
PrivX™ OT Case Study - Marine Vessel Operator


A Marine Vessel Operator Secures Remote Access for Diagnostics, Maintenance and IoT Data Collection 


Customer

The customer is a global shipping company with a current fleet of over 100 ships and expanding. Since the fleet is travelling on the seas all over the world, the customer wants to stay up to date on the operational capability of the fleet and to pre-empt any potential problems by running regular diagnostics, remote maintenance and troubleshooting on the ships.

Customer's security and operational concerns

Forcing the ships to dock at a port for checkups and diagnostics is costly and slows down the delivery times of goods. This is why the customer had deployed a CentOS server infrastructure with applications and remote diagnostics and maintenance tools that collect data from IoT sensors. 

The maintenance engineers access the ships from an AWS cloud. The customer soon realized that this mission-critical access from the public cloud environment came with risks, including:

  1. Disruption of critical systems, including cyberattacks on the Automatic Identification System (AIS), Electronic Chart Display and Information System (ECDIS), and Global Maritime Distress and Safety System (GMDSS). These are critical navigation and communication systems, which – if hacked – could potentially leave ships unguided, lost at sea and without communication capabilities.
  2. Safety and security concerns: A compromised system can cause physical damage if safety mechanisms are turned off remotely, putting the safety of the crew at jeopardy.
  3. Third-party access: Remote diagnostics are often done by various vendor experts accessing the ship systems. Limited tracking, visibility and security might expose entry points for cyber threats.

Customer challenge - VPN limitations

To remedy this, the customer tried using a VPN for remote diagnostics but soon encountered the following challenges:
  • Limited transparency into remote access without visibility into the sessions
  • The VPN connections to the ship networks were always on
  • Indiscriminate access to all areas once logged in to the VPN service
  • Untracked and unidentified connections to the ship subsystems
  • Shared accounts and manually managed access credentials
  • Scalability, connectivity and performance issues
The customer decided to look for an access solution that could meet their requirements and discovered PrivX OT by SSH Communications Security.

PrivX OT deployment in the customer environment

As the customer already had a well-thought-out technical infrastructure where the connections to the ships were made through a combination of the Amazon cloud and a satellite, it was important the deployed solution could fit into the existing infrastructure effortlessly.


  1. PrivX was integrated with multiple IAMs and ADs to always link an ID to a role for each session.
  2. PrivX offers multiple authentication methods, including: 
    • AD/LDAP user & password
    • Local user & password
    • OpenID Connect
    • MFA (TOTP & Biometric)
    • Passkeys / FIDO2
    • TLS client certificate
    • SSH public key
    • External JSON web token
    • PrivX Authorizer
  3. PrivX stores and rotates the credentials needed for access or enables passwordless access. Credentials are vaulted and rotated after use, or, in the case of passwordless access, the user never even sees or handles any credentials.
  4. After authentication, PrivX automatically maps the identity to the right role for access.
  5. The user (maintenance engineer, vendor engineer, ship technician, etc.) only sees a list of available targets based on the role – and nothing else.
  6. The user selects the target from the list and gets access to it. The target can be a single application, a sensor or an entire server, depending on the task at hand. The actions the user is allowed to perform can be restricted as necessary.
    Using PrivX Extenders, it is possible to connect to hosts without public IP addresses, such as hosts in a Virtual Private Cloud (VPC) or in firewalled private networks.
  7. All sessions produce an audit trail. For the most important connections, session recording or live monitoring is available. It is also possible to require external authorization by the site admin for critical sessions.
  8. After the session is over, offboarding is automatic. Every session is verified each time it is made, in a just-in-time (JIT) fashion, to align with the Zero Trust security framework.
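To make the access flow in steps 1–8 concrete, here is an added Python model of a role-based, just-in-time access broker with an audit trail and site-admin approval for critical targets. It is a constructed illustration written for this page, not PrivX code and not a PrivX API; the directory mapping, role-to-target table, ship names and the `site-admin` approver are all assumed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not a real customer directory): identity -> role,
# role -> ship targets, and the targets that need site-admin approval.
DIRECTORY_ROLES = {"alice": "maintenance-engineer",
                   "bob@vendor.example": "vendor-engineer"}
ROLE_TARGETS = {
    "maintenance-engineer": {"ship-01/diag-server", "ship-01/iot-collector"},
    "vendor-engineer": {"ship-01/iot-collector"},
}
CRITICAL_TARGETS = {"ship-01/diag-server"}
AUDIT_TRAIL: list = []          # every decision, granted or denied, is recorded

@dataclass
class Session:
    user: str
    role: str
    target: str
    expires_at: int             # epoch seconds; a session is never always-on
    approved_by: Optional[str]

def resolve_role(user: str) -> str:
    """Map an authenticated identity to exactly one role (directory lookup)."""
    if user not in DIRECTORY_ROLES:
        raise PermissionError(f"unknown identity {user!r}")
    return DIRECTORY_ROLES[user]

def list_targets(role: str) -> list:
    """The user sees only the targets the role allows, nothing else."""
    return sorted(ROLE_TARGETS.get(role, set()))

def request_session(user: str, target: str, now: int,
                    approver: Optional[str] = None, ttl: int = 1800) -> Session:
    """Grant a short-lived session, or deny and record why in the audit trail."""
    role = resolve_role(user)
    event = {"ts": now, "user": user, "role": role, "target": target}
    if target not in ROLE_TARGETS.get(role, set()):
        AUDIT_TRAIL.append({**event, "result": "denied: target not in role"})
        raise PermissionError("target not permitted for role")
    if target in CRITICAL_TARGETS and approver is None:
        AUDIT_TRAIL.append({**event, "result": "denied: approval required"})
        raise PermissionError("critical target requires site-admin approval")
    AUDIT_TRAIL.append({**event, "result": "granted", "approved_by": approver})
    return Session(user, role, target, now + ttl, approver)

def session_valid(session: Session, now: int) -> bool:
    """JIT: once the window closes, the user must request access again."""
    return now < session.expires_at
```

Contrast this with the always-on VPN described earlier: a vendor engineer never sees the diagnostics server, a critical session without an approver is denied, and both outcomes land in the audit trail.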

Securing ships sailing the seven seas - benefits


  • Debugging and remote maintenance can be done remotely and securely regardless of the location of the ship or the technician.
  • Automated linking of a role to an identity ensures that all sessions can be verified with strong IDs.
  • Access is limited by role, meaning that privileges to take actions on the ship are restricted to the minimum needed to get the job done.
  • Just-in-time (JIT) access instead of always-on connections to the ships. This means that each connection to a ship is established at the same time as the authorization and is verified each time it is made – in a true Zero Trust fashion.
  • All the secrets (passwords) were managed centrally for risk mitigation.
  • PrivX OT is the centralized access gateway for the entire fleet. Any employee or third party gets access from any location to an individual ship in a uniform, controlled way.
  • All connections are tracked and produce a solid audit trail.
  • Scalable cloud deployment ensures that the solution can expand as the fleet of ships increases.
