
TABLE OF CONTENTS

Cover page
Index
Familiarization record for the cyber security manual
Revisions
Definitions
Distribution list

1. INTRODUCTION

1.1 What is cyber security?


1.2 Elements of security
1.3 Why is the maritime industry vulnerable to cyber-attack?
1.4 Why is cyber security important to ships?
1.5 Resilience of ship systems
1.6 What are the threats that cyber security is seeking to address?
1.7 What are the effects that threat actors are trying to achieve?
1.8 Need for cyber security risk management

2. CYBER SECURITY POLICY

3. IDENTIFY THREATS

3.1 Categorization of attacks


3.2 Network-related threats

3.2.1 Denial of Service


3.2.1.1 Definition
3.2.1.2 DoS structure
3.2.1.3 Implications
3.2.2 Email
3.2.2.1 Definition
3.2.2.2 Email Security
3.2.2.3 Suspicious messages
3.2.2.4 Email threats
3.2.2.5 Email attack vectors
3.2.3 Spoofing
3.2.3.1 Definition
3.2.3.2 Types of Spoofing
3.2.3.3 Social Engineering
3.2.4 Phishing

3.3 Computer – related threats

3.3.1 Malware
3.3.1.1 Definition
3.3.1.2 Viruses
3.3.1.3 Worms
3.3.1.4 Trojan Horses
3.3.1.5 Trojans vs. Worms vs. Viruses
3.3.1.6 Spyware

3.4 Stages of cyber attack

4. IDENTIFY VULNERABILITIES
4.1 Determination of vulnerability

5. RISK ASSESSMENT

5.1 Activity phases


5.2 Impact assessment
5.3 Reducing/ Managing the risk

6. DEVELOPING PROTECTION MEASURES

6.1 Information security manager


6.2 Providing standards and governance
6.3 Provision of perimeter defence and physical security
6.4 Technical cyber security controls
6.5 Configuration of network devices such as firewalls, routers and switches
6.6 Satellite and radio communication
6.7 Malware detection
6.8 Secure configuration for hardware and software
6.9 Email and web browser protection
6.10 Execution of access management
6.11 Application software security (patch management)
6.12 Execution of change control as an enterprise process
6.13 Procedural protection measures

6.13.1 Training and awareness


6.13.2 Physical and removable media controls
6.13.3 Upgrades and software maintenance
6.13.4 Access for visitors
6.13.5 Use of administrator privileges

6.14 Actions against threats

6.14.1 Physical threats


6.14.2 Email threats
6.14.3 Internet threats
6.14.4 Social media threats
6.14.5 Telework threats

7. CONTINGENCY AND RESPONSE PLAN

7.1 Incident analysis


7.2 Investigation of cyber incidents
FAMILIARISATION RECORD FOR THE CYBER SECURITY MANUAL
It is hereby confirmed that I have read the Cyber Security Manual and that its content is well understood.

DATE NAME RANK SIGNATURE


REVISIONS

Ref no Date Section Revision No Description


DEFINITIONS

Advanced persistent threat (APT): An Internet‐borne attack usually perpetrated by a group of individuals with significant
resources, such as organized crime or a rogue nation‐state.

Adware: Pop‐up advertising programs that are commonly installed with freeware or shareware.

Backdoor: Malware that enables an attacker to bypass normal authentication to gain access to a compromised system.

Bit Torrent: A P2P file‐sharing communications protocol that distributes large amounts of data widely without the original
distributor incurring the costs of hardware, hosting and bandwidth resources.

Bootkit: A kernel‐mode variant of a rootkit, commonly used to attack computers that are protected by full‐disk encryption.

Bot: A target machine that is infected by malware and is part of a botnet (also known as a zombie).

Botnet: A broad network of bots working together.

Cyber-attack: Any type of offensive manoeuvre that targets IT and OT systems, computer networks, and/or personal
computer devices attempting to compromise, destroy or access company and ship systems and data.
Cyber system: any combination of facilities, equipment, personnel, procedures and communications integrated to provide
cyber services; examples include business systems, control systems and access control systems.

Distributed Denial‐of‐Service (DDoS): A large‐scale attack that typically uses bots in a botnet to crash a targeted network or
server.

Drive‐by Download: Software, often malware, downloaded into a computer from the Internet without the user’s
knowledge or permission.

Firewall: A logical or physical break designed to prevent unauthorized access to IT infrastructure and information.

Information security: Security applied to information (rather than systems) protecting it from unauthorized access,
disclosure, modification or destruction.

Local Area Network (LAN): a computer network that interconnects computers within a limited area such as a home, ship or
office building, using network media.

Malware: Malicious software or code that typically damages or disables, takes control of, or steals information from a
computer system. Broadly includes viruses, worms, Trojan horses, logic bombs, rootkits, bootkits, backdoors, spyware, and
adware.

Router: A device which forwards data from one network to another network, e.g., from a satellite communications
network to an on board computer network.

Rootkit: Malware that provides privileged (root‐level) access to a computer.

Service provider: a company or person who provides and performs the software maintenance.

Spear phishing: A targeted phishing attempt that seems more credible to its victims and thus has a higher probability of
success. For example, a spear‐phishing email may spoof an organization or individual that the recipient actually knows.

Transmission Control Protocol (TCP): A connection‐oriented protocol responsible for establishing a connection between
two hosts and guaranteeing the delivery of data and packets in the correct order.
Trojan horse: A program designed to breach the security of a computer system while apparently performing some harmless
function.

Virtual Local Area Network (VLAN): the logical grouping of network nodes. A virtual LAN allows geographically dispersed
network nodes to communicate as if they were physically on the same network.
Virtual Private Network (VPN): enables users to send and receive data across shared or public networks as if their
computing devices were directly connected to the private network, thereby benefiting from the functionality, security and
management policies of the private network.

Virus: A hidden, self-replicating section of computer software that maliciously infects and manipulates the operation of a
computer program or system.

Wide Area Network (WAN): network that can cross regional, national or international boundaries.

Wi-Fi: all short-range communications that use some type of electromagnetic spectrum to send and/or receive information
without wires.

Zombies: the primary attack vector in DDoS attacks. These are user machines - usually sitting on insecure “home” networks
- that are taken over by a hacker who plans to turn them into agents.

DISTRIBUTION LIST OF CONTROLLED COPIES

Copy No Manual Holders


Original Board members
1 Technical /Operation/Crew Department Copy
1 Ship Copy (to be hard copy)

1. INTRODUCTION

The vast technological advancements in Information Technology (IT) have resulted in the networking of ships, which are
interconnected via the World Wide Web. Given the latter's proneness to cyber-attacks, in conjunction with the
increased complexity of electronic equipment onboard and the resulting high risk of human error in the use of this equipment,
the marine industry should be prepared to face an increased cyber threat. This means that the company needs to assess risks
arising from the use of IT and OT (Operational Technology) onboard ships and establish appropriate safeguards against cyber
incidents.

Operational technology (OT): The technology commonly found in cyber-physical systems that is used to manage physical
processes and actuation through the direct sensing, monitoring and or control of physical devices, for example, motors,
valves, pumps, etc. In a vessel these systems include: plant and machinery, RF communications, on and off board sensors
and navigation systems.

1.1 What is cyber security?

Cyber security can be defined as “the collection of tools, policies, security concepts, security safeguards, guidelines, risk
management approaches, actions, training, best practices, assurance and technologies that can be used to protect the
cyber environment and organization and user's assets”.

Within this definition, “cyber environment” comprises the interconnected networks of both IT and cyber-physical systems
utilizing electronic, computer-based and wireless systems, including the information, services, social and business functions
that exist only in cyberspace. On a ship the computer-based systems will comprise a range of information technology
components (for example, personal computers (PCs), laptops, tablet devices, servers and networking components such as
routers and switches, etc.) and operational technology (for example, control systems, sensors, actuators, radars, etc.).

The “organization and user's assets” include connected computing devices, personnel, infrastructure, applications,
services, telecommunication systems and the totality of transmitted, processed and/or stored data and information in the
cyber environment.

The varied nature of cyber security threats means that there is no single approach that is capable of addressing all the
resultant risks. The rate of change of technology and the steady flow of serious vulnerabilities in operating systems,
software libraries and applications, means that any strategy needs to be kept under regular review.
Business change also has a significant impact on cyber security, for example, the introduction of bring-your-own-device
(BYOD) and the trend to deliver some assets as services, for example, the provision of power plants / turbines remotely
managed by a third party that offers power/propulsion as a service.

Within the maritime environment a variety of IT-based devices may legitimately be brought into the ship, for example
devices owned by the shipboard personnel or shore-based contractors. The nature of these devices and their relative cyber
hygiene could have a significant impact on the cyber security of the ship, particularly if they are connected to sensitive
communications or network infrastructure within the ship or critical ship systems.

Cyber security is not just about preventing hackers from gaining access to systems and information, potentially resulting in loss of
confidentiality and/or control. It also addresses the maintenance of integrity and availability of information and systems,
ensuring business continuity and the continuing utility of digital assets and systems. To achieve this, consideration needs to
be given not only to protecting ship systems from physical attack, force majeure events, etc., but also to ensuring the
design of the systems and supporting processes is resilient and that appropriate reversionary modes are available in the
event of compromise. Personnel security aspects are also important. The insider threat from shore-based or shipboard
individuals who decide to behave in a malicious or non-malicious manner cannot be ignored. Ship owners and operators
need to understand cyber security and promote awareness of this subject to their stakeholders, including their shipboard
personnel.

The maritime sector is a vital part of the global economy, whether it is carrying cargo, passengers or vehicles. Ships are
becoming increasingly complex and dependent on the extensive use of digital and communications technologies
throughout their operational life. Poor security could lead to significant loss of customer and/or industry confidence,
reputational damage, potentially severe financial losses or penalties, and litigation affecting the companies involved. The
compromise of ship systems may also lead to unwanted outcomes, for example:
(a) physical harm to the system or the shipboard personnel or cargo – in the worst-case scenario this could lead to a
risk to life and/or the loss of the ship;
(b) disruptions caused by the ship no longer functioning or sailing as intended;
(c) loss of sensitive information, including commercially sensitive or personal data; and
(d) permitting criminal activity, including kidnap, piracy, fraud, theft of cargo, imposition of ransomware.

The above scenarios may occur at an individual ship level or at fleet level; the latter is likely to be much worse and could
severely disrupt fleet operations.

1.2 Elements of security

While it is difficult to come up with a precise definition, depending on the context, one or more of the following elements
are used to establish information security:

Availability - Is the system functioning when you need it? Availability is concerned with the prevention of unauthorized
withholding of information or resources.

Authorization - Who will be given access? The process of allowing only authorized users access to sensitive information. An
authorization process uses the appropriate security authority to determine whether a user should have access to resources.

Authenticity - How do I know who sent this? For most online transactions, businesses will want to know that the person
conducting the transaction is who they claim to be. For example, only authorized signatories should be able to access a
business bank account.

Integrity - Has the data/information changed? Integrity deals with the issue of how to preserve digital objects to make
them trustworthy, i.e. how to avoid the unauthorized modification of objects.

Non-repudiation - How do I know that the sender won't deny sending this? Users need certainty that a transaction
conducted over the Internet is irrevocable, and that the person who conducted the transaction will not be able to deny (at
a later date) that the transaction took place.

Privacy and Confidentiality - How do we keep secrets secret? It involves the assurance that data are not disclosed to
unauthorized persons, processes, or devices and sensitive information is not leaked as a result of physical, technical or
electronic penetration and exploitation.
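The distinction between integrity, authenticity and non-repudiation above is easier to see with a concrete check. The following is an added example, not part of the manual: it uses a constructed ship-to-shore message and a constructed shared key (names such as ORIGINAL_MESSAGE and SHARED_KEY are assumptions for illustration). A plain hash detects an alteration in transit, but anyone who changes the message can also recompute the hash, so it says nothing about who sent it; a keyed HMAC can only be produced by a holder of the shared key, so it also gives authenticity. Neither gives non-repudiation, because the receiver holds the same key and could have produced the tag itself; that requires a digital signature with a key only the sender holds.

```python
"""Added example (not from the manual): integrity check versus authenticity check.

Constructed sample data only. A plain SHA-256 digest answers "has the data changed?";
an HMAC additionally answers "was it produced by a holder of our shared key?".
"""
import hashlib
import hmac
import secrets

# Constructed values: a shared key held by ship and office (in practice provisioned
# out of band and never embedded in code) and an operational message.
SHARED_KEY = b"example-shared-key-do-not-use-in-production"
ORIGINAL_MESSAGE = b"ETA Piraeus 2020-12-01 06:00 UTC; bunker 120 t"


def digest(message: bytes) -> str:
    """Plain SHA-256 hash: an integrity check only."""
    return hashlib.sha256(message).hexdigest()


def mac(message: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: integrity plus authenticity for holders of `key`."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def integrity_ok(message: bytes, expected_digest: str) -> bool:
    """True if the message hashes to the digest that travelled with it."""
    return hmac.compare_digest(digest(message), expected_digest)


def authenticity_ok(message: bytes, tag: str, key: bytes) -> bool:
    """True only if the tag was computed with `key` over exactly this message."""
    return hmac.compare_digest(mac(message, key), tag)


def tamper_scenarios() -> dict:
    """Walk through the cases a reader should be able to tell apart.

    Returns a dict of booleans so each outcome can be checked programmatically.
    """
    sent_digest = digest(ORIGINAL_MESSAGE)
    sent_tag = mac(ORIGINAL_MESSAGE, SHARED_KEY)

    # Case 1: the message is altered in transit, checksums untouched.
    # Both checks notice the change.
    altered = ORIGINAL_MESSAGE.replace(b"120 t", b"320 t")
    plain_hash_catches_edit = not integrity_ok(altered, sent_digest)
    hmac_catches_edit = not authenticity_ok(altered, sent_tag, SHARED_KEY)

    # Case 2: the altered message is sent with a freshly computed plain hash.
    # The integrity check passes, so a plain hash does NOT expose this.
    recomputed_digest = digest(altered)
    plain_hash_catches_forgery = not integrity_ok(altered, recomputed_digest)

    # Case 3: the same attempt against the HMAC without the shared key. The tag
    # can only be computed with some other key, so verification fails.
    wrong_key = secrets.token_bytes(32)
    foreign_tag = mac(altered, wrong_key)
    hmac_catches_forgery = not authenticity_ok(altered, foreign_tag, SHARED_KEY)

    return {
        "plain_hash_catches_edit": plain_hash_catches_edit,
        "hmac_catches_edit": hmac_catches_edit,
        "plain_hash_catches_forgery": plain_hash_catches_forgery,
        "hmac_catches_forgery": hmac_catches_forgery,
    }


if __name__ == "__main__":
    for name, outcome in tamper_scenarios().items():
        print(f"{name}: {outcome}")
```

The design point is the one the section makes in words: each element of security answers a different question, and a control that answers "has it changed?" does not automatically answer "who sent it?" or "can the sender later deny it?". `hmac.compare_digest` is used for both comparisons so that verification time does not depend on where the first differing byte lies.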

1.3 Why is the maritime industry vulnerable to cyber-attack?

The maritime industry possesses a range of characteristics which affect its vulnerability to cyber incidents:

• Multiple stakeholders are often involved in the operation and chartering of a ship potentially resulting in lack of
accountability for the IT infrastructure.
• The ship being online and how it interfaces with other parts of the global supply chain.
• Business-critical and commercially sensitive information shared with shore-based service providers.
• The availability and use of computer-controlled critical systems for the ship’s safety and for environmental
protection.
• The increasing use of big data, smart ships and the ‘internet of things’ increases the amount of information
available to cyber attackers, making the need for robust approaches to cyber security important.
As the safety, environmental and commercial consequences of not being prepared for a cyber incident may be dire, it is
imperative to:

• raise awareness of the safety, security and commercial risks if no cyber security measures are in place;
• protect shipboard IT infrastructure and connected equipment and data used onboard ships or being
communicated between the ship and office;
• manage users, ensuring appropriate access to necessary information; and
• authorize administrator privileges for users, also during maintenance and support on board or via remote link.

Cyber safety is as significant as cyber security. Both have equal potential to affect the safety of onboard personnel, ships,
and cargo. Cyber security is concerned with the protection of IT, OT and data from unauthorised access, manipulation and
disruption. Cyber safety covers the risks from the loss of availability or integrity of safety critical data and OT.

Cyber safety incidents can arise as the result of:

• A cyber security incident, which affects the availability and integrity of OT, for example corruption of chart data
held in an Electronic Chart Display and Information System (ECDIS).
• A failure occurring during software maintenance and patching.
• Loss of or manipulation of external sensor data, critical for the operation of a ship. This includes but is not limited
to Global Navigation Satellite Systems (GNSS).
Whilst the causes of a cyber safety incident may be different from those of a cyber security incident, an effective response to both is
based upon training and awareness of appropriate company policies and procedures. As a result of all of the above,
cyber risk management should be incorporated into the company SMS.

1.4 Why is cyber security important to ships?


A ship is a complex cyber-physical engineered system that encompasses both waterborne activities and systems, and
remote elements such as navigation signals. As shown above, a ship comprises five main asset types (i.e. plant and
machinery, operational technology, information technology, radio frequency (RF) communications, and navigation systems)
that are used to provide a range of operational services and where technology plays an increasingly important role.
The loss, or compromise, of one or more of these assets has the potential to impact upon:

(a) the health and safety of staff and other people impacted upon by the work activities being undertaken and to
whom a duty of care is owed;
(b) the ability of the ship to operate safely and to not endanger other ships, maritime structures or the environment;
and
(c) the speed and efficiency at which the ship can operate.

Further, the failure of a Company or shipboard personnel to appreciate the structure and operation of its assets, systems
and associated business processes may result in a number of undesirable situations, including:

(a) accidental or inadvertent exposure of sensitive systems, applications or data to unauthorized users;
(b) loss of resilience or system redundancy; and
(c) emergent failure modes that result in the cascade or catastrophic failure of critical systems or processes.

Any of the types of failure described can also have significant economic and reputation consequences.

1.5 Resilience of ship systems

Resilience of ship systems is closely linked to safety: the higher the potential safety risk, the higher the required level of
redundancy and availability of critical systems. These systems are monitored so as to provide constant situational
awareness based on sensor data received from a number of sensor types.

The integrity and availability of such data is therefore critical for the safe and secure operation of the ship and its systems
especially where systems are integrated into a system of systems each interdependent on the others for data acquisition,
computational analysis or physical actuation.

Understanding these interdependencies and relationships between systems at a data or information level is essential in
maintaining the integrity of the overall system of systems.

In addition to the human threat actors, there are resilience threats to ship systems arising from natural causes, including:
solar events; weather; flora and fauna. Their effects may result in damage, failure or significant impairment to ship systems,
which may result in the loss or corruption of ship data, and subsequent loss of integrity or availability of the subsystem.

An example of the impact of natural causes on ship systems is a terrestrial or solar storm causing interference with
communication systems and the loss of ship-to-shore link.

In addition, the reaction to false sensor data due to malfunction also needs to be considered. The absence of data may be
as significant as a constant stream of data when considering the resilience of the various systems.

1.6 What are the threats that cyber security is seeking to address?

The motivation for a cyber-attack on a ship system may stem from one of the following six purposes:
a) cyber misuse – this includes low-level criminal activities including vandalism and disruption of systems, defacement of
web sites and unauthorized access to systems. The acts may be perpetrated by script kiddies or through insider activity by
disgruntled personnel and contractors. Where researchers access a system without authority from the system's owner,
their actions may not be malicious but are nevertheless deemed as a criminal act.
b) activist groups (also known as “hacktivism”) – seeking publicity or creating pressure on behalf of a specific objective or
cause, for example, to prevent the handling of specific cargoes or to disrupt the operation of the ship. The target may be
the ship itself, the operator of a ship or a third party such as the supplier or recipient of the cargo.
c) espionage – seeking unauthorized access to sensitive information (intellectual property, commercial information,
corporate strategies, personal data, pattern of life) and disruption for state or commercial purposes.
d) organized crime – largely driven by financial gain, this may include criminal damage, theft of cargo, smuggling of goods
and people, and seeking to evade taxes and excise duties.
e) terrorism – use of the ship to instill fear and cause physical and economic disruption.
f) warfare – conflict between nation states, where the aim is disruption of ship systems/infrastructure to deny
operational use or disable specific ships, such as product tankers.

1.7 What are the effects that threat actors are trying to achieve?

Whatever the aim and motivation for attacking a ship or fleet of ships, the threat actors will have an outcome that they are
attempting to achieve. These effects may be aimed at the overall business, the ship or the ship subsystems and are grouped
into the following categories:
a) destroy – examples may include the destruction of cargo, ship, or port in such a way that they are no longer available for
use.
b) degrade – examples may include impacting the speed or maneuverability of the ship, the ability to navigate accurately or
monitor the local environment accurately to the point where the ability of the ship to operate is significantly impaired.
c) deny – examples may include the denial of access to ship systems or information/data possibly for such reasons as
extortion for financial gain or to mount a physical attack on the ship for kidnap and ransom purposes.
d) delay – examples may include to delay the timely operation of the ship or ship subsystems so that the knock-on effect
may impact business operations or cause penalties to be incurred.
e) deter – examples may include influencing the business from operating in certain areas of the world oceans, operating in
specific markets or accessing specific ports from a commercial perspective.
f) detect – examples may include the detection and tracking of people, cargo or ship locations so that planned physical
theft or cargo manipulation might take place.
g) distract – examples include the ability to alter the state of a sensor so as to provide a distraction whilst a
data/information extraction takes place.
The examples given are not exhaustive and appropriate effects are selected when considering the threat actor and the
motivation behind any attack.

1.8 Need for cyber security risk management


Cyber Security risk management exists to:

• identify the roles and responsibilities of users, key personnel and management both ashore and on board,
• identify the systems, assets, data and capabilities, which if disrupted, could pose risks to the ship’s operations and
safety,
• implement technical measures to protect against a cyber incident and ensure continuity of operations. This may
include configuration of networks, access control to networks and systems, communication and boundary defense
and the use of protection and detection software,
• implement activities and plans (procedural protection measures) to provide resilience against cyber incidents. This
may include training and awareness, software maintenance, remote and local access, access privileges, use of
removable media and equipment disposal,
• implement activities to prepare for and respond to cyber incidents.

Equipment and data protected by layers of protection measures are more resilient to cyber-attacks. In order to protect
critical systems and data with multiple layers of protection measures, the use of more than one technical or procedural
protection is recommended in order to:

• increase the probability that a cyber incident is detected,
• increase the effort and resources needed by threat actors to exploit vulnerabilities of IT and OT systems.

Such protection measures are:

• physical security of the ship in accordance with the ship security plan (SSP),
• protection of networks, including effective segmentation,
• intrusion detection,
• software whitelisting,
• access and user controls,
• appropriate procedures regarding the use of removable media and password policies,
• personnel’s awareness of the risk and familiarity with appropriate procedures.

2. CYBER SECURITY POLICY

This policy is designed to guide employees towards understanding and adhering to best security practices that are relevant to their job
responsibilities. A security policy is only as valuable as the knowledge and efforts of those who adhere to it, whether IT staff or regular
users. Understanding the importance of computer and network security and building accountability for these concepts are critical for
achieving organizational goals. With this in mind, establishing principles for security awareness and conducting subjective security
training are integral endeavours for the Company. Security awareness ensures that users are familiar with potential threat mechanisms,
while training teaches them the strategies they must employ to prevent or respond to these threats.

The purpose of this policy is to describe the necessary requirements for users to receive contextual security training that relates to the
scope of their duties and responsibilities. The Company’s Top Management is committed to enforcing the required behaviours mandated
by these programs.

A meaningful security awareness and training program explains areas of caution, identifies appropriate security procedures that need to
be followed and discusses any sanctions that might be imposed due to lack of compliance. Accountability originates from a well-informed
and well-trained workforce.

The Company is focused on the overall purpose of security training, to help make employees aware of actions they can take to keep
information safe, such as correct password usage, using security software to block viruses and spam, repelling social engineering attacks,
backing up data and setting appropriate channels to report suspected incidents or violations. Because new vulnerabilities, risks, and
hacks arise on a regular basis, new technological developments require continuous monitoring and improvement of security awareness
and training guidelines.
COMPANY’S CYBER SECURITY POLICY
The purpose and objective of this Policy is to protect the company's information assets (note 1) from all threats, whether internal or
external, deliberate or accidental, to ensure operations continuity, minimize damage and maximize return on investments and relevant
industry opportunities.
To fulfil these objectives, the management is committed to the following approach:
1) It is the Policy of the Company to ensure that:
a) Information and Systems identified as vulnerable to Cyber-attacks will be protected from a loss of confidentiality (note 2),
integrity (note 3) and availability (note 4).
b) Regulatory and legislative requirements are to be met.
c) Cyber Security Contingency Plans have been produced for support.
d) Cyber Security training will be available to all staff.
e) All breaches of information security, actual or suspected, will be reported and investigated.
2) Guidance and procedures have been produced to support this policy. These include incident handling, information backup,
system access, virus controls, passwords and encryption.
3) The role and responsibility of the Information Security Manager is to manage information security and to provide advice and
guidance on implementation of the Cyber Security Policy.
4) All managers are directly responsible for implementing this Policy within their departments.
5) It is the responsibility of each employee/crew member to adhere to the Cyber Security Policy.
NOTES
1) Information takes many forms and includes data printed or written on paper, stored electronically, transmitted by post or using
electronic means, stored on tape or video, spoken in conversation.
2) Confidentiality: ensuring that information is accessible only to authorized individuals.
3) Integrity: safeguarding the accuracy and completeness of information and processing methods.
4) Availability: ensuring that authorized users have access to relevant information when required.

SIGNED ........................................ DATE: 01.12.2020


BOARD

3. IDENTIFY THREATS

Regardless of the type of system or platform used, all computers are subject to misuse and vulnerable to attacks.
Vulnerabilities are loopholes that attackers can use to gain access to computer- or network- related resources and they
represent a “potential for unintended use”.
Common types of system damage include the following:
• Leaking (reading, by speech) of sensitive data
• Modification of sensitive data
• Destruction of sensitive data
• Unauthorized use of a system service
• Denial of a system service, and
• Disruption or degradation of any system operation in general.

The key point to remember is that a vulnerability is NOT an attack, but rather a weak point that is exploitable. Hackers
exploit vulnerabilities in order to achieve some goal: to gain control of, damage, or bring down a device or network.

Examples of system vulnerabilities that attackers take advantage of:

Protocol design - attackers can take advantage of weaknesses in communication protocols to gather information and
eventually gain access to the systems they are monitoring.

Commands revealing sensitive information - Unix commands such as “finger” can reveal account information that attackers
can use to break into a system.

Asynchronous transfer mode (ATM) - in a technique called “manhole manipulation”, attackers obtain direct physical access to
network cables and connections in underground parking garages and elevator shafts in order to compromise security.

Software bugs - programmers can never track down, much less eliminate, all of the vulnerabilities that are located in code.
To mount an attack, hackers need only find one vulnerability (e.g. a buffer overflow).

In contrast to vulnerabilities, security threats can be likened to potential violations (malicious or otherwise) of security and
they exist because of the weaknesses found in most systems.

It is important to clarify that cyber-attacks have evolved from the “genius kids” sequestered in a basement, motivated by
curiosity and the pursuit of knowledge and thrill, into vicious cybercriminals, often motivated by significant financial gain and
on occasion sponsored by nation-states, criminal organizations, or even radical political groups. There are motives for
organizations and individuals to exploit cyber vulnerabilities of the Company and mount large-scale attacks. By way of indication,
the most usual of them are listed below, along with the types of groups capable of cyber-attacks:

Group                                    Motivation                   Objective

Activists (including disgruntled         Reputational damage          Destruction of data
employees)                               Disruption of operations     Publication of sensitive data
                                                                      Media attention

Criminals                                Financial gain               Selling stolen data
                                         Commercial espionage         Ransoming stolen data
                                         Industrial espionage         Ransoming system operability
                                                                      Arranging fraudulent
                                                                      transportation of cargo

Opportunists                             The challenge                Getting through cyber security
                                                                      defences
                                                                      Financial gain

States, state sponsored                  Political gain               Gaining knowledge
organizations, terrorists                Espionage                    Disruption to economies and
                                                                      critical national infrastructure

Today’s attacker fits the below profile:

• Has far more resources available to facilitate an attack.
• Has greater technical depth and focus.
• Is well funded.
• Is better organized.

3.1 Categorization of attacks

An attack is defined as an action (unfriendly or vengeful) that is taken with the express purpose of harming an asset or
violating security. It represents an intentional threat. For example, an attack might produce the destruction, modification,
fabrication, interruption or interception of data. Similarly, a system breach might result in the disclosure of confidential
information, the defacement of a website or the disruption of service.

In contrast, actions taken to reduce the harm caused by an attack and/or to mitigate its effect are considered
countermeasures. One of the main objectives of the Cyber-Security Manual is to encourage users to do whatever they can
to neutralize the effect of cyber-attacks, because:

• Attacks are destructive.
• Attacks cost money.
• Attacks result in a loss of confidence; and
• Attacks make it harder to do business.

In general, there are two categories of cyber-attack which may affect companies and ships: untargeted attacks, where a
company's or a ship’s systems and data are one of many potential targets, and targeted attacks, where a company's or a
ship’s systems and data are the intended target. Untargeted attacks are likely to use tools and techniques available on the
internet which can locate, discover and exploit widespread vulnerabilities that may also exist in a company and onboard a
ship. This categorization is based on the means usually employed by attackers to gain access to a ship’s data and systems.

Untargeted-Indirect attacks may use the following techniques:

• Installation of malware with the ability to encrypt data on systems until such time as the distributor decrypts the
information.
• Scanning, or attacking large portions of the internet at random.
• Sending emails containing hyperlinks usually leading to a fake website, to a large number of potential targets
asking for particular pieces of sensitive or confidential information (Phishing).
• Establishment of a fake website or compromise of a genuine website in order to exploit visitors.
• Through interaction via social media, cyber attackers manipulate insider individuals into breaking security
procedures (Social engineering).

Targeted-Direct attacks may be more sophisticated and use tools and techniques such as:

• Individuals are targeted with personal emails, often containing malicious software or links that automatically
download malicious software (Spear-phishing).
• Botnets are used to deliver Distributed Denial of Service (DDoS) attacks which overload the ship’s servers
(Deploying botnets).
• Attacking a Company or ship by compromising equipment or software being delivered to the Company or the
managed ship.

The above examples are not exhaustive. Other methods are evolving, e.g. impersonating a legitimate shore-based employee
in a shipping company to obtain valuable information, which can be used for a further attack. The potential number and
sophistication of tools and techniques used in cyber-attacks continue to evolve and are limited only by the ingenuity of
those organisations and individuals developing them.

3.2 Network-related threats

A network is defined as a group of two or more computer systems linked together. The most common networks are:

• Local-area networks (LANs) - LANs are made up of computers (physically close together) that are connected (by
cable) into a single network (for example, the computers might be located in a single building or department).

• Wide-area networks (WANs) - WANs are made up of computers that are farther apart (geographically separated)
that are connected by telephone lines or fiber optics (for example, the computers might be located in different
regions of the country or in different parts of a city).

• Internet (‘Net) - the ‘Net is a global network comprised of a series of nodes (access points) interconnected by
communication paths. The Internet is considered to be the largest network whose ownership is shared amongst
different entities (governments, public/private corporations, schools/colleges/universities) and is spread across
myriad locations (international, national, regional, and local).

• Virtual Private Networks (VPNs) - VPNs are private data networks built on top of the Internet. Hosts within a VPN use
“encryption” to talk to other hosts; hosts outside the VPN are excluded (even though they are using a public network). In
this way, a VPN ensures that only authorized users can view or “tunnel” into the private network.

Other criteria used to characterize networks are:

• Topology - the geometric arrangement of devices on the network. Common topologies include a bus, star, and ring.
For example, devices on a LAN can be arranged in a straight line.

• Protocol - the common set of rules and signals computers use to communicate on a network. For example, the
web uses the HTTP protocol, file transfers use FTP and the Internet uses TCP/IP.

• Architecture - networks can be broadly classified as using either a client-server (many-to-one) or a peer-to-peer
(one-to-one) architecture.

• Media - devices can be connected to a network using twisted-pair wire, coaxial cables, or fiber optic cables. Some
networks communicate via radio waves.

In addition, networks can be classified in terms of:

- who can use the network (open or closed), whether it carries voice, data or both kinds of signals;
- the issue of ownership (public or private); and
- what type of connection (dial-up or switched, dedicated or non-switched, or virtual connections) is required for
access.

3.2.1 Denial of Service


3.2.1.1 Definition

Denial of service (DoS) attacks (originating from a single computer) and distributed denial of service (DDoS) attacks
(originating simultaneously from several computers) take place over the Internet. DoS attacks can have a malicious
intention, or they can occur accidentally through user/system administrator error or even programming error.

While there are many different types of attacks or exploits that can be mounted against public/ private organizations (more
on that later), DoS attacks are usually designed with a single purpose: to disable the legitimate use of a service in order to
cause disruption and inconvenience. Success is usually measured by how long the chaos lasts.

Examples of DoS attacks include:

• Saturating network resources to prevent users from accessing the network.
• Crashing connections between two computers to disable communications.

Basically, most DoS/DDoS attacks can be divided into three categories:

1) Consumption of scarce resources - these attacks work by opening many connections simultaneously.
2) Destruction or alteration of configuration information - these attacks work by altering routing table contents, and
redirecting network traffic.
3) Physical destruction or alteration of network components - these attacks work by deleting/changing information or
by creating power interruptions.
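The distinction above between a single-source DoS and a distributed DDoS, and the "consumption of scarce resources" category, can be turned into a simple check on the server's half-open connection table. The following is an added example, not part of the manual; the log lines, addresses and thresholds are constructed for illustration.

```python
"""Added example, not from the manual: classify a burst of half-open
connections as a single-source DoS, a distributed DDoS, or normal load.

Each log line is constructed for this example and has the form
'<epoch_seconds> <source_ip> <dest_ip>:<dest_port> <state>', where the
state is SYN_RECV (a half-open connection holding a server slot) or
ESTABLISHED. The thresholds are assumptions; size them to the real
server's connection capacity."""
from collections import Counter

WINDOW_SECONDS = 10           # only look at the most recent 10 seconds
SINGLE_SOURCE_LIMIT = 50      # one host holding this many half-open slots
AGGREGATE_LIMIT = 200         # total half-open slots the service can absorb
MIN_DISTRIBUTED_SOURCES = 20  # "distributed" means many agents, each below the single limit


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, state)."""
    ts, src, dst, state = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return int(ts), src, dst_ip, int(dst_port), state


def half_open_by_source(lines):
    """Count SYN_RECV entries per source inside the window ending at the newest line."""
    parsed = [parse_line(line) for line in lines]
    if not parsed:
        return Counter()
    window_end = max(p[0] for p in parsed)
    counts = Counter()
    for ts, src, _, _, state in parsed:
        if state == "SYN_RECV" and window_end - WINDOW_SECONDS < ts <= window_end:
            counts[src] += 1
    return counts


def classify(counts):
    """Return 'dos', 'ddos' or 'normal' for a per-source half-open count."""
    if not counts:
        return "normal"
    _, top = counts.most_common(1)[0]
    total = sum(counts.values())
    if top >= SINGLE_SOURCE_LIMIT:
        return "dos"    # one client saturating the service on its own
    if total >= AGGREGATE_LIMIT and len(counts) >= MIN_DISTRIBUTED_SOURCES:
        return "ddos"   # many agents, each modest, together exhausting the resource
    return "normal"


def analyze(lines):
    """Return (verdict, per-source counts) for a list of log lines."""
    counts = half_open_by_source(lines)
    return classify(counts), counts


# Constructed samples (documentation address ranges, not real hosts).
SERVER = "192.0.2.10:443"


def sample_dos():
    # one host opens 60 half-open connections within the window
    return [f"{1000 + i % 10} 198.51.100.7 {SERVER} SYN_RECV" for i in range(60)]


def sample_ddos():
    # 25 agents with 10 half-open connections each: below the single limit, above the total
    return [f"{1000 + i % 10} 203.0.113.{n} {SERVER} SYN_RECV"
            for n in range(1, 26) for i in range(10)]


def sample_normal():
    lines = [f"{1000 + i} 198.51.100.{1 + i % 5} {SERVER} ESTABLISHED" for i in range(10)]
    # a stale burst outside the window must not count
    lines += [f"900 198.51.100.9 {SERVER} SYN_RECV" for _ in range(70)]
    return lines


if __name__ == "__main__":
    for name, sample in (("dos", sample_dos), ("ddos", sample_ddos), ("normal", sample_normal)):
        verdict, counts = analyze(sample())
        print(name, "->", verdict, f"({sum(counts.values())} half-open from {len(counts)} sources)")
```
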
3.2.1.2 DoS structure

The critical components that are necessary for a DoS/DDoS attack to take place are as follows:
• The client is the machine from which the hacker coordinates the attack.
• The handler is a compromised host with a special program running on it. These machines (between three and
four) are under the attacker's direct control. They act like “generals on a battlefield” to carry out the attacker's
orders and each handler is capable of controlling multiple agents.
• The agent represents a compromised host that also runs a DoS program. On cue, agents (broadcasters or zombies)
unleash the denial of service attack. Numbering in the thousands, these machines act like the “foot soldiers in the
infantry”, since they are responsible for running the code that figures in the attack.

In order to mount a successful DDoS attack, the attacker needs to compromise several hundred to several thousand hosts.
Using automated tools, a DoS attacker will:

• Initiate a scan phase - a large number of hosts (100,000 or more) are probed for weaknesses. Using port scanning
software, the attacker will try to appropriate root privileges.
• Exploit known vulnerabilities - e.g., hackers will use dictionary and brute force attacks or download a Trojan to gain
a foothold on the user’s machine.
• Install DoS tools - these tools will remain dormant until the time of the attack.
• Iterate and redeploy - the attacker will use the “hostages” to scan and compromise additional hosts.

Because the process is automated, it takes less than 5 seconds for an attacker to disable an unsuspecting host and install
the attack tools. This means that: (i) thousands of poorly secured machines can be commandeered in less than an hour and
(ii) even unskilled individuals (programming-wise) can launch fairly sophisticated attacks. Once the attack vectors are in
place, a DoS attack presents an almost unstoppable threat. Because the attack originates from many different machines,
would-be victims must completely disconnect from the Internet or deny access to all clients (both legitimate and non-
legitimate) in order to fully protect themselves.

3.2.1.3 Implications

As a rule, most DoS attacks do not result in the theft of information or the destruction of hardware/software. Nor do they
affect the confidentiality and/or the integrity of the data. Nevertheless, these attacks tend to be quite devastating. A DoS
attack can negatively impact the target (person or company) in terms of opportunity costs (i.e., lack of availability -
customers go elsewhere; a tarnished reputation - rivals gain a competitive advantage, system outages - productivity suffers,
and/or lost revenues - profit margins are squeezed). In most situations, the shutdown is temporary, but in other cases,
depending on how hard or how concentrated the hit is, the website owner may be forced to cease operations.

Reasons behind DoS attacks are as varied as the perpetrators who mount them. In general, the main motives for launching
a DoS attack are political, revenge and economic. All too often, DoS attacks have no motivation other than to wreak
havoc (virtual vandalism). Plus, they generally don’t result in any gain for the hacker other than the inexplicable “joy” of
rendering the network, or parts of it, inoperable.

3.2.2 Email
3.2.2.1 Definition

Email is primarily a text-based communication system that transmits messages over a computer network. The types of
information that can be sent using email range from Word documents and HTML to graphics and audio/video files. An
email client (consisting of a text editor, address book, file folders, and a communications module) is used to read, write and
send messages.
To be a valid email address, three key elements are required:
• A user ID or handle - this is used to associate a user with an online account.
• A domain name - this represents a unique name that a company, organization, school or Internet service provider
(for example, amazon.com, fsu.edu or aol.com) registers for use on the Internet.
• An “@” symbol - this symbol must be included in the address in order to work.

Thus, a typical email address would look something like:

your.userid@companyname.net

3.2.2.2 Email Security


An email address or the information contained in an email header can be easily spoofed (faked or tampered with). While
some email systems may allow the sender to secure the contents (using encryption), the other parts of an email message
may or may not be correct. Thus, the recipient of the email message is responsible for verifying authenticity. Recall the
following factors that - if taken as a whole - either increase/decrease our confidence that an email message has not been
tampered with and/or compromised:

Confidentiality - protects data from being exposed to the “wrong” person.
Integrity - confirms that data received is the same as data sent.
Authentication - verifies the identity of the organization and/or the user.

To minimize the threat of an attack, email filters can be used to intercept incoming or outgoing emails or to block unwanted
messages. Most software programs offer a quarantine option. A “suspect” message is placed in a separate directory where
the user (depending on what rules have been set up) or the network administrator (depending on what policies have been
established) can decide whether or not the message is allowed.

On the other hand, email monitoring systems do not intercept emails to prevent harmful messages from being sent or
received.
Instead, these programs are used to analyse stored messages for attributes such as offensive words, attachment names and
file sizes. In this way, these programs can be used to detect email abuse patterns or function as a policy enforcer. When
using this kind of software, it is necessary to have a proper email policy in place before installing the software.

3.2.2.3 Suspicious messages

Because almost anything in the “headers” of an email message can be “spoofed”, including the “From” and “Reply To”
addresses (for more information, see Spoofing), it is necessary to double-check before responding to a suspicious email. A
bogus message may appear to be coming from someone known or from a trusted source. Any message that was not
expected should be categorized as more than “a little suspicious”.
Furthermore, a legitimate business will never ask the receiver to reply to an email with personal information such as date
of birth, credit card data, or other critical data such as a password or PIN number. NEVER reply to an email that requests
this kind of information.
If an email instructs you to click on a link in order to supply personal data or update your account profile, make sure that
you don’t end up at a spoofed website, that is, one that appears to be real but is not.
Common sense is the best defense against spoofed email and websites. Any messages that look suspicious - even those
that appear to be from someone known - should be deleted.
3.2.2.4 Email threats

Common email threats include:

Spam: Unsolicited Commercial Email (UCE), bulk email.
Intrusions: Denial of Service (DoS) attacks, unauthorized access.
The main email vulnerabilities come from:
• Weak passwords - using recognizable words that can be found in a dictionary, names of family members or a
family pet, or any information (for anyone known) that can be readily deduced and/or is easy to guess.
• Open file shares - using email clients that do not allow for encryption. Sending an unencrypted email is like
sending a message that has been written on the back of a postcard.
• Missing security patches - system weaknesses that have not been closed or repaired can be exploited by attackers.

3.2.2.5 Email attack vectors

While email attachments are still the biggest hazard, spam is quickly becoming a serious attack vector. Malicious code
“technology” has been moving from attachments into the message itself. Just reading the message can launch an attack.

Combined attacks are also being used. If reading the message is not successful, opening the attachment will be. The
payload of hostile email can be completely hidden. For example, an email in HTML format can contain computer code that
accomplishes the same goal that a malicious attachment would.
Reading the message, or simply viewing it in a preview screen can immediately activate any hidden malicious content. You
can defeat this kind of email by setting up your email client (program) properly.
When dealing with email attachments there are three file types to be aware of as far as security is concerned:
1) Executable files
2) Exploitable files
3) Inactive files
The first two categories involve “active” content that may, or may not, contain hostile code. This means that Windows will
carry out whatever action they have been programmed to perform - good or bad.

3.2.3 Spoofing
3.2.3.1 Definition

“Spoofing” in the context of the Internet occurs when someone assumes an identity without permission. Variations on
spoofing involve: masking, mimicking, impersonating, masquerading and social engineering - i.e., the hacker term for
“tricking” users into revealing passwords and other personal information that can be used to gain access to a user’s private
accounts and assets (e.g., SSNs, PINs, mother’s maiden name, etc.).

However, the simple act of spoofing an identity is not “illegal” (i.e., no hacking is involved in the commission of the act). It
only becomes illegal when a threat of death or violence is involved or personal data are stolen in order to commit fraud or
identity theft.

3.2.3.2 Types of Spoofing


Most users, at one time or another, will encounter a minimum of three types of spoofing:

• IP spoofing - it is beyond the scope of the Cyber-Security Manual to discuss IP spoofing in any detail. Suffice it to
say that masking IP packets is one of the ways that malicious hackers use to breach the security of small business
or home networks. Most systems are configured to allow network traffic coming from a trusted source to pass
through the firewall. All other traffic is denied. To put it simply, before accepting any packets, the firewall
examines the source IP addresses to determine whether they are legitimate or not. A malicious hacker will try to
get past this form of security by "spoofing" the source IP address of packets sent to the firewall.
• Web spoofing - tricks the browser into serving up a different web address than the one it appears to be resolving,
i.e., the URL that you think you clicked on is different from the one that is eventually displayed. This form of
deception is accomplished by:

i. attacking the DNS (domain name system) that maps the web address (e.g., www.website.com) in the URL to a
network location (IP address),
ii. modifying a webpage (i.e., the source code) so it returns a misconfigured URL,
iii. confusing the browser when it tries to interpret a form (e.g., CGI data) or read a script (e.g., Perl, JavaScript, etc.)
and/or
iv. creating a ‘fake’ website that sits between the user and his or her intended destination (note: this type of spoofing
is covered in more detail in the section on Phishing). Once the browser has been tricked into serving up the
wrong webpage, the hacker can send bogus information or prompt the user to provide personal information (e.g.,
passwords, credit card numbers and so forth). Depending on how good the “con” is, the user may not even notice
that s/he has been duped.

• Email spoofing - is the act of forging the “header” information in an email so that it appears to have originated
from a bona fide source (e.g., the network administrator) when in fact, the dubious email has been sent from a suspicious
source (e.g., a hacker, a con artist or a spammer). The main motivation behind a spoofed email is to trick the user into:

i. making a damaging statement,
ii. releasing sensitive information or
iii. clicking on a link that will take the user to a forged webpage.

In addition, email spoofing is a favorite tactic of malicious hackers. They rely on forged email to make it more difficult
for investigators (of a malware attack) to track down the offender(s).

Because SMTP (Simple Mail Transfer Protocol) lacks authentication, it is fairly easy to spoof - particularly if a network
administrator has configured the mail server to allow connections to the SMTP port. This enables any hacker/attacker to
connect to the SMTP port and issue commands that will send email that appears to be from the address of the would-be
con/scam artist's choice (either a valid email address or a fictitious address that has been correctly formatted).

Alternatively, all a user has to do is reconfigure the settings on any standard email client or, if using web-based email,
modify the fields in the web browser interface. Plus, many unscrupulous websites offer services that automate the
creation and distribution of spoofed emails.
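The checks described in Suspicious messages (3.2.2.3) and in the email spoofing discussion above can be automated on the receiving side, since the recipient is responsible for verifying authenticity. The script below is an added example, not part of the manual; both messages, their domains and the Authentication-Results header they carry are constructed for illustration.

```python
"""Added example, not from the manual: score a raw email for the spoofing
indicators described above (a forged From, a Reply-To that diverts answers,
an envelope sender that disagrees with the header, and a failed SPF/DKIM
verdict). Both messages and all domains below are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed spoofed message: the display name claims the fleet IT desk, but the
# Reply-To, Return-Path and the receiving server's SPF verdict say otherwise.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.mailer.example.net (mx.mailer.example.net [198.51.100.25])
 by mail.shipco.example (Postfix) with ESMTP id 4F7C1
Authentication-Results: mail.shipco.example;
 spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none
From: "IT Administrator" <it-admin@shipco.example>
Reply-To: support-desk@shipco-login.example
To: master@shipco.example
Subject: Password expiry: action required

Your mailbox password expires today. Reply with your current password
and PIN so we can renew it.
"""

# Constructed legitimate message from the same apparent sender.
LEGIT_MESSAGE = """\
Return-Path: <it-admin@shipco.example>
Authentication-Results: mail.shipco.example;
 spf=pass smtp.mailfrom=shipco.example;
 dkim=pass header.d=shipco.example
From: "IT Administrator" <it-admin@shipco.example>
To: master@shipco.example
Subject: Planned maintenance

The mail server will be restarted on Sunday at 02:00 UTC.
"""

CREDENTIAL_WORDS = re.compile(r"\b(password|pin|credit card)\b", re.I)


def domain_of(address):
    """Lower-cased domain part of a header address, or '' if the header is absent."""
    _, addr = parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw):
    """Return human-readable reasons the message looks spoofed (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    return_domain = domain_of(msg["Return-Path"])

    # Reply-To sends the answer somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Envelope sender (what SMTP actually used) disagrees with the header From.
    if return_domain and return_domain != from_domain:
        reasons.append(f"Return-Path domain {return_domain} differs from From domain {from_domain}")
    # The receiving server's SPF/DKIM verdict, where it recorded one.
    auth = str(msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        reasons.append("SPF check failed for the envelope sender")
    if "dkim=pass" not in auth:
        reasons.append("no valid DKIM signature")
    # A request for credentials or card data, which a legitimate sender never makes by email.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and CREDENTIAL_WORDS.search(body.get_content()):
        reasons.append("message asks for credentials or financial data")
    return reasons


def is_suspicious(raw):
    return bool(spoofing_indicators(raw))


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(name, "->", spoofing_indicators(raw) or "no indicators")
```
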
3.2.3.3 Social Engineering

Relying on social engineering techniques, hackers are able to get people to reveal information that should be kept secret or
perform tasks outside their norm or behave in ways that are contrary to their own self- interest.

For example, virus writers use social engineering techniques to compel email recipients to open attachments that carry
viruses and worms. They can also use the phone to get users to reveal passwords or other sensitive information. Lastly, it's
not just malware that you need to be on the lookout for. Internet cons (scams, fraud and hoaxes) and to some extent spam,
all require the unwitting cooperation of the user in order to succeed. Not all social engineering takes place via the Internet.
Dumpster-diving for pieces of paper that contain sensitive information (e.g., credit card numbers) is a common ploy.
Another favorite trick is to call up low-level employees and get them to reveal information that hackers will later use to
compromise a system/network.
3.2.4 Phishing

Phishing is a graphic term, coined by hackers to indicate how easily an innocent victim can be “hooked” online. This type of
scam relies on email to drive users to a spoofed website where they are tricked into sharing their passwords or credit card
numbers. Phishing combines the use of email and the web to create a deceptive attack vector.

For example, spam is used to lure users to websites that look like those of reputable companies, and social engineering
techniques are used to pressure users into divulging critical information such as passwords or financial data. Major
corporations that have been hit by this scam include Best Buy, eBay and Citibank. Information obtained in this manner is
later used to commit identity theft.

The main elements involved in phishing (also called “carding”) are:

• The source code of a major website (an ISP, major retailer, a financial services company) is copied.
• A fake email (usually HTML-based) is sent out with a link to the spoofed page.
• The email informs the user that there has been a problem with their account, e.g., the social security number is
missing.
• The recipient is instructed to fix the problem by entering their credit card numbers or other sensitive personal
information at the site or else they risk having their account terminated or access will be denied.

The phishing messages being spammed to users will contain legitimate “From:” email addresses, logos, and links that have
been appropriated from reputable businesses such as AOL, PayPal, Best Buy, Earthlink and eBay. These elements are used
deliberately to confer a feeling of legitimacy and authenticity.

Such sites will ask the receiver to input his name, address, phone number, date of birth, Social Security number, and bank
or credit card account number. Providing this kind of information will leave the person who responds to the query at great
risk for identity theft.
The key thing to remember about phishing is that it is a two-part scam that works as follows: the “look and feel” of a well-
known company is spoofed. This can be done by simply downloading the source code with the images and saving it on
another server.

To the casual observer, the forged website appears to be an exact replica of the original site. Don’t be fooled. There are
some subtle differences and you need to look for these. On first blush, the URL (address) will look real but if you look
closely you’ll notice some hard to detect elements (for example, spaces or underscores or hyphens) that have been added
to give the appearance that the URL is trustworthy.

Another popular modification, called “link alteration” involves the alteration of the return address in a web page to make it
go to the hacker’s site rather than the legitimate site.

This is accomplished by adding the hacker’s address before the actual address in any email, or page that has a request going
back to the original site. To check whether the URL has been modified in this fashion, you need to look at the source code.
Either of these tricks will ensure that anyone who clicks on the link is routed to the spoofed site and not the real one.
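The URL tricks described above (separators added to the address, and a hacker's address placed before the real one) can be checked mechanically before anyone clicks. The script below is an added example, not part of the manual; the HTML body and every domain are constructed, with bank.example standing in for the impersonated company.

```python
"""Added example, not from the manual: inspect the links in an HTML email for
the tricks described above: visible text that differs from the real target,
a real host hidden behind 'name@' in the URL, a bare IP-address host, and a
lookalike hostname padded with hyphens or underscores. The HTML body and
every domain are constructed; bank.example stands in for the imitated company."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

URL_LIKE = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

# Constructed phishing body: one genuine link and three altered ones.
SAMPLE_HTML = """
<p>Dear customer, your account needs verification.</p>
<a href="https://www.bank.example/help">Help centre</a>
<a href="https://www.bank.example@203.0.113.5/login">https://www.bank.example/login</a>
<a href="http://secure-bank.example.net/verify">Verify now</a>
<a href="http://bank_example.com/account">www.bank.example</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname: 'login.bank.example' -> 'bank.example'."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text, trusted_domain):
    """Return the reasons this link should not be trusted (empty list if it looks clean)."""
    reasons = []
    url = urlsplit(href)
    host = (url.hostname or "").lower()
    # 'https://www.bank.example@203.0.113.5/' parses as user 'www.bank.example' on host 203.0.113.5
    if url.username:
        reasons.append(f"real host {host} is hidden behind '{url.username}@'")
    if is_ip(host):
        reasons.append(f"link points at a bare IP address {host}")
    # Visible text that looks like an address but resolves somewhere else
    if URL_LIKE.fullmatch(text):
        shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
        if registered_domain(shown) != registered_domain(host):
            reasons.append(f"link shows {shown} but goes to {host}")
    # Lookalike: the trusted name with separators inserted (bank-example.com, bank_example.com)
    if registered_domain(host) != trusted_domain:
        if re.sub(r"[^a-z0-9]", "", trusted_domain) in re.sub(r"[^a-z0-9]", "", host):
            reasons.append(f"host {host} imitates {trusted_domain}")
    return reasons


def scan_html(html, trusted_domain):
    """Map each suspicious href in the HTML to its list of reasons."""
    collector = LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = check_link(href, text, trusted_domain)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in scan_html(SAMPLE_HTML, "bank.example").items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```
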

Next, the hackers will spam millions of users with a barrage of emails falsely claiming to be from the “real” company. This
email will inform the recipient that if he doesn’t update his account information ASAP, his account will be closed. To
prevent this from happening, the email urges the person to click on the link provided. This link then takes the soon-to-be
victim to a website that contains a form that can be used to input the information.

In addition to personal information, the person may be asked to enter their password or to include their credit card
number. Once the form is submitted, it sends the data to the scammer and it returns the victim back to the “real”
company’s website so he or she won’t suspect anything.
What makes the phishing scam really underhanded is how very convincing it can be. If the victim happens to have an
account with the company named in the email and the company is unaware that this type of fraud is being perpetrated,
then it is very likely the victim will do as instructed. Because it appears to be “legit,” it is not hard to understand why or how
someone might be tricked into believing that they are dealing with a trusted source.

Ironically, the latest batch of phishing scams crosses the line on the meanness scale. The latest scam advises users to sign
up for a “new” service to protect their credit cards from fraud. They ask for updated credit card account information or
other pieces of personal financial information and state that the consumer’s account will be immediately terminated if the
information being requested is not provided.

3.3 Computer – related threats

3.3.1 Malware
3.3.1.1 Definition

Malware - “malicious software” - is defined as any type of program that is introduced into a computer to cause damage,
steal information and/or act in an unexpected or undesirable manner. It is important to note that this kind of code executes
without the express consent of the user. Malware covers the entire gamut of “hostile” code, from viruses, worms and Trojan
Horses to commercial software (unauthorized registration, undisclosed adware, spyware, stealth installation of bundled
apps), device drivers, hacker tools and network sniffers.
Most malware behaviour involves the four E’s: (i) Enter, (ii) Escalate, (iii) Extend, and (iv) Execute.

1) Enter - this represents the primary entrance points where malware can enter a system. Such entrance points are:
files incoming via users, removable disks, downloads or email attachments, data files (Office and HTML) where
scripts are auto-executed, and hacking in through the network (LANs or the Internet). In addition, entrance may be
gained where a limited range of behavior is possible, for example, a script embedded in an HTML email message,
or a scripting language that places limits on what can be done.

2) Escalate - extends the range of possible behaviors from whatever initial beachhead the attacker may have
established. Escalation may exploit secondary entrance points such as backdoors or startup routines.

3) Extend - during this phase, the malware propagates itself and it is similar to the escalate phase except that here,
the malware spreads from machine to machine. Not all malware self-propagates.

4) Execute - this represents the payload, the nature of which may terminate all of the other E’s with the functional
death of the host.
Before downloading or installing any program, the onus is on the user to ensure that the program or script doesn’t contain
any malicious code. When using commercial applications, the vendor should certify that any code used in the development
of the product is malware-free.

Understanding how each piece of malware works is the first step in hardening a system against these types of attacks. The
following section takes a look at each of the major types of malicious code and some of their less notable variations.

3.3.1.2 Viruses
A virus is a code fragment (not an independent program) that spreads by attaching itself to a host, often damaging the host
in the process. The host is another computer program, often a computer operating system, which then infects the
applications that are transferred to other computers. It may damage data directly, or it may degrade system performance
by taking over system resources, which are then not available to authorized users. Upon execution, the virus replicates. The
key issue here is the fact that the user does NOT give his or her permission for the code to run. Viruses are hard to detect as
well as hard to deactivate. They spread widely and have the potential to keep infecting the environment over and over
again.

Most viruses have a two-pronged objective:

(i) propagation, that is to spread themselves from system to system and
(ii) destruction, that is to perform some action (the virus payload) on each system they infect.

The payload varies from virus to virus. Benevolent viruses might be programmed to display an annoying message or alter
the appearance of your desktop whereas a malicious virus might be programmed to destroy data stored on your hard drive
or crash your system.

Most computer viruses are malicious - they can erase your files or lock up whole computer systems. Other computer
viruses are more benign - they don’t do any direct damage other than by spreading themselves locally or throughout the
Internet. Some viruses wreak their effect as soon as their code is executed; other viruses lie dormant until circumstances
cause their code to be executed by the computer. Regardless of intent, computer viruses should always be treated.

3.3.1.2.1 Virus types

In the early days, most viruses started out as someone’s “research project” and these viruses were tightly contained. The
viruses that you are most likely to come in contact with are “in the wild” and were most likely written by amateurs and
pranksters. According to a virus expert, in order for a virus to be considered in the wild, it must spread “as a result of
normal day-to-day operations on and between the computers of unsuspecting users.”

Some viruses masquerade as a fun program (like an electronic greeting card) that secretly infects your system. If you pass
the program along, not realizing that it contains a virus, you will enable the virus to propagate manually.

Viruses can be transmitted as email attachments, as downloads, or be present in a USB stick or CD.

Virus Types

Boot Sector - A boot sector virus replaces or implants itself in the DOS boot sector on diskettes or the Master Boot Record
on hard disks. Boot-sector viruses hide in executable programs (attached to email or shared documents).

File Infector - File infector viruses are hidden in program or application files (.exe, .dll, .pif or .com). These viruses can
be spread through USB sticks/CDs/DVDs, downloads or scripts sent as an attachment to an email note.

Macro - A macro programming language (e.g. Visual Basic) is used to modify commonly used commands such as the ‘Save’
command to trigger a payload. These viruses are activated by opening a shared document file or spreadsheet and they are
transmitted in documents, the most prevalent being Microsoft Word and Excel. These viruses account for about 75 percent
of viruses found in the wild.

Multipartite - A multipartite virus infects both files and the boot sector of a computer system, and this type of virus can
reinfect a system several times before it is finally eliminated.

Polymorphic - Polymorphic viruses are comprised of two parts: (i) the encryption/decryption engine and (ii) the infector.
The crypto engine encrypts/decrypts the infector and each time the virus is activated, it uses a different crypto key.
Because the crypto engine cannot encrypt itself (if it did, there would be no code to decrypt the engine next time the virus
ran) it relies on a form of self-modifying code that changes whenever it is transmitted.

Stealth - A stealth virus hides its presence by making an infected file appear non-infected. SPAM (Stealth, Polymorphic,
Armored, Multipartite) viruses represent the most dangerous and sophisticated form of this type of virus. These viruses are
equipped to disguise themselves from AV software by employing stealth tactics. The virus itself is encrypted and its
structure armored, making the task of writing AV software much harder.

3.3.1.2.2 How does a virus spread?

Strictly speaking, viruses are not the attack vector. They usually function as the payload. The main attack vector for viruses
used to be infected floppy disks; these days, the primary vectors for viruses are email attachments, downloaded files, and
worms. Most viruses are designed to spread from computer to computer. To successfully duplicate itself, a virus must be
permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable programs.

Below is a list of some of the most common ways viruses are transmitted:
• Once a virus has infected your system, it may automatically send out emails containing more copies of the virus
using the address book in your email program.
• A macro virus may attach itself to any document you create or modify. If you send another document to someone
by email, the virus goes along with it.

3.3.1.2.3 What kind of damage can a virus do?

How much damage a computer virus can inflict on your system depends on a number of factors, including how
sophisticated the virus is. Some viruses can delete or change files. They can slow down your system, impairing performance,
or reformat your hard drive, making your computer unusable. Viruses can take advantage of your address book, release
confidential information or email personal data back to the virus developer. Other viruses might plant monitoring software
or change security settings, allowing hackers to enter your computer, take control and steal information.

3.3.1.2.4 Hiding strategies

Viruses employ different kinds of obfuscation. In the old days, viruses (especially under MS-DOS) altered the information
attached to the files they infected, for example the last-updated date and the file size. Another hiding technique was to
infect the hard disk drive instead of the files saved on it. Stealth viruses try to exploit the failings of how modern antivirus
software tries to detect viral infections. Modern state-of-the-art viruses encrypt themselves to avoid detection. This is
often done with a combination of encryption and self-modifying code.
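
The hiding techniques described above (tampering with a file's recorded size and timestamp, or leaving them untouched so
that an infected file looks unchanged) are the reason an integrity check must compare file contents and not only metadata.
The following is an added example in Python and is not part of this manual: it records a baseline of size, modification time
and SHA-256 for a set of files and reports which attribute changed. The file names "app.exe" and "tool.exe" and the
simulated same-size, timestamp-preserving modification are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash the file contents in chunks so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(paths):
    """Record size, modification time and content hash for each file in a trusted state."""
    baseline = {}
    for path in paths:
        st = os.stat(path)
        baseline[path] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": sha256_of(path)}
    return baseline


def check_against_baseline(baseline):
    """Return {path: [changed attributes]} for every file that no longer matches the baseline."""
    findings = {}
    for path, rec in baseline.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        st = os.stat(path)
        changed = []
        if st.st_size != rec["size"]:
            changed.append("size")
        if st.st_mtime_ns != rec["mtime_ns"]:
            changed.append("mtime")
        # The content hash is the one check that metadata tricks cannot defeat.
        if sha256_of(path) != rec["sha256"]:
            changed.append("content")
        if changed:
            findings[path] = changed
    return findings


def demo():
    """Constructed scenario: two 'program' files, one of which is modified in place with its
    size and timestamp left exactly as they were (the stealth behaviour described in the text)."""
    workdir = tempfile.mkdtemp()
    try:
        app = os.path.join(workdir, "app.exe")
        tool = os.path.join(workdir, "tool.exe")
        with open(app, "wb") as fh:
            fh.write(b"A" * 1024)
        with open(tool, "wb") as fh:
            fh.write(b"B" * 1024)
        baseline = take_baseline([app, tool])

        before = os.stat(app)
        with open(app, "r+b") as fh:   # same-size overwrite, so the size check stays quiet
            fh.write(b"Z" * 16)
        os.utime(app, ns=(before.st_atime_ns, before.st_mtime_ns))  # timestamp put back

        findings = check_against_baseline(baseline)
        # Only the content check fires: {"app.exe": ["content"]}
        return {os.path.basename(p): v for p, v in findings.items()}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken when a system is known to be clean (for example at delivery or after a verified
reinstallation), stored off the system it describes, and re-checked on a schedule or after any removable-media update; a
reported "content" change with no corresponding "size" or "mtime" change is exactly the signature the paragraph above
warns about.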
3.3.1.3 Worms

3.3.1.3.1 Definition

Worms are similar to viruses. They share the same goals of propagation and payload delivery but they differ in terms of
operation mode. A virus attaches itself to, and becomes part of, another executable program, whereas a worm is self-
contained. It does not need to be part of another program to propagate, nor does it alter any files.

Instead, worms reside in active memory and they use the facilities of an operating system that are meant to be automatic
and invisible to the user. It is not uncommon for worms to be noticed only when their uncontrolled replication consumes
system resources, slowing or halting other tasks.

Because of their ability to spread independently, worms are able to cause a great amount of destruction in record time.
Millions of computers can be attacked in minutes, spreading exponentially like an epidemic of human disease, or a nuclear
chain reaction amongst fissionable atoms.

3.3.1.3.2 Disruption

Worms cause disruption in several ways. First, they use a newly compromised computer to look for more vulnerable
computers. Second, they use up network and system resources as they spread. The more systems they infect, the greater
the amount of traffic they generate.

Like viruses, worms may damage data directly, or they may degrade system performance by consuming system resources
and even shutting down a network. Other ways that worms can cause indirect damage include:

• Degrading service levels (worms can generate a phenomenal amount of network traffic);
• Sending junk emails (that may include information from/about the victim);
• Moving/deleting information on the victim system;
• Installing backdoors for subsequent misuse; and
• Permitting spammers to use victims' machines for sending spam while hiding their own tracks.

3.3.1.3.3 How do worms work?

Regardless of the OS, all worms need several interdependent components to cooperate in order to work. They need: (i) a
spread algorithm for finding other hosts, (ii) one or more exploits allowing them to break into other computers remotely,
and (iii) a payload, which is what the worm does to your computer after it has broken into it, other than just using it to
spread.

Usually, a user may be unaware that his/her computer has been infected by a worm until it is too late, in part because a
worm can infect a single machine and then propagate to another machine while removing itself as it moves along. On the
other hand, a worm can remain silent and invisible, idling in the background, until certain conditions are met.

However, once a worm is activated, it can send back information, trigger alarms, create status messages, or take any other
actions for which it has been programmed. They can carry any kind of payload (from viruses to Trojan Horses).

In fact, the newer class of worms has evolved into a highly efficient multi-headed attack vector that can carry several
executables as their payload.

3.3.1.4 Trojan Horses

A Trojan horse is an independent program that appears to perform a useful function but in reality, it hides an unauthorized
program that allows the collection, exploitation, falsification, or destruction of data, without the user’s permission.
Trojan horses are similar in function to remote administrative tools (RATs) that are used by system administrators to install
programs or update files on multiple computers from a central location. However, most Trojan horses found “in the wild”
are illicit RATs.

A Logic Bomb is a special type of Trojan horse. It includes a feature (such as a timer) that causes it to perform some
destructive or security-compromising activity. A logic bomb will lie dormant until certain threshold conditions/criteria are
met. Crossing the threshold will activate the logic bomb code.
The threat posed by logic bombs tends to come from insiders (for example, disgruntled or former employees). A Hijacker is
a Trojan horse that resets your browser’s home page and/or search settings to point to another site (for example, one
containing porn) loaded with advertising.

A new breed of malware, called uber-Trojans, is capable of completely hiding itself. These process-injecting Trojan horses
attach themselves to a key process in Windows and then they proceed to deactivate any firewalls, antivirus programs, or
anti-Trojan horse programs that might be installed on the machine. Once that mission is accomplished, the user is no longer
in control of the computer, much less its assets.

3.3.1.4.1 How do Trojans work?

A Trojan horse has two parts: a server and a client. Contrary to expectation, the server is installed on the victim’s machine
and it contains a program or file that masks the Trojan horse. The client remains on the attacker’s system. Once the server
is resident on the machine, the Internet is used to establish a connection between the victim’s machine and the attacker.
Using remote access, the attacker can perform almost the same actions as if he was right there - copy/view/delete
information from the hard drive, run applications, change settings, and control the infected computer’s hardware. All of this
can be done without the user of the infected machine being aware that the computer has been taken over by a hostile
party. In fact, a user may never realize that a Trojan horse has been mounted on his machine, or he will discover it only by
accident.

In theory, there is no limit to what a Trojan horse can do. In reality, most are used as a backdoor, or trapdoor - the classic
example is Back Orifice.

Hackers also use Trojan horses to turn personal computers (PCs) into “zombies.” It is not uncommon for an unwitting user
to get “a knock on the door” because the FBI has traced a denial of service attack back to his IP address. Or worse still, the
user is served a subpoena because a stash of pirated “warez” (hacker tools), put there by somebody else, is discovered on
his or her PC.

Most Trojan horses are spread by infiltrating small utility programs (for example, screen savers, desktop wallpaper, games,
pirated warez) or applications (for example, spreadsheets, web pages, greeting cards). They can be sent via email, or they
can hide in a worm. Trojan horses can be installed on your machine by another user, or they may come bundled with decoy
software (that is, when opened, the program does what it’s supposed to do, plus it secretly installs a Trojan horse in the
background). Nor is it unusual to find that one or more have been secretly installed on one machine, just waiting for
someone to sniff them out. There are thousands of hackers scanning the Internet at any one time, looking for Trojan horses
that can be used for mischief making.

Worms aren’t the only means for spreading Trojan horses. Peer to Peer (P2P) file sharing programs have become another
popular attack vector. Grokster and Limewire were used to spread W32.DIDer, a Trojan horse that was designed to copy
user ID names and Internet addresses. To eliminate the vulnerability, these companies were forced to rewrite their
software. Likewise, attackers are also taking advantage of vulnerabilities in Instant Messaging to hide Trojan horses.

The key point to remember when dealing with this type of attack vector: Trojan horses do not need to infect a network,
system, disk, or file in order to spread. They rely on someone (users, hackers) or something (programs, files, other malware)
to execute them.

3.3.1.5 Trojans vs. Worms vs. Viruses

A Trojan horse differs from a virus in that it is a stand-alone program. Usually a virus is a portion of code that targets
specific applications such as Microsoft Word or Excel, whereas a Trojan horse does not require a host program in which to
embed itself. A Trojan horse differs from a worm in that it does not move from one computer to another on its own. A
person must transfer it intentionally, using some type of container, that is, an email attachment, script, program, and so on.
Worms generally act as the attack vector and a Trojan horse or virus functions as the payload. In addition, the newer Trojan
horses are being used to lay the groundwork for Distributed Denial of Service (DDoS) attacks.

While Trojan horses are not much different from the vectors that deliver viruses or worms, there is a key difference and
that has to do with purpose. Viruses and worms are explicitly designed to cause disruption and they make themselves
known by the damage they produce. For Trojan horses, just the opposite is true. They try to stay hidden for as long as they
can so that the attacker can take control of the machine.
3.3.1.6 Spyware

Spyware is defined as any product that employs a user’s Internet connection in the background to send information to
another destination on the Internet. Most commercial spyware programs are fairly innocuous: these companies gather
information to build user profiles for statistical data, or to repackage and sell consumer information to third parties for
targeted advertising. For this reason, they collect referrer information (log data that reveals what URL you linked from), IP
address (identifies location on the Internet) and system information (time of visit, type of browser used, operating
system/platform and CPU speed).

Other programs, bundled with free software, may contain spyware that scans for proprietary data and communicates with
unauthorized remote hosts. This latter type of malicious code has recently come to public attention and is now raising
alarm bells. Many of these spyware programs, which are installed without users’ express permission, pose significant
security and privacy risks.

Spyware differs from adware in that it involves a two-way flow of information, whereas most adware involves only a one-
way flow. In this respect, spyware has the ability to act like a Trojan horse, allowing your machine to be controlled by a
third party. Unless you have installed a host-based firewall that reports network activity, you may not be aware that many
common personal productivity programs (for example, Microsoft Money) and some hardware (for example, a wireless
mouse and keyboard) communicate with the vendor at regular intervals. This form of spyware is often referred to as
“nagware.”
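
A host-based firewall that reports network activity, as the paragraph above suggests, only helps if someone reviews its log
for the regular call-home pattern the paragraph describes. The following is an added example in Python and is not part of
this manual: it parses a constructed log of outbound connections and flags process/destination pairs that connect at
near-constant intervals. The log format, the process names and the IP addresses (taken from documentation address
ranges) are all assumptions made for the demonstration and do not describe any real product or host.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connections in an assumed host-firewall-like format.
# The addresses come from documentation ranges and the process names are invented.
SAMPLE_LOG = """\
2024-03-01T08:00:00 ALLOW OUT proc=updater.exe dst=203.0.113.10:443
2024-03-01T08:01:12 ALLOW OUT proc=browser.exe dst=198.51.100.7:443
2024-03-01T08:05:00 ALLOW OUT proc=updater.exe dst=203.0.113.10:443
2024-03-01T08:07:45 ALLOW OUT proc=browser.exe dst=198.51.100.9:443
2024-03-01T08:10:00 ALLOW OUT proc=updater.exe dst=203.0.113.10:443
2024-03-01T08:15:00 ALLOW OUT proc=updater.exe dst=203.0.113.10:443
2024-03-01T08:20:00 ALLOW OUT proc=updater.exe dst=203.0.113.10:443
2024-03-01T08:22:30 ALLOW OUT proc=browser.exe dst=198.51.100.7:443
"""


def parse_log(text):
    """Turn each log line into (timestamp, process, destination); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[1] != "ALLOW" or parts[2] != "OUT":
            continue
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        if "proc" not in fields or "dst" not in fields:
            continue
        records.append((datetime.fromisoformat(parts[0]), fields["proc"], fields["dst"]))
    return records


def find_periodic_talkers(records, min_connections=4, max_jitter=0.1):
    """Group connections by (process, destination) and flag groups whose gaps between
    successive connections are nearly constant. Returns {(process, destination): seconds}."""
    by_peer = defaultdict(list)
    for ts, proc, dst in records:
        by_peer[(proc, dst)].append(ts)

    flagged = {}
    for key, times in by_peer.items():
        if len(times) < min_connections:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: 0 means perfectly regular, larger means human-like irregularity.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = round(avg)
    return flagged


if __name__ == "__main__":
    for (proc, dst), interval in find_periodic_talkers(parse_log(SAMPLE_LOG)).items():
        print(f"{proc} -> {dst} every {interval} s: confirm this is an approved vendor check-in")
```

On the sample, only the updater is flagged (every 300 seconds); the browser traffic is irregular and spread over several
destinations. A flagged pair is a lead for review rather than a verdict: as the text notes, legitimate productivity software
and hardware also check in with their vendor on a schedule, so the follow-up is to confirm each periodic talker against the
list of approved software and destinations.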

Most spyware is considered “anti-consumer” because it is primarily designed to:

• Collect information (personal, financial and behavioural)
• Transmit a unique code (for tracking purposes)
• Log keystrokes/make screen captures/record conversations
• Monitor computer use and habits
• Reinstall itself, even if it has been removed
• Perform any other actions for which it has been programmed

ALL without the user’s knowledge or consent.

3.4 Stages of cyber attack

Cyber-attacks are conducted in stages. The length of time taken to prepare a cyber-attack can be determined by the
motivations and objectives of the attacker, and the resilience of technical and procedural cyber security controls
implemented by the company, including those onboard its ships.
The four stages of an attack are:

• Survey/Reconnaissance: Open/public sources are used to gain information about the Company, ship or seafarer
which can be used later on to prepare for a cyber-attack. Social media, technical forums and hidden properties in
websites, documents and publications may be used to identify technical, procedural and physical vulnerabilities.
The use of open/public sources may be complemented by monitoring (analysing) the actual data flowing into and
from a company or a ship.

• Delivery: Attackers may attempt to access Company and ship systems and data, either remotely or directly from
inside the Company or ship. Examples of methods used to obtain access include:
 - Company online services, including cargo or consignment tracking systems,
 - Sending emails containing malicious files or links to malicious websites to personnel,
 - Providing infected removable media, for example as part of a software update to an onboard system,
 - Creating false or misleading websites which encourage the disclosure of user account information by
 personnel.

• Breach: The extent to which an attacker can breach a company or ship system will depend on the significance of
the vulnerability found by an attacker and the method chosen to deliver an attack. It should be noted that a breach
might not result in any obvious changes to the status of the equipment. Depending on the significance of the
breach, an attacker may be able to:
 - make changes that affect the system’s operation, for example interrupt or manipulate information used
 by navigation equipment,
 - gain access to commercially sensitive data such as cargo manifests and/or crew data,
 - achieve full control of a system, for example a machinery management system.

• Effect: The motivation and objectives of the attacker will determine what effect they have on the Company or ship
system and data. An attacker may explore systems, expand access and/or ensure that they are able to return to
the system in order to:
 - access commercially sensitive or confidential data about cargo and crew to which they would otherwise
 not have access,
 - manipulate crew or cargo manifests; this may be used to allow the fraudulent transport of illegal cargo, or
 facilitate thefts,
 - cause complete denial of service on business systems,
 - enable other forms of crime, for example piracy, theft and fraud,
 - disrupt normal operation of the company and ship systems, for example by deleting critical pre-arrival
 information or overloading company systems.

It is crucial that users of IT systems onboard ships are aware of the potential cyber security risks and are trained to identify
and mitigate such risks.

4. Identify Vulnerabilities

In order to address the cyber risk, the Company shall initially perform an assessment of the potential threats that may
realistically be faced. This should be followed by an assessment of the systems and procedures on board, in order to map
their robustness to handle the current level of threat. These vulnerability assessments should then serve as the foundation
for a senior management level discussion/workshop, facilitated by internal experts or supported by external experts,
resulting in a strategy centred around the key risks.
The purpose of performing the cyber security assessment is to adopt a risk management approach to assessing and
mitigating the risks associated with the threat actors that are relevant to the ship or ships that are being assessed. The
benefits of adopting this approach are that cyber security risks may be prioritised, enabling appropriate and proportionate
investment to be made in a portfolio of security controls to mitigate those risks with potentially the greatest impact.
These assessments should encompass the ship as a complete cyber physical engineered system and will involve:
a) identification and evaluation of essential or sensitive assets and infrastructure (for example, facilities, systems and
data) considered important to protect and the external infrastructure systems upon which they depend;
b) identification of the ship's business processes using the assets and infrastructure, so as to assess criticality of
assets and understand any internal and external dependencies;
c) identification and assessment of risks arising from possible threats to the assets and infrastructure, vulnerabilities
and the likelihood of their occurrence, in order to establish the need for and to prioritise security measures;
d) identification, assessment, selection and prioritisation of security controls and procedural changes, based on their
costs, the level of effectiveness in reducing the risk and any impact on the ship's operations; and
e) identification of the acceptability of the overall residual risk, including human factors, and weaknesses in the
infrastructure, policies and procedures, based on the portfolio of security controls that have been selected.

Where these assessments do not cover the full range of potential cyber security threats, the Company/ship should produce
a new assessment that includes each of the aspects listed in this section.

4.1 Determination of vulnerability

The Company:
• runs periodic vulnerability scans against its systems, seeking gaps in protective coverage and in configuration of
systems;
• considers the connections of each system with reported vulnerabilities to determine the criticality of those
vulnerabilities and the priority to be assigned for patching those systems; and
• has a process by which recognized and discovered vulnerabilities from scans and asset assessments are fed back to
the risk assessment process for prioritization and decisions on mitigation actions.

In general, stand-alone systems will be less vulnerable to cyber-attacks compared to those attached to uncontrolled
networks or directly to the internet. Care should be taken to understand how critical shipboard systems might be
connected to uncontrolled networks. When doing so, the human element should be taken into consideration, as many
incidents are initiated by personnel actions. Onboard systems could include:
• Bridge systems. The increasing use of digital, networked navigation systems, with interfaces to shore side networks for
update and provision of services, makes such systems vulnerable to cyber-attacks. Bridge systems that are not connected to
other networks may be equally vulnerable, as removable media are often used to update such systems. A cyber incident
can extend to service denial or manipulation, and therefore may affect all systems associated with navigation, including
ECDIS, GNSS, AIS, VDR and Radar/ARPA.

• Cargo management systems. Digital systems used for the management and control of cargo, may interface with a variety
of systems ashore. Such systems may also include shipment-tracking tools. Interfaces of this kind make cargo management
systems and data in cargo manifests vulnerable to cyber-attacks.

• Communication systems. Availability of internet connectivity via satellite and/or other wireless communication can
increase the vulnerability of ships. The cyber defence mechanisms implemented should be carefully considered but should
not be solely relied upon to secure every shipboard system and its data.

• Access control systems. Digital systems used to support access control to ensure physical security and safety of a ship
and its cargo, including surveillance, shipboard security alarm and electronic “personnel-on-board” systems.

• Propulsion and machinery management and power control systems. The use of digital systems to monitor and control
onboard machinery, propulsion and steering makes such systems vulnerable to cyber-attacks. The vulnerability of such
systems can increase when they are used in conjunction with remote condition-based monitoring and/or are integrated
with navigation and communications equipment on ships using integrated bridge systems.

• Administrative and crew welfare systems. Onboard computer networks used for these purposes are particularly
vulnerable when they provide internet access and email. These systems should be considered uncontrolled and should not
be connected to any safety critical system on board.

Ships are becoming more and more integrated with shoreside operations because digital communication is being used to
conduct business, manage operations and stay in touch with head office. Furthermore, critical ship systems essential to the
safety of navigation, power and cargo management have been increasingly digitalised and connected to the internet to
perform a wide variety of legitimate functions such as:

• engine performance monitoring,
• maintenance and spare parts management,
• cargo, crane and pump management,
• voyage performance monitoring.

The above list provides examples of this interface and is not exhaustive. The above systems provide data which may be of
interest to cyber criminals to exploit. Modern technologies can add vulnerabilities to the ships especially if there are
insecure designs of networks and uncontrolled access to the internet. Additionally, shoreside and onboard personnel may
be unaware of how some equipment providers maintain remote access to shipboard equipment and its network system.
The risks of misunderstood, unknown and uncoordinated remote access to an operating ship should be taken into
consideration as an important part of the risk assessment.
The following are common cyber vulnerabilities, which may be found onboard existing ships and on some newbuild ships:
• obsolete and unsupported operating systems,
• outdated or missing antivirus software and protection from malware,
• inadequate security configurations and best practices, including the use of default administrator accounts and
passwords, and ineffective network management which is not based on the principle of least privilege,
• shipboard computer networks, which lack boundary protection measures and segmentation of networks,
• safety critical equipment or systems always connected with the shore side,
• inadequate access controls for third parties including contractors and service providers.

The following should be considered regarding makers and third parties including contractors and service providers:

• The maker’s and service provider’s cyber security awareness and procedures: Many of these companies lack cyber
awareness training and governance in their own organizations and this may represent more sources of vulnerability, which
could result in cyber incidents. The companies should have an updated cyber security company policy, which includes
training and governance procedures for accessible IT and OT onboard systems.

• The maturity of a third-party’s cyber security procedures: The shipowner or Management company should query the
internal governance for cyber network security and seek to obtain a cyber security assurance when considering future
contracts and services. This is particularly important when covering network security if the ship is to be interfaced with the
third-party.

At shore-based locations, the IT infrastructure, including the server room and desk workstations, should also be considered
vulnerable to cyber-attacks. The cyber security of these systems should follow the same principles as for the onboard
systems, and it is the responsibility of the IT department to assess the risk and the extent to which they are exposed to
cyber-attacks.

5. Risk assessment

The risk assessment process starts by assessing the systems on board, in order to map their robustness to handle the
current level of cyber threats. Thus, it is necessary to physically test and assess the IT and OT systems on board as follows:

1. Identification of existing technical and procedural controls to protect both the onboard IT and OT systems and the
office IT and OT systems that are vulnerable, the specific vulnerabilities identified, including human factors, and
the policies and procedures governing the use of these systems;
2. Identification and evaluation of key shipboard operations that are vulnerable to cyber-attacks; and
3. Identification of possible cyber incidents and their impact on key shipboard operations, and the likelihood of their
occurrence in order to establish and prioritize mitigating measures.

The Company shall:

a) perform periodic risk assessments by revisiting operating assumptions regarding capabilities and systems
monitoring needs.
b) exercise due care and due diligence concerning cybersecurity assets, risks, and protective systems, provisioning
appropriate capabilities that yield protections which can be judged adequate against expected threats.
c) use a construct, or a framework, to frame the methods and techniques required to bring all cybersecurity actions,
automated systems and risk management processes into a single management system.

5.1 Activity Phases

Phase 1: Pre-assessment activities

Prior to commencement of a cyber security assessment onboard, the following activities should be performed:
• Map the ship’s key functions and systems and their potential impact levels;
• Identify main providers of critical shipboard IT and OT equipment;
• Review detailed documentation of critical OT and IT systems, and their interfaces;
• Identify cyber security points-of-contact at each of the providers and establish working relationships with them;
• Review detailed documentation of the ship’s maintenance and support of its IT and OT systems;
• Establish contractual requirements and obligations that the Company may have for maintenance and support of
shipboard networks and equipment; and
• Support, if necessary, the risk assessment with an external expert to develop detailed plans and include makers
and service providers.

Phase 2: Ship assessment

The goal of the assessment of a ship’s network and its systems and devices is to identify any vulnerabilities that could
compromise or result in a loss of service of the equipment, system, network, or even the ship. These vulnerabilities and
weaknesses may be of technical nature such as software defects, or outdated or unpatched systems, or of design, such as
access management or implementation errors.

The activities performed under the assessment should include a build and configuration review of computers, servers,
routers and firewalls. The assessment should also include reviews of all available cyber security documentation and
procedures for connected OT systems and devices.

Phase 3: Debrief and vulnerability review/reporting

Following the assessment, each identified vulnerability should be evaluated for its potential impact and the probability of
its exploitation. Recommended technical and/or procedural corrective actions should be identified for each vulnerability in
a final report.

The cyber security assessment report should include:

• Executive summary – a high-level summary of results, recommendations and the overall security profile of the
assessed environment, facility or ship;
• Technical findings – a detailed, tabular breakdown of discovered vulnerabilities, their probability of exploitation,
the resulting impact and appropriate technical fix and mitigation advice;
• Supplementary data – a supplement containing the technical details of all key findings and comprehensive analysis
of critical flaws. This section should also include sample data recovered during the penetration testing of critical or
high-risk vulnerabilities;
• Appendices – detailed records of all activities conducted by the cyber security assessment team and the tools used
during the engagement.

Phase 4: Provider debrief

Relevant findings may need to be sent to the providers of the affected systems. Any findings could be further analyzed with
support from external experts, to ensure that a full risk and technical understanding of the problem is achieved. This
supporting activity is intended to ensure that any remediation plan developed by the provider is comprehensive in nature
and the correct solution to eliminate the vulnerabilities is identified.
5.2 Impact assessment
The confidentiality, integrity and availability (CIA) model provides a framework for assessing the vulnerability to, and
impact of:
• unauthorised access to and disclosure of information or data about the ship, crew, cargo and passengers
• loss of integrity, which would modify or destroy information and data relating to the safe and efficient operation
and administration of the ship
• loss of availability due to the destruction of the information and data and/or the disruption to services/ operation
of ship’s systems.

Potential impact: Low
Definition: The loss of CIA could be expected to have a limited adverse effect on Company and ship, organizational assets,
or individuals.
In practice: A limited adverse effect means that a security breach might: (i) degrade ship operation to an extent and
duration that the organization is able to operate but the effectiveness of the functions is noticeably reduced; (ii) result in
minor damage to organizational assets; (iii) result in minor financial loss or minor harm to individuals.

Potential impact: Moderate
Definition: The loss of CIA could be expected to have a substantial adverse effect on Company and ship, assets, or
individuals.
In practice: A substantial adverse effect means that a security breach might: (i) significantly degrade ship operation to an
extent and duration that the organization is able to operate, but the effectiveness of the functions is significantly reduced;
(ii) result in significant damage to organizational assets; (iii) result in significant financial loss or in significant harm to
individuals that does not involve loss of life or serious life-threatening injuries.

Potential impact: High
Definition: The loss of CIA could be expected to have a severe or catastrophic adverse effect on Company and ship
operations, Company and ship assets, or individuals.
In practice: A severe or catastrophic adverse effect means that a security breach might: (i) severely degrade or cause loss of
ship operation to an extent and duration that the organization is not able to perform one or more of its primary functions;
(ii) result in major damage to organizational assets; (iii) result in major financial loss or in severe or catastrophic harm to
individuals involving loss of life or serious life-threatening injuries.

5.3 Reducing/ Managing the risk

The Company shall:

a) use a risk management method or conceptual framework to contain and contextualize all cybersecurity and
related risk issues into a risk management and handling system.
b) not pursue “perfected” security, but rather seek a sustainable and acceptable risk posture that is economical,
feasible and supportable.
c) communicate information system and data risks relating to financial stability, brand reputation and operations
integrity, in terms that its stakeholders will understand.
d) define a risk tolerance strategy, monitoring the risk indicators that support that risk tolerance strategy.
e) link security controls to the compliance reporting requirements, so that reporting indicates the degree of
attainable security, not simple compliance.
f) define risk to sufficient detail as to allow intelligent procurement of cyber insurance as a risk sharing mechanism,
when the organization’s cybersecurity maturity allows for the decisions that support insurance.

There are occasions during the lifecycle of a ship where the normal controls are invalidated, such as when there is no
control over who has access to the onboard systems (for example during dry-docking, or when taking over a new or existing
ship, where it is impossible to know whether malicious software has been left in the onboard systems), when third-party
technicians connect via remote access to perform maintenance, read system data or troubleshoot, or when service providers
or authorities connect removable media directly to an onboard system. How to deal with such occasions has to be
considered separately.

Cyber security defenses may be technical and focused on ensuring that onboard systems are resilient to cyber-attacks.
Defenses may also be procedural covered by Company policies, safety management procedures, security procedures and
access controls. Both technical and procedural controls should be compatible with the CIA model for protecting data and
information. Implementation of cyber security controls should be prioritized, focusing first on those defenses, or
combinations of defenses, which offer the greatest benefit.

6. Developing protection measures

Cyber security starts at the senior management level of the Company, instead of being immediately delegated to the Ship
Security Officer or the head of the IT department. There are several reasons for this:

1. Initiatives to heighten cyber security may at the same time affect standard business procedures and operations,
rendering them more time consuming or costly. Moreover, they might be related to crew training and business
processes which are out of the reach of the IT department, while also affecting the Company’s interaction with
third parties such as customers, suppliers and authorities.
2. Only when the above have been decided upon will it be possible to clearly outline the IT requirements of cyber
security.
3. Based on the strategic decisions in general, and the risk versus reward trade-offs, relevant contingency plans are
established for handling cyber incidents should they occur.

The Company shall:

a) share threat information including technical information to promote greater awareness and resistance to attacks;
b) use regional and national resources to gain access to recent vulnerability and threat information relevant to its
assets;
c) actively engage and train all personnel, on cybersecurity practices, potential impacts of cybersecurity risks and
ongoing issues due to cybersecurity in the organization’s environment and context;
d) prioritize key risk areas for investment and improvement to keep cyber risks understood and manageable; and
e) consider cyber security as at least equivalent to economics when pursuing system, process, or architecture
changes.

Furthermore, the Company shall:

a) match cyber security tasks to required skills, building employee skills for long-term development of experience and
institutional knowledge.
b) perform periodic capability assessments to confirm that organizational leadership understands current cyber
security status, personnel and organizational capabilities and gaps in processes, staffing or systems.

With a large proportion of security breaches caused by people and poor processes, it is essential that personnel, process
and physical aspects directly related to the technological systems for which cyber security measures are required, are also
considered and appropriate measures put in place. For example, sensitive ship systems must be protected from
unauthorised access or modification as follows:

a) physical – the system and its components are located in a restricted access area, to which only personnel who have
been authorised for access are permitted unsupervised access; a log of all authorised personnel is kept and regularly
updated;
b) personnel – personnel with privileged (administrative, engineering or technical support) access to the systems are
subject to pre-employment screening and periodic background checks;
c) process – processes are in place to ensure that all access to the systems is monitored and logged and that
personnel accessing controlled spaces or sensitive systems, who were not subjected to the screening and
background checks, are supervised by a person who is authorised to access the systems;
d) technical – measures are in place to check any removable media or portable devices that will be connected to the
system for malware (for example, software updates on USB memory sticks or diagnostic software on laptops or
tablet devices). Access to system consoles, displays, etc. is password protected.

The measures required in each of the aspects above will also depend on the level of resilience that the ship may call upon.

Regular training and assessment should be established for all those who are granted “authorised” status for access to
systems and subsystems to ensure that appropriate cyber hygiene is carried out when accessing systems for whatever
reason.

6.1 Information Security Manager

Duties and responsibilities

The Information Security Manager is responsible for:

• Monitoring all information/technology operations and infrastructure.
• Monitoring internal and external Cyber Security Policy compliance.
• Detailing out the security incident response program.
• Ensuring Cyber Security stays on the organizational radar and implementing new technology.
• Initiating, developing and maintaining information security policies and procedures and ensuring that the security
strategies are being followed, in order to meet the organizational security goals and standards.
• Identifying and resolving the security risks involved, performing assessments of security risks and functioning as
an auditor for security.
• Documenting all the security policies and promoting activities and procedures to create a general awareness about
the significance of security within the organization.
• Reviewing the security plans that have been implemented on the systems throughout the entire network of the
organization.
• Acting as a liaison to the information systems department, monitoring its compliance and directing unresolved
issues to the appropriate department.
• Monitoring the internal control systems so as to ensure accessibility whenever it is required by users.

Heads of departments are responsible for:

• Promptly reporting problems and breakdowns in communication systems to the IT Manager so that remedial
measures can be implemented as soon as possible.

The Master of the ship is responsible for:

• Ensuring that all personnel onboard can communicate effectively in order to carry out their duties, having due
regard to the Company's Cyber Security Policy.
• Confidentiality: all shore personnel, the Master and all sea-going personnel involved in preparing and handling
incoming or outgoing messages, whether containing Company confidential information or information of a more
general nature, observe and ensure the confidentiality of communications to the extent required by the Company and
applicable international or local regulations.

6.2 Providing Standards and Governance

a. Cyber issues focus on risks to the organization, investments required to address those risks and personnel and
staffing needed for solid programs.
b. Cybersecurity information provided to the Top Management is of sufficient quantity and frequency to enable solid
understanding of cybersecurity risks, necessary mitigation efforts and trade-off decisions about those risks.
c. The organization has an appointed and empowered Information Security Manager whose responsibilities unify all
information technology, information systems and data systems security in a single point of accountability.
d. The organization has a governance structure that makes timely decisions about cybersecurity, systems and risk,
balancing required investments, business rules, and operations in order to minimize possible risks and maximize
benefits from expenditures.

6.3 Provision of Perimeter Defence and Physical Security

The Company:

a. understands its networked systems and decides on protective systems based on the functions they provide, rather
than the category or brand name. The functions integrate within the security organization to provide more
complete knowledge of operational security;
b. retains tools that are effective when they are used by experienced, trained personnel who have the access and
insight to interpret the tools’ output as required actions;
c. screens communication paths and messaging (e.g., email or social messaging methods) prior to its delivery into the
organization, or to the recipient’s mailbox, in order to detect and remove any hazardous files, attachments, or
links;
d. protects perimeter or protective equipment, appliances or systems against unauthorized access by use of
screening mechanisms, access control lists, complex passwords and/or two-factor authentication and out-of-band
communications paths; and
e. documents and tracks security device, appliance and system configurations and settings, for better understanding
of current configurations, periodic training for existing and new personnel and audit capability for the equipment
and systems.

Regarding the physical security measures, the Company:

a. provides security and securing methods for all computational equipment that controls aspects of safety-related
operations, or interfaces to systems that control aspects of safety-related operations;
b. keeps physical security sensor feeds and system connections logically separate from production network content,
segregating physical security system data flows to prevent either casual snooping or inadvertent interference
within the normal scope of network operations;
c. confirms that all computationally-enabled physical security equipment (cameras, sensors, electronic locks, networked
accesses, etc.) has passwords that are (1) changed from default; and (2) non-trivial and cryptographically strong;
d. considers risks associated with computationally-enabled physical security equipment so that inadvertent login
failures and/or lockouts, loss of power, reboot events and the like will not impact safety-critical operations;
e. safeguards its systems and device infrastructure with physical security and other means to limit access to critical
equipment or safety-related equipment to authorized personnel, with appropriate accesses and means, only; and
f. regularly tests physical and environmental control and security sensors, devices, systems, appliances and
applications, in accordance with both manufacturer and owner direction or guidance, in order to keep these
systems in peak operational state.

6.4 Technical cyber security controls

The Company:

a. integrates security requirements into operational technology safety cases, so that security testing does not
invalidate or adversely affect safety tests, while security is also included as a fundamental part of system and
human safety considerations;
b. restricts and filters all traffic from IT-based control systems to operational and process technology systems, so that
authentication and verification of commands occurs outside the OT systems, software and appliances;
c. uses signed copies of software updates to its systems, working only with manufacturers to obtain system updates
and patches;
d. restricts access to ordinary Internet protocols and traffic (e.g., email, FTP, etc.) from machines authorized to
connect to operational technology and process control systems;
e. architects protective devices between information technology networks and operational technology networks to
limit traffic types, protocols and origins, and to trace and log all traffic into the operational technology network(s);
f. does not allow cyber-enabled systems that control, monitor, or record data from physical security systems to reside
on the same control networks as the physical security systems;
g. cross-trains cybersecurity personnel and operational technology engineers to keep communications between the
organization’s engineering groups open;
h. defines and strictly limits the types and mechanisms for file input and output to and from operational technology
networks; and
i. ensures that the latest operating system is installed with all relevant security updates (e.g. Windows XP, the main
operating system used onboard vessels, has been unsupported by Microsoft since April 2014; no security updates are
being developed for it any longer, resulting in vulnerabilities that could be exploited by malware).

6.5 Configuration of network devices such as firewalls, routers and switches

It should be determined which systems should be attached to controlled or uncontrolled networks. Controlled networks are
designed to prevent any security risks from connected devices by use of firewalls, security gateways, routers and switches.
Uncontrolled networks may pose risks due to lack of data traffic control and they should be isolated from controlled
networks, as direct internet connection makes them highly prone to infiltration by malware. For example:

• Networks that are critical to the operation of a ship itself, should be controlled. It is imperative that these systems
have a high level of security.
• Networks that provide suppliers with remote access to navigation and other OT system software on onboard
equipment, should also be controlled. These networks may be necessary for suppliers to allow upload of system
upgrades or perform remote servicing. Shoreside external access points of such connections should be secured to
prevent unauthorized access.
• Other networks, such as guest access networks, may be uncontrolled, for instance those related to private internet
access for crew. Normally, any wireless network should be considered uncontrolled.

Onboard networks should be partitioned by firewalls to create safe zones. The fewer communication links and devices in a
zone, the more secure the systems and data are in that zone. Confidential and safety critical systems should be in the most
protected zone. It is ensured that wireless access to networks on the ship is limited to appropriate authorized devices and
personnel and secured using a strong encryption key, which is changed regularly.
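The zone model described above (and the logging requirement of 6.4(e)), as an added example that is not part of the manual: a small Python check that flags any allow-list entry letting an uncontrolled network reach a controlled one, then renders the accepted allow-list as an nftables forward chain with default drop and logging of every flow into the OT zone. Zone names, address ranges and permitted services are constructed placeholders.

```python
"""Zone policy for an onboard network: controlled vs. uncontrolled zones,
an allow-list with default deny, and logged ingress into the OT zone.
Added example, not part of the manual; zone names, address ranges and
permitted services are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    cidr: str
    controlled: bool        # policed by the firewall
    wireless: bool = False  # the manual treats wireless as uncontrolled


@dataclass(frozen=True)
class Flow:
    src: str    # source zone name
    dst: str    # destination zone name
    proto: str  # "tcp" or "udp"
    dport: int
    note: str = ""


# Constructed zones; ot_bridge holds the safety-critical systems.
ZONES = {
    "crew_wifi": Zone("crew_wifi", "10.10.0.0/24", controlled=False, wireless=True),
    "business_it": Zone("business_it", "10.20.0.0/24", controlled=True),
    "vendor_remote": Zone("vendor_remote", "10.40.0.0/28", controlled=True),
    "ot_bridge": Zone("ot_bridge", "10.30.0.0/24", controlled=True),
}

# A designer's first draft. The last flow is deliberately wrong (crew Wi-Fi
# reaching a controlled zone) so that the check below has something to catch.
DRAFT = [
    Flow("business_it", "ot_bridge", "tcp", 502, "Modbus/TCP read-only gateway"),
    Flow("vendor_remote", "ot_bridge", "tcp", 22, "supplier maintenance via jump host"),
    Flow("crew_wifi", "business_it", "tcp", 443, "crew portal"),
]


def policy_violations(zones, flows):
    """Return the ways a proposed allow-list breaks the manual's segmentation rules."""
    problems = []
    for z in zones.values():
        if z.wireless and z.controlled:
            problems.append(f"{z.name}: wireless zone must not be treated as controlled")
    for f in flows:
        if not zones[f.src].controlled and zones[f.dst].controlled:
            problems.append(
                f"{f.src}->{f.dst}:{f.proto}/{f.dport}: uncontrolled source into controlled zone"
            )
    return problems


def render_nftables(zones, flows, ot_zone="ot_bridge"):
    """Emit an nftables forward chain: explicit allows only, OT ingress logged, default drop."""
    lines = [
        "table inet ship {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for f in flows:
        src, dst = zones[f.src], zones[f.dst]
        rule = f"    ip saddr {src.cidr} ip daddr {dst.cidr} {f.proto} dport {f.dport}"
        if f.dst == ot_zone:
            # 6.4(e): trace and log all traffic into the OT network.
            rule += f' log prefix "ot-ingress {f.src} "'
        lines.append(f"{rule} accept  # {f.note}")
    lines += ['    log prefix "fw-drop " drop', "  }", "}"]
    return "\n".join(lines)


def approved_ruleset(zones=ZONES, flows=DRAFT):
    """Refuse to render a ruleset while the policy still has violations."""
    problems = policy_violations(zones, flows)
    if problems:
        raise ValueError("; ".join(problems))
    return render_nftables(zones, flows)


if __name__ == "__main__":
    print("violations:", policy_violations(ZONES, DRAFT))
    print(render_nftables(ZONES, DRAFT[:2]))
```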

6.6 Satellite and radio communication

Cyber security of the radio and satellite connection should be considered in collaboration with the service provider. In this
context, the specification of the satellite link should be considered when establishing the requirements for onboard
network protection.

When establishing an uplink connection for ships’ navigation and control systems to shore-based service providers,
consideration should be given to how to prevent illegitimate connections from gaining access to the onboard systems.

The access interconnection is the distribution partner’s responsibility. The final routing of user traffic from the internet
access point to its ultimate destination onboard (“last mile”) is the responsibility of the shipowner or management
company. User traffic is routed through the communication equipment for onward transmission on board. At the access
point for this traffic, it is necessary to provide data security, firewalling and a dedicated “last-mile” connection.

When using a Virtual Private Network (VPN), the data traffic should be encrypted to an acceptable international standard.
Furthermore, a firewall in front of the servers and computers connected to the networks (ashore or on board) should be
deployed. The distribution partner should advise on the routing and type of connection most suited for specific traffic.
Onshore filtering (inspection/blocking) of traffic is also a matter between a shipowner or management company and the
distribution partner. However, it is not sufficient to have either onshore filtering of traffic or firewalls/security
inspection/blocking gateways on the ship, because both types are needed and supplement each other in order to achieve a
sufficient level of protection.

Providers of satellite communication terminals and other communication equipment may provide management interfaces
with security control software that are accessible over the network. This is primarily provided in the form of web-based
user interfaces. Protection of such interfaces should be considered when assessing the security of a ship’s installation.

6.7 Malware detection

Scanning software that can automatically detect and address the presence of malware in systems onboard should be
regularly updated.

Onboard computers should be protected to the same level as office computers ashore. Anti-virus and anti-malware
software should be installed, maintained and updated on all personal work-related computers onboard. This will reduce the
risk of these computers acting as attack vectors towards servers and other computers on the ship’s network. The decision
on whether to rely on these defence methods should take into consideration how regularly the scanning software will be
able to be updated.

6.8 Secure configuration for hardware and software

Only Senior Officers should be given administrator profiles so that they can control the set up and disabling of normal user
profiles. User profiles should be restricted to only allow the computers, workstations or servers to be used for the purposes
for which they are required. User profiles should not allow the user to alter the systems or install and execute new
programs.

6.9 Email and web browser protection

Email communication between ship and shore is a vital part of a ship’s operation. Appropriate email and web browser
protection serves to:

• protect shoreside and onboard personnel from potential social engineering;
• prevent email being used as a method of obtaining sensitive information;
• ensure that the exchange of sensitive information via email or by voice is appropriately protected to ensure
confidentiality and integrity of data, for example protected by encryption; and
• prevent web browsers and email clients from executing malicious scripts.

Some best practices for safe email transfer are: send attachments as zipped or encrypted files when necessary, disable
hyperlinks in the email system, avoid using generic email addresses and ensure the system has configured user accounts.

Appropriate email and web browser protection serves to protect seafarers and shore side personnel from potential social
engineering while ensuring that the exchange of sensitive information via email or by voice is appropriately protected to
ensure confidentiality and integrity of data. It can furthermore prevent web browsers and email clients from executing
malicious scripts.

Virus detection and prevention

• Do not open any files attached to incoming emails that are not addressed to you or your department and are not
related to your work.
• Do not open any files attached to incoming emails that are in any way odd, suspicious or unexpected. Be especially
careful with files that are executables (end in .EXE .PIF .BAT .COM .SCR etc.).
• Do not open any files attached to an email from an unknown, suspicious or untrustworthy source.
• Do not open any files attached to an email unless you know what it is, even if it appears to come from a friend or
someone you know. Some viruses can replicate themselves and spread through email. Better safe than sorry: confirm
that they really sent it.
• Do not open any files attached to an email if the subject line is questionable or unexpected. If you must open it,
first save the file to your hard drive.
• Do not download files directly from the Internet.
• Do not download any files from strangers.
• Exercise caution when downloading files from the Internet. Ensure that the source is a legitimate and reputable
one. Verify that an anti-virus program checks the files on the download site. If you're uncertain, don't download
the file at all or download the file to a floppy and test it with your own anti-virus software.
• Do not copy software/data from floppy disks or CD’s from sources outside the Company without the prior approval
of the IT Manager, even if they are supplied from companies that the organization is collaborating with.
• Do not send USB sticks or CDs with software or data to the vessels without the prior approval of the IT Manager.
• Back up all important files on a weekly basis. If a virus destroys your files, at least you can replace them with your
backup copy. Store your backup copy in a separate location (out of the office) from your work files, preferably not on
your computer. The IT department is responsible for this type of work.
• Delete chain emails and junk email. Do not forward or reply to any of them.
• Update your anti-virus software regularly. Over 500 viruses are discovered each month, so continuous protection
is needed. These updates should cover at least the product’s virus signature files; the scanning engine may also
need updating. Your antivirus software is updated automatically each time you start your computer; periodically
check that this is so and that your antivirus software is current.
• When in doubt, always err on the side of caution and do not open, download, or execute any files or email
attachments. Of these, not executing is the most important.

6.10 Execution of Access Management

The Company:

a. screens personnel for security issues prior to boarding.
b. allows no group login credentials; shared credentials and the sharing of credentials are prohibited.
c. requires two-factor authentication to access sensitive resources or assets, or to access networked assets remotely.
d. periodically inventories third-party access and relationships to confirm that all network and/or data access are
current, required and under governance and control.
e. requires authorized third-party personnel with access to organizational networked systems to use two-factor
authentication for connection, or strong passwords that cannot be easily guessed.
f. defines and uses a third-party supplier program, including supplier evaluation prior to granting access to
networked resources.
g. requires all remote access users to pass through security and authentication systems to provide traceability of
communications and tracking or logging of actions carried out remotely. No remote access can occur without
strict accountability for all communications.
h. limits privileged access accounts to those personnel identified with specific work-related needs.
i. limits privileged accounts to specific systems and does not allow Internet access to those accounts (outside access
is limited to non-privileged accounts).
j. requires login credentials for users to access guest wireless network resources, to provide usage tracking as
necessary.
k. implements login failure time-out periods to prevent password guessing.
l. decides single sign-on (SSO) boundaries on the basis of data or application criticality, leaving certain designated
applications, systems, repositories or functions outside SSO in order to measure access based on separate
authentication for traceability and accountability.
m. deprovisions former employees promptly so that a former employee’s account cannot be accessed after employment
ends.
n. ensures that wireless access to networks is limited to appropriate authorized devices.
o. ensures that no staff is allowed to delete any files from the server.

The final objective of access control is simple: Know when and under what circumstances any person or machine has access
to every secured entity in the organization.

6.11 Application software security (patch management)

Critical safety and security updates should be provided to onboard systems. Such updates or patches should be applied
correctly and in a timely manner to ensure that any flaws in a system are addressed before they are exploited by a cyber-
attack.

The Company:

a. catalogs its hardware configurations and software holdings and licenses so that it can prioritize and apply patches
that address identified vulnerabilities arising from threat reports, vulnerability scans, or risk analyses.
b. tests system and application patches on a testbed prior to applying the patches to operational systems.
c. understands and controls the use of applications and executable software in its systems and restricts any software
from running unless the software has been tested and approved for use (whitelisting).

The “threat-vulnerability-configuration-patch-change-risk” management cycle draws on many sides of the technology
management domain so as to include as many considerations as possible when integrating new software, patches, or
changes in system configuration with the enterprise networked systems’ architectures.

System and application patch testing, whether on information technology systems or on operational technology or process
control systems, is an important consideration in order to reduce the risk associated with introducing new software into
existing, (presumably) functioning systems with the intent of modifying the working software.

Equally important, however, is documentation of existing systems and changes to those systems. Corporate knowledge in
the organization requires continuity and currency of documentation.

6.12 Execution of Change Control as an Enterprise Process

The Company:

a. retains an authorization process for hardware, software, firmware and architecture or configuration upgrades that
does not allow unexpected, unattended, or unauthorized changes to be made to critical systems, or in operational
systems that connect to critical systems.
b. performs a formal, rigorous change control process, which is critical to documenting both information technology and
operational technology systems, maintaining enterprise knowledge of both and implementing cybersecurity
controls and security.
c. maintains logs, system diagrams and records for all business-critical or mission-critical systems that note the
changes made during the change control processes.

Change control is the process by which patches, vulnerability mitigation actions, architectural changes, system
improvements, software updates, system concept of operations changes, staffing and supportability changes and security
improvements are registered and approved across the organization. Changes are then cataloged and documented to
confirm completeness for accessibility within the organization.

6.13 Procedural protection measures

Procedural controls are focused on how personnel use the onboard systems. Plans and procedures that contain sensitive
information should be kept confidential and handled according to company policies. Examples of procedural actions
are:

6.13.1 Training and awareness

Training and awareness are the key supporting elements of an effective approach to cyber safety and security. The internal
cyber threat is considerable and should not be underestimated. Personnel have a key role in protecting IT and OT systems
but can also be careless, for example by using removable media to transfer data between systems without taking
precautions against the transfer of malware. Training and awareness should be tailored to the appropriate levels for:

• onboard personnel including the Master, Officers and crew;
• shoreside personnel, supporting the management and operation of the ship.

An awareness programme is in place for all onboard personnel, covering at least the following:

• risks related to emails and how to behave in a safe manner (examples are phishing attacks where the user clicks on
a link to a malicious site);
• risks related to internet usage, including social media, chat forums and cloud-based file storage where data
movement is less controlled and monitored;
• risks related to the use of own devices (these devices may be missing security patches and controls, such as anti-
virus, and may transfer the risk to the environment to which they are connected);
• risks related to installing and maintaining software on company hardware using infected hardware (removable
media) or software (infected package);
• risks related to poor software and data security practices where no anti-virus checks or authenticity verifications
are performed;
• safeguarding user information, passwords and digital certificates;
• cyber risks in relation to the physical presence of non-company personnel, eg, where third-party technicians are
left to work on equipment without supervision;
• detecting suspicious activity or devices and how to report if a possible cyber incident is in progress (examples of
this are strange connections that are not normally seen or someone plugging in an unknown device on the ship
network);
• awareness of the consequences or impact of cyber incidents to the safety and operations of the ship;
• understanding how to implement preventative maintenance routines such as anti-virus and anti-malware,
patching, backups and incident-response planning and testing; and
• procedures for protection against risks from service providers’ removable media before connecting to the ship’s
systems.
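Detecting "someone plugging in an unknown device on the ship network", one of the awareness items above, as an added example that is not part of the manual: the script reviews constructed dnsmasq-style DHCP lease lines against a constructed approved-device inventory and reports devices nobody registered, as well as registered devices seen in a zone they are not approved for (a crew laptop on the bridge network). Zone addressing, MAC addresses and hostnames are placeholders.

```python
"""Flag unknown or misplaced devices from DHCP lease data. Added example,
not from the manual. Lease lines follow dnsmasq's lease-file layout
(expiry, MAC, IP, hostname, client-id); lines, inventory and zone
addressing are all constructed for this example.
"""
from ipaddress import ip_address, ip_network

# Constructed zones: which addresses belong to which onboard network.
ZONES = {
    "ot_bridge": ip_network("10.30.0.0/24"),
    "business_it": ip_network("10.20.0.0/24"),
    "crew_wifi": ip_network("10.10.0.0/24"),
}

# Constructed approved-device inventory keyed by normalised MAC address.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"owner": "ECDIS workstation 1", "zones": {"ot_bridge"}},
    "aa:bb:cc:00:00:02": {"owner": "Master's office PC", "zones": {"business_it"}},
    "aa:bb:cc:00:00:03": {"owner": "2/O personal laptop", "zones": {"crew_wifi"}},
}

# Constructed lease lines. The third is a crew laptop plugged into the bridge
# network; the fourth is a device nobody registered.
LEASES = """\
1700000000 AA:BB:CC:00:00:01 10.30.0.11 ecdis-1 01:aa:bb:cc:00:00:01
1700000060 aa:bb:cc:00:00:02 10.20.0.25 master-pc *
1700000120 aa-bb-cc-00-00-03 10.30.0.77 laptop-2o *
1700000180 de:ad:be:ef:00:99 10.30.0.90 * *
"""


def normalise_mac(mac):
    """Accept aa:bb:..., AA-BB-... or aabb.cc... and return lower-case colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def zone_of(ip):
    """Name of the zone an address falls in, or None if it is outside all zones."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_leases(text):
    """Yield (mac, ip, hostname) for each well-formed lease line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        yield normalise_mac(parts[1]), parts[2], parts[3]


def review_leases(text, inventory=INVENTORY):
    """Return alert strings for devices that need a human to look at them."""
    alerts = []
    for mac, ip, host in parse_leases(text):
        zone = zone_of(ip)
        entry = inventory.get(mac)
        if entry is None:
            alerts.append(f"UNKNOWN device {mac} ({host}) on {zone or ip}")
        elif zone not in entry["zones"]:
            alerts.append(f"MISPLACED {entry['owner']} ({mac}) seen on {zone or ip}, "
                          f"approved for {sorted(entry['zones'])}")
    return alerts


if __name__ == "__main__":
    for alert in review_leases(LEASES) or ["no alerts"]:
        print(alert)
```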

Further, personnel should be able to identify the signs when a computer has been compromised. This may include the
following:

• an unresponsive or slow to respond system;
• unexpected password changes or authorized users being locked out of a system;
• unexpected errors in programs, including failure to run correctly or programs running unexpectedly;
• unexpected or sudden changes in available disk space or memory;
• emails being returned unexpectedly;
• unexpected network connectivity difficulties;
• frequent system crashes;
• abnormal hard drive or processor activity; and
• unexpected changes to browser, software or user settings, including permissions.

In addition, personnel need to be made aware that the presence of anti-malware software does not remove the
requirement for robust security procedures, for example controlling the use of all removable media.

Seminars for crew, shore personnel and relevant third parties must be conducted and include, but are not limited to:

• Locking of unattended work stations.
• Safeguarding of passwords.
• No use of unauthorized software.
• Responsible use of social media.
• Control/prevention of misuse of portable storage and memory sticks.

Posters promoting cyber security awareness to all personnel should be easily accessible at Company’s premises and vessels.

6.13.2 Physical and removable media controls

Transferring data from uncontrolled systems to controlled systems represents a major risk of introducing malware.
Removable media can be used to bypass layers of defenses and can be used to attack systems that are otherwise not
connected to the internet. A clear policy for the use of such media devices is essential; it must be ensured that media
devices are not normally used to transfer information between uncontrolled and controlled systems. There are, however,
situations where it is unavoidable to use these media devices, for example during software maintenance. In such cases, the
removable media must be checked for malware and/or the legitimacy of the software validated by digital signatures and
watermarks.
Any removable media device in a computer that is not connected to the ship’s controlled networks shall be scanned before
use. If it is not possible to scan the removable media on board, e.g. the laptop of a maintenance technician, then the scan
could be done prior to boarding with the result and timing duly documented. Consideration should be given to notifying
ports and terminals of the requirement to scan removable media prior to permitting the uploading of files into a ship’s
system. This scanning shall be carried out when transferring the following file types:

• cargo files and loading plans;
• national, customs, and port authority forms;
• bunkering and lubrication oil forms;
• ship’s stores and provisions lists;
• engineering maintenance files.

6.13.3 Upgrades and software maintenance

Hardware or software that is no longer supported by its producer or software developer will not receive updates to address
potential vulnerabilities. For this reason, the use of hardware and software, which is no longer supported, should be
carefully evaluated by the company as part of the cyber risk assessment.
Relevant hardware and software installations on board should be updated to maintain a sufficient security level.
Procedures for timely updating of software may need to be put in place taking into account the ship type, speed of internet
connectivity, ship’s trade, etc. Software includes computer operating systems, which should also be kept up to date.
Additionally, a number of routers, switches and firewalls and various OT devices will be running their own firmware, which
may require regular updates and so should be addressed in the procedural requirements.
Effective maintenance of software depends on the identification, planning and execution of measures necessary to support
maintenance activities throughout the full software lifecycle. Anti-virus and anti-malware tools should be updated. These
updates should be distributed to ships on a timely basis ensuring that all relevant computers onboard are updated.

6.13.4 Access for visitors

Visitors such as authorities, technicians, agents, port officials and owner or manager representatives should be restricted
with regard to computer access whilst on board. Unauthorized access to sensitive OT network computers should be
prohibited through clearly marked physical barriers. If access to a network by a visitor is required and allowed, then it
should be restricted in terms of user privileges. Access to certain networks for maintenance reasons should be approved
and co-ordinated following appropriate procedures as outlined by the company/ship operator. If a visitor requires
computer and printer access, an independent computer, which is air-gapped from all controlled networks, should be used.
To avoid unauthorised access, removable media blockers should be used on all other physically accessible computers and
network ports.

If a visitor wants to print documents on board, do not let them connect any USB sticks or external drives to the ship’s
network computers. USB sticks can be connected directly to printers. If this is not possible, printing can only be done from a
network-isolated computer.

6.13.5 Use of administrator privileges

In a business environment, such as shipping, access to onboard systems is granted to various stakeholders. Suppliers and
contractors are a risk because they often have both intimate knowledge of a ship’s operations and often full access to
systems. Access to information should only be allowed to relevant authorized personnel. Administrator privileges allow full
access to system configuration settings and all data. Users logging into systems with administrator privileges may enable
existing vulnerabilities to be more easily exploited. Administrator privileges should only be given to appropriately trained
personnel who need them, as part of their role in the company or on board, to log into systems using these privileges. In
any case, use of administrator privileges should always be limited to functions requiring such access. User privileges should
be removed when the people concerned are no longer on board. User accounts should not be passed on from one user to
the next using generic usernames. Similar rules should be applied to any shore personnel with remote access to systems on
ships when they change role and no longer need access.

6.14 Actions against threats

6.14.1 Physical Threats

Your Workspace

Individuals that you do not know may be in your physical space, in the office and at your other work locations.
• Do not allow unauthorized access to your work area.
• Do not let anyone borrow your keys or security badge.

Your Devices

Individuals will look for easy ways to steal PCs, cell phones, and other devices.

• Put away and lock your PC and other devices when not using them.
• If you have a laptop or another mobile device, make sure it is encrypted.
• If you use a thumb drive or external hard drive, make sure it is encrypted.
• Do not leave your PC unattended, particularly in public spaces.
• Never use laptops or PCs as admin.
• Follow a clear-screen policy on your PCs and laptops.
• Take weekly backups of your PCs and laptops.
• Use antivirus programmes for your mobile phones.
• Use ad-blockers for pop-ups on web sites.

Your Password

Your password is also a key. Individuals will try to steal your passwords if they are in plain sight or easy to determine.

• Do not write down your passwords on sticky notes or paper in plain sight.
• Change your passwords frequently and make them hard to guess. Passwords must contain at least 1 upper case, 1
lower case, 1 number, 1 symbol and must be minimum 8 characters.
• Report immediately all suspicious activities and breaches of physical security.
• Commit your passwords to memory.

6.14.2 Email Threats

Phishing, Spoofs, Goofs, Hoaxes, Malware, Scams and Spam

The most prevalent and persistent threats to your security come to you in your Inbox. They come by different names and
may even appear legitimate and even supposedly from people you may know.
They all have this in common: they are designed to get you to click on an item like an attachment, link or picture.

Result: If you click, you may launch a harmful program or be directed to a harmful web site. You may then find your
personal information compromised and you may subject your network to malicious software.

Stop: Do not click. Do not assume that links in your email are automatically safe.

Think: If you cannot identify the source and attachments as legitimate or be sure the links are safe by looking at the actual
web address, you can logically conclude that you should be alert.

Click: Only after you are completely confident that the action is safe.

6.14.3 Internet Threats

Browsing Can Be Hazardous to Your PC

The Internet is a significant resource for business and government services. However, some of the same issues as with
email can create security issues that you need to be aware of.

The Common Threat: On the web, the threats come from malicious links. Most of the threats come when you click on a link
that launches a malicious program or re-directs you to a dangerous site.

Result: If you click, you may launch harmful programs or be directed to a harmful web site. You may then find your
personal, client, or sensitive business information compromised and you may subject your PC and network to malicious
software.

Stop: Do not automatically click on Internet links until you have confidence in them. This includes pictures, videos and
navigational elements.

Think: Look at the actual address for the links in question. For instance, if the link indicates “Click Here” be sure to hover
your mouse pointer over the link and investigate the actual web address before you proceed.

Click: Only after you are completely confident that the web site is safe.

6.14.4 Social Media Threats

Social Media Can Be Suspect

While usually relatively safe, the rapid increase in social networking and collaborative sites has offered new opportunities
for hackers, thieves and others. You should use common sense and be cautious when visiting these sites.

The Common Threat: Similar to email threats, postings on Facebook, LinkedIn, YouTube, and others may appear to take
you to interesting content, funny videos, or connect you to other users and organizational sites of common interest.

Result: In reality you may be clicking on links that launch malware or take you to sites other than the ones you expected
exposing your personal information.

Stop: Do not assume social networking sites are safe. Do not click on links until you are sure they are legitimate. This
includes pictures, videos, invitations to games and applications and navigational elements.

Think: Look at the actual web addresses for the links in question. Investigate all links and linkable items by hovering your
mouse over them. Look at the actual web address before you proceed. Be careful of postings and sites that ask to share
your personal information.

Click: Only after you are completely confident that the web site is safe.

6.14.5 Telework Threats

For Mobile Workers: Be Careful with Your Connections

The ability to work away from the office is beneficial and flexible, however mobile workers need to take special care of the
inherent threats to systems when connected to public access points.

Wireless Networks: Assume when you connect to a public wireless access point that it is inherently not secure. Other
individuals can potentially “see” your activity. If you connect to a sensitive system over such an access point, your sensitive
data could be exposed.

Virtual Private Network: VPN allows you to launch a secure Internet connection so that even with a public access point,
you are able to work connected to your home network, applications and databases with a greater level of security.

Device Encryption: Always make sure your Laptop, Tablet or another mobile device is protected from someone else logging
in. Device encryption should be installed on all mobile devices that connect to other systems.

Stop: Do not connect to a public wireless access point without VPN.

Think: When you are prompted to connect to a public wireless node, know what you are connecting to and assume it is
public.

Click: Only proceed if you are confident of the connection, and only over a VPN.

Basic Concept

YOU Control What You Choose to CLICK

Most end user threats are targeted specifically in hopes that you will click on a harmful link, attachment, picture, video or
icon in an email or web page, including social media applications.

What you can do

STOP, and THINK, BEFORE you CLICK

Your job is to be aware, alert and diligent. Always look for the signs that external entities are trying to gain access to your
PC and your network.

7. Contingency and Response Plan

The loss of OT systems may have a significant and immediate impact on the safe operation of the ship. Should a cyber
incident result in the loss or malfunctioning of OT systems, it will be essential that effective actions are taken to ensure the
immediate safety of the crew and the ship and the protection of the marine environment. Responding to a cyber incident
may however be beyond the competencies held within the Company and onboard due to the complexity or severity of such
incidents. In such cases, external expert assistance should be available to ensure an effective response. Without a
contingency plan, decisions and actions may be made that inadvertently make recovery work more difficult and
compromise evidence. The following is a non-exhaustive list of the actions in response to the type of cyber incidents, which
should be addressed in contingency plans on board:

• loss of availability of electronic navigational equipment or loss of integrity of navigation related data;
• loss of availability or integrity of external data sources, including but not limited to GNSS;
• loss of essential connectivity with the shore, including but not limited to the availability of Global Maritime Distress
and Safety System (GMDSS) communications;
• loss of availability of industrial control systems, including propulsion, auxiliary systems and other critical systems,
as well as loss of integrity of data management and control;
• the event of a ransomware or denial of service incident.

It is important that onboard personnel understand that the loss of OT systems due to a cyber incident must be treated like
any other equipment failure. When a cyber incident is discovered, it is important that all relevant personnel are aware of
the exact procedure to follow. Furthermore, it is important to ensure that a loss of equipment or reliable information due
to a cyber incident does not make existing emergency plans and procedures redundant. It is crucial that contingency plans,
and related information, are available in a non-electronic form as some types of cyber incidents can include the deletion of
data and shutdown of communication links.

Response Plan

As with a successful cyber incident itself, an effective response has four stages:
1. Identify the cyber security incident;
2. Define the objectives for response and investigate the situation;
3. Take appropriate action to address a cyber incident that affects systems and/or data; and
4. Recover systems, data and connectivity.

The response plan should, as a minimum, include the following considerations:

• Which systems does this apply to?
• Should systems be shut down immediately or kept running?
• Should certain ship communication links be shut down?
• Should certain pre-installed security software be activated?
• Who is the correct person in the IT department to contact immediately? In addition, what to do if communication
links are severed?

As such, the Company shall retain an Incident Response Plan (IRP) that incorporates:
• Lessons learned from previous incidents and events;
• Notification lists for those personnel needed to understand the incident, or to take part in the response to it;
• Communications plan for internal personnel that provides continued operations while minimizing fear;
• Communications plan for external agencies and personnel to maintain the organizational perspective and policies;
• Control plan for hazards that may affect personnel or systems;
• Control plan for hazards that may spill from the organization’s boundaries into the surrounding environment (i.e.,
affect neighbors or otherwise foment liability); and
• Recovery plan for establishing a known set of conditions, consolidating those conditions for safety of personnel,
systems, ship/platform/facility, and environment, and moving back to full operational capabilities.

The Company shall conduct periodic cyber incident drills that rehearse actions and reactions designed to recognize, control
and recover from a cybersecurity event that affects critical systems, data and functions.
It is vital that incident preparation is a collaborative, inclusive activity involving all parties concerned with operations of the
Company. The communications plans for both internal and external personnel and contacts should be prepared in advance
so as to avoid hasty decisions, mistakes and omissions when pressured by crisis conditions. Crisis control plans must target
safety for personnel and systems, protect against environmental or surrounding organizational harms and provide a basis
for reporting to authorities and stakeholders.

Plan for Disaster Recovery (DR)

The Company:
a. defines the requirements and needs for business or mission continuity in face of cyber threats and risk conditions
and plans against those risks so that the business can continue even through serious interference effects.
b. plans for, and resources, disaster recovery capabilities to provide continuity of business or mission capabilities
when responding to risk conditions.
c. conducts periodic table-top exercises that allow revisit of disaster plans, initial training for new personnel and
refresher training for experienced personnel.
d. confirms that security architecture protecting the existing systems, facilities, personnel and assets is adequately
replicated in terms of functions during a disaster recovery scenario. Under no circumstance should a DR effort
leave cyber security behind unmonitored.

Mission-critical functions are cataloged as part of asset management. As such, the technology team in the organization has
plans in place to recover from highly unusual events. These plans might be enabled by physical relocation, alternate
equipment, alternative work regimes or a combination of all.

Recovery

Recovery plans should be accessible to Officers on board in accordance with their responsibilities defined in the plans. The
purpose and scope of each specific plan should be defined and understood by the Officers and potential external IT
personnel.
Essential information and software backup facilities should be available to ensure recovery can take place following a cyber
incident.

Recovery of essential ship or system functions related to the safe operation and navigation of the ship may have to take
place with assistance from ashore. How and where to get assistance, for example by proceeding to a port, needs to be part
of the recovery planning carried out by the ship in cooperation with the shipowner or operator.

7.1 Incident Analysis

Incident detection and analysis would be easy if every precursor or indicator were guaranteed to be accurate;
unfortunately, this is not the case. For example, user-provided indicators such as a complaint of a server being unavailable
are often incorrect. Intrusion detection systems may produce false positives - incorrect indicators. These examples
demonstrate what makes incident detection and analysis so difficult: each indicator ideally should be evaluated to
determine if it is legitimate. Making matters worse, the total number of indicators may be thousands or millions a day.
Finding the real security incidents that occurred out of all the indicators can be a daunting task.

Even if an indicator is accurate, it does not necessarily mean that an incident has occurred. Some indicators, such as a
server crash or modification of critical files, could happen for several reasons other than a security incident, including
human error. Given the occurrence of indicators, however, it is reasonable to suspect that an incident might be occurring
and to act accordingly. Determining whether a particular event is actually an incident is sometimes a matter of judgment. It
may be necessary to collaborate with other technical and information security personnel to make a decision. In many
instances, a situation should be handled the same way regardless of whether it is security related. For example, if an
organization is losing Internet connectivity every 12 hours and no one knows the cause, the staff would want to resolve the
problem just as quickly and would use the same resources to diagnose the problem, regardless of its cause.

An incident response team that suspects that an incident has occurred should immediately start recording all facts
regarding the incident. A logbook is an effective and simple medium for this, but laptops, audio recorders, and digital
cameras can also serve this purpose. Documenting system events, conversations, and observed changes in files can lead to
a more efficient, more systematic, and less error-prone handling of the problem. Every step taken from the time the
incident was detected to its final resolution should be documented and timestamped. Every document regarding the
incident should be dated and signed by the incident handler. Information of this nature can also be used as evidence in a
court of law if legal prosecution is pursued. Whenever possible, handlers should work in teams of at least two: one person
can record and log events while the other person performs the technical tasks.

Prioritizing the handling of the incident is perhaps the most critical decision point in the incident handling process. Incidents
should not be handled on a first-come, first-served basis as a result of resource limitations. Instead, handling should be
prioritized based on the relevant factors, such as the following:

• Functional Impact of the Incident. Incidents targeting IT systems typically impact the business functionality that
those systems provide, resulting in some type of negative impact to the users of those systems. Incident handlers should
consider how the incident will impact the existing functionality of the affected systems. Incident handlers should consider
not only the current functional impact of the incident, but also the likely future functional impact of the incident if it is not
immediately contained.
• Information Impact of the Incident. Incidents may affect the confidentiality, integrity, and availability of the
organization’s information. For example, a malicious agent may exfiltrate sensitive information. Incident handlers should
consider how this information exfiltration will impact the organization’s overall mission. An incident that results in the
exfiltration of sensitive information may also affect other organizations if any of the data pertained to a partner
organization.
• Recoverability from the Incident. The size of the incident and the type of resources it affects will determine the
amount of time and resources that must be spent on recovering from that incident. In some instances, it is not possible to
recover from an incident (e.g., if the confidentiality of sensitive information has been compromised) and it would not make
sense to spend limited resources on an elongated incident handling cycle, unless that effort was directed at ensuring that a
similar incident did not occur in the future. In other cases, an incident may require far more resources to handle than what
an organization has available. Incident handlers should consider the effort necessary to actually recover from an incident
and carefully weigh that against the value the recovery effort will create and any requirements related to incident handling.

Combining the functional impact to the organization’s systems and the impact to the organization’s information determines
the business impact of the incident—for example, a distributed denial of service attack against a public web server may
temporarily reduce the functionality for users attempting to access the server, whereas unauthorized root-level access to a
public web server may result in the exfiltration of personally identifiable information (PII), which could have a long-lasting
impact on the organization’s reputation.

The recoverability from the incident determines the possible responses that the team may take when handling the incident.
An incident with a high functional impact and low effort to recover from is an ideal candidate for immediate action from the
team. However, some incidents may not have smooth recovery paths and may need to be queued for a more strategic-level
response—for example, an incident that results in an attacker exfiltrating and publicly posting gigabytes of sensitive data
has no easy recovery path since the data is already exposed; in this case the team may transfer part of the responsibility for
handling the data exfiltration incident to a more strategic-level team that develops strategy for preventing future breaches
and creates an outreach plan for alerting those individuals or organizations whose data was exfiltrated. The team should
prioritize the response to each incident based on its estimate of the business impact caused by the incident and the
estimated efforts required to recover from the incident.

An organization can best quantify the effect of its own incidents because of its situational awareness. Table 1 below
provides examples of functional impact categories that an organization might use for rating its own incidents.

Category     Definition
None         No effect to the organization’s ability to provide all services to all users
Low          Minimal effect; the organization can still provide all critical services to all users but has lost efficiency
Medium       Organization has lost the ability to provide a critical service to a subset of system users
High         Organization is no longer able to provide some critical services to any users

Table 1. Functional Impact Categories

Table 2 provides examples of possible information impact categories that describe the extent of information compromise
that occurred during the incident. In this table, with the exception of the ‘None’ value, the categories are not mutually
exclusive and the organization could choose more than one.

Category             Definition
None                 No information was exfiltrated, changed, deleted, or otherwise compromised
Privacy Breach       Sensitive personally identifiable information (PII) of taxpayers, employees, beneficiaries, etc. was accessed or exfiltrated
Proprietary Breach   Unclassified proprietary information, such as protected critical infrastructure information (PCII), was accessed or exfiltrated
Integrity Loss       Sensitive or proprietary information was changed or deleted

Table 2. Information Impact Categories

Table 3 shows examples of recoverability effort categories that reflect the level of and type of resources required to recover
from the incident.

Category          Definition
Regular           Time to recovery is predictable with existing resources
Supplemented      Time to recovery is predictable with additional resources
Extended          Time to recovery is unpredictable; additional resources and outside help are needed
Not Recoverable   Recovery from the incident is not possible (e.g., sensitive data exfiltrated and posted publicly); launch investigation

Table 3. Recoverability Effort Categories

Incidents that are categorised as:

• Functional Impact >= Medium (as per Table 1) or
• Information Impact >= Proprietary Breach (as per Table 2) or
• Recoverability Effort >= Extended (as per Table 3),

should initiate the investigation procedures as described below.
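The categorisation rule above can be applied mechanically once each incident has been rated against Tables 1 to 3. The following is an added example, not part of this manual: it encodes the three tables and the "initiate investigation" rule, and it assumes that the rows of each table are listed from least to most severe (so that ">=" is evaluated by row position). The sample incidents are constructed.

```python
"""Triage of a cyber incident against the manual's Tables 1-3.

Added example, not part of the manual. The category names and the
"initiate investigation" rule are taken from section 7.1; the one
assumption made here is that the rows of each table are listed from
least to most severe, so that ">=" can be evaluated by row position.
"""
from dataclasses import dataclass

# Rows in the order the tables list them (assumed least -> most severe).
FUNCTIONAL = ["None", "Low", "Medium", "High"]                                    # Table 1
INFORMATION = ["None", "Privacy Breach", "Proprietary Breach", "Integrity Loss"]  # Table 2
RECOVERABILITY = ["Regular", "Supplemented", "Extended", "Not Recoverable"]       # Table 3


def rank(scale, category):
    """Row position of a category on its scale; rejects values not in the table."""
    if category not in scale:
        raise ValueError(f"unknown category {category!r}; expected one of {scale}")
    return scale.index(category)


@dataclass
class Incident:
    ref: str
    functional: str          # one Table 1 category
    information: set         # one or more Table 2 categories ('None' is exclusive)
    recoverability: str      # one Table 3 category

    def __post_init__(self):
        rank(FUNCTIONAL, self.functional)
        rank(RECOVERABILITY, self.recoverability)
        if not self.information:
            raise ValueError("at least one information impact category is required")
        for category in self.information:
            rank(INFORMATION, category)
        if "None" in self.information and len(self.information) > 1:
            raise ValueError("'None' cannot be combined with other information impact categories")


def worst_information_impact(incident):
    """Table 2 categories are not mutually exclusive; triage on the most severe one."""
    return max(incident.information, key=lambda c: rank(INFORMATION, c))


def triage_reasons(incident):
    """Return the section 7.1 thresholds the incident meets (empty list = none met)."""
    reasons = []
    if rank(FUNCTIONAL, incident.functional) >= rank(FUNCTIONAL, "Medium"):
        reasons.append(f"functional impact '{incident.functional}' >= Medium (Table 1)")
    worst = worst_information_impact(incident)
    if rank(INFORMATION, worst) >= rank(INFORMATION, "Proprietary Breach"):
        reasons.append(f"information impact '{worst}' >= Proprietary Breach (Table 2)")
    if rank(RECOVERABILITY, incident.recoverability) >= rank(RECOVERABILITY, "Extended"):
        reasons.append(f"recoverability effort '{incident.recoverability}' >= Extended (Table 3)")
    return reasons


def requires_investigation(incident):
    """True when any one threshold is met, i.e. the section 7.2 procedures should start."""
    return bool(triage_reasons(incident))


# Constructed sample incidents (not real events).
SAMPLE_INCIDENTS = [
    Incident("INC-01", "Low", {"None"}, "Regular"),                                    # slow crew PC, nothing lost
    Incident("INC-02", "High", {"Proprietary Breach", "Integrity Loss"}, "Extended"),  # ransomware on loading computer
    Incident("INC-03", "None", {"Privacy Breach"}, "Regular"),                         # crew list viewed by an unauthorised user
    Incident("INC-04", "Low", {"Privacy Breach"}, "Not Recoverable"),                  # crew data already posted publicly
]

if __name__ == "__main__":
    for incident in SAMPLE_INCIDENTS:
        reasons = triage_reasons(incident)
        verdict = "INVESTIGATE" if reasons else "handle as a normal incident"
        print(f"{incident.ref}: {verdict}" + "".join(f"\n    - {r}" for r in reasons))
```

Note that INC-03 does not trigger an investigation: a Privacy Breach sits below Proprietary Breach in Table 2 and the other two ratings are below their thresholds, whereas INC-04 triggers one on recoverability alone. Any rating outside the tables is rejected rather than silently treated as low.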

7.2 Investigation of cyber incidents

Investigating a cyber incident can provide valuable information about the way in which a vulnerability was exploited. This
information can be used to improve the Company’s approach to cyber security and/or provide the wider maritime industry
with a better understanding of the threats it faces. An investigation should result in:

• A better understanding of the threats shipping companies and the ships they operate are facing;
• Identification of lessons learned; and
• Updates to technical and procedural control measures, as appropriate.

Investigating cyber incidents can be a complex and challenging task. The Company may consider using external expert
assistance to investigate such incidents as appropriate.

Initial Investigation

In the early stages of investigating a cyber security incident, the precise nature of the incident may be unknown and initial
analysis will be required. When investigating a cyber security incident, the approach taken can be either:
- intelligence driven, based on information gathered from: government agencies, monitoring of internal resources,
open source information or data provided internally or
- evidence-driven, based on information gathered from corporate infrastructure or applications (typically event
logs).

Investigators will often have to:

• Examine important alerts or suspicious events in logs or technical security monitoring systems (e.g. IDS, IPS);
• Correlate them with network data (including data from cloud service providers);
• Compare these against threat intelligence.

When carrying out an investigation, each possible trigger event should be thoroughly investigated, including:

1. Date/time;
2. Internet protocol (IP) address (internal or external);
3. Port (source or destination), domain and file (e.g. .exe, .dll); and
4. System (hardware vendor, operating system, applications, purpose, location).
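The three investigator activities listed above (examine alerts, correlate with network data, compare against threat intelligence) and the four trigger-event fields can be combined into a single evidence-driven pass over the logs. The following is an added example and not part of this manual or of any vendor's product: the alert line layout, the host names, the IP addresses (documentation ranges), the domain (reserved .test), the file name, the asset register and the threat-intelligence entries are all constructed for the example. Only the set of fields to capture comes from the list above.

```python
"""Extracting the section 7.2 trigger-event fields from security alerts.

Added example, not part of the manual. The alert line layout, the host
names, IP addresses, domains, file name and the threat-intelligence
entries below are all constructed for this example (documentation
address ranges and a reserved .test domain are used). Only the set of
fields to capture (date/time, IP address internal/external, port,
domain, file, system) comes from the manual.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed: address range of the ship's controlled networks, used to mark IPs internal/external.
SHIP_NETWORK = ipaddress.ip_network("10.20.0.0/16")

# Constructed asset register (item 4: hardware vendor, operating system, purpose, location).
ASSETS = {
    "loading-pc": "VendorA / Windows 10 / loading computer / cargo office",
    "ecdis-1": "VendorB / Linux / ECDIS / bridge",
}

# Constructed threat intelligence: indicator -> what it is known for.
THREAT_INTEL = {
    "updates.example-bad.test": "malware download domain",
    "198.51.100.23": "command-and-control address",
}

# Constructed alert layout: ISO timestamp, reporting host, src/dst as ip:port, optional domain and file.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) host=(?P<host>\S+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: domain=(?P<domain>\S+))?(?: file=(?P<file>\S+))?"
)


@dataclass
class TriggerEvent:
    when: datetime            # 1. date/time
    src_ip: str               # 2. IP address (internal or external)
    dst_ip: str
    src_port: int             # 3. port (source or destination) ...
    dst_port: int
    domain: Optional[str]     #    ... domain ...
    file: Optional[str]       #    ... and file
    system: str               # 4. system description from the asset register


def is_internal(ip):
    """Item 2 distinguishes internal from external addresses."""
    return ipaddress.ip_address(ip) in SHIP_NETWORK


def parse_alert(line):
    """Return a TriggerEvent, or None for a line that does not match the layout."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    host = m["host"]
    return TriggerEvent(
        when=when,
        src_ip=m["src"], dst_ip=m["dst"],
        src_port=int(m["sport"]), dst_port=int(m["dport"]),
        domain=m["domain"], file=m["file"],
        system=ASSETS.get(host, f"{host} (not in asset register)"),
    )


def parse_alerts(lines):
    """Parse every line, skipping lines that are not alerts."""
    return [ev for ev in (parse_alert(line) for line in lines) if ev is not None]


def correlate(events):
    """Compare each event's domain and addresses against threat intelligence; one hit per indicator."""
    hits = []
    for ev in events:
        for indicator in (ev.domain, ev.src_ip, ev.dst_ip):
            if indicator in THREAT_INTEL:
                hits.append({
                    "when": ev.when.isoformat(),
                    "system": ev.system,
                    "indicator": indicator,
                    "intel": THREAT_INTEL[indicator],
                    "src_internal": is_internal(ev.src_ip),
                    "dst_internal": is_internal(ev.dst_ip),
                    "file": ev.file,
                })
    return hits


# Constructed sample alert lines (one deliberately malformed line is skipped).
SAMPLE_ALERTS = [
    "2024-03-04T10:15:02Z host=loading-pc src=10.20.1.15:50213 dst=198.51.100.23:443 domain=updates.example-bad.test file=loader.exe",
    "2024-03-04T10:16:40Z host=ecdis-1 src=10.20.2.5:34567 dst=10.20.1.15:445",
    "this line is not an alert",
    "2024-03-04T10:17:03Z host=loading-pc src=203.0.113.9:4444 dst=10.20.1.15:3389",
]

if __name__ == "__main__":
    for hit in correlate(parse_alerts(SAMPLE_ALERTS)):
        print(hit)
```

Every hit carries the full trigger-event record (time, system, indicator, internal/external direction and file), which is the information the investigator records for each event; the remaining alerts that match nothing in threat intelligence are still available in the parsed list for the evidence-driven review of logs.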

Follow up incident investigation

There are many important activities that should be undertaken following a cyber security incident. In practice, some of
these (often important) follow-up actions may not be carried out due to insufficient resources, higher priorities, lack of
awareness or the pressing need to return the organization to its normal operation.
Following up a cyber security incident should address the following items:

1. Investigate the incident more thoroughly;
2. Report the incident to relevant stakeholders;
3. Carry out a post incident review;
4. Communicate and build on lessons learnt;
5. Update key information, controls and processes; and
6. Perform trend analysis.

Investigate the incident

As part of the investigation the Company has to perform problem cause analysis, carry out root cause identification and
quantify the impact of the incident (e.g. in terms of financial, operational, reputational, management or compliance
impact).

Report the incident

Once a cyber security incident has been successfully handled, formal reporting will often be required to both internal and
external stakeholders.
This report addresses the following:
1. The reporting requirements;
2. Who does the Company report to?
3. What should the report contain?
4. The format of the report; and
5. The objective of the report.

The report contains a full description of the nature of the incident, its history and what actions were taken to recover, a
realistic estimate of the impacts of the incident and recommendations regarding enhanced or additional controls required
to prevent, detect, remedy or recover from cyber security incidents more effectively.

Post incident review

Important information about the cyber security incident should be discussed during a post incident review. Questions to be
answered in such a review may include:

1. How well did staff and management perform in dealing with the incident? Were the documented procedures
followed? Were they adequate?
2. What information was needed sooner?
3. Were any steps or actions taken that might have inhibited the recovery?
4. Could any unforeseen events have been prevented?
5. What would the staff and management do differently the next time a similar cyber security incident occurs?
6. How could information sharing with other organizations be improved?
7. What corrective actions can prevent similar incidents in the future?
8. What precursors or indicators should be watched for in the future to detect similar incidents?
9. How can results be fed back into our risk assessment methodology?
10. What are the lessons learned?

Lessons Learned

An essential part of following up a cyber security incident is to document, communicate and build on lessons learned. This
should be viewed as an on-going process in order to learn from previous mistakes, incidents and experiences.
Communication to all stakeholders should be clear, concise and focused on problem resolution and control improvement. It
should clearly identify any gaps that remain and propose efforts to mitigate them. An action plan should be created that
explains how the Company will leverage lessons learned from the incident to become more resilient in the face of future
cyber security attacks. The action plan should include projects or initiatives, technical and nontechnical, that will help
reduce an attacker's chance of success and respond to an attacker's activities more rapidly and effectively.
Analysis of the cyber security incident should consider whether technical capability gaps contributed to the attacker's
success or whether people or process gaps were the main culprit.

Update Key Information and Procedures

Following a cyber security incident, it is important to update your cyber security incident response approaches, controls,
procedures and related documents.
Factors to be reviewed and considered are:
1. Poorly designed web applications
2. Misconfigured systems
3. Internet downloads
4. Personal devices (e.g. tablets or smart phones)
5. Authorized third parties (e.g. customers, suppliers, visitors).

Trend Analysis

Cyber incidents should be analysed like all other incidents (onboard and ashore). The review and analysis of the cyber
security incidents will help the Company to:

1. Evaluate patterns and trends of cyber security incidents;
2. Identify common factors that have influenced cyber security incidents;
3. Determine the effectiveness of controls (e.g. which controls are better at preventing, detecting and delaying cyber
security incidents or minimising their business impact); and
4. Understand the costs and impacts associated with cyber security incidents.
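The four kinds of analysis listed above, worked through as an added example that is not part of the manual: a small Python script that aggregates a constructed incident register (the records are invented, and the field names such as `detected_by` and `contributing_factor` are assumptions about how a Company might log its incidents). It produces the per-quarter trend, the most common contributing factors, how many incidents each control detected and how quickly, and the cost per incident category.

```python
"""Trend analysis over a constructed incident register.

Added example, not part of the manual. The records below are invented and the
field names are assumptions about how a Company might log cyber incidents.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample register: invented incidents, not real data.
INCIDENTS = [
    {"id": "INC-01", "date": date(2023, 1, 12), "location": "vessel", "category": "malware" if False else "phishing",
     "detected_by": "email filtering", "hours_to_detect": 2, "cost": 1500,
     "contributing_factor": "user clicked link"},
    {"id": "INC-02", "date": date(2023, 2, 3), "location": "ashore", "category": "malware",
     "detected_by": "antivirus", "hours_to_detect": 1, "cost": 800,
     "contributing_factor": "internet download"},
    {"id": "INC-03", "date": date(2023, 3, 20), "location": "vessel", "category": "malware",
     "detected_by": "crew report", "hours_to_detect": 48, "cost": 6000,
     "contributing_factor": "removable media"},
    {"id": "INC-04", "date": date(2023, 4, 15), "location": "vessel", "category": "malware",
     "detected_by": "antivirus", "hours_to_detect": 3, "cost": 1200,
     "contributing_factor": "removable media"},
    {"id": "INC-05", "date": date(2023, 5, 2), "location": "ashore", "category": "phishing",
     "detected_by": "user report", "hours_to_detect": 24, "cost": 4000,
     "contributing_factor": "user clicked link"},
    {"id": "INC-06", "date": date(2023, 6, 18), "location": "vessel", "category": "unauthorised access",
     "detected_by": "log review", "hours_to_detect": 72, "cost": 9000,
     "contributing_factor": "misconfigured system"},
    {"id": "INC-07", "date": date(2023, 6, 25), "location": "vessel", "category": "malware",
     "detected_by": "crew report", "hours_to_detect": 12, "cost": 2500,
     "contributing_factor": "removable media"},
]


def count_by(records, field):
    """Number of incidents per distinct value of a field (e.g. category, location)."""
    return dict(Counter(r[field] for r in records))


def quarter_trend(records):
    """Incidents per calendar quarter, keyed like '2023-Q1', in chronological order."""
    counts = Counter()
    for r in records:
        d = r["date"]
        counts[f"{d.year}-Q{(d.month - 1) // 3 + 1}"] += 1
    return dict(sorted(counts.items()))


def common_factors(records):
    """Contributing factors ordered from most to least frequent."""
    return Counter(r["contributing_factor"] for r in records).most_common()


def control_effectiveness(records):
    """Per detecting control: how many incidents it caught and the mean hours to detection.

    A control that detects often and quickly is performing well; one that only shows
    up with long detection times is a candidate for review.
    """
    hours = defaultdict(list)
    for r in records:
        hours[r["detected_by"]].append(r["hours_to_detect"])
    return {
        control: {"incidents": len(h), "mean_hours_to_detect": sum(h) / len(h)}
        for control, h in hours.items()
    }


def cost_by_category(records):
    """Total recorded cost per incident category."""
    totals = defaultdict(int)
    for r in records:
        totals[r["category"]] += r["cost"]
    return dict(totals)


def summarise(records):
    """All four analyses in one structure, suitable for a management review."""
    return {
        "by_category": count_by(records, "category"),
        "by_location": count_by(records, "location"),
        "per_quarter": quarter_trend(records),
        "common_factors": common_factors(records),
        "control_effectiveness": control_effectiveness(records),
        "cost_by_category": cost_by_category(records),
    }


if __name__ == "__main__":
    for section, result in summarise(INCIDENTS).items():
        print(f"{section}: {result}")
```

On the constructed data the script shows removable media as the dominant contributing factor and incidents caught by crew or user reports taking far longer to detect than those caught by automated controls, which is the kind of finding that feeds directly into the action plan and the risk assessment described earlier in this section.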

Cyber Incident Investigators

Company's Personnel:
For cyber incident investigations, the Company has authorized the following personnel to act as initial/follow-up
investigators:
1. Company Incidents: IT Manager/Information Security Manager
2. Vessel Incidents:
a. Initial: SSO
b. Follow-up investigation: IT Manager/Information Security Manager

Third Party Investigators:
There are many reasons why a Company may wish to employ external cyber security incident investigators, such as to help
carry out the activities outlined in previous sections:

1. Providing resourcing and response expertise, giving access to more experienced, dedicated technical staff who
understand how to carry out sophisticated cyber security incident investigations quickly and effectively;
2. Conducting technical investigations, for example:
- providing deep technical knowledge about the cyber security attack;
- reporting to top management on how the incident was dealt with;
- remediating the problem effectively (ensuring that attackers are not alerted, which would allow them to
take further action); and
- performing expert deep-dive forensics.
3. Performing cyber security analysis, for example:
- monitoring emerging cyber threats (allowing the Company to be more pre-emptive against cyber security attacks);
- applying modern analytic capabilities to aggregate relevant data from many different systems; and
- providing situational awareness, particularly in the area of cyber intelligence (e.g. to help create a clear
picture of the Company's threat adversaries).
