• Inform relevant service vendor (e.g.
communication vendor) about hardware,
software and configuration details if
required

Crew Internet access
On some ships, the Company provides crew
personal Internet access through the ship network
(usually Wi-Fi) depending on the ship’s budget and
Owner’s requirements. This access must not
interfere with the work of the ship staff or the
Company’s ability to perform and meet its business
and operation obligations.
Access can be chargeable or free-to-use, depending
on the Owner’s requirements.

Note: Check with the Master what options are
available on board.

Ship staff can access the Internet for personal use
using a personal device in their free time, unless
there is a different schedule or specific time slots
allocated by the Master or the Company. The
Company does not provide support or service for
personal devices or computers used by ship staff for
crew Internet access.
PIN access
• The PIN restricts and controls Internet
access for individual ship staff
• Ship staff purchase an individual PIN (login
and password) for crew Internet access
through the Master, appointed vendor or
Company
• The PIN contains a certain purchase value.
The Master, vendor or Company can top up
the value
Charges
• Crew Internet access charge is based on
data use or time
• Charge rates and plans vary on individual
ships, depending on the communication
systems installed and data plan subscribed
for the ship
• Crew charge rates may change during the
month depending on data consumption or
time
• Check with the Company about the charge
rates applicable for your ship, before using
the Internet
Access guidelines
Follow the guidelines below when using personal
Internet access:
• Make sure you log off from the Internet after
use to prevent unintentional data quota
consumption
• Avoid using streaming services such as YouTube
or video chat, as they consume much data quota
• Do not use any file-sharing services such as
BitTorrent or similar
• Disable Windows updates
• Disable automatic app updates since they
consume much data quota in the
background
• Keep your devices virus free; viruses can use
a lot of quota and bandwidth

Ship Leaving management


The Company will advise the ship on the handling of
hardware, software and data prior to the ship
leaving management. Measures may include:
- Return of equipment or PC
- Return of hard disk
- Program uninstallation
- Purge of files
For PAL system de-activation, follow the procedure
from the office PMSO.
