Port Facility Cyber Security -...
Transcript of Port Facility Cyber Security -...
U. S. COAST GUARD
MAR'01 1
Port Facility Cyber Security
International Port Security Program
Cyber Security Assessment
U. S. COAST GUARD
Lesson Topics
• ISPS Code Requirement
• The Assessment Process
U. S. COAST GUARD
ISPS Code Requirements
What is the purpose of a Port Facility Security Assessment (PFSA)?
U. S. COAST GUARD
ISPS Code Requirements
Who is able to conduct a Port Facility Security Assessment under the ISPS Code?
U. S. COAST GUARD
ISPS Code Requirements
Who is responsible for reviewing and approving a Port Facility Security Assessment (PFSA) under the ISPS Code?
U. S. COAST GUARD
ISPS Code Requirements
ISPS Code Part A Section 15.1: The port facility security assessment is an essential and integral part of the process of developing and updating the port facility security plan.
U. S. COAST GUARD
ISPS Code Requirements
ISPS Code Part A Section 15.2: The port facility security assessment shall be carried out by the Contracting Government within whose territory the port facility is located. A Contracting Government may authorize a recognized security organization to carry out the port facility security assessment of a specific port facility located within its territory.
U. S. COAST GUARD
ISPS Code Requirements
ISPS Code Part A Section 15.2.1: When the port facility security assessment has been carried out by a recognized security organization, the security assessment shall be reviewed and approved for compliance with this section by the Contracting Government within whose territory the port facility is located.
U. S. COAST GUARD
ISPS Code Requirements
• Responsible for PFSA
• May delegate to DA
CG
• May conduct PFSA or delegate to an RSO
DA • May conduct PFSA
• Must return to DA for approval
RSO
U. S. COAST GUARD
ISPS Code Requirements
ISPS Code Part A Section 15.3: The persons carrying out the assessment shall have appropriate skills to evaluate the security of the port facility in accordance with this section, taking into account the guidance given in part B of this Code.
U. S. COAST GUARD
ISPS Code Requirements
ISPS Code Part A Section 15.4: The port facility security assessments shall periodically be reviewed and updated, taking account of changing threats and/or minor changes in the port facility and shall always be reviewed and updated when major changes to the port facility take place.
U. S. COAST GUARD
ISPS Code Requirements
Does the ISPS Code require the PFSA to cover telecommunication systems, including computer systems and networks?
U. S. COAST GUARD
ISPS Code Requirements
ISPS Code Part A Section 15.5: The port facility security assessment shall include, at least, the following elements:
• Identification and evaluation of important assets and infrastructure it is important to protect;
U. S. COAST GUARD
ISPS Code Requirements
• Identification of possible threats to the assets and infrastructure and the likelihood of their occurrence, in order to establish and prioritize security measures;
• Identification, selection and prioritization of counter measures and procedural changes and their level of effectiveness in reducing vulnerability; and
U. S. COAST GUARD
ISPS Code Requirements
• Identification of weaknesses, including human factors in the infrastructure, policies and procedures.
U. S. COAST GUARD
ISPS Code Requirements
ISPS Code Part B Section 15.3: A PFSA should address the following elements within a port facility:
• Physical security.
• Structural integrity.
• Personnel protection systems.
• Procedural policies.
U. S. COAST GUARD
ISPS Code Requirements
• Radio and telecommunication systems, including computer systems and networks.
• Relevant transportation infrastructure.
• Utilities.
• Other areas that may, if damaged or used for illicit observation, pose a risk to persons, property, or operations within the port facility.
U. S. COAST GUARD
The Assessment Process
U. S. COAST GUARD
Step 1: Identification of Assets
To properly identify and evaluate important assets and infrastructure, it will first be necessary to have an understanding of:
• How the different assets support the port's operational use;
U. S. COAST GUARD
Step 1: Identification of Assets
• The criticality of different areas within the port/port facility; and
• The systems that support or protect these critical assets or areas.
U. S. COAST GUARD
Step 1: Identification of Assets
From a cyber security perspective, the business critical and/or sensitive elements of a port are likely to include:
U. S. COAST GUARD
Step 1: Identification of Assets
1. Those assets that have been judged to have the potential to be used to significantly compromise the integrity of the port. Consideration should be given to:
a) Cabling routes and their containment (for example, ducts and trunking);
U. S. COAST GUARD
Step 1: Identification of Assets
b) Configuration, identification and use of control systems;
c) Critical permanent plant or machinery;
U. S. COAST GUARD
Step 1: Identification of Assets
d) Security or other control rooms, including guarding;
e) Security, alarm and access control systems, CCTV and video processing.
U. S. COAST GUARD
Step 1: Identification of Assets
2. Key spaces and facilities used by law enforcement and security service personnel operating in, or visiting, the port.
U. S. COAST GUARD
Step 1: Identification of Assets
3. Port data relating to the location, identification, technical specification and operation of business critical and sensitive assets.
U. S. COAST GUARD
Step 1: Identification of Assets
4. Port systems, wherever they are hosted, used for planning, scheduling and receipt of ships and cargo.
U. S. COAST GUARD
Step 1: Identification of Assets
5. Assets or systems upon which the business critical and/or sensitive elements are dependent for their normal operation and resilience.
U. S. COAST GUARD
The Assessment Process
U. S. COAST GUARD
Step 2: Identify Port Business Processes
The operation of a port/port facility will depend upon a set of business processes that rely upon port data for the safe, secure and efficient movement of cargo through the port and enable supporting processes such as asset management, resource scheduling, financial and business planning, procurement, and the human resource processes.
U. S. COAST GUARD
Step 2: Identify Port Business Processes
This information should be used to assess the criticality of assets and to understand the interdependencies of the data and systems within the overall business processes of the port. By so doing, the real impact of failure or compromise of individual components can be understood.
U. S. COAST GUARD
The Assessment Process
U. S. COAST GUARD
Step 3: Identify and Access Risks
The next step in the process is to identify and access risks.
U. S. COAST GUARD
Step 3: Identify and Access Risks
What elements make up Risk?
Threat Vulnerability Consequences
(Impact)
U. S. COAST GUARD
Step 3: Identify and Access Risks
The potential threats should have already been identified in the PSA and PFSA. However, it will be necessary to understand the degree to which individual threats and combinations of them may impact on the cyber security of the port and/or port facility.
U. S. COAST GUARD
Step 3: Identify and Access Risks
When considering threat scenarios and types of undesired events, the port/port facility operator should include incidents such as:
• Unauthorized access to sensitive port data (commercial, personal or security-related);
• Theft of sensitive port data;
• Deletion, unauthorized modification or corruption of port data;
U. S. COAST GUARD
Step 3: Identify and Access Risks
• Infection with malware;
• Loss of service from systems due to loss of connectivity or power;
U. S. COAST GUARD
Step 3: Identify and Access Risks
• Loss of service from systems due to software and hardware failures;
• Compromise of port security systems;
• Denial of service – externally hosted systems;
U. S. COAST GUARD
Step 3: Identify and Access Risks
The identification of vulnerabilities should include consideration of:
• The relationships between systems;
• The technical composition of systems in terms of hardware and software components and the builds or revisions that are being used;
U. S. COAST GUARD
Step 3: Identify and Access Risks
• Physical robustness of enclosures (for example, cabinets, ducts, trunking, etc.);
• The relationships between systems and associated business processes;
U. S. COAST GUARD
Step 3: Identify and Access Risks
• Reliance on automation of equipment;
• The level of resilience within the port/port facility, including the level of dependency of systems on infrastructure, for example, utilities;
U. S. COAST GUARD
Step 3: Identify and Access Risks
• Existing security measures and procedures, including the presence and permeability of any secure perimeter that prevents or limits access to the port, port facility and associated utilities, plant and machinery;
U. S. COAST GUARD
Step 3: Identify and Access Risks
• Any conflicting policies between safety and security measures and procedures;
• Any enforcement and personnel constraints; and
• Any deficiencies identified during daily operation, following incidents or alerts, the report of security concerns, the exercise of control measures, audits etc.
U. S. COAST GUARD
Step 3: Identify and Access Risks
The risk assessment should consider the nature of harm that could be caused to: personnel and other occupants or users of the port and its services; the port and port assets; and/or the benefits the port exists to deliver, be they societal, environmental and/ or commercial.
U. S. COAST GUARD
Step 3: Identify and Access Risks
The cyber security risk will depend on the likelihood that a threat actor can exploit one or more vulnerabilities and cause the nature of harm identified.
Throughout the process it will be essential for the port and port facility to liaise with each other to identify common risks, as well as where a risk in one may compromise the security of the other.
U. S. COAST GUARD
The Assessment Process
U. S. COAST GUARD
Step 4: Identify and Access Countermeasures
The next step in the assessment process is to identify and record possible mitigation or countermeasures for every cyber security vulnerability.
U. S. COAST GUARD
Step 4: Identify and Access Countermeasures
The assessment of each countermeasure should identify and record:
1. The cost of the countermeasure and its implementation.
2. Other impacts the countermeasure might have, for example, on asset or system usability and efficiency, business processes and port operations.
U. S. COAST GUARD
Step 4: Identify and Access Countermeasures
3. Wherever possible, to support the business justification for investment in the countermeasure:
a) The risk reduction that could be achieved; and
b) The predicted cost saving.
U. S. COAST GUARD
Step 4: Identify and Access Countermeasures
4. The potential for the countermeasure to create further vulnerabilities.
5. Whether the countermeasure delivers any other business benefits, for example:
a) Reduction of overall business risk; and
b) Aiding the development of efficient, robust and repeatable business processes.
U. S. COAST GUARD
The Assessment Process
U. S. COAST GUARD
Step 5: Review Acceptability of Overall Risk
The final step in the process is to review and evaluate the remaining risks.
U. S. COAST GUARD
Step 5: Review Acceptability of Overall Risk
• Was the port facility able to buy down risk to an acceptable level through the implementation of countermeasures?
• Who has the responsibility under the ISPS Code to determine what is an acceptable risk?
U. S. COAST GUARD
Summary
U. S. COAST GUARD
Cyber Security Seminar
U. S. COAST GUARD
Works Cited
Code of Practice Cyber Security for Ports and Port Systems
Authors: Hugh Boyes, Roy Isbell and Alexandra Luck
Published by: Institution of Engineering and Technology, London, United Kingdom
First published 2016