Cybersecurity – and Resilience – in Shipbuilding

Written by David Bacque, VP of Operations and Director of OT Security


“Cybersecurity” is a broad term, and its implications are more far-reaching than we typically consider – it isn’t just important for keeping our onshore systems safe. While cybersecurity and cyber resilience are certainly important to the health of all land-based IT/OT infrastructure, they are imperative for keeping ships and vessels secure as well. Maritime cybersecurity is unique in that the vessel itself is isolated from onshore systems, yet its systems need to integrate internally and be backed up to prevent data loss while at sea.

The Challenge

Shipbuilders build ships – they have expertise in the process of engineering and constructing a ship – but often lack expertise in securing and integrating the modern electronic systems delivered with various equipment packages. Vessels are composed of many subsystems with varying degrees of complexity, automation, and integration, all of which are required to work together for the safe and efficient operation of the vessel. While the package suppliers have expertise in building the subsystems, no one vendor, nor the shipbuilder, has the expertise to deliver a cohesive system and meet the cybersecurity expectations of modern ship owners. To equip a vessel with the tools and processes needed to secure its systems, an external cybersecurity specialist is often commissioned to evaluate and prescribe the measures necessary to meet the asset owner’s expectations.

The Solution

A clearly defined cybersecurity program needs to be created to communicate the asset owner’s security expectations while collaborating with suppliers to deliver secure systems. The cybersecurity program should align with the project phases and be tracked along with other project deliverables. Using our project security assurance process, RED Group has aligned cybersecurity into all aspects of the shipbuilding lifecycle:

  • Standards and requirements definition – align customer requirements with industry standards to create project-specific cybersecurity specifications.
  • Purchasing Specifications – build cybersecurity into the procurement process and include cybersecurity expectations in supplier contracts.
  • System Assessments – review and assess supplier and engineering documentation to validate alignment with standards and requirements.
  • Remediation Tracking – identify gaps and coordinate with vendors to remediate them.
  • Acceptance Testing – witness and verify compliance with specifications during factory or site acceptance testing.

RED Group can Help

When your business is building ships, cybersecurity is not always at the forefront of considerations. Floating, propulsion, steering and navigation – these are the things that make a ship a ship. Not always considered, but no less important, is securing the systems onboard. RED Group has the expertise needed to ensure your vessel meets your client’s needs and expectations regarding the protection and recovery of the systems onboard. Contact us to find out how partnering with RED Group can help you deliver a ship that exceeds your clients’ expectations.

David Bacque, an experienced cybersecurity and operational technology (OT) professional, has led, advised on and delivered OT projects and ICS security initiatives with industrial clients around the world.

Creating and Maintaining a Cyber Resilient Organization

Written by David Bacque, VP of Operations and Director of OT Security


When major cyber events hit the news, we are reminded again of the best practices and continuous improvement opportunities we may, or may not, be employing to lead a cyber resilient organization. Teams responsible for operational technology and industrial control systems should be keenly aware of the risks associated with cyber events and the potential for costly production downtime, not to mention damage to people, property, or the environment.

While it is important to have procedures in place to respond to cyber incidents, preventative measures should be your first line of defense. For OT systems, there are several critical security controls that are often overlooked or not fully implemented, yet can go a long way towards mitigating risk and improving an organization’s ability to respond to a cyber event. This article briefly outlines a few foundational elements which should be utilized in addition to proper incident response planning.

Asset Management

Often, organizations have an incomplete or outdated asset inventory stored in a file which is hard to find and even harder to manage or derive value from. Modern OT Asset Discovery and Monitoring solutions, such as Forescout, can proactively and safely monitor OT systems to maintain an asset inventory as well as monitor for unplanned system changes, current patch levels, and unauthorized devices.

Portable Media and Device Management

Because OT systems are typically segmented from other enterprise systems as well as the internet, well-intentioned administrators, consultants and technicians often must get creative on how to connect, update and configure devices. This typically involves connecting a portable computer to the system or bringing data in on a portable media device, such as an external hard drive. In order to maintain the integrity of an OT system, it is critical that a process exists to limit the use of unknown portable media and computers as well as a process to scan and quarantine any device which needs to connect into the OT environment.

System Patching and Hardening

Modern operating systems are insecure by design: they require a plan for patching, and unnecessary features must be disabled, to minimize the possibility of malicious code execution. OT system administrators often skip patching and hardening OT systems because of the false sense of security provided by network boundaries, firewalls or even “air-gaps”. The fact is that malware or other exploits can still find their way into OT systems through portable media and computers, or even through poorly configured firewalls or inadvertently connected systems. Once inside a network of unpatched computers, exploits are far more likely to wreak havoc through well-known vulnerabilities. Typically, these vulnerabilities have long been addressed by system vendors.

Disaster Recovery Planning

Most people know that it is important to routinely back up mission-critical data and systems to avoid data loss in the event of a system failure. What is often overlooked, however, is utilizing a process and practicing an actual system restore from that backup to verify that systems can be recovered in an amount of time consistent with a risk-based plan. In the same way disaster preparedness is important to ensure your team is familiar with the safety protocols put into place for emergency situations, disaster recovery planning prepares your team in the event of a cyber-attack. Backup integrity needs to be regularly verified, and systems should be restored onto test hardware to verify that recovery processes are accurate and to reduce the impact of a cyber event or system failure.

Preventative Measures

In summary, there are a number of risks associated with industrial cybersecurity of OT systems. While it is certainly important for organizations to have procedures in place to respond to cyber events, it is also crucial to be proactive about protecting your assets. A few preventative measures that should be implemented within organizations include:

  • Asset management
  • Portable media and device management
  • System patching and hardening
  • Disaster recovery planning

Ensure your systems are protected and your assets are defensible – contact RED Group today to get a better idea of where you currently stand on your cybersecurity journey and to lay out a roadmap to better cyber resilience.
