Parts-Syllabus
Part B
EM201 Advanced Navigation and Maritime Cyber Security
Cyber Security
Maritime Cyber Security for Ports management
monitoring and auditing of port cyber security plan ;

monitoring and auditing of port cyber security plan ;

Of course. Monitoring and auditing a Port Cybersecurity Plan is a critical, continuous process that transforms a static document into a living, effective defense mechanism. It’s about ensuring the plan is not only implemented correctly but also remains relevant and effective against evolving threats.

Here’s a comprehensive breakdown of how to approach monitoring and auditing for a port environment, which uniquely combines Information Technology (IT) and Operational Technology (OT).

The Goal: From Compliance to Resilience

  • Monitoring: The ongoing, real-time or near-real-time observation of systems to detect security events and verify that controls are working as expected. It asks: “What is happening right now?”
  • Auditing: The periodic, formal, and systematic examination of the cybersecurity plan and its implementation to verify its effectiveness, completeness, and compliance with regulations. It asks: “Did we do what we said we would do, and is it working over time?”

I. Monitoring the Port Cybersecurity Plan (The Continuous Check-up)

Monitoring in a port must cover both the corporate IT network and, crucially, the Operational Technology (OT) network that controls physical operations.

A. Key Areas for Continuous Monitoring:

  1. Network Traffic and Segmentation:

    • IT/OT Boundary: Monitor all traffic crossing the firewalls between the IT and OT networks. There should be very little, and it must be strictly controlled and logged.
    • Unusual Protocols: Use OT-aware monitoring tools (e.g., Nozomi, Dragos, Claroty) to detect unusual commands or protocols on the OT network (e.g., Modbus, DNP3).
    • External Connections: Monitor all connections to and from third parties, such as shipping lines, customs agencies, and logistics partners. Flag any unauthorized connections.

  2. System and Asset Health:

    • Log Aggregation (SIEM): Centralize logs from firewalls, servers, switches, and critical applications like the Terminal Operating System (TOS) and Vessel Traffic Service (VTS) systems.
    • Endpoint Security: Monitor the status of antivirus/EDR (Endpoint Detection and Response) on all workstations, servers, and Human-Machine Interfaces (HMIs).
    • Configuration Changes: Use automated tools to detect any unauthorized changes to the configurations of critical devices (firewalls, PLCs, switches).

  3. Access Control:

    • Privileged Accounts: Monitor all activity from administrative accounts on both IT and OT systems. Alert on unusual login times, locations, or commands.
    • Remote Access: Log and review every remote access session (VPN) from employees and, especially, third-party vendors who need to service OT equipment.
    • Failed Login Attempts: Monitor for brute-force attacks against any system, from email servers to the PLCs controlling cranes.

  4. Vulnerability Status:

    • Continuous Vulnerability Scanning: Regularly scan IT networks for new vulnerabilities.
    • Passive OT Scanning: Use passive monitoring tools on the OT network to identify vulnerable devices without actively probing them, which could cause disruption.
    • Patching Status: Monitor and report on the status of security patch deployment. For OT systems where patching is difficult, monitor that compensating controls (like network isolation) are in place.

B. Key Monitoring Tools and Technologies:

  • SIEM (Security Information and Event Management): The core of the Security Operations Center (SOC) for correlating events.
  • OT Security Monitoring Platform: Specialized tools that understand industrial protocols and can identify threats specific to OT environments.
  • NIDS/NIPS (Network Intrusion Detection/Prevention System): Deployed at key network boundaries.
  • EDR (Endpoint Detection and Response): For active threat hunting on endpoints.
  • Vulnerability Management Tools: To automate scanning and reporting.

II. Auditing the Port Cybersecurity Plan (The Periodic Deep Dive)

Audits should be conducted periodically (e.g., annually) by an independent party, which could be an internal audit team or a qualified external firm.

A. Scope of a Port Cybersecurity Audit:

The audit should be a structured review against a known framework (e.g., NIST Cybersecurity Framework, ISO 27001, IMO MSC.428(98)).

  1. Governance and Policy Audit:

    • Plan Review: Is the cybersecurity plan formally approved by port leadership? Has it been reviewed and updated within the last 12 months?
    • Risk Assessment: Was a comprehensive risk assessment performed? Does it specifically address both IT and OT risks (e.g., risk of TOS ransomware, GPS spoofing, crane manipulation)?
    • Roles and Responsibilities: Are roles like the Chief Information Security Officer (CISO) and system owners clearly defined and understood?

  2. Technical Controls Audit:

    • Penetration Testing:
      • External Test: Simulate an outside attacker trying to breach the port’s perimeter.
      • Internal Test: Simulate a malicious insider or a compromised workstation.
      • OT-Specific Test (Carefully Scoped): A highly specialized and carefully controlled test to see if the OT network can be accessed from the IT network.
    • Configuration Review: Audit the configuration of key devices (firewalls, core switches, domain controllers, key OT systems) against security best practices and established baselines.
    • Vulnerability Assessment: A formal, point-in-time assessment of all vulnerabilities present on the network, compared against the results of continuous monitoring.

  3. Process and People Audit:

    • Access Control Review: Audit user access lists for all critical systems. Verify that the principle of “least privilege” is enforced and that access for former employees has been revoked in a timely manner.
    • Incident Response Plan Test:
      • Tabletop Exercise: A discussion-based drill simulating a cyber incident (e.g., “The TOS is encrypted with ransomware. What’s the plan? Who do you call? How do we manually operate the yard?”).
      • Functional Drill: A hands-on test of specific functions, like restoring a server from backup.
    • Security Awareness and Training: Review training logs and test employee awareness through simulated phishing campaigns.
    • Third-Party Risk Management: Audit the process for vetting new vendors, shipping lines, and partners. Review security clauses in contracts.

  4. Compliance Audit:

    • Regulatory Checklist: Audit specifically against the requirements of relevant maritime regulations (e.g., IMO, US Coast Guard, ENISA).
    • Evidence Collection: The audit must produce documented evidence of compliance (or non-compliance), including log excerpts, configuration files, and interview notes.

B. The Audit Report:

The final output of an audit should be a formal report for port leadership, containing:

  • An Executive Summary of the port’s overall cyber posture.
  • A list of Findings, categorized by risk level (e.g., Critical, High, Medium, Low).
  • Recommendations for remediation for each finding.
  • A Corrective Action Plan (CAP) with assigned owners and deadlines for addressing the findings.

Putting It All Together: The Continuous Improvement Cycle

Monitoring and Auditing are not separate; they feed each other in a continuous cycle:

  1. Plan: Develop the Port Cybersecurity Plan based on a risk assessment.
  2. Monitor: Continuously monitor systems to detect deviations and threats in real-time.
  3. Audit: Periodically audit the entire program to find systemic weaknesses that monitoring might miss.
  4. Improve: Use the findings from both monitoring and auditing to update the risk assessment, refine security controls, and improve the overall Cybersecurity Plan.
Managing cyber security at a maritime port:security operations centre (SOC);port cyber security assessment and plan (CSA & CSP);