# Cybersecurity Measures for Third-Party Technicians

Many factors contribute to maintaining cybersecurity onboard a ship. However, only a few fall under the responsibility of the crew while preparing for and supervising a third-party technician.

In this training, we:

- Evaluate vulnerable system components.
- Map physical locations of vulnerable systems.
- Assess secondary vulnerabilities that share either physical location or data with those systems.
- Create a security plan to prevent cybersecurity breaches.

## System Evaluation

Third-party technicians require access to more than a single piece of equipment. Therefore, crew members must assess the cybersecurity risks for entire systems and all connected components.

### Step 1: Itemize the Affected System

Begin by making a line drawing of the affected system to ensure you account for all components. Next, list each system component in the Cybersecurity Table (see Example Table A).

- List each component name.
- List connected components.
- List connected internal networks.
- List connected external networks.

*Example Table A*

| Component Name | Connected to Component | Internal Network | External Network |
|-------|-------|-------|-------|
| Ballast pump | Computer controlled valve | Operating control system | None |
| ECDIS | Radar, AIS, Gyro Compass, Speed Log, GPS | Bridge Control | SATCOM, Internet |

### Step 2: Map the Affected System’s Physical Location

Reference ship drawings to map the physical location of the affected system. Mapping the physical location of the system a third-party technician is working on allows you to plan for physical security.

Remember, the third-party technician may need access to cable runs. Confirm the location of the full length of all connecting cables and add them to the Cybersecurity Table.

Add the physical location of each component in the Cybersecurity Table. See Example Table B.

*Example Table B*

| Component Name | Connected to Component | Internal Network | External Network | Physical Location |
|-------|-------|-------|-------|-------|
| Ballast pump | Computer controlled valve | Operating control system | None | STBD Ballast Tank 1 |
| ECDIS | Radar, AIS, Gyro Compass, Speed Log, GPS | Bridge Control | SATCOM, Internet | Bridge |

### Step 3: Assess Secondary Vulnerabilities

A third-party technician can also access nearby systems. Therefore, you must include secondary systems and components in your cybersecurity assessment. Refer to your physical location map to determine other systems the technician can access.

Add secondary systems and components to the Cybersecurity Table. See Example Table C.

*Example Table C*

| Component Name | Connected to Component | Internal Network | External Network | Physical Location | Secondary Systems / Components |
|-------|-------|-------|-------|-------|-------|
| Ballast pump | Computer controlled valve | Operating control system | None | STBD Ballast Tank 1 | None |
| ECDIS | Radar, AIS, Gyro Compass, Speed Log, GPS | Bridge Control | SATCOM, Internet | Bridge | Steering equipment, engine controls, ballast controls |

### Step 4: Select Mitigation Method

Select the best mitigation method from the list below to prevent a cybersecurity breach for each component in the Cybersecurity Table.

**Isolate** - Can you isolate the affected system by physically disconnecting it from external networks and shared internal networks? Consider whether the third-party technician will need the system connected to internal or external networks or both to complete repairs and testing.

**Remove** - Can you remove primary or secondary components from the space to prevent unauthorized access? If the third-party technician requires access to a space with vulnerable systems unrelated to their work, can you remove those components from the space?

**Restrict** - Can you restrict access to the physical location of components? Can you assign added security personnel to monitor the third-party technician?

Add your selection to the Cybersecurity Table. See Example Table D.

*Example Table D*

| Component Name | Connected to Component | Internal Network | External Network | Physical Location | Secondary Systems / Components | Mitigation Method |
|-------|-------|-------|-------|-------|-------|-------|
| Ballast pump | Computer controlled valve | Operating control system | None | STBD Ballast Tank 1 | None | Isolate, Restrict |
| ECDIS | Radar, AIS, Gyro Compass, Speed Log, GPS | Bridge Control | SATCOM, Internet | Bridge | Steering equipment, engine controls, ballast controls | Restrict |

## Security Plan

You can now create a thorough security plan from the system assessment. Write detailed descriptions of mitigation methods, including required crew and equipment. Distribute the Cybersecurity Table and the written security plan to all crew members assigned to the third-party technician work group.
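
The secondary-systems assessment from Steps 1 to 3 can be derived from an itemized inventory instead of by eye. The following Python is an added example, not part of the original training material: it flags every component that shares a physical location or an internal network with the system being serviced, which applies the "physical location or data" criterion from the introduction and so goes slightly beyond Example Table C. All inventory rows other than ECDIS and Ballast pump, the extra network and room names, and the function names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    internal_network: str
    external_networks: tuple
    location: str

# Constructed inventory: ECDIS and Ballast pump follow the example tables;
# every other row (name, network, room) is an assumption for illustration.
INVENTORY = [
    Component("ECDIS", "Bridge Control", ("SATCOM", "Internet"), "Bridge"),
    Component("Ballast pump", "Operating control system", (), "STBD Ballast Tank 1"),
    Component("Steering equipment", "Steering network", (), "Bridge"),
    Component("Engine controls", "Engine network", (), "Bridge"),
    Component("Ballast controls", "Ballast network", (), "Bridge"),
    Component("Voyage data recorder", "Bridge Control", (), "Electronics room"),
]

def secondary_components(target, inventory):
    """List (name, reason) for components sharing the target's location or network."""
    found = []
    for other in inventory:
        if other.name == target.name:
            continue
        reasons = []
        if other.location == target.location:
            reasons.append("same location")
        if other.internal_network == target.internal_network:
            reasons.append("shared internal network")
        if reasons:
            found.append((other.name, ", ".join(reasons)))
    return found

def assessment_rows(affected_names, inventory):
    """One table row per affected component; mitigation stays blank for Step 4."""
    by_name = {c.name: c for c in inventory}
    rows = []
    for name in affected_names:
        c = by_name[name]  # KeyError: the component was never itemized in Step 1
        secondary = "; ".join(f"{n} ({r})" for n, r in secondary_components(c, inventory))
        rows.append({
            "Component Name": c.name, "Physical Location": c.location,
            "Internal Network": c.internal_network,
            "External Network": ", ".join(c.external_networks) or "None",
            "Secondary Systems / Components": secondary or "None",
            "Mitigation Method": "",
        })
    return rows
```

Calling `assessment_rows(["ECDIS", "Ballast pump"], INVENTORY)` returns the rows for the two systems in the example tables; the crew still chooses Isolate, Remove or Restrict for each row.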