Circular No. 07/19 - 2018 Third Edition of BIMCO Guidelines on Cyber Security Onboard Ships · 3/4/2019

American Club Circular No. 07/19

MARCH 4, 2019
CIRCULAR NO. 07/19
TO MEMBERS OF THE ASSOCIATION

Dear Member:

2018 THIRD EDITION OF BIMCO GUIDELINES ON CYBER SECURITY ONBOARD SHIPS

Members may already be aware of this new edition of the above-captioned maritime industry guide on cyber security. Importantly, this third edition of the BIMCO Guidelines now addresses the requirement to incorporate cyber protection as part of a ship’s safety management system (SMS).

The Guidelines are attached, and are downloadable without charge at: https://www.bimco.org/news/priority-news/20181207-industry-publishes-improved-cyber-guidelines

It is hoped that this document will assist Members in their appraisal of cyber risk onboard their ships, including ship-to-shore interfaces, and in establishing a culture of cyber risk awareness within their organizations both ashore and afloat.

Yours faithfully,

Joseph E.M. Hughes, Chairman & CEO
Shipowners Claims Bureau, Inc., Managers for THE AMERICAN CLUB


THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS

Produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, IUMI, OCIMF and WORLD SHIPPING COUNCIL

v3

The Guidelines on Cyber Security Onboard Ships, Version 3

Terms of use

The advice and information given in the Guidelines on Cyber Security Onboard Ships (the guidelines) is intended purely as guidance to be used at the user’s own risk. No warranties or representations are given, nor is any duty of care or responsibility accepted by the Authors, their membership or employees of any person, firm, corporation or organisation (who or which has been in any way concerned with the furnishing of information or data, or the compilation or any translation, publishing, or supply of the guidelines) for the accuracy of any information or advice given in the guidelines; or any omission from the guidelines or for any consequence whatsoever resulting directly or indirectly from compliance with, adoption of or reliance on guidance contained in the guidelines, even if caused by a failure to exercise reasonable care on the part of any of the aforementioned parties.

CONTENTS

Introduction ... 1
1 Cyber security and safety management ... 3
1.1 Differences between IT and OT systems ... 5
1.2 Plans and procedures ... 6
1.3 Relationship between ship manager and shipowner ... 7
1.4 The relationship between the shipowner and the agent ... 7
1.5 Relationship with vendors ... 8
2 Identify threats ... 9
3 Identify vulnerabilities ... 13
3.1 Ship to shore interface ... 14
4 Assess risk exposure ... 16
4.1 Risk assessment made by the company ... 21
4.2 Third-party risk assessments ... 21
4.3 Risk assessment process ... 22
5 Develop protection and detection measures ... 24
5.1 Defence in depth and in breadth ... 24
5.2 Technical protection measures ... 25
5.3 Procedural protection measures ... 29
6 Establish contingency plans ... 34
7 Respond to and recover from cyber security incidents ... 36
7.1 Effective response ... 36
7.2 Recovery plan ... 37
7.3 Investigating cyber incidents ... 38
7.4 Losses arising from a cyber incident ... 38
Annex 1 Target systems, equipment and technologies ... 40
Annex 2 Cyber risk management and the safety management system ... 42
Annex 3 Onboard networks ... 46
Annex 4 Glossary ... 50
Annex 5 Contributors to version 3 of the guidelines ... 53

INTRODUCTION

Ships are increasingly using systems that rely on digitisation, digitalisation, integration, and automation, which call for cyber risk management on board. As technology continues to develop, information technology (IT) and operational technology (OT) onboard ships are being networked together – and more frequently connected to the internet.

This brings the greater risk of unauthorised access or malicious attacks to ships’ systems and networks. Risks may also occur from personnel accessing systems on board, for example by introducing malware via removable media.

To mitigate the potential safety, environmental and commercial consequences of a cyber incident, a group of international shipping organisations, with support from a wide range of stakeholders (please refer to annex 5 for more details), have participated in the development of these guidelines, which are designed to assist companies in formulating their own approaches to cyber risk management onboard ships.

Approaches to cyber risk management will be company- and ship-specific but should be guided by the requirements of relevant national, international and flag state regulations. These guidelines provide a risk-based approach to identifying and responding to cyber threats. An important aspect is the benefit that relevant personnel would obtain from training in identifying the typical modus operandi of cyber attacks.

In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management System (SMS). The Resolution stated that an approved SMS should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code. It further encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021. The same year, IMO developed guidelines [1] that provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. As also highlighted in the IMO guidelines, effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels and departments of an organization and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.

The commitment of senior management to cyber risk management is a central assumption, on which the Guidelines on Cyber Security Onboard Ships have been developed.

The Guidelines on Cyber Security Onboard Ships are aligned with IMO resolution MSC.428(98) and IMO’s guidelines and provide practical recommendations on maritime cyber risk management covering both cyber security and cyber safety. (See chapter 1 for this distinction).

The aim of this document is to offer guidance to shipowners and operators on procedures and actions to maintain the security of cyber systems in the company and onboard the ships. The guidelines are not intended to provide a basis for, and should not be interpreted as, calling for external auditing or vetting the individual company’s and ship’s approach to cyber risk management.

Like the IMO guidelines, the US National Institute of Standards and Technology (NIST) framework has also been accounted for in the development of these guidelines. The NIST framework assists companies with their risk assessments by helping them understand, manage and express the potential cyber risk threat both internally and externally. As a result of this assessment, a “profile” is developed, which can help to identify and prioritise actions for reducing cyber risks. The profile can also be used as a tool for aligning policy, business and technological approaches to manage the risks. Sample framework profiles are publicly available for maritime bulk liquid transfer, offshore, and passenger ship operations [2]. These profiles were created by the United States Coast Guard and NIST’s National Cybersecurity Center of Excellence with input from industry stakeholders. The profiles are considered to be complementary to these guidelines and can be used together to assist industry in assessing, prioritizing, and mitigating their cyber risks.

[1] MSC-FAL.1/Circ.3 on Guidelines on maritime cyber risk management

[2] The NIST Framework Profiles for maritime bulk liquid transfer, offshore, and passenger operations can be accessed here: http://mariners.coastguard.dodlive.mil/2018/01/12/1-12-2018-release-of-offshore-operations-and-passenger-vessel-cybersecurity-framework-profiles

1 CYBER SECURITY AND SAFETY MANAGEMENT

Both cyber security and cyber safety are important because of their potential effect on personnel, the ship, environment, company and cargo. Cyber security is concerned with the protection of IT, OT, information and data from unauthorised access, manipulation and disruption. Cyber safety covers the risks from the loss of availability or integrity of safety critical data and OT.

Cyber safety incidents can arise as the result of:

• a cyber security incident, which affects the availability and integrity of OT, for example corruption of chart data held in an Electronic Chart Display and Information System (ECDIS)
• a failure occurring during software maintenance and patching
• loss of or manipulation of external sensor data, critical for the operation of a ship – this includes but is not limited to Global Navigation Satellite Systems (GNSS).

Whilst the causes of a cyber safety incident may be different from a cyber security incident, the effective response to both is based upon training and awareness.

Incident: Unrecognised virus in an ECDIS delays sailing

A new-build dry bulk ship was delayed from sailing for several days because its ECDIS was infected by a virus. The ship was designed for paperless navigation and was not carrying paper charts. The failure of the ECDIS appeared to be a technical disruption and was not recognized as a cyber issue by the ship’s master and officers. A producer technician was required to visit the ship and, after spending a significant time in troubleshooting, discovered that both ECDIS networks were infected with a virus. The virus was quarantined and the ECDIS computers were restored. The source and means of infection in this case are unknown. The delay in sailing and costs in repairs totalled in the hundreds of thousands of dollars (US).

Cyber risk management should:

• identify the roles and responsibilities of users, key personnel, and management both ashore and on board
• identify the systems, assets, data and capabilities, which if disrupted, could pose risks to the ship’s operations and safety
• implement technical and procedural measures to protect against a cyber incident and ensure continuity of operations
• implement activities to prepare for and respond to cyber incidents.

Some aspects of cyber risk management may include commercially sensitive or confidential information. Companies should, therefore, consider protecting this information appropriately, and as far as possible, not include sensitive information in their Safety Management System (SMS).

Development, implementation, and maintenance of a cyber security management program in accordance with the approach in figure 1 is no small undertaking. It is, therefore, important that senior management stays engaged throughout the process to ensure that the protection, contingency and response planning are balanced in relation to the threats, vulnerabilities, risk exposure and consequences of a potential cyber incident.

Figure 1: Cyber risk management approach as set out in the guidelines (figure rendered as text; the stages form a cycle in the original diagram)

CYBER RISK MANAGEMENT APPROACH

Identify threats: Understand the external cyber security threats to the ship. Understand the internal cyber security threat posed by inappropriate use and lack of awareness.

Identify vulnerabilities: Develop inventories of onboard systems with direct and indirect communications links. Understand the consequences of a cyber security threat on these systems. Understand the capabilities and limitations of existing protection measures.

Assess risk exposure: Determine the likelihood of vulnerabilities being exploited by external threats. Determine the likelihood of vulnerabilities being exposed by inappropriate use. Determine the security and safety impact of any individual or combination of vulnerabilities being exploited.

Develop protection and detection measures: Reduce the likelihood of vulnerabilities being exploited through protection measures. Reduce the potential impact of a vulnerability being exploited.

Establish contingency plans: Develop a prioritised contingency plan to mitigate any potential identified cyber risk.

Respond to and recover from cyber security incidents: Respond to and recover from cyber security incidents using the contingency plan. Assess the impact of the effectiveness of the response plan and re-assess threats and vulnerabilities.

1.1 Differences between IT and OT systems

OT systems control the physical world and IT systems manage data. OT systems differ from traditional IT systems. OT is hardware and software that directly monitors/controls physical devices and processes. IT covers the spectrum of technologies for information processing, including software, hardware and communication technologies. Traditionally OT and IT have been separated, but with the internet, OT and IT are coming closer as historically stand-alone systems are becoming integrated. Disruption of the operation of OT systems may impose significant risk to the safety of onboard personnel, cargo, damage to the marine environment, and impede the ship’s operation. Typical differences between IT and OT systems can be seen in the table below.

Table 1: differences between OT and IT [3]

Category: Performance requirements
  IT system:
  • non-real-time
  • response must be consistent
  • less critical emergency interaction
  • tightly restricted access control can be implemented to the degree necessary for security
  OT system:
  • real-time
  • response is time-critical
  • response to human and any other emergency interaction is critical
  • access to OT should be strictly controlled, but should not hamper or interfere with human-machine interaction

Category: Availability (reliability) requirements
  IT system:
  • responses such as rebooting are acceptable
  • availability deficiencies may be tolerated, depending on the system’s operational requirements
  OT system:
  • responses such as rebooting may not be acceptable because of operational requirements
  • availability requirements may necessitate back-up systems

Category: Risk management requirements
  IT system:
  • manage data
  • data confidentiality and integrity is paramount
  • fault tolerance may be less important
  • risk impacts may cause delay of: ship’s clearance, commencement of loading/unloading, and commercial and business operations
  OT system:
  • control physical world
  • safety is paramount, followed by protection of the process
  • fault tolerance is essential, even momentary downtime may not be acceptable
  • risk impacts are regulatory non-compliance, as well as harm to the personnel on board, the environment, equipment and/or cargo

Category: System operation
  IT system:
  • systems are designed for use with commonly known operating systems
  • upgrades are straightforward with the availability of automated deployment tools
  OT system:
  • differing and possibly proprietary operating systems, often without built-in security capabilities
  • software changes must be carefully made, usually by software vendors, because of the specialized control algorithms and possible involvement of modified hardware and software

Category: Resource constraints
  IT system:
  • systems are specified with enough resources to support the addition of third-party applications such as security solutions
  OT system:
  • systems are designed to support the intended operational process and may not have enough memory and computing resources to support the addition of security capabilities

[3] Based on table 2-1 in NIST Special Publication 800-82, Revision 2.

There may be important differences between who handles the purchase and management of the OT systems versus IT systems on a ship. IT departments are not usually involved in the purchase of OT systems. The purchase of such systems should involve a chief engineer, who knows about the impact on the onboard systems but will most probably only have limited knowledge of software and cyber risk management. It is, therefore, important to have a dialogue with the IT department to ensure that cyber risks are considered during the OT purchasing process. OT systems should be inventoried with the IT department, so as to obtain an overview of potential challenges and to help establish the necessary policy and procedures for software maintenance.

Other industry sectors have seen the barrier removed between IT and OT, with management and procurement strategies all handled under the same regime.

1.2 Plans and procedures

IMO Resolution MSC.428(98) identifies cyber risks as specific threats, which companies should try to address as far as possible in the same way as any other risk that may affect the safe operation of a ship and protection of the environment. More guidance on how to incorporate cyber risk management into the company’s SMS can be found in annex 2 of these guidelines.

Cyber risk management should be an inherent part of the safety and security culture conducive to the safe and efficient operation of the ship and be considered at various levels of the company, including senior management ashore and onboard personnel. In the context of a ship’s operation, cyber incidents are anticipated to result in physical effects and potential safety and/or pollution incidents. This means that the company needs to assess risks arising from the use of IT and OT onboard ships and establish appropriate safeguards against cyber incidents. Company plans and procedures for cyber risk management should be incorporated into existing security and safety risk management requirements contained in the ISM Code and ISPS Code.

The objective of the SMS is to provide a safe working environment by establishing appropriate practices and procedures based on an assessment of all identified risks to the ship, onboard personnel and the environment. The SMS should include instructions and procedures to ensure the safe operation of the ship and protection of the environment in compliance with relevant international and flag state requirements. These instructions and procedures should consider risks arising from the use of IT and OT onboard, taking into account applicable codes, guidelines and recommended standards.

When incorporating cyber risk management into the company’s SMS, consideration should be given as to whether, in addition to a generic risk assessment of the ships it operates, a particular ship needs a specific risk assessment. The company should consider the need for a specific risk assessment based on whether a particular ship is unique within their fleet. The factors to be considered include but are not limited to the extent to which IT and OT are used onboard, the complexity of system integration and the nature of operations.

In accordance with chapter 8 of the ISPS Code, the ship is obliged to conduct a security assessment, which includes identification and evaluation of key shipboard operations and the associated potential threats. As recommended by Part B, paragraph 8.3.5 of the ISPS Code, the assessment should address radio and telecommunication systems, including computer systems and networks. Therefore, the ship’s security plan may need to include appropriate measures for protecting both the equipment and the connection. Due to the fast adoption of sophisticated and digitalised onboard OT systems, consideration should be given to including these procedures by reference to the SMS in order to help ensure the ship’s security procedures are as up-to-date as possible.

Systems like Tanker Management and Self Assessment (TMSA) also require plans and procedures to be implemented.

1.3 Relationship between ship manager and shipowner

The Document of Compliance holder is ultimately responsible for ensuring the management of cyber risks onboard. If the ship is under third party management, then the ship manager is advised to reach an agreement with the shipowner.

Particular emphasis should be placed by both parties on the split of responsibilities, alignment of pragmatic expectations, agreement on specific instructions to the manager and possible participation in purchasing decisions as well as budgetary requirements.

Apart from ISM requirements, such an agreement should take into consideration additional applicable legislation like the EU General Data Protection Regulation (GDPR) or specific cyber regulations in other coastal states. Managers and owners should consider using these guidelines as a base for an open discussion on how best to implement an efficient cyber risk management regime.

Agreements on cyber risk management should be formal and written.

1.4 The relationship between the shipowner and the agent

The importance of this relationship has placed the agent [4] as a named stakeholder, interfacing continuously and simultaneously with shipowners, operators, terminals, port services vendors, and port state control authorities through the exchange of sensitive, financial, and port coordination information. The relationship goes beyond that of a vendor. It can take different forms and especially in the tramp trade, shipowners require a local representative (an independent ship agent) to serve as an extension of the company.

Coordination of the ship’s call of port is a highly complex task being simultaneously global and local. It covers updates from agents, coordinating information with all port vendors, port state control, handling ship and crew requirements, and electronic communication between the ship, port and authorities ashore. As one example, which touches cyber risk management: often agents are required to build IT systems, which upload information real-time into the owner’s management information system.

Quality standards for agents are important because like all other businesses, agents are also targeted by cyber criminals. Cyber-enabled crime, such as electronic wire fraud and false ship appointments, and cyber threats such as ransomware and hacking, call for mutual cyber strategies and cyber-enhanced relationships between owners and agents to mitigate such cyber risks.

Incident: Ship agent and shipowner ransomware incident

A shipowner reported that the company’s business networks were infected with ransomware, apparently from an email attachment. The source of the ransomware was from two unwitting ship agents, in separate ports, and on separate occasions. Ships were also affected but the damage was limited to the business networks, while navigation and ship operations were unaffected. In one case, the owner paid the ransom [5].

The importance of this incident is that harmonized cyber security across relationships with trusted business partners and producers is critical to all in the supply chain. Individual efforts to fortify one’s own business can be valiant and well-intended but could also be insufficient. Principals in the supply chain should work together to mitigate cyber risk.

[4] The party representing the ship’s owner and/or charterer (the Principal) in port. If so instructed, the agent is responsible to the principal for arranging, together with the port, a berth, all relevant port and husbandry services, tending to the requirements of the master and crew, clearing the ship with the port and other authorities (including preparation and submission of appropriate documentation) along with releasing or receiving cargo on behalf of the principal (source: Convention on Facilitation of International Maritime Traffic (FAL Convention)).

[5] Nothing in these guidelines should be taken as recommending the payment of ransom.

1.5 Relationship with vendors

Companies should evaluate and include the physical security and cyber risk management processes of service providers in supplier agreements and contracts. Processes evaluated during supplier vetting and included in contract requirements may include:

• security management including management of sub-suppliers
• manufacturing/operational security
• software engineering and architecture
• asset and cyber incident management
• personnel security
• data and information protection.

Evaluation of service providers beyond the first tier may be challenging especially for companies with a large number of tier one suppliers. Third party providers that are collecting and managing supplier risk management data may be an option to consider.

Lack of physical and/or cyber security at a supplier within their products or infrastructure may result in a breach of corporate IT systems or corruption of ship OT/IT systems.

Companies should evaluate the cyber risk management processes for both new and existing contracts. It is good practice for the company to define their own minimum set of requirements to manage supply chain or 3rd party risks. A set of cyber risk requirements that reflect the company’s expectations should be clear and unambiguous to vendors. This may also help procurement practices when dealing with multiple vendors.

2 IDENTIFY THREATS

The cyber risk [6] is specific to the company, ship, operation and/or trade. When assessing the risk, companies should consider any specific aspects of their operations that might increase their vulnerability to cyber incidents.

Unlike other areas of safety and security, where historic evidence is available, cyber risk management is made more challenging by the absence of any definitive information about incidents and their impact. Until this evidence is obtained, the scale and frequency of attacks will continue to be unknown.

Experiences in the shipping industry and from other business sectors such as financial institutions, public administration and air transport have shown that successful cyber attacks might result in a significant loss of services. Assets can also compromise safety.

There are motives for organisations and individuals to exploit cyber vulnerabilities. The following examples give some indication of the threats posed and the potential consequences for companies and the ships they operate:

Table 2: motivation and objectives

Group: Activists (including disgruntled employees)
  Motivation:
  • reputational damage
  • disruption of operations
  Objective:
  • destruction of data
  • publication of sensitive data
  • media attention
  • denial of access to the service or system targeted

Group: Criminals
  Motivation:
  • financial gain
  • commercial espionage
  • industrial espionage
  Objective:
  • selling stolen data
  • ransoming stolen data
  • ransoming system operability
  • arranging fraudulent transportation of cargo
  • gathering intelligence for more sophisticated crime, exact cargo location, ship transportation and handling plans etc

Group: Opportunists
  Motivation:
  • the challenge
  Objective:
  • getting through cyber security defences
  • financial gain

Group: States; State sponsored organisations; Terrorists
  Motivation:
  • political gain
  • espionage
  Objective:
  • gaining knowledge
  • disruption to economies and critical national infrastructure

The above groups are active and have the skills and resources to threaten the safety and security of ships and a company’s ability to conduct its business.

[6] The text in this chapter has been summarised from CESG, Common Cyber Attacks: Reducing the Impact.

In addition, there is the possibility that company personnel, onboard and ashore, could compromise cyber systems and data. In general, the company should realise that this may be unintentional and caused by human error when operating and managing IT and OT systems or failure to respect technical and procedural protection measures. There is, however, the possibility that actions may be malicious and are a deliberate attempt by a disgruntled employee to damage the company and the ship.

Types of cyber attack

In general, there are two categories of cyber attacks, which may affect companies and ships:

• untargeted attacks, where a company or a ship’s systems and data are one of many potential targets
• targeted attacks, where a company or a ship’s systems and data are the intended target.

Untargeted attacks are likely to use tools and techniques available on the internet, which can be used to locate, discover and exploit widespread vulnerabilities that may also exist in a company and onboard a ship. Examples of some tools and techniques that may be used in these circumstances include:

• Malware – Malicious software which is designed to access or damage a computer without the knowledge of the owner. There are various types of malware including trojans, ransomware, spyware, viruses, and worms. Ransomware encrypts data on systems until a ransom has been paid. Malware may also exploit known deficiencies and problems in outdated/unpatched business software. The term “exploit” usually refers to the use of a software or code, which is designed to take advantage of and manipulate a problem in another computer software or hardware. This problem can, for example, be a code bug, system vulnerability, improper design, hardware malfunction and/or error in protocol implementation. These vulnerabilities may be exploited remotely or triggered locally. Locally, a piece of malicious code may often be executed by the user, sometimes via links distributed in email attachments or through malicious websites.

• Phishing – Sending emails to a large number of potential targets asking for particular pieces of sensitive or confidential information. Such an email may also request that a person visits a fake website using a hyperlink included in the email.

• Water holing – Establishing a fake website or compromising a genuine website to exploit visitors.

• Scanning – Attacking large portions of the internet at random.

Targeted attacks may be more sophisticated and use tools and techniques specifically created for targeting a company or ship. Examples of tools and techniques, which may be used in these circumstances, include:

• Social engineering – A non-technical technique used by potential cyber attackers to manipulate insider individuals into breaking security procedures, normally, but not exclusively, through interaction via social media.

• Brute force – An attack trying many passwords with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords until the correct one is found.

• Denial of service (DoS) – Prevents legitimate and authorised users from accessing information, usually by flooding a network with data. A distributed denial of service (DDoS) attack takes control of multiple computers and/or servers to implement a DoS attack.

THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 | 11 | IDENTIFY THREATS

Spear-phishing – Like phishing but the individuals are targeted with personal emails, often containing malicious software or links that automatically download malicious software.

Subverting the supply chain – Attacking a company or ship by compromising equipment, software or supporting services being delivered to the company or ship.

The above examples are not exhaustive. Other methods are evolving such as impersonating a legitimate shore-based employee in a shipping company to obtain valuable information, which can be used for a further attack. The potential number and sophistication of tools and techniques used in cyber attacks continue to evolve and are limited only by the ingenuity of those organisations and individuals developing them.

Stages of a cyber attack

In 2018, it took on average 140 days between time of infection of a victim's network and discovery of a cyber attack. However, intrusion can go undetected for years. This figure is down from 205 days in 2015 and continues to drop because detection is getting better⁷. Cyber attacks are conducted in stages. The length of time to prepare a cyber attack can be determined by the motivations and objectives of the attacker, and the resilience of technical and procedural cyber risk controls implemented by the company, including those onboard its ships. When considering targeted cyber attacks, the generally-observed stages of an attack are:

Survey/reconnaissance – Open/public sources are used to gain information about a company, ship or seafarer in preparation for a cyber attack. Social media, technical forums and hidden properties in websites, documents and publications may be used to identify technical, procedural and physical vulnerabilities. The use of open/public sources may be complemented by monitoring (analysing – sniffing) the actual data flowing into and from a company or a ship.

Delivery – Attackers may attempt to access the company's and ship's systems and data. This may be done from either within the company or ship or remotely through connectivity with the internet. Examples of methods used to obtain access include:

• company online services, including cargo or container tracking systems

• sending emails containing malicious files or links to malicious websites to personnel

• providing infected removable media, for example as part of a software update to an onboard system

• creating false or misleading websites, which encourage the disclosure of user account information by personnel.

Breach – The extent to which an attacker can breach a company's or ship's system will depend on the significance of the vulnerability found by an attacker and the method chosen to deliver an attack. It should be noted that a breach might not result in any obvious changes to the status of the equipment. Depending on the significance of the breach, an attacker may be able to:

• make changes that affect the system's operation, for example interrupt or manipulate information used by navigation equipment, or alter operationally important information such as loading lists

• gain access to commercially sensitive data such as cargo manifests and/or crew and passenger/visitor lists

• achieve full control of a system, for example a machinery management system.

⁷ The Microsoft Cybercrime Center.

Pivot – Pivoting is the technique of using an instance already exploited to be able to "move" and perform other activities. During this phase of an attack, an attacker uses the first compromised system to attack otherwise inaccessible systems. An attacker will usually target the most vulnerable part of the victim's system with the lowest level of security. Once access is gained then the attacker will try to exploit the rest of the system. Usually, in the Pivot phase, the attacker may try to:

• upload tools, exploits and scripts in the system to support the attacker in the new attack phase

• execute a discovery of neighbour systems with scanning or network mapping tools

• install permanent tools or a keylogger to keep and maintain access to the system

• execute new attacks on the system.

The motivation and objectives of the attacker will determine what effect they have on the company or ship system and data. An attacker may explore systems, expand access and/or ensure that they are able to return to the system in order to:

• access commercially sensitive or confidential data about cargo, crew, visitors and passengers

• manipulate crew or passenger/visitor lists, cargo manifests or loading lists. This may subsequently be used to allow the fraudulent transport of illegal cargo, or facilitate thefts

• cause complete denial of service on business systems

• enable other forms of crime, for example piracy, theft and fraud

• disrupt normal operation of the company and ship systems, for example by deleting critical pre-arrival or discharge information or overloading company systems.


3 Identify vulnerabilities

It is recommended that a shipping company initially performs an assessment of the potential threats that may realistically be faced. This should be followed by an assessment of the systems and onboard procedures to map their robustness to handle the current level of threat. It may be facilitated by internal experts or supported by external experts with knowledge of the maritime industry and its key processes. The result should be a strategy centred around the key risks.

Stand-alone systems will be less vulnerable to external cyber attacks compared to those attached to uncontrolled networks or directly to the internet. Network design and network segregation will be explained in more detail in annex 3. Care should be taken to understand how critical shipboard systems might be connected to uncontrolled networks. When doing so, the human element should be taken into consideration, as many incidents are initiated by personnel's actions. Onboard systems could include:

Cargo management systems – Digital systems used for the loading, management and control of cargo, including hazardous cargo, may interface with a variety of systems ashore, including ports and marine terminals. Such systems may include shipment-tracking tools available to shippers via the internet. However, the tracking is usually done via the company's systems connected to the ship and not directly between the shipper and the ship. Interfaces of this kind make cargo management systems and data in cargo manifests and loading lists vulnerable to cyber attacks.

Bridge systems – The increasing use of digital, networked navigation systems, with interfaces to shoreside networks for update and provision of services, makes such systems vulnerable to cyber attacks. Bridge systems that are not connected to other networks may be equally vulnerable, as removable media are often used to update such systems from other controlled or uncontrolled networks. A cyber incident can extend to service denial or manipulation and, therefore, may affect all systems associated with navigation, including ECDIS, GNSS, AIS, VDR and Radar/ARPA.

Propulsion and machinery management and power control systems – The use of digital systems to monitor and control onboard machinery, propulsion and steering makes such systems vulnerable to cyber attacks. The vulnerability of these systems can increase when they are used in conjunction with remote condition-based monitoring and/or are integrated with navigation and communications equipment on ships using integrated bridge systems.

Access control systems – Digital systems used to support access control to ensure physical security and safety of a ship and its cargo, including surveillance, shipboard security alarm, and electronic "personnel-on-board" systems, are vulnerable to cyber attacks.

Incident: Crash of integrated navigation bridge at sea

A ship with an integrated navigation bridge suffered a failure of nearly all navigation systems at sea, in a high traffic area and reduced visibility. The ship had to navigate by one radar and backup paper charts for two days before arriving in port for repairs. The cause of the failure of all ECDIS computers was determined to be attributed to the outdated operating systems. During the previous port call, a producer technical representative performed a navigation software update on the ship's navigation computers. However, the outdated operating systems were incapable of running the software and crashed. The ship was required to remain in port until new ECDIS computers could be installed, classification surveyors could attend, and a near-miss notification had been issued as required by the company. The costs of the delays were extensive and incurred by the shipowner.

This incident emphasizes that not all computer failures are a result of a deliberate attack and that outdated software is prone to failure. More proactive software maintenance to the ship may have prevented this incident from occurring.

Passenger servicing and management systems – Digital systems used for property management, boarding and access control may hold valuable passenger related data. Intelligent devices (tablets, handheld scanners etc.) are themselves an attack vector as ultimately the collected data is passed on to other systems.

Passenger facing public networks – Fixed or wireless networks connected to the internet, installed onboard for the benefit of passengers, for example guest entertainment systems, should be considered uncontrolled and should not be connected to any safety critical system onboard.

Administrative and crew welfare systems – Onboard computer networks used for administration of the ship or the welfare of the crew are particularly vulnerable when providing internet access and email. This can be exploited by cyber attackers to gain access to onboard systems and data. These systems should be considered uncontrolled and should not be connected to any safety critical system onboard. Software provided by ship management companies or owners is also included in this category.

Communication systems – Availability of internet connectivity via satellite and/or other wireless communication can increase the vulnerability of ships. The cyber defence mechanisms implemented by the service provider should be carefully considered but should not be solely relied upon to secure every shipboard system and data. Included in these systems are communication links to public authorities for transmission of required ship reporting information. Applicable authentication and access control management requirements by these authorities should be strictly complied with.

The above-mentioned onboard systems consist of potentially vulnerable equipment, which should be reviewed during the assessment. More detail can be found in annex 1 of these guidelines.

3.1 Ship to shore interface

Ships are becoming more and more integrated with shoreside operations because digital communication is being used to conduct business, manage operations, and retain contact with head office. Furthermore, critical ship systems essential to the safety of navigation, power and cargo management have become increasingly digitalised and connected to the internet to perform a wide variety of legitimate functions such as:

• engine performance monitoring

• maintenance and spare parts management

• cargo, loading and unloading, crane, pump management and stow planning

• voyage performance monitoring.

The above list provides examples of this interface and is not exhaustive. The above systems provide data, which may be of interest to cyber criminals to exploit.

Modern technologies can add vulnerabilities to the ships, especially if there are insecure designs of networks and uncontrolled access to the internet. Additionally, shoreside and onboard personnel may be unaware how some equipment producers maintain remote access to shipboard equipment and its network system. Unknown and uncoordinated remote access to an operating ship should be taken into consideration as an important part of the risk assessment.


It is recommended that companies should fully understand the ship's OT and IT systems and how these systems connect and integrate with the shoreside, including public authorities, marine terminals and stevedores. This requires an understanding of all computer based onboard systems and how safety, operations, and business can be compromised by a cyber incident.

The following should be considered regarding producers and third parties including contractors and service providers:

1. The producer's and service provider's cyber risk management awareness and procedures: Such companies may lack cyber awareness training and governance in their own organisations and this may represent more sources of vulnerability, which could result in cyber incidents. These companies should have an updated cyber risk management company policy, which includes training and governance procedures for accessible IT and OT onboard systems.

2. The maturity of a third-party's cyber risk management procedures: The shipowner should query the internal governance of cyber network security, and seek to obtain a cyber risk management assurance when considering future contracts and services. This is particularly important when covering network security if the ship is to be interfaced with the third-party such as a marine terminal or stevedoring company.

Common vulnerabilities

The following are common cyber vulnerabilities, which may be found onboard existing ships, and on some newbuild ships:

• obsolete and unsupported operating systems

• outdated or missing antivirus software and protection from malware

• inadequate security configurations and best practices, including ineffective network management and the use of default administrator accounts and passwords

• shipboard computer networks, which lack boundary protection measures and segmentation of networks

• safety critical equipment or systems always connected with the shoreside

• inadequate access controls for third parties including contractors and service providers.
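One way to turn the list of common vulnerabilities above into a repeatable check during the assessment is to record each onboard system in an inventory and audit every record against those six points. The script below is an added example and not part of the guidelines or of any BIMCO tooling; the inventory fields, the sample records (including the end-of-support dates) and the 30-day anti-malware definition threshold are constructed assumptions.

```python
"""Audit a shipboard system inventory against the six common vulnerabilities
named in the guidelines. Added example; inventory schema and sample data
are assumptions, not real ship records."""
from datetime import date

# Constructed sample inventory, one record per onboard system. Dates and
# flags are illustrative only.
INVENTORY = [
    {"name": "ECDIS-1", "zone": "bridge", "safety_critical": True,
     "os": "Windows XP", "os_eos": date(2014, 4, 8),
     "av_definitions_age_days": None,          # no anti-malware installed
     "default_admin_credentials": False,
     "shore_connection": "permanent", "segmented": True,
     "third_party_accounts": [{"owner": "nav vendor", "expires": None}]},
    {"name": "PMS-SCADA", "zone": "engine", "safety_critical": True,
     "os": "Windows 7", "os_eos": date(2020, 1, 14),
     "av_definitions_age_days": 120,
     "default_admin_credentials": True,
     "shore_connection": "on_demand", "segmented": False,
     "third_party_accounts": []},
    {"name": "CREW-WIFI-GW", "zone": "crew_welfare", "safety_critical": False,
     "os": "Linux", "os_eos": date(2028, 6, 30),
     "av_definitions_age_days": 3,
     "default_admin_credentials": False,
     "shore_connection": "permanent", "segmented": True,
     "third_party_accounts": [{"owner": "ISP", "expires": date(2030, 1, 1)}]},
]

AV_MAX_AGE_DAYS = 30                 # assumption: older definitions count as outdated
ASSESSMENT_DATE = date(2019, 3, 4)   # assumption: date the audit is run


def audit_system(system, today):
    """Return the list of common-vulnerability findings for one system."""
    findings = []
    if system["os_eos"] <= today:
        findings.append("obsolete or unsupported operating system")
    age = system["av_definitions_age_days"]
    if age is None:
        findings.append("missing anti-malware protection")
    elif age > AV_MAX_AGE_DAYS:
        findings.append("outdated anti-malware definitions")
    if system["default_admin_credentials"]:
        findings.append("default administrator account or password in use")
    if not system["segmented"]:
        findings.append("no network segmentation or boundary protection")
    if system["safety_critical"] and system["shore_connection"] == "permanent":
        findings.append("safety critical system permanently connected to shore")
    for acct in system["third_party_accounts"]:
        if acct["expires"] is None or acct["expires"] <= today:
            findings.append(
                f"third-party access for '{acct['owner']}' without valid expiry")
    return findings


def audit_inventory(inventory, today):
    """Map each system name to its findings; systems with none are omitted."""
    report = {}
    for system in inventory:
        findings = audit_system(system, today)
        if findings:
            report[system["name"]] = findings
    return report


if __name__ == "__main__":
    for name, items in audit_inventory(INVENTORY, ASSESSMENT_DATE).items():
        print(name)
        for item in items:
            print("  -", item)
```

Run against the constructed inventory, the bridge ECDIS is flagged on four points (unsupported OS, no anti-malware, permanent shore connection on a safety critical system, and an open-ended vendor account), the power management SCADA on three, and the crew gateway on none; the same rules applied to a real inventory give the assessment a consistent starting list rather than an ad hoc walk-through.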

Incident: Navigation computer crash during pilotage

A ship was under the conduct of a pilot when the ECDIS and voyage performance computers crashed. A pilot was on the bridge. The computer failures briefly created a distraction to the watch officers; however, the pilot and the master worked together to focus the bridge team on safe navigation by visual means and radar. When the computers were rebooted, it was apparent that the operating systems were outdated and unsupported. The master reported that these computer problems were frequent (referred to the issues as "gremlins") and that repeated requests for servicing from the shipowner had been ignored.

It is a clear case of how simple servicing and attention to the ship by management can prevent mishaps.


4 Assess risk exposure

Cyber risk assessment should start at senior management level of a company, instead of being immediately delegated to the ship security officer or the head of the IT department. There are several reasons for this.

1. Initiatives to heighten cyber security and safety may at the same time affect standard business procedures and operations, rendering them more time consuming and/or costly. It is, therefore, a senior management level decision to evaluate and decide on risk mitigation.

2. A number of initiatives, which would improve cyber risk management, are related to business processes, training, the safety of the ship and the environment and not to IT systems, and therefore need to be anchored organisationally outside the IT department.

3. Initiatives which heighten cyber awareness may change how the company interacts with customers, suppliers and authorities, and impose new requirements on the co-operation between the parties. It is a senior management level decision whether and how to drive these changes in relationships.

The following questions may be used as a basis for a risk assessment when addressing cyber risks onboard ships:

• What assets are at risk?

• What is the potential impact of a cyber incident?

• Who has the final responsibility for the cyber risk management?

• Are the OT systems and their working environment protected from the internet?

• Is there remote access to the OT systems, and if so how is it monitored and protected?

• Are the IT systems protected and is remote access being monitored and managed?

• What cyber risk management best practices are being used?

• What is the training level of the personnel operating the IT and OT systems?

Based on the answers, the company should delegate authority and allocate the budget needed to carry out a full risk assessment and develop solutions that are best suited for the company and the operation of their ships. The following should be addressed:

• identify systems that are important to operation, safety and environmental protection

• assign the persons responsible for setting cyber policies and procedures and for enforcing monitoring

• determine where secure remote access should use multiple defence layers and where protected networks should be disconnected from the internet

• identify needs for training of personnel.


The level of cyber risk will reflect the circumstances of the company, ship (its operation and trade), the IT and OT systems used, and the information and/or data stored. The maritime industry possesses a range of characteristics, which affect its vulnerability to cyber incidents:

• the cyber controls already implemented by the company onboard its ships

• multiple stakeholders are often involved in the operation and chartering of a ship, potentially resulting in lack of accountability for the IT infrastructure

• the ship being online and how it interfaces with other parts of the global supply chain

• ship equipment being remotely monitored, eg by the producers

• business-critical, data sensitive and commercially sensitive information shared with shore-based service providers, including marine terminals and stevedores and also, where applicable, public authorities

• the availability and use of computer-controlled critical systems for the ship's safety and for environmental protection.

These elements should be considered, and relevant parts incorporated into the company cyber security policies, safety management systems, and ship security plans. Users of these guidelines should refer to specific national, international and flag state regulations as well as relevant international and industry standards and best practices when developing and implementing cyber risk management procedures.

IT and OT systems, software and maintenance can be outsourced to third-party service providers and the company, itself, may not possess a way of verifying the level of security supplied by these providers. Some companies use different providers responsible for software and cyber security checks.

The growing use of big data, smart ships and the "internet of things"⁸ will increase the amount of information available to cyber attackers and the potential attack surface to cyber criminals. This makes the need for robust approaches to cyber risk management important both now and in the future.

Incident: Worm attack on maritime IT and OT

A ship was equipped with a power management system that could be connected to the internet for software updates and patching, remote diagnostics, data collection, and remote operation. The ship was built recently, but this system was not connected to the internet by design.

The company's IT department made the decision to visit the ship and performed vulnerability scans to determine if the system had evidence of infection and to determine if it was safe to connect. The team discovered a dormant worm that could have activated itself once the system was connected to the internet and this would have had severe consequences. The incident emphasizes that even air gapped systems can be compromised and underlines the value of proactive cyber risk management.

The shipowner advised the producer about the discovery and requested procedures on how to erase the worm. The shipowner stated that before the discovery, a service technician had been aboard the ship. It was believed that the infection could potentially have been caused by the technician.

The worm spread via USB devices into a running process, which executes a program into the memory. This program was designed to communicate with its command and control server to receive its next set of instructions. It could even create files and folders.

⁸ Lloyd's Register, Qinetiq and University of Southampton, Global Marine Technology Trends 2030.

The company asked cyber security professionals to conduct forensic analysis and remediation. It was determined that all servers associated with the equipment were infected and that the virus had been in the system undiscovered for 875 days. Scanning tools removed the virus. An analysis proved that the service provider was indeed the source and that the worm had introduced the malware into the ship's system via a USB flash drive during a software installation.

Analysis also proved that this worm operated in the system memory and actively called out to the internet from the server. Since the worm was loaded into memory, it could affect the performance of the server and systems connected to the internet.

Third-party access

Visits to ships by third parties requiring a connection to one or more computers onboard can also result in connecting the ship to shore. It is common for technicians, vendors, port officials, marine terminal representatives, agents, pilots, and other technicians to board the ship and plug in devices, such as laptops and tablets. Some technicians may require the use of removable media to update computers, download data and/or perform other tasks. It has also been known for customs officials and port state control officers to board a ship and request the use of a computer to "print official documents" after having inserted an unknown removable media.

Sometimes there is no control as to who has access to the onboard systems, eg during dry docking, lay ups or when taking over a new or existing ship. In such cases, it is difficult to know if malicious software has been left in the onboard systems. It is recommended that sensitive data is removed from the ship and reinstalled on returning to the ship. Where possible, systems should be scanned for malware prior to use. OT systems should be tested to check that they are functioning correctly.

Some IT and OT systems are remotely accessible and may operate with a continuous internet connection for remote monitoring, data collection, maintenance functions, safety and security. These systems can be "third-party systems", whereby the contractor monitors and maintains the systems through remote access. These systems could include both two-way data flow and upload-only. Systems and workstations with remote control, access or configuration functions could, for example, be:

• bridge and engine room computers and workstations on the ship's administrative network

• cargo such as containers with reefer temperature control systems or specialised cargo that are tracked remotely

• stability decision support systems

• hull stress monitoring systems

• navigational systems including Electronic Navigation Chart (ENC), Voyage Data Recorder (VDR), dynamic positioning (DP)

• cargo handling and stowage, engine, and cargo management and load planning systems

• safety and security networks, such as CCTV (closed circuit television)

• specialised systems such as drilling operations, blowout preventers, subsea installation systems, Emergency Shut Down (ESD) for gas tankers, submarine cable installation and repair.

The extent and nature of connectivity of equipment should be known by the shipowner or operator and considered as an important part of the risk assessment.
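The worm incident above (a dormant implant that "actively called out to the internet from the server" once connected) and the remote-access inventory just listed point to the same control: once the shipowner knows which shore endpoints each remotely accessible OT system is permitted to talk to, any other outbound connection from that system is worth an alert. The detector below is an added example and not part of the guidelines or of any vendor product; the firewall log format, the OT host addresses, the permitted-destination lists and the log lines themselves are constructed (the destinations use documentation address ranges, not real services).

```python
"""Flag outbound connections from OT hosts that are not on the agreed
remote-access list. Added example; log format, addresses and allowlist are
constructed assumptions."""
import re
from collections import Counter

# Assumed OT inventory (address -> system name) and, per host, the shore
# endpoints the producer or service provider is contractually permitted to use.
OT_HOSTS = {"10.20.1.5": "PMS-SCADA", "10.20.1.9": "ECDIS-1"}
PERMITTED_EGRESS = {
    "10.20.1.5": {("203.0.113.10", 443)},   # producer's remote diagnostics service
    "10.20.1.9": set(),                     # no remote access agreed for ECDIS
}

# Constructed firewall log: one record per outbound flow seen at the ship's
# satellite gateway. The repeated 10.20.1.5 -> 198.51.100.77 flows stand in
# for the periodic check-in a memory-resident implant would make.
SAMPLE_LOG = """\
2019-03-04T10:15:02Z fw OUT src=10.20.1.5 dst=203.0.113.10 dport=443 proto=tcp action=allow
2019-03-04T10:15:31Z fw OUT src=10.30.0.12 dst=198.51.100.40 dport=443 proto=tcp action=allow
2019-03-04T10:20:02Z fw OUT src=10.20.1.5 dst=198.51.100.77 dport=8080 proto=tcp action=allow
2019-03-04T10:25:02Z fw OUT src=10.20.1.5 dst=198.51.100.77 dport=8080 proto=tcp action=allow
2019-03-04T10:30:02Z fw OUT src=10.20.1.5 dst=198.51.100.77 dport=8080 proto=tcp action=allow
2019-03-04T10:31:47Z fw OUT src=10.20.1.9 dst=198.51.100.5 dport=443 proto=tcp action=allow
this line is not a firewall record and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw OUT src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$")


def parse_line(line):
    """Return the fields of one firewall record, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def detect_unexpected_egress(log_text):
    """One alert per (OT host, destination, port) not on the host's permitted
    list, with how often it was seen and when it first appeared. Traffic from
    non-OT hosts (crew network etc.) and unparsable lines are ignored."""
    seen = Counter()
    first_ts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in OT_HOSTS:
            continue
        if (rec["dst"], rec["dport"]) in PERMITTED_EGRESS.get(rec["src"], set()):
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        seen[key] += 1
        first_ts.setdefault(key, rec["ts"])
    return [
        {"host": OT_HOSTS[src], "dst": dst, "dport": dport,
         "count": n, "first_seen": first_ts[(src, dst, dport)]}
        for (src, dst, dport), n in sorted(seen.items())
    ]


if __name__ == "__main__":
    for alert in detect_unexpected_egress(SAMPLE_LOG):
        print(f"{alert['host']}: {alert['count']} flow(s) to "
              f"{alert['dst']}:{alert['dport']} since {alert['first_seen']}")
```

The producer's agreed diagnostics endpoint is silently accepted, the crew network is out of scope, and the two alerts that remain (three check-ins from the SCADA server to an unlisted host, one connection from the ECDIS that has no remote access agreed at all) are exactly the cases the risk assessment says the owner must be able to see and explain.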


Impact assessment

The confidentiality, integrity and availability (CIA) model⁹ provides a framework for assessing the impact of:

• unauthorised access to and disclosure of information or data about the ship, crew, cargo and passengers

• loss of integrity, which would modify or destroy information and data relating to the safe and efficient operation and administration of the ship

• loss of availability due to the destruction of the information and data and/or the disruption to services/operation of ship systems.

The relative importance of confidentiality, integrity and availability depends on the use of the information or data. For example, assessing the vulnerability of IT systems related to commercial operations may focus on confidentiality and integrity rather than availability. Conversely, assessing the vulnerability of OT systems onboard ships, particularly safety critical systems, may focus on availability and/or integrity instead of confidentiality.

Potential impacts could be safety-related, operational, environmental-related, financial, reputational and compliance-related. Several assessment methodologies offer criteria and techniques that can help define the magnitude of the impact from a cyber attack¹⁰.

Potential impact: Low
Definition: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on company and ship, organisational assets, or individuals.
In practice: A limited adverse effect means that a security breach might: (i) cause a degradation in ship operation to an extent and duration that the organisation is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organisational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

Potential impact: Moderate
Definition: The loss of confidentiality, integrity, or availability could be expected to have a substantial adverse effect on company and ship, assets or individuals.
In practice: A substantial adverse effect means that a security breach might: (i) cause a significant degradation in ship operation to an extent and duration that the organisation is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organisational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.

Potential impact: High
Definition: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on company and ship operations, assets, environment or individuals.
In practice: A severe or catastrophic adverse effect means that a security breach might: (i) cause a severe degradation in or loss of ship operation to an extent and duration that the organisation is not able to perform one or more of its primary functions; (ii) result in major damage to environment and/or organisational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

Table 3: potential impact levels when using the CIA model

When it comes to OT systems, an extra dimension must be added to the CIA model.

⁹ Federal Information Processing Standards, Publication 199, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8900.

¹⁰ Methodologies include, and are not limited to, ISO/IEC 27005:2018 Information technology – Security techniques – Information security risk management, COSO Enterprise Risk Management Framework, and ISO 31000:2018 Risk management – Guidelines.


A risk assessment of OT systems needs to be based on an inventory overview of equipment and/or computer-based systems and a map of the networks' connections. Further, access points and communication devices should be part of this overview. As the impact of an onboard OT system's cyber incident may include physical effects, risk assessments should include:

• impacts on the safety of onboard personnel, the ship and cargo

• physical impact on an OT system, including the environment surrounding it onboard; the effect on the process that is being controlled and the physical effect on the OT system itself

• the consequences for risk assessments of non-digital control components within an OT system.

The implementation of protection measures based on risk assessments is well established on all ships via the ISM code and the ship's SMS. Safety assessments are concerned primarily with the physical world, bearing in mind that the physical and the digital worlds are now intertwined. Assessing the potential physical damage from a cyber incident should include:

1. how an incident could manipulate the operation of sensors and actuators to impact the physical environment

2. what redundant controls and manual overriding possibilities exist in the OT system to prevent an incident

3. how a physical incident could emerge

4. how to evaluate potential effects to the physical process performed by the OT system.

Example

A ship is equipped with a complex power management system. It consists of switchboards and generators controlling systems for auto load sharing, power control and auto synchronizing. On top of the power management system, a supervisory control and data acquisition (SCADA) system provides output and makes it possible for the crew to control the distribution of onboard electric power.

Power management is important to the safety of the crew, ship, and cargo. It also has a clear environmental and financial impact as power is generated by use of fuel either by the ship's main engine (shaft generator) and/or auxiliary engines. Therefore, a cyber incident that disables or causes the power management system to malfunction can place the operation and safety of the ship at risk. To lower the risk, the company should add protection measures that minimize the possibility of such a cyber incident taking place.

The SCADA system contains real-time sensor data, which is used onboard for power management. It also generates data about the power consumption, which is used by the shipping company for administrative purposes. To determine the potential impact should this data and information be breached, the CIA model should be used. When doing so, the shipping company should determine the potential impact of the most sensitive information stored, processed or transmitted by the SCADA system.

Using the CIA model, the shipping company can conclude that:

• losing confidentiality of the sensor data acquired by the SCADA system will have a low impact as the sensor readings are publicly displayed onboard. However, from a safety point of view, it is important that the information transmitted by the sensors can be relied upon. Therefore, there is a potential high impact from a loss of integrity. It will also be a safety issue if the information cannot be read. So, there is a potential high impact from a loss of availability.

• a loss of confidentiality regarding the power consumption information being sent to the shipping company for statistical purposes is assessed as a potential low impact. There will also be a potential low impact from a loss of integrity and availability as the data is only used for in-house considerations.


The following table shows the result of the assessment.

SCADA system       Confidentiality   Integrity   Availability   Overall impact
Sensor data        Low               High        High           High
Statistical data   Low               Low         Low            Low

Table 4: result of CIA assessment of SCADA system
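Table 4 is the output of a small, repeatable calculation: rate each information asset of a system on confidentiality, integrity and availability against the levels of Table 3, then carry the highest component level forward as the overall impact. The script below is an added example, not BIMCO's own method or tooling; it reproduces Table 4 from the ratings the guidelines arrive at and generalises the step to any number of systems and assets. Two things are assumptions: the "highest component wins" rule for the overall column (the guidelines do not state one, but it matches both Table 4 and the FIPS 199 high-water mark the CIA model is cited from), and the rule that a system inherits the overall impact of its most sensitive asset.

```python
"""Reproduce Table 4 (CIA impact of the power-management SCADA system) and
generalise the step to any ratings sheet. Added example; the high-water
mark rule and the system-level roll-up are assumptions."""
import csv
import io
from enum import IntEnum


class Impact(IntEnum):
    """The three potential impact levels of Table 3, ordered so that
    comparison and max() work on them."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

    @classmethod
    def parse(cls, text):
        return cls[text.strip().upper()]

    def label(self):
        return self.name.capitalize()   # "HIGH" -> "High", as printed in Table 4


# Constructed ratings sheet: one row per information asset, using the values
# the guidelines' worked example arrives at for the SCADA system.
RATINGS_CSV = """\
system,asset,confidentiality,integrity,availability
PMS-SCADA,Sensor data,Low,High,High
PMS-SCADA,Statistical data,Low,Low,Low
"""


def overall_impact(c, i, a):
    """High-water mark: the overall level is the highest component level
    (assumption; consistent with Table 4 and with FIPS 199)."""
    return max(c, i, a)


def assess(csv_text):
    """Return {system: {asset: (C, I, A, overall)}} from a ratings sheet."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        c = Impact.parse(row["confidentiality"])
        i = Impact.parse(row["integrity"])
        a = Impact.parse(row["availability"])
        result.setdefault(row["system"], {})[row["asset"]] = (
            c, i, a, overall_impact(c, i, a))
    return result


def system_impact(assessment, system):
    """Overall impact of a whole system: that of its most sensitive asset
    (assumption, following the guidance to rate on the most sensitive
    information the system stores, processes or transmits)."""
    return max(levels[3] for levels in assessment[system].values())


def render_table(assessment, system):
    """Rows in the shape of Table 4, as lists of strings (header first)."""
    rows = [[system, "Confidentiality", "Integrity", "Availability", "Overall impact"]]
    for asset, levels in assessment[system].items():
        rows.append([asset] + [level.label() for level in levels])
    return rows


if __name__ == "__main__":
    assessment = assess(RATINGS_CSV)
    for row in render_table(assessment, "PMS-SCADA"):
        print("  ".join(cell.ljust(16) for cell in row))
    print("System impact:", system_impact(assessment, "PMS-SCADA").label())
```

Adding a row per asset for the bridge, cargo or crew welfare systems turns the same sheet into the impact map that Phase 1 of the assessment process asks for, and the ordering of the `Impact` values is what lets the OT emphasis on integrity and availability show up as a High overall even when confidentiality is Low.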

Bring your own device (BYOD)

It is recognised that personnel may be allowed to bring their own devices (BYOD) onboard to access the ship's system or network. Although this may be both beneficial and economical for ships, it significantly increases the level of vulnerability because these devices may be unmanaged. Policies and procedures should address the control and use of BYODs, as well as how to protect vulnerable data, by using network segregation for example.

4.1 Risk assessment made by the company

As mentioned above, the risk assessment process starts by assessing the systems onboard, in order to map their robustness to handle the current level of cyber threats. The assessment should cover the IT and OT systems onboard. When conducting the assessment, the company should consider the outcomes of the ship security assessment as well as the following:

1. identification of existing technical and procedural controls to protect the onboard IT and OT systems

2. identification of IT and OT systems that are vulnerable, including the human factor, and the policies and procedures governing the use of these systems. The identification should include searches for known vulnerabilities relevant to the equipment as well as the current level of patching and firmware updates

3. identification and evaluation of key shipboard operations that are vulnerable to cyber attacks

4. identification of possible cyber incidents and their impact on key shipboard operations, and the likelihood of their occurrence, to establish and prioritise protection measures.

Companies may consult with the producers and service providers of onboard equipment and systems to understand the technical and procedural controls that may already be in place to address cyber risk management. Furthermore, any identified cyber vulnerability in the factory standard configuration of a critical system or component should be disclosed to facilitate better protection of the equipment in the future.

4.2 Third-party risk assessments

Self-assessments can serve as a good start but may be complemented by third-party risk assessments to drill deeper and identify the risks and the gaps that may not be found during the self-assessment. Penetration tests of critical IT and OT infrastructure can also be performed to identify whether the actual defence level matches the desired level set forth in the cyber security strategy for the company. Such tests can be performed by external experts simulating attacks using both IT systems, social engineering and, if desired, even physical penetration of a facility's security perimeter. These tests are referred to as active tests because they involve accessing and inserting software into a system. This may only be appropriate for IT systems. Where risk to OT systems during penetration testing is unacceptable, passive testing approaches should be considered. Passive methods rely on scanning data transmitted by a system to identify vulnerabilities. In general, no attempt is made to actively access or insert software into the system.

    4.3 Risk assessment process

    Phase 1: Pre-assessment activities

    Prior to starting a cyber risk assessment onboard11, the following activities should be performed:

    map the ship’s key functions and systems and their potential impact levels, for example using the CIA model, taking into consideration the operation of OT systems

    identify main producers of critical shipboard IT and OT equipment

    review detailed documentation of critical OT and IT systems including their network architecture, interfaces and interconnections

    identify cyber security points-of-contact with each of the producers and establish a working relationship with them

    review detailed documentation on the ship’s maintenance and support of the IT and OT systems

    establish contractual requirements and obligations that the shipowner/ship operator may have for maintenance and support of shipboard networks and equipment

    support, if necessary, the risk assessment with an external expert to develop detailed plans and include producers and service providers.

    Phase 2: Ship assessment

    The goal of the assessment of a ship’s network and its systems and devices is to identify any vulnerabilities that could compromise or result in either loss of confidentiality, loss of integrity or result in a loss of operation of the equipment, system, network, or even the ship. These vulnerabilities and weaknesses could fall into one of the following categories:

    technical such as software defects or outdated or unpatched systems

    design such as access management, unmanaged network interconnections

    implementation errors for example misconfigured firewalls

    procedural or other user errors.

    The activities performed during an assessment could include reviewing the configuration of all computers, servers, routers, and cyber security technologies including firewalls. It could also include reviews of all available cyber security documentation and procedures for connected IT and OT systems and devices.

    11 Based on a third-party risk assessment method described by NCC Group.


    An aspect of on-ship assessment is involvement of crew of all levels; particularly the master, chief engineer and first mate. This process assists to understand the implementation of the IT and OT systems onboard, and how they may vary from stated design documentation, and also to understand the level of cyber training delivered to the ship’s crew.

    Phase 3: Debrief and vulnerability review/reporting

    Following the assessment, each identified vulnerability should be evaluated for its potential impact and the probability of its exploitation. Recommended technical and/or procedural corrective actions should be identified for each vulnerability.

    Ideally, the cyber risk assessment should include:

    executive summary – a high-level summary of results, recommendations and the overall security profile of the assessed ship

    technical findings – breakdown of discovered vulnerabilities, their probability of exploitation, the resulting impact, and appropriate technical fix and mitigation advice

    prioritised list of actions – the priorities allocated should reflect the effectiveness of the measure, the cost, the applicability, etc. It is important that this list should be a complete list of options available and not represent a list of services and products the third-party risk assessor, if applicable, would like to sell.

    supplementary data – a supplement containing the technical details of all key findings and comprehensive analysis of critical flaws. This section should also include sample data recovered during the penetration testing, if any, of critical or high-risk vulnerabilities

    appendices – records of activities conducted by the cyber risk assessment team and the tools used during the engagement.

    Consideration should be given as to whether parts of the cyber risk assessment should be treated as confidential.

    Whilst cyber risk management policies and procedures should be included in the company safety management system, these should not contain information, which if made available outside the company could become a vulnerability.

    Phase 4: Producer debrief

    Once the shipowner has had an opportunity to review, discuss and assess the findings, a subset of the findings may need to be sent to the producers of the affected systems. Any findings, which are approved by the shipowner for disclosure to the producers, could be further analysed with support from external experts, who should work with the producer’s cyber security point of contact to ensure that a full risk and technical understanding of the problem is achieved. This supporting activity is intended to ensure that any remediation plan developed by the producer is comprehensive in nature and identifies the correct solution to eliminate the vulnerabilities.
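The four phases above end in a prioritised list of actions. The following added example (not from the BIMCO guidelines) shows one way to carry Phase 2 findings through the Phase 3 evaluation into that list; the CIA-based scoring scheme, the 1-5 scales, the "risk reduced per unit of cost" ranking and the finding names are all assumptions of this example.

```python
"""Added example (not from the BIMCO guidelines): a minimal risk register that
carries Phase 2 findings through the Phase 3 evaluation into a prioritised list.

Scoring scheme is an assumption of this example: impact per CIA dimension and
likelihood are both on a 1-5 scale, risk = max(C, I, A) * likelihood, and each
corrective action is ranked by the risk it removes per unit of relative cost."""
from dataclasses import dataclass


@dataclass
class Finding:
    system: str           # affected shipboard system (constructed names below)
    category: str         # technical / design / implementation / procedural
    impact: dict          # {"C": 1-5, "I": 1-5, "A": 1-5}, the CIA model
    likelihood: int       # probability of exploitation, 1-5
    action: str           # recommended technical and/or procedural corrective action
    effectiveness: float  # fraction of the risk the action removes, 0..1
    cost: int             # relative cost units, >= 1

    def risk(self) -> int:
        # The worst-affected CIA dimension drives the impact score
        return max(self.impact.values()) * self.likelihood

    def benefit(self) -> float:
        # Risk reduction per unit of cost: effectiveness and cost together
        return self.risk() * self.effectiveness / self.cost


def prioritise(findings):
    """Prioritised list of actions: highest benefit first, raw risk breaks ties."""
    return sorted(findings, key=lambda f: (f.benefit(), f.risk()), reverse=True)


def executive_summary(findings):
    """High-level figures for the executive summary section of the report."""
    ranked = prioritise(findings)
    return {
        "findings": len(findings),
        "highest_risk": max(f.risk() for f in findings),
        "by_category": {c: sum(1 for f in findings if f.category == c)
                        for c in sorted({f.category for f in findings})},
        "first_action": ranked[0].action,
    }


# Constructed findings for illustration only
FINDINGS = [
    Finding("ECDIS workstation", "technical", {"C": 1, "I": 5, "A": 5}, 3,
            "apply vendor OS patch in the next maintenance cycle", 0.7, 2),
    Finding("Crew Wi-Fi", "design", {"C": 3, "I": 4, "A": 4}, 4,
            "segregate crew Wi-Fi from the OT network behind a firewall", 0.8, 4),
    Finding("OT firewall", "implementation", {"C": 3, "I": 4, "A": 4}, 4,
            "replace the permit-any rule from the crew LAN with explicit rules", 0.6, 1),
    Finding("Removable media", "procedural", {"C": 3, "I": 4, "A": 3}, 5,
            "enforce USB policy and scan media on a dedicated station", 0.5, 1),
]

if __name__ == "__main__":
    for f in prioritise(FINDINGS):
        print(f"risk {f.risk():>2}, benefit {f.benefit():.2f}: {f.system} -> {f.action}")
    print(executive_summary(FINDINGS))
```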


    5 Develop protection and detection measures

    The outcome of the company’s risk assessment and subsequent cyber security strategy should be a reduction in risk to be as low as reasonably practicable. At a technical level, this would include the necessary actions to be implemented to establish and maintain an agreed level of cyber security.

    It is important to identify how to manage cyber security onboard and to delegate responsibilities to the master, responsible officers and when appropriate the company security officer.

    5.1 Defence in depth and in breadth

    It is important to protect critical systems and data with multiple layers of protection measures, which take into account the role of personnel, procedures and technology to:

    increase the probability that a cyber incident is detected

    increase the effort and resources required to protect information, data or the availability of IT and OT systems.

    Connected OT systems onboard should require more than one technical and/or procedural protection measure. Perimeter defences such as firewalls are important for preventing unwelcome entry into the systems, but this may not be sufficient to cope with insider threats.

    This defence in depth approach encourages a combination of:

    physical security of the ship in accordance with the ship security plan (SSP)

    protection of networks, including effective segmentation

    intrusion detection

    periodic vulnerability scanning and testing

    software whitelisting

    access and user controls

    appropriate procedures regarding the use of removable media and password policies

    personnel’s awareness of the risk and familiarity with appropriate procedures.

    Company policies and procedures should help ensure that cyber security is considered within the overall approach to safety and security risk management. The complexity and potential persistence of cyber threats means that a “defence in depth” approach should be considered. Equipment and data protected by layers of protection measures are more resilient to cyber attacks.

    When developing integration between systems, a trust boundary model should be considered, whereby systems are grouped into those between which trust is implicit (for example user workstations), and those between which trust should be explicit (between bridge computers and corporate networks). For large or complex networks, threat modelling should be considered as an activity to understand where technical controls should be implemented between systems in order to support a defence in breadth approach.

    However, onboard ships where levels of integration between IT and OT systems may be high, defence in depth only works if technical and procedural protection measures are applied in layers across all vulnerable and integrated systems. This is “defence in breadth” and it is used to prevent any vulnerabilities in one system being used to circumvent protection measures of another system.

    Cyber risk protection measures may be either technical or procedural in nature, with technical controls implemented to enforce procedural controls; a combination approach using appropriate measures provides the most effective level of protection.

    Defence in depth and defence in breadth are complementary approaches, which, when implemented together, provide the foundation of a holistic response to the management of cyber risks.

    Cyber risk protection measures may be technical and focused on ensuring that onboard systems are designed and configured to be resilient to cyber attacks. Protection measures may also be procedural and should be covered by company policies, safety management procedures, security procedures and access controls.

    Consideration needs to be given to implementing technical controls that are practical and cost effective, particularly on existing ships.

    Implementation of cyber security controls should be prioritised, focusing first on those measures, or combinations of measures, which offer the greatest benefit.

    5.2 Technical protection measures

    The Centre for Internet Security (CIS) provides guidance on measures12 that can be used to address cyber security vulnerabilities. The protection measures are a list of Critical Security Controls (CSC) that are prioritised and vetted to help ensure that they provide an effective approach for companies to assess and improve their defences. The CSCs include both technical and procedural aspects.

    The below mentioned examples of CSCs have been selected as particularly relevant to equipment and data onboard ships13.

    Limitation to and control of network ports, protocols and services

    Access lists to network systems can be used to implement the company’s security policy. This helps ensure that only appropriate traffic will be allowed via a controlled network or subnet, based on the control policy of that network or subnet.

    It is recommended that routers are secured against attacks and unused ports should be closed to prevent unauthorised access to systems or data.

    Configuration of network devices such as firewalls, routers and switches

    12 CIS, Critical Security Controls for Effective Cyber Security, available at www.cisecurity.org/critical-controls.cfm.

    13 Stephenson Harwood (2015), Cyber Risk.

    14 In accordance with IEC 61162-460:2015: Maritime navigation and radiocommunication equipment and systems - Digital interfaces - Part 460: Multiple talkers and multiple listeners - Ethernet interconnection - Safety and security.

    https://www.cisecurity.org/controls/

    It should be determined which systems should be attached to controlled or uncontrolled14 networks. Controlled networks are designed to prevent any security risks from connected devices by use of firewalls, security gateways, routers and switches. Uncontrolled networks may pose risks due to lack of data traffic control and should be isolated from controlled networks, as direct internet connection makes them highly prone to infiltration by malware. For example:

    networks that are critical to the operation of a ship itself, should be controlled. It is important that these systems have a high level of security

    networks that provide suppliers with remote access to navigation and other OT systems’ software onboard, should also be controlled. These networks may be necessary to allow suppliers to upload system upgrades or perform remote servicing. Shoreside external access points of such connections should be secured to prevent unauthorised access

    cargo stowage, load planning and management systems should be controlled. So should those systems that perform mandatory ship reporting to public authorities

    other networks, such as guest access networks, may be uncontrolled, for instance those related to passenger recreational activities or private internet access for crew. Normally, any wireless network should be considered uncontrolled.

    Effective segregation of systems, based on necessary access and trust levels, is one of the most successful strategies for the prevention of cyber incidents. Effectively segregated networks can significantly impede an attacker’s access to a ship’s systems and are one of the most effective techniques for preventing the spread of malware. Onboard networks should be partitioned by firewalls to create safe zones. The fewer communications links and devices in a zone, the more secure the systems and data are in that zone. Confidential and safety critical systems should be in the most protected zone. See annex 3 of these guidelines for more information on shipboard networks and also refer to ISO/IEC 62443.

    Physical security

    Physical security15 is a central aspect of cyber risk management and an effective defence in depth strategy relies on ensuring that technical controls cannot be circumvented through trivial technical means. Areas containing sensitive OT or IT control components should be securely locked, security and safety critical equipment and cable runs should be protected from unauthorised access, and physical access to sensitive user equipment (such as exposed USB ports on bridge systems) should be secured.

    Detection, blocking and alerts

    Identifying intrusions and infections is a central part of the control procedures. A baseline of network operations and expected data flows for users and systems should be established and managed, so that cyber incident alert thresholds can be established. Key to this will be the definition of roles and responsibilities for detection to help ensure accountability. Additionally, a company may choose to incorporate an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS) into the network or as part of the firewall. Some of their main functions include identifying threats/malicious activity and code, and then logging, reporting and attempting to block the activity. Further details concerning IDS and IPS can be found in annex 3 of these guidelines. It helps to ensure that dedicated onboard personnel can understand the alerts and their implications. Incidents detected should be directed to an individual or service provider, who is responsible for acting on this type of alert.

    15 See also the ISPS Code.
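The controlled/uncontrolled network split, the trust boundary model and the flow baseline with alert thresholds above can be exercised together on constructed data. The following is an added example, not code from the BIMCO guidelines: the zone names, subnets, the explicitly trusted cross-zone flows and the flow-record format are all assumptions of this example.

```python
"""Added example (not from the BIMCO guidelines): checks constructed flow records
against a controlled/uncontrolled zone plan and a learned baseline of expected
data flows. Zone names, subnets, allowed cross-zone flows and the log format
are assumptions of this example."""
import ipaddress
from collections import defaultdict

# Constructed zone plan: zone -> (subnet, controlled?). Wireless is uncontrolled.
ZONES = {
    "bridge_ot":     ("10.10.1.0/24", True),
    "cargo_mgmt":    ("10.10.2.0/24", True),
    "ship_admin":    ("10.20.1.0/24", True),
    "vendor_remote": ("10.30.1.0/24", True),
    "crew_wifi":     ("192.168.50.0/24", False),
}
# Explicit trust across a zone boundary: (src zone, dst zone, dst port).
# Anything else crossing zones is denied; flows inside one zone are implicit trust.
ALLOWED = {
    ("ship_admin", "cargo_mgmt", 443),
    ("vendor_remote", "bridge_ot", 22),   # assumed supplier maintenance path
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, (net, _) in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "unknown"

def policy_verdict(src, dst, port):
    """'allow' or a 'deny:<reason>' string for one flow under the zone policy."""
    s, d = zone_of(src), zone_of(dst)
    if s == "unknown" or d == "unknown":
        return "deny:unknown-zone"
    if s == d or (s, d, port) in ALLOWED:
        return "allow"
    if not ZONES[s][1] and ZONES[d][1]:
        return "deny:uncontrolled-to-controlled"
    return "deny:no-explicit-trust"

def parse_flows(text):
    """Constructed flow record format: '<timestamp> <src> <dst> <dst_port> <bytes>'."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        flows.append((ts, src, dst, int(port), int(nbytes)))
    return flows

def build_baseline(flows):
    """Expected flows and their largest observed size, learned from a known-good period."""
    peak = defaultdict(int)
    for _, src, dst, port, nbytes in flows:
        peak[(src, dst, port)] = max(peak[(src, dst, port)], nbytes)
    return dict(peak)

def evaluate(flows, baseline, volume_factor=10):
    """Alerts as (kind, src, dst, port): policy denials, flows absent from the
    baseline (e.g. an unknown device), and flows far above their baseline volume."""
    alerts = []
    for _, src, dst, port, nbytes in flows:
        key = (src, dst, port)
        verdict = policy_verdict(src, dst, port)
        if verdict != "allow":
            alerts.append((verdict, src, dst, port))
        elif key not in baseline:
            alerts.append(("new-flow", src, dst, port))
        elif nbytes > volume_factor * baseline[key]:
            alerts.append(("volume", src, dst, port))
    return alerts

# Constructed records: a known-good period (baseline) and a later day
BASELINE_LOG = """
2019-03-01T08:00 10.20.1.5 10.10.2.10 443 5000
2019-03-01T08:05 10.20.1.5 10.10.2.10 443 6200
2019-03-01T08:10 10.10.1.2 10.10.1.3 5000 1200
"""
TODAY_LOG = """
2019-03-04T09:00 10.20.1.5 10.10.2.10 443 5800
2019-03-04T09:02 192.168.50.20 10.10.1.2 502 400
2019-03-04T09:03 10.30.1.7 10.10.1.2 22 9000
2019-03-04T09:04 10.20.1.5 10.10.2.10 443 900000
2019-03-04T09:05 10.10.1.9 10.10.1.3 5000 1200
"""

if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    for alert in evaluate(parse_flows(TODAY_LOG), baseline):
        print(alert)
```

The second "new-flow" alert is a source never seen before inside the bridge zone, the "unknown device plugged into the ship network" case the awareness list later mentions; it passes the zone policy but not the baseline.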


    Satellite and radio communication

    Cyber security of the radio and satellite connection should be considered in collaboration with the service provider. In this connection, the specification of the satellite link should be considered when establishing the requirements for onboard network protection.

    When establishing an uplink connection for a ship’s navigation and control systems to shore-based service providers, consideration should be given on how to prevent illegitimate connections gaining access to the onboard systems.

    The access interconnect is the distribution partner’s responsibility. The final routing of user traffic from the internet access point to its ultimate destination onboard (“last mile”) is the responsibility of the shipowner. User traffic is routed through the communication equipment for onward transmission onboard. At the access point for this traffic, it is necessary to provide data security, firewalling and a dedicated “last-mile” connection.

    When using a Virtual Private Network (VPN), the data traffic should be encrypted to an acceptable international standard. Furthermore, a firewall in front of the servers and computers connected to the networks (ashore or onboard) should be deployed. The distribution partner should advise on the routing and type of connection most suited for specific traffic. Onshore filtering (inspection/blocking) of traffic is also a matter between a shipowner and the distribution partner. Both onshore filtering of traffic and firewalls/security inspection/blocking gateways on the ship are needed and supplement each other to achieve a sufficient level of protection.

    Producers of satellite communication terminals and other communication equipment may provide management interfaces with security control software that are accessible over the network. This is primarily provided in the form of web-based user interfaces. Protection of such interfaces should be considered when assessing the security of a ship’s installation.

    Wireless access control

    Wireless access to networks on the ship should be limited to appropriate authorised devices and secured using a strong encryption key, which is changed regularly. The following can be considered for controlling wireless access:

    the use of enterprise authentication systems using asymmetric encryption and isolating networks with appropriate wireless dedicated access points (e.g. guest networks isolated from administrative networks)

    the adoption of systems, such as wireless IPS, that can intercept non-authorized wireless access points or rogue devices

    the protection of the physical interconnection between wireless access devices and the network (such as network plugs, network racks, etc.) to avoid unauthorized access by rogue devices.

    Malware detection

    Scanning software that can automatically detect and address the presence of malware in systems onboard should be regularly updated.

    As a general guideline, onboard computers should be protected to the same level as office computers ashore. Anti-virus and anti-malware software should be installed, maintained and updated on all personal work-related computers onboard. This will reduce the risk of these computers acting as attack vectors towards servers and other computers on the ship’s network. How regularly the scanning software will be updated must be taken into consideration when deciding whether to rely on these defence methods.

    Secure configuration for hardware and software

    Only senior officers should be given administrator profiles, so that they can control the setup and disabling of normal user profiles. User profiles should be restricted to only allow the computers, workstations or servers to be used for the purposes, for which they are required. User profiles should not allow the user to alter the systems or install and execute new programs.

    Email and web browser protection

    Email communication between ship and shore is a vital part of a ship’s operation. Appropriate email and web browser protection serves to:

    protect shoreside and onboard personnel from potential social engineering

    prevent email being used as a method of obtaining sensitive information

    ensure that the exchange of sensitive information via email or by voice is appropriately protected to ensure confidentiality and integrity of data, eg encryption protection

    prevent web browsers and email clients from executing malicious scripts.

    Some best practices for safe email transfer are: email as zip or encrypted file when necessary, disable hyperlinks on email system, avoid using generic email addresses and ensure the system has configured user accounts.

    Data recovery capability

    Data recovery capability is the ability to restore a system and/or data from a secure copy or image, thereby allowing the restoration of a clean system. Essential information and software: adequate backup facilities should be available to help ensure recovery following a cyber incident.

    Retention periods and restore scenarios should be established to prioritise which critical systems need quick restore capabilities to reduce the impact. Systems that have high data availability requirements should be made resilient. OT systems, which are vital to the safe navigation and operation of the ship, should have backup systems to enable the ship to quickly and safely regain navigational and operational capabilities after a cyber incident. More details on recovery can be found in chapter 7 of these guidelines.

    Application software security (patch management)

    Safety and security updates should be provided to onboard systems. Ordinary security patches should be included in the periodic maintenance cycle. Critical patches should be evaluated in terms of operational impact on the OT systems. These updates or patches should be applied correctly and in a timely manner to ensure that any flaws in a system are addressed before they are exploited by a cyber attack. If a critical patch cannot be installed, alternative measures should be evaluated to help implement virtual patching techniques.


    5.3 Procedural protection measures

    Procedural controls are focused on how personnel use the onboard systems. Plans and procedures that contain sensitive information should be kept confidential and handled according to company policies. Examples for procedural actions can be:

    Training and awareness

    Training and awareness are the key supporting elements to an effective approach to cyber risk management as described in these guidelines and summarised in figure 1.

    The internal cyber threat should be taken into account. Personnel have a key role in protecting IT and OT systems but can also be careless, for example by using removable media to transfer data between systems without taking precautions against the transfer of malware. Training and awareness should be tailored to the appropriate levels for:

    onboard personnel including the master, officers and crew

    shoreside personnel, who support the management, loading and operation of the ship.

    These guidelines assume that other major stakeholders in the supply chain, such as charterers, classification societies and service providers, will carry out their own best-practice cyber security protection and training. It is advisable for owners and operators to ascertain the status of cyber security preparedness of their third-party providers, including marine terminals and stevedores, as part of their sourcing procedures for such services.

    An awareness programme should be in place for all onboard personnel, covering at least the following:

    risks related to emails and how to behave in a safe manner. Examples are phishing attacks where the user clicks on a link to a malicious site

    risks related to internet usage, including social media, chat forums and cloud-based file storage where data movement is less controlled and monitored

    risks related to the use of own devices. These devices may be missing security patches and controls, such as anti-virus, and may transfer the risk to the environment, to which they are connected

    risks related to installing and maintaining software on company hardware using infected hardware (removable media) or software (infected package)

    risks related to poor software and data security practices, where no anti-virus checks or authenticity verifications are performed

    safeguarding user information, passwords and digital certificates

    cyber risks in relation to the physical presence of non-company personnel, eg, where third-party technicians are left to work on equipment without supervision

    detecting suspicious activity or devices and how to report a possible cyber incident. Examples of this are strange connections that are not normally seen or someone plugging in an unknown device on the ship network

    awareness of the consequences or impact of cyber incidents to the safety and operations of the ship

    understanding how to implement preventative maintenance routines such as anti-virus and anti-malware, patching, backups, and incident-response planning and testing

    procedures for protection against risks from service providers’ removable media before connecting to the ship’s systems.

    In addition, personnel need to be made aware that the presence of anti-malware software does not remove the requirement for robust security procedures, for example controlling the use of all removable media.

    Further, applicable personnel should know the signs when a computer has been compromised. This may include the following:

    an unresponsive or slow to respond system

    unexpected password changes or authorised users being locked out of a system

    unexpected errors in programs, including failure to run correctly or programs running unexpectedly

    unexpected or sudden changes in available disk space or memory

    emails being returned unexpectedly

    unexpected network connectivity difficulties

    frequent system crashes

    abnormal hard drive or processor activity

    unexpected changes to browser, software or user settings, including permissions.

    Additionally, nominated personnel should be able to understand reports from IDS systems, if used. This list is not comprehensive and is intended to raise awareness of potential signs, which should be treated as possible cyber incidents.

    Access for visitors

    Visitors such as authorities, technicians, agents, port and terminal officials, and owner representatives should be restricted with regard to computer access whilst onboard. Unauthorised access to sensitive OT network computers should be prohibited. If access to a network by a visitor is required and allowed, then it should be restricted in terms of user privileges. Access to certain networks for maintenance reasons should be approved and co-ordinated following appropriate procedures as outlined by the company/ship operator. If a visitor requires computer and printer access, an independent computer, which is air-gapped from all controlled networks, should be used. To avoid unauthorised access, removable media blockers should be used on all other physically accessible computers and network ports.


    Upgrades and software maintenance

    Hardware or software that is no longer supported by its producer or software developer will not receive updates to address potential vulnerabilities. For this reason, the use of hardware and software, which is no longer supported, should be carefully evaluated by the company as part of the cyber risk assessment.

    Relevant hardware and software installations onboard should be updated to help maintain a sufficient level of security. Procedures for timely updating of software may need to be put in place taking into account the ship type, speed of internet connectivity, sea time, etc. Software includes computer operating systems, which should also be kept up to date.

    Additionally, a number of routers, switches and firewalls, and various OT devices will be running their own firmware, which may require regular updates and so should be addressed in the procedural requirements.

    Effective maintenance of software depends on the identification, planning and execution of measures necessary to support maintenance activities throughout the full software lifecycle. An industry standard16 to help ensure safe and secure software maintenance has been developed. It specifies requirements for all stakeholders involved in software maintenance of shipboard equipment and associated integrated systems. The standard covers onboard, onshore and remote software maintenance.

    Anti-virus and anti-malware tool updates

    In order for scanning software tools to detect and deal with malware, they need to be updated. Procedural requirements should be established to ensure updates are distributed to ships on a timely basis and that all relevant computers onboard are updated.

    Remote access

    Policy and procedures should be established for control over remote access to onboard IT and OT systems. Clear guidelines should establish who has permission to access, when they can access, and what they can access. Any procedures for remote access should include close co-ordination with the ship’s master and other key senior ship personnel.

    All remote access occurrences should be recorded for review in case of a disruption to an IT or OT system. Systems, which require remote access, should be clearly defined, monitored and reviewed periodically.

    16 See: Industry standard on software maintenance of shipboard equipment by BIMCO and CIRM (Comité International Radio-Maritime).
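The remote access paragraphs above ask for a who/when/what policy, co-ordination with the master, a record of every occurrence and a periodic review of the systems that need remote access. The following added example (not code from the BIMCO guidelines) checks constructed session records against such a policy; the policy entries, user and system names, the master-approval flag and the log format are assumptions of this example.

```python
"""Added example (not from the BIMCO guidelines): audits constructed remote
access session records against a who/when/what policy and keeps a record of
every occurrence for later review. The policy entries, user and system names,
approval flag and log format are assumptions of this example."""
from datetime import datetime, time

# Assumed policy: (remote user, onboard system) -> permitted ship-local time
# window and whether the master must approve each session.
POLICY = {
    ("vendor_ecdis", "ECDIS-1"): {"window": (time(8, 0), time(17, 0)), "master_approval": True},
    ("shore_it", "ADMIN-SRV"):   {"window": (time(0, 0), time(23, 59)), "master_approval": False},
}


def check_session(user, system, start, approved_by_master):
    """Violations for one session: who (no permission), when (outside window),
    co-ordination with the master (approval missing). Empty list means compliant."""
    rule = POLICY.get((user, system))
    if rule is None:
        return ["no-permission"]
    issues = []
    lo, hi = rule["window"]
    if not lo <= start.time() <= hi:
        issues.append("outside-window")
    if rule["master_approval"] and not approved_by_master:
        issues.append("no-master-approval")
    return issues


def parse_sessions(text):
    """Constructed format: '<start ISO time> <user> <system> <master approved yes|no>'."""
    sessions = []
    for line in text.strip().splitlines():
        start, user, system, approved = line.split()
        sessions.append((datetime.fromisoformat(start), user, system, approved == "yes"))
    return sessions


def audit(text):
    """The reviewable access record: one entry per session, compliant or not."""
    return [
        {"start": start.isoformat(), "user": user, "system": system,
         "approved_by_master": approved,
         "violations": check_session(user, system, start, approved)}
        for start, user, system, approved in parse_sessions(text)
    ]


def systems_for_review(record):
    """Systems that actually received remote access, flagging any the policy does
    not define; input to the periodic review of remote-access systems."""
    defined = {system for _, system in POLICY}
    seen = sorted({entry["system"] for entry in record})
    return {s: ("defined" if s in defined else "undefined") for s in seen}


# Constructed session log
SESSION_LOG = """
2019-03-04T10:15 vendor_ecdis ECDIS-1 yes
2019-03-04T22:40 vendor_ecdis ECDIS-1 yes
2019-03-04T11:00 vendor_ecdis ECDIS-1 no
2019-03-04T03:00 shore_it ADMIN-SRV no
2019-03-04T12:00 vendor_ecdis CARGO-PC no
"""

if __name__ == "__main__":
    record = audit(SESSION_LOG)
    for entry in record:
        print(entry)
    print(systems_for_review(record))
```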

    Incident: Bunker surveyor’s access to a ship’s administrative network

    A dry bulk ship in port h