-
Amer
ican
Clu
b C
ircul
ar N
o. 0
7/19
1
MARCH 4, 2019 CIRCULAR NO. 07/19 TO MEMBERS OF THE ASSOCIATION
Dear Member: 2018 THIRD EDITION OF BIMCO GUIDELINES ON CYBER
SECURITY ONBOARD SHIPS Members may already be aware of this new
edition of the above-captioned maritime industry guide on cyber
security. Importantly, this third edition of the BIMCO Guidelines
now addresses the requirement to incorporate cyber protection as
part of a ship’s safety management system (SMS). The Guidelines are
attached, and are downloadable without charge at:
https://www.bimco.org/news/priority-news/20181207-industry-publishes-improved-cyber-guidelines
It is hoped that this document will assist Members in their
appraisal of cyber risk onboard their ships, including
ship-to-shore interfaces, and in establishing a culture of cyber
risk awareness within their organizations both ashore and afloat.
Yours faithfully, Joseph E.M. Hughes, Chairman & CEO Shipowners
Claims Bureau, Inc., Managers for THE AMERICAN CLUB
https://www.bimco.org/news/priority-news/20181207-industry-publishes-improved-cyber-guidelines
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS
Produced and supported byBIMCO, CLIA, ICS, INTERCARGO,
INTERMANAGER, INTERTANKO, IUMI, OCIMF and WORLD SHIPPING
COUNCIL
v3
-
The Guidelines on Cyber Security Onboard ShipsVersion 3
Terms of use
The advice and information given in the Guidelines on Cyber
Security Onboard Ships (the guidelines) is intended purely as
guidance to be used at the user’s own risk. No warranties or
representations are given, nor is any duty of care or
responsibility accepted by the Authors, their membership or
employees of any person, firm, corporation or organisation (who or
which has been in any way concerned with the furnishing of
information or data, or the compilation or any translation,
publishing, or supply of the guidelines) for the accuracy of any
information or advice given in the guidelines; or any omission from
the guidelines or for any consequence whatsoever resulting directly
or indirectly from compliance with, adoption of or reliance on
guidance contained in the guidelines, even if caused by a failure
to exercise reasonable care on the part of any of the
aforementioned parties.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 CONTeNTS
Introduction
.....................................................................................................................................
1
1 Cyber security and safety management
..........................................................................................
31.1 DifferencesbetweenITandOTsystems
..........................................................................................
51.2 Plans and procedures
......................................................................................................................
61.3 Relationshipbetweenshipmanagerandshipowner
......................................................................
71.4 Therelationshipbetweentheshipownerandtheagent
................................................................
71.5 Relationshipwithvendors
...............................................................................................................
82 Identifythreats
................................................................................................................................
93 Identifyvulnerabilities
...................................................................................................................
133.1 Shiptoshoreinterface
..................................................................................................................
144 Assess risk exposure
......................................................................................................................
164.1 Riskassessmentmadebythecompany
........................................................................................
214.2 Third-partyriskassessments
.........................................................................................................
214.3 Risk assessment process
................................................................................................................
225 Developprotectionanddetectionmeasures
................................................................................
245.1 Defenceindepthandinbreadth
...................................................................................................
245.2 Technicalprotectionmeasures
......................................................................................................
255.3 Proceduralprotectionmeasures
...................................................................................................
296 Establishcontingencyplans
...........................................................................................................
347 Respondtoandrecoverfromcybersecurityincidents
.................................................................
367.1 Effectiveresponse
.........................................................................................................................
367.2 Recoveryplan
................................................................................................................................
377.3 Investigatingcyberincidents
.........................................................................................................
387.4 Losses arising from a cyber incident
..............................................................................................
38
Annex1 Targetsystems,equipmentandtechnologies
.......................................................................
40Annex2 Cyberriskmanagementandthesafetymanagementsystem
.............................................. 42Annex3
Onboardnetworks
................................................................................................................
46Annex 4 Glossary
................................................................................................................................
50Annex5 Contributorstoversion3oftheguidelines
..........................................................................
53
Contents
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3
1INTrOduCTION
Shipsareincreasinglyusingsystemsthatrelyondigitisation,digitalisation,integration,andautomation,whichcallforcyberriskmanagementonboard.Astechnologycontinuestodevelop,informationtechnology(IT)andoperationaltechnology(OT)onboardshipsarebeingnetworkedtogether–andmorefrequentlyconnectedtotheinternet.
Thisbringsthegreaterriskofunauthorisedaccessormaliciousattackstoships’systemsandnetworks.Risksmayalsooccurfrompersonnelaccessingsystemsonboard,forexamplebyintroducingmalwareviaremovablemedia.
Tomitigatethepotentialsafety,environmentalandcommercialconsequencesofacyberincident,agroupofinternationalshippingorganisations,withsupportfromawiderangeofstakeholders(pleaserefertoannex5formoredetails),haveparticipatedinthedevelopmentoftheseguidelines,whicharedesignedtoassistcompaniesinformulatingtheirownapproachestocyberriskmanagementonboardships.
Approachestocyberriskmanagementwillbecompany-andship-specificbutshouldbeguidedbytherequirementsofrelevantnational,internationalandflagstateregulations.Theseguidelinesprovidearisk-basedapproachtoidentifyingandrespondingtocyberthreats.Animportantaspectisthebenefitthatrelevantpersonnelwouldobtainfromtraininginidentifyingthetypicalmodusoperandiofcyberattacks.
In2017,theInternationalMaritimeOrganization(IMO)adoptedresolutionMSC.428(98)onMaritimeCyberRiskManagementinSafetyManagementSystem(SMS).TheResolutionstatedthatanapprovedSMSshouldtakeintoaccountcyberriskmanagementinaccordancewiththeobjectivesandfunctionalrequirementsoftheISMCode.Itfurtherencouragesadministrationstoensurethatcyberrisksareappropriatelyaddressedinsafetymanagementsystemsnolaterthanthefirstannualverificationofthecompany’sDocumentofComplianceafter1January2021.Thesameyear,IMOdevelopedguidelines1thatprovidehigh-levelrecommendationsonmaritimecyberriskmanagementtosafeguardshippingfromcurrentandemergingcyberthreatsandvulnerabilities.AsalsohighlightedintheIMOguidelines,effectivecyberriskmanagementshouldstartattheseniormanagementlevel.Seniormanagementshouldembedacultureofcyberriskawarenessintoalllevelsanddepartmentsofanorganizationandensureaholisticandflexiblecyberriskmanagementregimethatisincontinuousoperationandconstantlyevaluatedthrougheffectivefeedbackmechanisms.
Thecommitmentofseniormanagementtocyberriskmanagementisacentralassumption,onwhichtheGuidelinesonCyberSecurityOnboardShipshavebeendeveloped.
TheGuidelinesonCyberSecurityOnboardShipsarealignedwithIMOresolutionMSC.428(98)andIMO’sguidelinesandprovidepracticalrecommendationsonmaritimecyberriskmanagementcoveringbothcybersecurityandcybersafety.(Seechapter1forthisdistinction).
Theaimofthisdocumentistoofferguidancetoshipownersandoperatorsonproceduresandactionstomaintainthesecurityofcybersystemsinthecompanyandonboardtheships.Theguidelinesarenotintendedtoprovideabasisfor,andshouldnotbeinterpretedas,callingforexternalauditingorvettingtheindividualcompany’sandship’sapproachtocyberriskmanagement.
LiketheIMOguidelines,theUSNationalInstituteofStandardsandTechnology(NIST)frameworkhasalsobeenaccountedforinthedevelopmentoftheseguidelines.TheNISTframeworkassistscompanieswiththeirriskassessmentsbyhelpingthemunderstand,manageandexpressthe1
MSC-FAL.1/Circ.3onGuidelinesonmaritimecyberriskmanagement
Introduction
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3
2INTrOduCTION
potentialcyberriskthreatbothinternallyandexternally.Asaresultofthisassessment,a“profile”isdeveloped,whichcanhelptoidentifyandprioritiseactionsforreducingcyberrisks.Theprofilecanalsobeusedasatoolforaligningpolicy,businessandtechnologicalapproachestomanagetherisks.Sampleframeworkprofilesarepubliclyavailableformaritimebulkliquidtransfer,offshore,andpassengershipoperations2.TheseprofileswerecreatedbytheUnitedStatesCoastGuardandNIST’sNationalCybersecurityCenterofExcellencewithinputfromindustrystakeholders.Theprofilesareconsideredtobecomplimentarytotheseguidelinesandcanbeusedtogethertoassistindustryinassessing,prioritizing,andmitigatingtheircyberrisks.
2
TheNISTFrameworkProfilesformaritimebulkliquidtransfer,offshore,andpassengeroperationscanbeaccessedhere:http://mariners.coastguard.dodlive.mil/2018/01/12/1-12-2018-release-of-offshore-operations-and-passenger-vessel-cybersecurity-framework-profiles.
http://mariners.coastguard.dodlive.mil/2018/01/12/1-12-2018-release-of-offshore-operations-and-passenger-vessel-cybersecurity-framework-profileshttp://mariners.coastguard.dodlive.mil/2018/01/12/1-12-2018-release-of-offshore-operations-and-passenger-vessel-cybersecurity-framework-profiles
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 3Cyber
SeCurITy ANd SAfeTy mANAGemeNT
Cyber security and safety management
Bothcybersecurityandcybersafetyareimportantbecauseoftheirpotentialeffectonpersonnel,theship,environment,companyandcargo.CybersecurityisconcernedwiththeprotectionofIT,OT,informationanddatafromunauthorisedaccess,manipulationanddisruption.CybersafetycoverstherisksfromthelossofavailabilityorintegrityofsafetycriticaldataandOT.
Cybersafetyincidentscanariseastheresultof:
acybersecurityincident,whichaffectstheavailabilityandintegrityofOT,forexamplecorruptionofchartdataheldinanElectronicChartDisplayandInformationSystem(ECDIS)
afailureoccurringduringsoftwaremaintenanceandpatching
lossoformanipulationofexternalsensordata,criticalfortheoperationofaship–thisincludesbutisnotlimitedtoGlobalNavigationSatelliteSystems(GNSS).
Whilstthecausesofacybersafetyincidentmaybedifferentfromacybersecurityincident,theeffectiveresponsetobothisbasedupontrainingandawareness.
1
Incident: Unrecognised virus in an ECDIS delays sailing
Anew-builddrybulkshipwasdelayedfromsailingforseveraldaysbecauseitsECDISwasinfectedbyavirus.Theshipwasdesignedforpaperlessnavigationandwasnotcarryingpapercharts.ThefailureoftheECDISappearedtobeatechnicaldisruptionandwasnotrecognizedasacyberissuebytheship’smasterandofficers.Aproducertechnicianwasrequiredtovisittheshipand,afterspendingasignificanttimeintroubleshooting,discoveredthatbothECDISnetworkswereinfectedwithavirus.TheviruswasquarantinedandtheECDIScomputerswererestored.Thesourceandmeansofinfectioninthiscaseareunknown.Thedelayinsailingandcostsinrepairstotalledinthehundredsofthousandsofdollars(US).
Cyberriskmanagementshould:
identifytherolesandresponsibilitiesofusers,keypersonnel,andmanagementbothashoreandon
board
identifythesystems,assets,dataandcapabilities,whichifdisrupted,couldposeriskstotheship’soperationsandsafety
implementtechnicalandproceduralmeasurestoprotectagainstacyberincidentandensurecontinuityofoperations
implementactivitiestoprepareforandrespondtocyberincidents.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 4Cyber
SeCurITy ANd SAfeTy mANAGemeNT
Someaspectsofcyberriskmanagementmayincludecommerciallysensitiveorconfidentialinformation.Companiesshould,therefore,considerprotectingthisinformationappropriately,andasfaraspossible,notincludesensitiveinformationintheirSafetyManagementSystem(SMS).
Development,implementation,andmaintenanceofacybersecuritymanagementprograminaccordancewiththeapproachinfigure1isnosmallundertaking.Itis,therefore,importantthatseniormanagementstaysengagedthroughouttheprocesstoensurethattheprotection,contingencyandresponseplanningarebalancedinrelationtothethreats,vulnerabilities,riskexposureandconsequencesofapotentialcyberincident.
Respond to and recover from cyber security incidents
Respond to and recover from cyber security incidents using
the
contingency plan.Assess the impact of the
effectiveness of the response plan and re-assess threats and
vulnerabilities.
Understand the external cyber security threats to the ship.
Understand the internal cyber security threat posed by
inappropriate use and
lack of awareness.
Identify threats
Identifyvulnerabilities
Develop inventories of onboard systems with direct and
indirect
communications links.Understand the consequences of a
cyber security threat on these systems.
Understand the capabilities and limitations of existing
protection measures.
Assess risk exposure
Determine the likelihood of vulnerabilities being exploited
by external threats.Determine the likelihood of
vulnerabilities being exposed by inappropriate use.
Determine the security and safety impact of any individual
or
combination of vulnerabilities being exploited.
Reduce the likelihood of vulnerabilities being exploited through
protection
measures.Reduce the potential impact
of a vulnerability being exploited.
Develop protection and
detection measures
Develop a prioritised contingency plan to mitigate any
potential
identified cyber risk.
Establish contingency
plans
CYBER RISK MANAGEMENT
APPROACH
figure 1: Cyber risk management approach as set out in the
guidelines
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 5Cyber
SeCurITy ANd SAfeTy mANAGemeNT
1.1 Differences between IT and OT systems
OTsystemscontrolthephysicalworldandITsystemsmanagedata.OTsystemsdifferfromtraditionalITsystems.OTishardwareandsoftwarethatdirectlymonitors/controlsphysicaldevicesandprocesses.ITcoversthespectrumoftechnologiesforinformationprocessing,includingsoftware,hardwareandcommunicationtechnologies.TraditionallyOTandIThavebeenseparated,butwiththeinternet,OTandITarecomingcloserashistoricallystand-alonesystemsarebecomingintegrated.DisruptionoftheoperationofOTsystemsmayimposesignificantrisktothesafetyofonboardpersonnel,cargo,damagetothemarineenvironment,andimpedetheship’soperation.TypicaldifferencesbetweenITandOTsystemscanbeseeninthetablebelow.
TypicaldifferencesbetweenITandOTsystemscanbeseeninthetablebelow.
Category IT system OT systemPerformance requirements
non-real-time
response must be consistent
lesscriticalemergencyinteraction
tightlyrestrictedaccesscontrolcanbeimplementedtothedegreenecessaryfor
security
real-time
responseistime-critical
responsetohumanandanyotheremergencyinteractioniscritical
accesstoOTshouldbestrictlycontrolled,butshouldnothamperorinterferewithhuman-machineinteraction
Availability (reliability) requirements
responsessuchasrebootingareacceptable
availabilitydeficienciesmaybetolerated,dependingonthesystem’soperationalrequirements
responsessuchasrebootingmaynotbeacceptablebecauseofoperationalrequirements
availabilityrequirementsmaynecessitateback-upsystems
Risk management requirements
manage data
dataconfidentialityandintegrityisparamount
fault tolerance may be less important.
riskimpactsmaycausedelayof:ship’sclearance,commencementofloading/unloading,andcommercialandbusinessoperations
controlphysicalworld
safetyisparamount,followedbyprotectionoftheprocess
faulttoleranceisessential,evenmomentarydowntimemaynotbeacceptable
riskimpactsareregulatorynon-compliance,aswellasharmtothepersonnelonboard,theenvironment,equipmentand/orcargo
System operation
systemsaredesignedforusewithcommonlyknownoperatingsystems
upgradesarestraightforwardwiththeavailabilityofautomateddeploymenttools
differingandpossiblyproprietaryoperatingsystems,oftenwithoutbuiltinsecuritycapabilities
softwarechangesmustbecarefullymade,usuallybysoftwarevendors,becauseofthespecializedcontrolalgorithmsandpossibleinvolvementofmodifiedhardwareandsoftware
Resource constraints
systemsarespecifiedwithenoughresourcestosupporttheadditionofthird-partyapplicationssuchassecuritysolutions
systemsaredesignedtosupporttheintendedoperationalprocessandmaynothaveenoughmemoryandcomputingresourcestosupporttheadditionofsecuritycapabilities
Table 1: differences between OT and IT3
3 Basedontable2-1inNISTSpecialPublication800-82,Revision2.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 6Cyber
SeCurITy ANd SAfeTy mANAGemeNT
TheremaybeimportantdifferencesbetweenwhohandlesthepurchaseandmanagementoftheOTsystemsversusITsystemsonaship.ITdepartmentsarenotusuallyinvolvedinthepurchaseofOTsystems.Thepurchaseofsuchsystemsshouldinvolveachiefengineer,whoknowsabouttheimpactontheonboardsystemsbutwillmostprobablyonlyhavelimitedknowledgeofsoftwareandcyberriskmanagement.Itis,therefore,importanttohaveadialoguewiththeITdepartmenttoensurethatcyberrisksareconsideredduringtheOTpurchasingprocess.OTsystemsshouldbeinventoriedwiththeITdepartment,soastoobtainanoverviewofpotentialchallengesandtohelpestablishthenecessarypolicyandproceduresforsoftwaremaintenance.
OtherindustrysectorshaveseenthebarrierremovedbetweenITandOT,withmanagementandprocurementstrategiesallhandledunderthesameregime.
1.2 Plans and procedures
IMOResolutionMSC.428(98)identifiescyberrisksasspecificthreats,whichcompaniesshouldtrytoaddressasfaraspossibleinthesamewayasanyotherriskthatmayaffectthesafeoperationofashipandprotectionoftheenvironment.Moreguidanceonhowtoincorporatecyberriskmanagementintothecompany’sSMScanbefoundinannex2oftheseguidelines.
Cyberriskmanagementshouldbeaninherentpartofthesafetyandsecuritycultureconducivetothesafeandefficientoperationoftheshipandbeconsideredatvariouslevelsofthecompany,includingseniormanagementashoreandonboardpersonnel.Inthecontextofaship’soperation,cyberincidentsareanticipatedtoresultinphysicaleffectsandpotentialsafetyand/orpollutionincidents.ThismeansthatthecompanyneedstoassessrisksarisingfromtheuseofITandOTonboardshipsandestablishappropriatesafeguardsagainstcyberincidents.CompanyplansandproceduresforcyberriskmanagementshouldbeincorporatedintoexistingsecurityandsafetyriskmanagementrequirementscontainedintheISMCodeandISPSCode.
TheobjectiveoftheSMSistoprovideasafeworkingenvironmentbyestablishingappropriatepracticesandproceduresbasedonanassessmentofallidentifiedriskstotheship,onboardpersonnelandtheenvironment.TheSMSshouldincludeinstructionsandprocedurestoensurethesafeoperationoftheshipandprotectionoftheenvironmentincompliancewithrelevantinternationalandflagstaterequirements.TheseinstructionsandproceduresshouldconsiderrisksarisingfromtheuseofITandOTonboard,takingintoaccountapplicablecodes,guidelinesandrecommendedstandards.
Whenincorporatingcyberriskmanagementintothecompany’sSMS,considerationshouldbegivenastowhether,inadditiontoagenericriskassessmentoftheshipsitoperates,aparticularshipneedsaspecificriskassessment.Thecompanyshouldconsidertheneedforaspecificriskassessmentbasedonwhetheraparticularshipisuniquewithintheirfleet.ThefactorstobeconsideredincludebutarenotlimitedtotheextenttowhichITandOTareusedonboard,thecomplexityofsystemintegrationandthenatureofoperations.
Inaccordancewithchapter8oftheISPSCode,theshipisobligedtoconductasecurityassessment,whichincludesidentificationandevaluationofkeyshipboardoperationsandtheassociatedpotentialthreats.AsrecommendedbyPartB,paragraph8.3.5oftheISPSCode,theassessmentshouldaddressradioandtelecommunicationsystems,includingcomputersystemsandnetworks.Therefore,theship’ssecurityplanmayneedtoincludeappropriatemeasuresforprotectingboththeequipmentandtheconnection.DuetothefastadoptionofsophisticatedanddigitalisedonboardOTsystems,considerationshouldbegiventoincludingtheseproceduresbyreferencetotheSMSinordertohelpensuretheship’ssecurityproceduresareasup-to-dateaspossible.
SystemslikeTankerManagementandSelfAssessment(TMSA)alsorequireplansandprocedurestobe
implemented.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 7Cyber
SeCurITy ANd SAfeTy mANAGemeNT
1.3 Relationship between ship manager and shipowner
TheDocumentofComplianceholderisultimatelyresponsibleforensuringthemanagementofcyberrisksonboard.Iftheshipisunderthirdpartymanagement,thentheshipmanagerisadvisedtoreachanagreementwiththeshipowner.
Particularemphasisshouldbeplacedbybothpartiesonthesplitofresponsibilities,alignmentofpragmaticexpectations,agreementonspecificinstructionstothemanagerandpossibleparticipationinpurchasingdecisionsaswellasbudgetaryrequirements.
ApartfromISMrequirements,suchanagreementshouldtakeintoconsiderationadditionalapplicablelegislationliketheEUGeneralDataProtectionRegulation(GDPR)orspecificcyberregulationsinothercoastalstates.Managersandownersshouldconsiderusingtheseguidelinesasabaseforanopendiscussiononhowbesttoimplementanefficientcyberriskmanagementregime.
Agreementsoncyberriskmanagementshouldbeformalandwritten.
1.4 The relationship between the shipowner and the agent
Theimportanceofthisrelationshiphasplacedtheagent4asanamedstakeholder,interfacingcontinuouslyandsimultaneouslywithshipowners,operators,terminals,portservicesvendors,andportstatecontrolauthoritiesthroughtheexchangeofsensitive,financial,andportcoordinationinformation.Therelationshipgoesbeyondthatofavendor.Itcantakedifferentformsandespeciallyinthetramptrade,shipownersrequirealocalrepresentative(anindependentshipagent)toserveasanextensionofthecompany.
Coordinationoftheship’scallofportisahighlycomplextaskbeingsimultaneouslyglobalandlocal.Itcoversupdatesfromagents,coordinatinginformationwithallportvendors,portstatecontrol,handlingshipandcrewrequirements,andelectroniccommunicationbetweentheship,portandauthoritiesashore.Asoneexample,whichtouchescyberriskmanagement:OftenagentsarerequiredtobuildITsystems,whichuploadinformationreal-timeintoowner’smanagementinformationsystem.
Qualitystandardsforagentsareimportantbecauselikeallotherbusinesses,agentsarealsotargetedbycybercriminals.Cyber-enabledcrime,suchaselectronicwirefraudandfalseshipappointments,andcyberthreatssuchasransomwareandhacking,callformutualcyberstrategiesandcyber-enhancedrelationshipsbetweenownersandagentstomitigatesuchcyberrisks.
4
Thepartyrepresentingtheship’sownerand/orcharterer(thePrincipal)inport.Ifsoinstructed,theagentisresponsibletotheprincipalforarranging,togetherwiththeport,aberth,allrelevantportandhusbandryservices,tendingtotherequirementsofthemasterandcrew,clearingtheshipwiththeportandotherauthorities(includingpreparationandsubmissionofappropriatedocumentation)alongwithreleasingorreceivingcargoonbehalfoftheprincipal(source:ConventiononFacilitationofInternationalMaritimeTraffic(FALConvention).
5
Nothingintheseguidelinesshouldbetakenasrecommendingthepaymentofransom.
Incident: Ship agent and shipowner ransomware incident
Ashipownerreportedthatthecompany’sbusinessnetworkswereinfectedwithransomware,apparentlyfromanemailattachment.Thesourceoftheransomwarewasfromtwounwittingshipagents,inseparateports,andonseparateoccasions.Shipswerealsoaffectedbutthedamagewaslimitedtothebusinessnetworks,whilenavigationandshipoperationswereunaffected.Inonecase,theownerpaidtheransom5.
Theimportanceofthisincidentisthatharmonizedcybersecurityacrossrelationshipswithtrustedbusinesspartnersandproducersiscriticaltoallinthesupplychain.Individualeffortstofortifyone’sownbusinesscanbevaliantandwell-intendedbutcouldalsobeinsufficient.Principalsinthesupplychainshouldworktogethertomitigatecyberrisk.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 8Cyber
SeCurITy ANd SAfeTy mANAGemeNT
1.5 Relationship with vendors
Companiesshouldevaluateandincludethephysicalsecurityandcyberriskmanagementprocessesofserviceprovidersinsupplieragreementsandcontracts.Processesevaluatedduringsuppliervettingandincludedincontractrequirementsmayinclude:
securitymanagementincludingmanagementofsub-suppliers
manufacturing/operationalsecurity
softwareengineeringandarchitecture
asset and cyber incident management
personnel security
dataandinformationprotection.
Evaluationofserviceprovidersbeyondthefirsttiermaybechallengingespeciallyforcompanieswithalargenumberoftieronesuppliers.Thirdpartyprovidersthatarecollectingandmanagingsupplierriskmanagementdatamaybeanoptiontoconsider.
Lackofphysicaland/orcybersecurityatasupplierwithintheirproductsorinfrastructuremayresultinabreachofcorporateITsystemsorcorruptionofshipOT/ITsystems.
Companiesshouldevaluatethecyberriskmanagementprocessesforbothnewandexistingcontracts.Itisgoodpracticeforthecompanytodefinetheirownminimumsetofrequirementstomanagesupplychainor3rdpartyrisks.Asetofcyberriskrequirementsthatreflectthecompany’sexpectationsshouldbeclearandunambiguoustovendors.Thismayalsohelpprocurementpracticeswhendealingwithmultiplevendors.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 9IdeNTIfy
ThreATS
Identify threats
Thecyberrisk6isspecifictothecompany,ship,operationand/ortrade.Whenassessingtherisk,companiesshouldconsideranyspecificaspectsoftheiroperationsthatmightincreasetheirvulnerabilitytocyberincidents.
Unlikeotherareasofsafetyandsecurity,wherehistoricevidenceisavailable,cyberriskmanagementismademorechallengingbytheabsenceofanydefinitiveinformationaboutincidentsandtheirimpact.Untilthisevidenceisobtained,thescaleandfrequencyofattackswillcontinuetobeunknown.
Experiencesintheshippingindustryandfromotherbusinesssectorssuchasfinancialinstitutions,publicadministrationandairtransporthaveshownthatsuccessfulcyberattacksmightresultinasignificantlossofservices.Assetscanalsocompromisesafety.
Therearemotivesfororganisationsandindividualstoexploitcybervulnerabilities.Thefollowingexamplesgivesomeindicationofthethreatsposedandthepotentialconsequencesforcompaniesandtheshipstheyoperate:
Group Motivation ObjectiveActivists (including disgruntled
employees)
reputationaldamage
disruptionofoperations
destructionofdata
publicationofsensitivedata
mediaattention
denialofaccesstotheserviceorsystemtargeted
Criminals financialgain
commercial espionage
industrial espionage
selling stolen data
ransoming stolen data
ransoming system operability
arrangingfraudulenttransportationofcargo
gatheringintelligenceformoresophisticatedcrime,exactcargolocation,shiptransportationandhandlingplansetc
Opportunists thechallenge
gettingthroughcybersecuritydefences
financialgain
States
State sponsored organisations
Terrorists
politicalgain
espionage
gainingknowledge
disruptiontoeconomiesandcriticalnationalinfrastructure
Table 2: motivation and objectives
Theabovegroupsareactiveandhavetheskillsandresourcestothreatenthesafetyandsecurityofshipsandacompany’sabilitytoconductitsbusiness.
2
6
ThetextinthischapterhasbeensummarisedfromCESG,CommonCyberAttacks:ReducingtheImpact.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 10IdeNTIfy
ThreATS
Inaddition,thereisthepossibilitythatcompanypersonnel,onboardandashore,couldcompromisecybersystemsanddata.Ingeneral,thecompanyshouldrealisethatthismaybeunintentionalandcausedbyhumanerrorwhenoperatingandmanagingITandOTsystemsorfailuretorespecttechnicalandproceduralprotectionmeasures.Thereis,however,thepossibilitythatactionsmaybemaliciousandareadeliberateattemptbyadisgruntledemployeetodamagethecompanyandtheship.
Types of cyber attack
Ingeneral,therearetwocategoriesofcyberattacks,whichmayaffectcompaniesandships:
untargetedattacks,whereacompanyoraship’ssystemsanddataareoneofmanypotentialtargets
targetedattacks,whereacompanyoraship’ssystemsanddataaretheintendedtarget.
Untargetedattacksarelikelytousetoolsandtechniquesavailableontheinternet,whichcanbeusedtolocate,discoverandexploitwidespreadvulnerabilitiesthatmayalsoexistinacompanyandonboardaship.Examplesofsometoolsandtechniquesthatmaybeusedinthesecircumstancesinclude:
Malware–Malicioussoftwarewhichisdesignedtoaccessordamageacomputerwithouttheknowledgeoftheowner.Therearevarioustypesofmalwareincludingtrojans,ransomware,spyware,viruses,andworms.Ransomwareencryptsdataonsystemsuntilaransomhasbeenpaid.Malwaremayalsoexploitknowndeficienciesandproblemsinoutdated/unpatchedbusinesssoftware.Theterm“exploit”usuallyreferstotheuseofasoftwareorcode,whichisdesignedtotakeadvantageofandmanipulateaprobleminanothercomputersoftwareorhardware.Thisproblemcan,forexample,beacodebug,systemvulnerability,improperdesign,hardwaremalfunctionand/orerrorinprotocolimplementation.Thesevulnerabilitiesmaybeexploitedremotelyortriggeredlocally.Locally,apieceofmaliciouscodemayoftenbeexecutedbytheuser,sometimesvialinksdistributedinemailattachmentsorthroughmaliciouswebsites.
Phishing–Sendingemailstoalargenumberofpotentialtargetsaskingforparticularpiecesofsensitiveorconfidentialinformation.Suchanemailmayalsorequestthatapersonvisitsafakewebsiteusingahyperlinkincludedintheemail.
Water
holing–Establishingafakewebsiteorcompromisingagenuinewebsitetoexploitvisitors.
Scanning–Attackinglargeportionsoftheinternetatrandom.
Targetedattacksmaybemoresophisticatedandusetoolsandtechniquesspecificallycreatedfortargetingacompanyorship.Examplesoftoolsandtechniques,whichmaybeusedinthesecircumstances,include:
Social
engineering–Anon-technicaltechniqueusedbypotentialcyberattackerstomanipulateinsiderindividualsintobreakingsecurityprocedures,normally,butnotexclusively,throughinteractionviasocialmedia.
Brute
force–Anattacktryingmanypasswordswiththehopeofeventuallyguessingcorrectly.Theattackersystematicallychecksallpossiblepasswordsuntilthecorrectoneisfound.
Denial of service
(DoS)–Preventslegitimateandauthorisedusersfromaccessinginformation,usuallybyfloodinganetworkwithdata.Adistributeddenialofservice(DDoS)attacktakescontrolofmultiplecomputersand/orserverstoimplementaDoSattack.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 11IdeNTIfy
ThreATS
Spear-phishing–Likephishingbuttheindividualsaretargetedwithpersonalemails,oftencontainingmalicioussoftwareorlinksthatautomaticallydownloadmalicioussoftware.
Subverting the supply
chain–Attackingacompanyorshipbycompromisingequipment,softwareorsupportingservicesbeingdeliveredtothecompanyorship.
Theaboveexamplesarenotexhaustive.Othermethodsareevolvingsuchasimpersonatingalegitimateshore-basedemployeeinashippingcompanytoobtainvaluableinformation,whichcanbeusedforafurtherattack.Thepotentialnumberandsophisticationoftoolsandtechniquesusedincyberattackscontinuetoevolveandarelimitedonlybytheingenuityofthoseorganisationsandindividualsdevelopingthem.
Stages of a cyber attack
In2018,ittookonaverage140daysbetweentimeofinfectionofavictim’snetworkanddiscoveryofacyberattack.However,intrusioncangoundetectedforyears.Thisfigureisdownfrom205daysin2015andcontinuestodropbecausedetectionisgettingbetter7.Cyberattacksareconductedinstages.Thelengthoftimetoprepareacyberattackcanbedeterminedbythemotivationsandobjectivesoftheattacker,andtheresilienceoftechnicalandproceduralcyberriskcontrolsimplementedbythecompany,includingthoseonboarditsships.Whenconsideringtargetedcyberattacks,thegenerally-observedstagesofanattackare:
Survey/reconnaissance–Open/publicsourcesareusedtogaininformationaboutacompany,shiporseafarerinpreparationforacyberattack.Socialmedia,technicalforumsandhiddenpropertiesinwebsites,documentsandpublicationsmaybeusedtoidentifytechnical,proceduralandphysicalvulnerabilities.Theuseofopen/publicsourcesmaybecomplementedbymonitoring(analysing–sniffing)theactualdataflowingintoandfromacompanyoraship.
Delivery–Attackersmayattempttoaccessthecompany’sandship’ssystemsanddata.Thismaybedonefromeitherwithinthecompanyorshiporremotelythroughconnectivitywiththeinternet.Examplesofmethodsusedtoobtainaccessinclude:
•
companyonlineservices,includingcargoorcontainertrackingsystems
•
sendingemailscontainingmaliciousfilesorlinkstomaliciouswebsitestopersonnel
•
providinginfectedremovablemedia,forexampleaspartofasoftwareupdatetoanonboardsystem
•
creatingfalseormisleadingwebsites,whichencouragethedisclosureofuseraccountinformationbypersonnel.
Breach–Theextenttowhichanattackercanbreachacompany’sorship’ssystemwilldependonthesignificanceofthevulnerabilityfoundbyanattackerandthemethodchosentodeliveranattack.Itshouldbenotedthatabreachmightnotresultinanyobviouschangestothestatusoftheequipment.Dependingonthesignificanceofthebreach,anattackermaybeableto:
•
makechangesthataffectthesystem’soperation,forexampleinterruptormanipulateinformationusedbynavigationequipment,oralteroperationallyimportantinformationsuchasloading
lists
•
gainaccesstocommerciallysensitivedatasuchascargomanifestsand/orcrewandpassenger/visitorlists
7 TheMicrosoftCybercrimeCenter.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 12IdeNTIfy
ThreATS
•
achievefullcontrolofasystem,forexampleamachinerymanagementsystem.
Pivot–Pivotingisthetechniqueofusinganinstancealreadyexploitedtobeableto“move”andperformotheractivities.Duringthisphaseofanattack,anattackerusesthefirstcompromisedsystemtoattackotherwiseinaccessiblesystems.Anattackerwillusuallytargetthemostvulnerablepartofthevictim’ssystemwiththelowestlevelofsecurity.Onceaccessisgainedthentheattackerwilltrytoexploittherestofthesystem.Usually,inthePivotphase,theattackermaytryto:
•
uploadtools,exploitsandscriptsinthesystemtosupporttheattackerinthenewattackphase
•
executeadiscoveryofneighboursystemswithscanningornetworkmappingtools
•
installpermanenttoolsorakeyloggertokeepandmaintainaccesstothesystem
• executenewattacksonthesystem.
Themotivationandobjectivesoftheattackerwilldeterminewhateffecttheyhaveonthecompanyorshipsystemanddata.Anattackermayexploresystems,expandaccessand/orensurethattheyareabletoreturntothesysteminorderto:
accesscommerciallysensitiveorconfidentialdataaboutcargo,crew,visitorsandpassengers
manipulatecreworpassenger/visitorslists,cargomanifestsorloadinglists.Thismaysubsequentlybeusedtoallowthefraudulenttransportofillegalcargo,orfacilitatethefts
causecompletedenialofserviceonbusinesssystems
enableotherformsofcrimeforexamplepiracy,theftandfraud
disruptnormaloperationofthecompanyandshipsystems,forexamplebydeletingcriticalpre-arrivalordischargeinformationoroverloadingcompanysystems.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 13IdeNTIfy
vulNerAbIlITIeS
Identify vulnerabilities3
Itisrecommendedthatashippingcompanyinitiallyperformsanassessmentofthepotentialthreatsthatmayrealisticallybefaced.Thisshouldbefollowedbyanassessmentofthesystemsandonboardprocedurestomaptheirrobustnesstohandlethecurrentlevelofthreat.Itmaybefacilitatedbyinternalexpertsorsupportedbyexternalexpertswithknowledgeofthemaritimeindustryanditskeyprocesses.Theresultshouldbeastrategycentredaroundthekeyrisks.
Stand-alonesystemswillbelessvulnerabletoexternalcyberattackscomparedtothoseattachedtouncontrollednetworksordirectlytotheinternet.Networkdesignandnetworksegregationwillbeexplainedinmoredetailinannex3.Careshouldbetakentounderstandhowcriticalshipboardsystemsmightbeconnectedtouncontrollednetworks.Whendoingso,thehumanelementshouldbetakenintoconsideration,asmanyincidentsareinitiatedbypersonnel’sactions.Onboardsystemscouldinclude:
Cargo management
systems–Digitalsystemsusedfortheloading,managementandcontrolofcargo,includinghazardouscargo,mayinterfacewithavarietyofsystemsashore,includingports,marineterminals.Suchsystemsmayincludeshipment-trackingtoolsavailabletoshippersviatheinternet.However,thetrackingisusuallydoneviathecompany’ssystemsconnectedtotheshipandnotdirectlybetweentheshipperandtheship.Interfacesofthiskindmakecargomanagementsystemsanddataincargomanifestsandloadinglistsvulnerabletocyberattacks.
Bridge
systems–Theincreasinguseofdigital,networknavigationsystems,withinterfacestoshoresidenetworksforupdateandprovisionofservices,makesuchsystemsvulnerabletocyberattacks.Bridgesystemsthatarenotconnectedtoothernetworksmaybeequallyvulnerable,asremovablemediaareoftenusedtoupdatesuchsystemsfromothercontrolledoruncontrollednetworks.Acyberincidentcanextendtoservicedenialormanipulationand,therefore,mayaffectallsystemsassociatedwithnavigation,includingECDIS,GNSS,AIS,VDRandRadar/ARPA.
Propulsion and machinery management and power control
systems–Theuseofdigitalsystemstomonitorandcontrolonboardmachinery,propulsionandsteeringmakessuchsystemsvulnerabletocyberattacks.Thevulnerabilityofthesesystemscanincreasewhenusedinconjunctionwithremotecondition-basedmonitoringand/orareintegratedwithnavigationandcommunicationsequipmentonshipsusingintegratedbridgesystems.
Access control
systems–Digitalsystemsusedtosupportaccesscontroltoensurephysicalsecurity
Incident: Crash of integrated navigation bridge at sea
Ashipwithanintegratednavigationbridgesufferedafailureofnearlyallnavigationsystemsatsea,inahightrafficareaandreducedvisibility.Theshiphadtonavigatebyoneradarandbackuppaperchartsfortwodaysbeforearrivinginportforrepairs.ThecauseofthefailureofallECDIScomputerswasdeterminedtobeattributedtotheoutdatedoperatingsystems.Duringthepreviousportcall,aproducertechnicalrepresentativeperformedanavigationsoftwareupdateontheship’snavigationcomputers.However,theoutdatedoperatingsystemswereincapableofrunningthesoftwareandcrashed.TheshipwasrequiredtoremaininportuntilnewECDIScomputerscouldbeinstalled,classificationsurveyorscouldattend,andanear-missnotificationhadbeenissuedasrequiredbythecompany.Thecostsofthedelayswereextensiveandincurredbytheshipowner.
Thisincidentemphasizesthatnotallcomputerfailuresarearesultofadeliberateattackandthatoutdatedsoftwareispronetofailure.Moreproactivesoftwaremaintenancetotheshipmayhavepreventedthisincidentfrom
occurring.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 14IdeNTIfy
vulNerAbIlITIeS
andsafetyofashipanditscargo,includingsurveillance,shipboardsecurityalarm,andelectronic“personnel-on-board”systemsarevulnerabletocyberattacks.
Passenger servicing and management
systems–Digitalsystemsusedforpropertymanagement,boardingandaccesscontrolmayholdvaluablepassengerrelateddata.Intelligentdevices(tablets,handheldscannersetc.)arethemselvesanattackvectorasultimatelythecollecteddataispassedontoothersystems.
Passenger facing public
networks–Fixedorwirelessnetworksconnectedtotheinternet,installedonboardforthebenefitofpassengers,forexampleguestentertainmentsystems,shouldbeconsidereduncontrolledandshouldnotbeconnectedtoanysafetycriticalsystemonboard.
Administrative and crew welfare
systems–Onboardcomputernetworksusedforadministrationoftheshiporthewelfareofthecrewareparticularlyvulnerablewhenprovidinginternetaccessandemail.Thiscanbeexploitedbycyberattackerstogainaccesstoonboardsystemsanddata.Thesesystemsshouldbeconsidereduncontrolledandshouldnotbeconnectedtoanysafetycriticalsystemonboard.Softwareprovidedbyshipmanagementcompaniesorownersisalsoincludedinthiscategory.
Communication
systems–Availabilityofinternetconnectivityviasatelliteand/orotherwirelesscommunicationcanincreasethevulnerabilityofships.Thecyberdefencemechanismsimplementedbytheserviceprovidershouldbecarefullyconsideredbutshouldnotbesolelyreliedupontosecureeveryshipboardsystemanddata.Includedinthesesystemsarecommunicationlinkstopublicauthoritiesfortransmissionofrequiredshipreportinginformation.Applicableauthenticationandaccesscontrolmanagementrequirementsbytheseauthoritiesshouldbestrictlycompliedwith.
Theabove-mentionedonboardsystemsconsistofpotentiallyvulnerableequipment,whichshouldbereviewedduringtheassessment.Moredetailcanbefoundinannex1oftheseguidelines.
3.1 Ship to shore interface
Shipsarebecomingmoreandmoreintegratedwithshoresideoperationsbecausedigitalcommunicationisbeingusedtoconductbusiness,manageoperations,andretaincontactwithheadoffice.Furthermore,criticalshipsystemsessentialtothesafetyofnavigation,powerandcargomanagementhavebecomeincreasinglydigitalisedandconnectedtotheinternettoperformawidevarietyoflegitimatefunctionssuchas:
engine performance monitoring
maintenance and spare parts management
cargo,loadingandunloading,crane,pumpmanagementandstowplanning
voyageperformancemonitoring.
Theabovelistprovidesexamplesofthisinterfaceandisnotexhaustive.Theabovesystemsprovidedata,whichmaybeofinteresttocybercriminalstoexploit.
Moderntechnologiescanaddvulnerabilitiestotheshipsespeciallyifthereareinsecuredesignsofnetworksanduncontrolledaccesstotheinternet.Additionally,shoresideandonboardpersonnelmaybeunawarehowsomeequipmentproducersmaintainremoteaccesstoshipboardequipmentanditsnetworksystem.Unknown,anduncoordinatedremoteaccesstoanoperatingshipshouldbetakenintoconsiderationasanimportantpartoftheriskassessment.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 15IdeNTIfy
vulNerAbIlITIeS
Itisrecommendedthatcompaniesshouldfullyunderstandtheship’sOTandITsystemsandhowthesesystemsconnectandintegratewiththeshoreside,includingpublicauthorities,marineterminalsandstevedores.Thisrequiresanunderstandingofallcomputerbasedonboardsystemsandhowsafety,operations,andbusinesscanbecompromisedbyacyberincident.
Thefollowingshouldbeconsideredregardingproducersandthirdpartiesincludingcontractorsandserviceproviders:
1.
Theproducer’sandserviceprovider’scyberriskmanagementawarenessandprocedures:Suchcompaniesmaylackcyberawarenesstrainingandgovernanceintheirownorganisationsandthismayrepresentmoresourcesofvulnerability,whichcouldresultincyberincidents.Thesecompaniesshouldhaveanupdatedcyberriskmanagementcompanypolicy,whichincludestrainingandgovernanceproceduresforaccessibleITandOTonboardsystems.
2.
Thematurityofathird-party’scyberriskmanagementprocedures:Theshipownershouldquerytheinternalgovernanceofcybernetworksecurity,andseektoobtainacyberriskmanagementassurancewhenconsideringfuturecontractsandservices.Thisisparticularlyimportantwhencoveringnetworksecurityiftheshipistobeinterfacedwiththethird-partysuchasamarineterminalorstevedoringcompany.
Common vulnerabilities
Thefollowingarecommoncybervulnerabilities,whichmaybefoundonboardexistingships,andonsomenewbuildships:
obsoleteandunsupportedoperatingsystems
outdatedormissingantivirussoftwareandprotectionfrommalware
inadequatesecurityconfigurationsandbestpractices,includingineffectivenetworkmanagementandtheuseofdefaultadministratoraccountsandpasswords,
shipboardcomputernetworks,whichlackboundaryprotectionmeasuresandsegmentationofnetworks
safetycriticalequipmentorsystemsalwaysconnectedwiththeshoreside
inadequateaccesscontrolsforthirdpartiesincludingcontractorsandserviceproviders.
Incident: Navigation computer crash during pilotage
AshipwasundertheconductofapilotwhentheECDISandvoyageperformancecomputerscrashed.Apilotwasonthebridge.Thecomputerfailuresbrieflycreatedadistractiontothewatchofficers;however,thepilotandthemasterworkedtogethertofocusthebridgeteamonsafenavigationbyvisualmeansandradar.Whenthecomputerswererebooted,itwasapparentthattheoperatingsystemswereoutdatedandunsupported.Themasterreportedthatthesecomputerproblemswerefrequent(referredtotheissuesas“gremlins”)andthatrepeatedrequestsforservicingfromtheshipownerhadbeenignored.
Itisaclearcaseofhowsimpleservicingandattentiontotheshipbymanagementcanpreventmishaps.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 16ASSeSS rISk
expOSure
Assess risk exposure4
Cyberriskassessmentshouldstartatseniormanagementlevelofacompany,insteadofbeingimmediatelydelegatedtotheshipsecurityofficerortheheadoftheITdepartment.Thereareseveralreasonsforthis.
1.
Initiativestoheightencybersecurityandsafetymayatthesametimeaffectstandardbusinessproceduresandoperations,renderingthemmoretimeconsumingand/orcostly.Itis,therefore,aseniormanagementleveldecisiontoevaluateanddecideonriskmitigation.
2.
Anumberofinitiatives,whichwouldimprovecyberriskmanagement,arerelatedtobusinessprocesses,training,thesafetyoftheshipandtheenvironmentandnottoITsystems,andthereforeneedtobeanchoredorganisationallyoutsidetheITdepartment.
3.
Initiativeswhichheightencyberawarenessmaychangehowthecompanyinteractswithcustomers,suppliersandauthorities,andimposenewrequirementsontheco-operationbetweentheparties.Itisaseniormanagementleveldecisionwhetherandhowtodrivethesechangesinrelationships.
Thefollowingquestionsmaybeusedasabasisforariskassessmentwhenaddressingcyberrisksonboardships:
Whatassetsareatrisk?
Whatisthepotentialimpactofacyberincident?
Whohasthefinalresponsibilityforthecyberriskmanagement?
AretheOTsystemsandtheirworkingenvironmentprotectedfromtheinternet?
IsthereremoteaccesstotheOTsystems,andifsohowisitmonitoredandprotected?
AretheITsystemsprotectedandisremoteaccessbeingmonitoredandmanaged?
Whatcyberriskmanagementbestpracticesarebeingused?
WhatisthetraininglevelofthepersonneloperatingtheITandOTsystems?
Basedontheanswers,thecompanyshoulddelegateauthorityandallocatethebudgetneededtocarryoutafullriskassessmentanddevelopsolutionsthatarebestsuitedforthecompanyandtheoperationoftheirships.Thefollowingshouldbeaddressed:
identifysystemsthatareimportanttooperation,safetyandenvironmentalprotection
assignthepersonsresponsibleforsettingcyberpolicies,proceduresandenforcemonitoring
determinewheresecureremoteaccessshouldusemultipledefencelayersandwhereprotectionofnetworksshouldbedisconnectedfromtheinternet
identificationofneedsfortrainingofpersonnel.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 17ASSeSS rISk
expOSure
Thelevelofcyberriskwillreflectthecircumstancesofthecompany,ship(itsoperationandtrade),theITandOTsystemsused,andtheinformationand/ordatastored.Themaritimeindustrypossessesarangeofcharacteristics,whichaffectitsvulnerabilitytocyberincidents:
thecybercontrolsalreadyimplementedbythecompanyonboarditsships
multiplestakeholdersareofteninvolvedintheoperationandcharteringofashippotentiallyresultinginlackofaccountabilityfortheITinfrastructure
theshipbeingonlineandhowitinterfaceswithotherpartsoftheglobalsupplychain
shipequipmentbeingremotelymonitored,egbytheproducers
business-critical,datasensitiveandcommerciallysensitiveinformationsharedwithshore-basedserviceproviders,includingmarineterminalsandstevedoresandalso,whereapplicable,publicauthorities
theavailabilityanduseofcomputer-controlledcriticalsystemsfortheship’ssafetyandforenvironmentalprotection.
Theseelementsshouldbeconsidered,andrelevantpartsincorporatedintothecompanycybersecuritypolicies,safetymanagementsystems,andshipsecurityplans.Usersoftheseguidelinesshouldrefertospecificnational,internationalandflagstateregulationsaswellasrelevantinternationalandindustrystandardsandbestpracticeswhendevelopingandimplementingcyberriskmanagement
procedures.
ITandOTsystems,softwareandmaintenancecanbeoutsourcedtothird-partyserviceprovidersandthecompany,itself,maynotpossessawayofverifyingthelevelofsecuritysuppliedbytheseproviders.Somecompaniesusedifferentprovidersresponsibleforsoftwareandcybersecuritychecks.
Thegrowinguseofbigdata,smartshipsandthe“internetofthings”8willincreasetheamountofinformationavailabletocyberattackersandthepotentialattacksurfacetocybercriminals.Thismakestheneedforrobustapproachestocyberriskmanagementimportantbothnowandinthefuture.
Incident: Worm attack on maritime IT and OT
Ashipwasequippedwithapowermanagementsystemthatcouldbeconnectedtotheinternetforsoftwareupdatesandpatching,remotediagnostics,datacollection,andremoteoperation.Theshipwasbuiltrecently,butthissystemwasnotconnectedtotheinternetbydesign.
Thecompany’sITdepartmentmadethedecisiontovisittheshipandperformedvulnerabilityscanstodetermineifthesystemhadevidenceofinfectionandtodetermineifitwassafetoconnect.Theteamdiscoveredadormantwormthatcouldhaveactivateditselfoncethesystemwasconnectedtotheinternetandthiswouldhavehadsevereconsequences.Theincidentemphasizesthatevenairgappedsystemscanbecompromisedandunderlinesthevalueofproactivecyberriskmanagement.
Theshipowneradvisedtheproduceraboutthediscoveryandrequestedproceduresonhowtoerasetheworm.Theshipownerstatedthatbeforethediscovery,aservicetechnicianhadbeenaboardtheship.Itwasbelievedthattheinfectioncouldpotentiallyhavebeencausedbythetechnician.
ThewormspreadviaUSBdevicesintoarunningprocess,whichexecutesaprogramintothememory.Thisprogramwasdesignedtocommunicatewithitscommandandcontrolservertoreceiveitsnextsetofinstructions.Itcould
8
Lloyd’sRegister,QinetiqandUniversityofSouthampton,GlobalMarineTechnologyTrends2030.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 18ASSeSS rISk
expOSure
evencreatefilesandfolders.
Thecompanyaskedcybersecurityprofessionalstoconductforensicanalysisandremediation.Itwasdeterminedthatallserversassociatedwiththeequipmentwereinfectedandthatthevirushadbeeninthesystemundiscoveredfor875days.Scanningtoolsremovedthevirus.Ananalysisprovedthattheserviceproviderwasindeedthesourceandthatthewormhadintroducedthemalwareintotheship’ssystemviaaUSBflashdriveduringasoftwareinstallation.
Analysisalsoprovedthatthiswormoperatedinthesystemmemoryandactivelycalledouttotheinternetfromtheserver.Sincethewormwasloadedintomemory,itcouldaffecttheperformanceoftheserverandsystemsconnectedtotheinternet.
Third-party access
Visitstoshipsbythirdpartiesrequiringaconnectiontooneormorecomputersonboardcanalsoresultinconnectingtheshiptoshore.Itiscommonfortechnicians,vendors,portofficials,marineterminalrepresentatives,agents,pilots,andothertechnicianstoboardtheshipandplugindevices,suchaslaptopsandtablets.Sometechniciansmayrequiretheuseofremovablemediatoupdatecomputers,downloaddataand/orperformothertasks.Ithasalsobeenknownforcustomsofficialsandportstatecontrolofficerstoboardashipandrequesttheuseofacomputerto“printofficialdocuments”afterhavinginsertedanunknownremovablemedia.
Sometimesthereisnocontrolastowhohasaccesstotheonboardsystems,egduringdrydocking,layupsorwhentakingoveraneworexistingship.Insuchcases,itisdifficulttoknowifmalicioussoftwarehasbeenleftintheonboardsystems.Itisrecommendedthatsensitivedataisremovedfromtheshipandreinstalledonreturningtotheship.Wherepossible,systemsshouldbescannedformalwarepriortouse.OTsystemsshouldbetestedtocheckthattheyarefunctioningcorrectly.
SomeITandOTsystemsareremotelyaccessibleandmayoperatewithacontinuousinternetconnectionforremotemonitoring,datacollection,maintenancefunctions,safetyandsecurity.Thesesystemscanbe“third-partysystems”,wherebythecontractormonitorsandmaintainsthesystemsfromaremoteaccess.Thesesystemscouldincludebothtwo-waydataflowandupload-only.Systemsandworkstationswithremotecontrol,accessorconfigurationfunctionscould,forexample,be:
bridgeandengineroomcomputersandworkstationsontheship’sadministrativenetwork
cargosuchascontainerswithreefertemperaturecontrolsystemsorspecialisedcargothataretracked
remotely
stability decision support systems
hullstressmonitoringsystems
navigationalsystemsincludingElectronicNavigationChart(ENC)VoyageDataRecorder(VDR),dynamicpositioning(DP)
cargohandlingandstowage,engine,andcargomanagementandloadplanningsystems
safetyandsecuritynetworks,suchasCCTV(closedcircuittelevision)
specialisedsystemssuchasdrillingoperations,blowoutpreventers,subseainstallationsystems,EmergencyShutDown(ESD)forgastankers,submarinecableinstallationandrepair.
Theextentandnatureofconnectivityofequipmentshouldbeknownbytheshipowneroroperatorandconsideredasanimportantpartoftheriskassessment.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 19ASSeSS rISk
expOSure
Impact assessment
Theconfidentiality,integrityandavailability(CIA)model9providesaframeworkforassessingtheimpactof:
unauthorisedaccesstoanddisclosureofinformationordataabouttheship,crew,cargoandpassengers
lossofintegrity,whichwouldmodifyordestroyinformationanddatarelatingtothesafeandefficientoperationandadministrationoftheship
lossofavailabilityduetothedestructionoftheinformationanddataand/orthedisruptiontoservices/operationofshipsystems.
Therelativeimportanceofconfidentiality,integrityandavailabilitydependsontheuseoftheinformationordata.Forexample,assessingthevulnerabilityofITsystemsrelatedtocommercialoperationsmayfocusonconfidentialityandintegrityratherthanavailability.Conversely,assessingthevulnerabilityofOTsystemsonboardships,particularlysafetycriticalsystems,mayfocusonavailabilityand/orintegrityinsteadofconfidentiality.
Potentialimpactscouldbesafety-related,operational,environmental-related,financial,reputationalandcompliance-related.Severalassessmentmethodologiesoffercriteriaandtechniquesthatcanhelpdefinethemagnitudeoftheimpactfromacyberattack10.
Potential impact Definition In practiceLow
Thelossofconfidentiality,integrity,oravailability
couldbeexpectedtohavealimitedadverseeffectoncompanyandship,organisationalassets,orindividuals
Alimitedadverseeffectmeansthatasecuritybreachmight:(i)causeadegradationinshipoperationtoanextentanddurationthattheorganisationisabletoperformitsprimaryfunctions,buttheeffectivenessofthefunctionsisnoticeablyreduced;(ii)resultinminordamagetoorganisationalassets;(iii)resultinminorfinancialloss;or(iv)resultinminorharmtoindividuals.
Moderate
Thelossofconfidentiality,integrity,oravailabilitycouldbeexpectedtohaveasubstantialadverseeffectoncompanyandship,assetsorindividuals
Asubstantialadverseeffectmeansthatasecuritybreachmight:(i)causeasignificantdegradationinshipoperationtoanextentanddurationthattheorganisationisabletoperformitsprimaryfunctions,buttheeffectivenessofthefunctionsissignificantlyreduced;(ii)resultinsignificantdamagetoorganisationalassets;(iii)resultinsignificantfinancialloss;or(iv)resultinsignificantharmtoindividualsthatdoesnotinvolvelossoflifeorseriouslifethreateninginjuries.
High
Thelossofconfidentiality,integrity,oravailabilitycouldbeexpectedtohaveasevereorcatastrophicadverseeffectoncompanyandshipoperations,assets,environmentorindividuals.
Asevereorcatastrophicadverseeffectmeansthatasecuritybreachmight:(i)causeaseveredegradationinorlossofshipoperationtoanextentanddurationthattheorganisationisnotabletoperformoneormoreofitsprimaryfunctions;(ii)resultinmajordamagetoenvironmentand/ororganisationalassets;(iii)resultinmajorfinancialloss;or(iv)resultinsevereorcatastrophicharmtoindividualsinvolvinglossoflifeorseriouslife-threateninginjuries.
Table 3: potential impact levels when using the CIA model
WhenitcomestoOTsystems,anextradimensionmustbeaddedtotheCIAmodel.
9
FederalInformationProcessingStandards,Publication199,ComputerSecurityDivisionInformationTechnologyLaboratory,NationalInstituteofStandardsandTechnology,Gaithersburg,MD20899-8900.
10Methodologiesinclude,andarenotlimitedto,ISO/IEC27005:2018Informationtechnology–Securitytechniques–Informationsecurityriskmanagement,COSOEnterpriseRiskManagementFramework,andISO31000:2018Riskmanagement–Guidelines.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 20ASSeSS rISk
expOSure
AriskassessmentofOTsystemsneedstobebasedonaninventoryoverviewofequipmentand/orcomputer-basedsystemsandamapofthenetworks’connections.Further,accesspointsandcommunicationdevicesshouldbepartofthisoverview.AstheimpactofanonboardOTsystem’scyberincidentmayincludephysicaleffects,riskassessmentsshouldinclude:
impactsonthesafetyofonboardpersonnel,theshipandcargo
physicalimpactonanOTsystem,includingtheenvironmentsurroundingitonboard;theeffectontheprocessthatisbeingcontrolledandthephysicaleffectontheOTsystemitself
theconsequencesforriskassessmentsofnon-digitalcontrolcomponentswithinanOTsystem.
TheimplementationofprotectionmeasuresbasedonriskassessmentsiswellestablishedonallshipsviatheISMcodeandtheship’sSMS.Safetyassessmentsareconcernedprimarilywiththephysicalworldbearinginmindthatthephysicalandthedigitalworldsarenowintertwined.Assessingthepotentialphysicaldamagefromacyberincidentshouldinclude:
1.
howanincidentcouldmanipulatetheoperationofsensorsandactuatorstoimpactthephysicalenvironment
2.
whatredundantcontrolsandmanualoverridingpossibilitiesexistintheOTsystemtopreventan
incident
3. howaphysicalincidentcouldemerge.
4.
howtoevaluatepotentialeffectstothephysicalprocessperformedbytheOTsystem.
Example
Ashipisequippedwithacomplexpowermanagementsystem.Itconsistsofswitchboardsandgeneratorscontrollingsystemsforautoloadsharing,powercontrolandautosynchronizing.Ontopofthepowermanagementsystem,asupervisorycontrolanddataacquisition(SCADA)systemprovidesoutputandmakesitpossibleforthecrewtocontrolthedistributionofonboardelectricpower.
Powermanagementisimportanttothesafetyofthecrew,ship,andcargo.Italsohasaclearenvironmentalandfinancialimpactaspowerisgeneratedbyuseoffueleitherbytheship’smainengine(shaftgenerator)and/orauxiliaryengines.Therefore,acyberincidentthatdisablesorcausesthepowermanagementsystemtomalfunctioncanplacetheoperationandsafetyoftheshipatrisk.Tolowertherisk,thecompanyshouldaddprotectionmeasuresthatminimizethepossibilityofsuchacyberincidenttakingplace.
TheSCADAsystemcontainsreal-timesensordata,whichisusedonboardforpowermanagement.Italsogeneratesdataaboutthepowerconsumption,whichisusedbytheshippingcompanyforadministrativepurposes.Todetermineifthepotentialimpactofdataandinformationisbeingbreached,theCIAmodelshouldbeused.Whendoingso,theshippingcompanyshoulddeterminethepotentialimpactofthemostsensitiveinformationstored,processedortransmittedbytheSCADAsystem.
UsingtheCIAmodel,theshippingcompanycanconcludethat:
losingconfidentialityofthesensordataacquiredbytheSCADAsystemwillhavealowimpactasthesensorsarepubliclydisplayedonboard.However,fromasafetypointofview,itisimportantthattheinformationtransmittedbythesensorscanbereliedupon.Therefore,thereisapotentialhighimpactfromalossofintegrity.Itwillalsobeasafetyissueiftheinformationcannotberead.So,thereisapotentialhighimpactfromalossofavailability.
alossofconfidentialityregardingthepowerconsumptioninformationbeingsenttotheshippingcompanyforstatisticalpurposesisassessedasapotentiallowimpact.Therewillalsobeapotentiallowimpactfromalossofintegrityandavailabilityasthedataisonlyusedforin-houseconsiderations.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 21ASSeSS rISk
expOSure
Thefollowingtableshowstheresultoftheassessment.
SCADA system Confidentiality Integrity Availability Overall
impact
Sensor data Low High High High
Statistical data Low Low Low Low
Table 4: result of CIA assessment of SCAdA system
Bring your own device (BYOD)
Itisrecognisedthatpersonnelmaybeallowedtobringtheirowndevices(BYOD)onboardtoaccesstheship’ssystemornetwork.Althoughthismaybebothbeneficialandeconomicalforships,itsignificantlyincreasesthelevelofvulnerabilitybecausethesedevicesmaybeunmanaged.PoliciesandproceduresshouldaddressthecontrolanduseofBYODs,aswellashowtoprotectvulnerabledata,byusingnetworksegregationforexample.
4.1 Risk assessment made by the company
Asmentionedabove,theriskassessmentprocessstartsbyassessingthesystemsonboard,inordertomaptheirrobustnesstohandlethecurrentlevelofcyberthreats.TheassessmentshouldassesstheITandOTsystemsonboard.Whenconductingtheassessment,thecompanyshouldconsidertheoutcomesoftheshipsecurityassessmentaswellasthefollowing:
1.
identificationofexistingtechnicalandproceduralcontrolstoprotecttheonboardITandOTsystems
2.
identificationofITandOTsystemsthatarevulnerableincludingthehumanfactor,andthepoliciesandproceduresgoverningtheuseofthesesystems.Theidentificationshouldincludesearchesforknownvulnerabilitiesrelevanttotheequipmentaswellasthecurrentlevelofpatchingandfirmwareupdates
3.
identificationandevaluationofkeyshipboardoperationsthatarevulnerabletocyberattacks
4.
identificationofpossiblecyberincidentsandtheirimpactonkeyshipboardoperations,andthelikelihoodoftheiroccurrencetoestablishandprioritiseprotectionmeasures.
Companiesmayconsultwiththeproducersandserviceprovidersofonboardequipmentandsystemstounderstandthetechnicalandproceduralcontrolsthatmayalreadybeinplacetoaddresscyberriskmanagement.Furthermore,anyidentifiedcybervulnerabilityinthefactorystandardconfigurationofacriticalsystemorcomponentshouldbedisclosedtofacilitatebetterprotectionoftheequipmentinthefuture.
4.2 Third-party risk assessments
Self-assessmentscanserveasagoodstartbutmaybecomplementedbythird-partyriskassessmentstodrilldeeperandidentifytherisksandthegapsthatmaynotbefoundduringtheself-assessment.PenetrationtestsofcriticalITandOTinfrastructurecanalsobeperformedtoidentifywhethertheactualdefencelevelmatchesthedesiredlevelsetforthinthecybersecuritystrategyforthecompany.SuchtestscanbeperformedbyexternalexpertssimulatingattacksusingbothIT-systems,social
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 22ASSeSS rISk
expOSure
engineeringand,ifdesired,evenphysicalpenetrationofafacility’ssecurityperimeter.Thesetestsarereferredtoasactivetestsbecausetheyinvolveaccessingandinsertingsoftwareintoasystem.ThismayonlybeappropriateforITsystems.WhererisktoOTsystemsduringpenetrationtestingisunacceptable,passivetestingapproachesshouldbeconsidered.Passivemethodsrelyonscanningdatatransmittedbyasystemtoidentifyvulnerabilities.Ingeneral,noattemptismadetoactivelyaccessorinsertsoftwareintothesystem.
4.3 Risk assessment process
Phase 1: Pre-assessment activities
Priortostartingacyberriskassessmentonboard11,thefollowingactivitiesshouldbeperformed:
maptheship’skeyfunctionsandsystemsandtheirpotentialimpactlevels,forexampleusingtheCIAmodel,takingintoconsiderationtheoperationofOTsystems
identifymainproducersofcriticalshipboardITandOTequipment
reviewdetaileddocumentationofcriticalOTandITsystemsincludingtheirnetworkarchitecture,interfacesandinterconnections
identifycybersecuritypoints-of-contactwitheachoftheproducersandestablishaworkingrelationshipwiththem
reviewdetaileddocumentationontheship’smaintenanceandsupportoftheITandOTsystems
establishcontractualrequirementsandobligationsthattheshipowner/shipoperatormayhaveformaintenanceandsupportofshipboardnetworksandequipment
support,ifnecessary,theriskassessmentwithanexternalexperttodevelopdetailedplansandincludeproducersandserviceproviders.
Phase 2: Ship assessment
Thegoaloftheassessmentofaship’snetworkanditssystemsanddevicesistoidentifyanyvulnerabilitiesthatcouldcompromiseorresultineitherlossofconfidentiality,lossofintegrityorresultinalossofoperationoftheequipment,system,network,oreventheship.Thesevulnerabilitiesandweaknessescouldfallintooneofthefollowingcategories:
technicalsuchassoftwaredefectsoroutdatedorunpatchedsystems
designsuchasaccessmanagement,unmanagednetworkinterconnections
implementationerrorsforexamplemisconfiguredfirewalls
proceduralorotherusererrors.
Theactivitiesperformedduringanassessmentcouldincludereviewingtheconfigurationofallcomputers,servers,routers,andcybersecuritytechnologiesincludingfirewalls.ItcouldalsoincludereviewsofallavailablecybersecuritydocumentationandproceduresforconnectedITandOTsystemsanddevices.
11Basedonathird-partyriskassessmentmethoddescribedbyNCCGroup.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 23ASSeSS rISk
expOSure
Anaspectofon-shipassessmentisinvolvementofcrewofalllevels;particularlythemaster,chiefengineerandfirstmate.ThisprocessassiststounderstandtheimplementationoftheITandOTsystemsonboard,andhowtheymayvaryfromstateddesigndocumentation,andalsotounderstandthelevelofcybertrainingdeliveredtotheship’screw.
Phase 3: Debrief and vulnerability review/reporting
Followingtheassessment,eachidentifiedvulnerabilityshouldbeevaluatedforitspotentialimpactandtheprobabilityofitsexploitation.Recommendedtechnicaland/orproceduralcorrectiveactionsshouldbeidentifiedforeachvulnerability.
Ideally,thecyberriskassessmentshouldinclude:
executivesummary–ahigh-levelsummaryofresults,recommendationsandtheoverallsecurityprofileoftheassessedship
technicalfindings–breakdownofdiscoveredvulnerabilities,theirprobabilityofexploitation,theresultingimpact,andappropriatetechnicalfixandmitigationadvice
prioritisedlistofactions–theprioritiesallocatedshouldreflecttheeffectivenessofthemeasure,thecost,theapplicability,etc.Itisimportantthatthislistshouldbeacompletelistofoptionsavailableandnotrepresentalistofservicesandproductsthethird-partyriskassessor,ifapplicable,wouldliketosell.
supplementarydata–asupplementcontainingthetechnicaldetailsofallkeyfindingsandcomprehensiveanalysisofcriticalflaws.Thissectionshouldalsoincludesampledatarecoveredduringthepenetrationtesting,ifany,ofcriticalorhigh-riskvulnerabilities
appendices–recordsofactivitiesconductedbythecyberriskassessmentteamandthetoolsusedduringtheengagement.
Considerationshouldbegivenastowhetherpartsofthecyberriskassessmentshouldbetreatedasconfidential.
Whilstcyberriskmanagementpoliciesandproceduresshouldbeincludedinthecompanysafetymanagementsystem,theseshouldnotcontaininformation,whichifmadeavailableoutsidethecompanycouldbecomeavulnerability.
Phase 4: Producer debrief
Oncetheshipownerhashadanopportunitytoreview,discussandassessthefindings,asubsetofthefindingsmayneedtobesenttotheproducersoftheaffectedsystems.Anyfindings,whichareapprovedbytheshipownerfordisclosuretotheproducers,couldbefurtheranalysedwithsupportfromexternalexperts,whoshouldworkwiththeproducer’scybersecuritypointofcontacttoensurethatafullriskandtechnicalunderstandingoftheproblemisachieved.Thissupportingactivityisintendedtoensurethatanyremediationplandevelopedbytheproduceriscomprehensiveinnatureandidentifiesthecorrectsolutiontoeliminatethevulnerabilities.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 24develOp
prOTeCTION ANd deTeCTION meASureS
Develop protection and detection measures5
Theoutcomeofthecompany’sriskassessmentandsubsequentcybersecuritystrategyshouldbeareductioninrisktobeaslowasreasonablypracticable.Atatechnicallevel,thiswouldincludethenecessaryactionstobeimplementedtoestablishandmaintainanagreedlevelofcybersecurity.
Itisimportanttoidentifyhowtomanagecybersecurityonboardandtodelegateresponsibilitiestothemaster,responsibleofficersandwhenappropriatethecompanysecurityofficer.
5.1 Defence in depth and in breadth
Itisimportanttoprotectcriticalsystemsanddatawithmultiplelayersofprotectionmeasures,whichtakeintoaccounttheroleofpersonnel,proceduresandtechnologyto:
increasetheprobabilitythatacyberincidentisdetected
increasetheeffortandresourcesrequiredtoprotectinformation,dataortheavailabilityofITandOTsystems.
ConnectedOTsystemsonboardshouldrequiremorethanonetechnicaland/orproceduralprotectionmeasure.Perimeterdefencessuchasfirewallsareimportantforpreventingunwelcomedentryintothesystems,butthismaynotbesufficienttocopewithinsiderthreats.
Thisdefenceindepthapproachencouragesacombinationof:
physicalsecurityoftheshipinaccordancewiththeshipsecurityplan(SSP)
protectionofnetworks,includingeffectivesegmentation
intrusiondetection
periodicvulnerabilityscanningandtesting
softwarewhitelisting
access and user controls
appropriateproceduresregardingtheuseofremovablemediaandpasswordpolicies
personnel’sawarenessoftheriskandfamiliaritywithappropriateprocedures.
Companypoliciesandproceduresshouldhelpensurethatcybersecurityisconsideredwithintheoverallapproachtosafetyandsecurityriskmanagement.Thecomplexityandpotentialpersistenceofcyberthreatsmeansthata“defenceindepth”approachshouldbeconsidered.Equipmentanddataprotectedbylayersofprotectionmeasuresaremoreresilienttocyberattacks.
Whendevelopingintegrationbetweensystems,atrustboundarymodelshouldbeconsidered,wherebysystemsaregroupedintothosebetweenwhichtrustisimplicit(forexampleuserworkstations),andthosebetweenwhichtrustshouldbeexplicit(betweenbridgecomputersandcorporatenetworks).Forlargeorcomplexnetworks,threatmodellingshouldbeconsideredasan
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 25develOp
prOTeCTION ANd deTeCTION meASureS
activitytounderstandwheretechnicalcontrolsshouldbeimplementedbetweensystemsinordertosupportadefenceinbreadthapproach.
However,onboardshipswherelevelsofintegrationbetweenITandOTsystemsmaybehigh,defenceindepthonlyworksiftechnicalandproceduralprotectionmeasuresareappliedinlayersacrossallvulnerableandintegratedsystems.Thisis“defenceinbreadth”anditisusedtopreventanyvulnerabilitiesinonesystembeingusedtocircumventprotectionmeasuresofanothersystem.
Cyberriskprotectionmeasuresmaybeeithertechnicalorproceduralinnature,withtechnicalcontrolsimplementedtoenforceproceduralcontrols;acombinationapproachusingappropriatemeasuresprovidesthemosteffectivelevelofprotection.
Defenceindepthanddefenceinbreadtharecomplementaryapproaches,which,whenimplementedtogether,providethefoundationofaholisticresponsetothemanagementofcyberrisks.
Cyberriskprotectionmeasuresmaybetechnicalandfocusedonensuringthatonboardsystemsaredesignedandconfiguredtoberesilienttocyberattacks.Protectionmeasuresmayalsobeproceduralandshouldbecoveredbycompanypolicies,safetymanagementprocedures,securityproceduresandaccess
controls.
Considerationneedstobegiventoimplementingtechnicalcontrolsthatarepracticalandcosteffective,particularlyonexistingships.
Implementationofcybersecuritycontrolsshouldbeprioritised,focusingfirstonthosemeasures,orcombinationsofmeasures,whichofferthegreatestbenefit.
5.2 Technical protection measures
TheCentreforInternetSecurity(CIS)providesguidanceonmeasures12thatcanbeusedtoaddresscybersecurityvulnerabilities.TheprotectionmeasuresarealistofCriticalSecurityControls(CSC)thatareprioritisedandvettedtohelpensurethattheyprovideaneffectiveapproachforcompaniestoassessandimprovetheirdefences.TheCSCsincludebothtechnicalandproceduralaspects.
ThebelowmentionedexamplesofCSCshavebeenselectedasparticularlyrelevanttoequipmentanddataonboardships13. Limitation
to and control of network ports, protocols and services
Accessliststonetworksystemscanbeusedtoimplementthecompany’ssecuritypolicy.Thishelpsensurethatonlyappropriatetrafficwillbeallowedviaacontrollednetworkorsubnet,basedonthecontrolpolicyofthatnetworkorsubnet.
Itisrecommendedthatroutersaresecuredagainstattacksandunusedportsshouldbeclosedtopreventunauthorisedaccesstosystemsordata.
Configuration of network devices such as firewalls, routers and
switches
Itshouldbedeterminedwhichsystemsshouldbeattachedtocontrolledoruncontrolled14networks.Controllednetworksaredesignedtopreventanysecurityrisksfromconnecteddevicesbyuseof
12
CIS,CriticalSecurityControlsforEffectiveCyberSecurity,availableatwww.cisecurity.org/critical-controls.cfm.13
StephensonHarwood(2015),CyberRisk.14
InaccordancewithEC61162-460:2015:Maritimenavigationandradiocommunicationequipmentandsystems-Digitalinterfaces-Part460:Multipletalkersandmultiplelisteners-Ethernetinterconnection-Safetyandsecurity.
https://www.cisecurity.org/controls/
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 26develOp
prOTeCTION ANd deTeCTION meASureS
firewalls,securitygateways,routersandswitches.Uncontrollednetworksmayposerisksduetolackofdatatrafficcontrolandshouldbeisolatedfromcontrollednetworks,asdirectinternetconnectionmakesthemhighlypronetoinfiltrationbymalware.Forexample:
networksthatarecriticaltotheoperationofashipitself,shouldbecontrolled.Itisimportantthatthesesystemshaveahighlevelofsecurity
networksthatprovidesupplierswithremoteaccesstonavigationandotherOTsystems’softwareonboard,shouldalsobecontrolled.Thesenetworksmaybenecessarytoallowsupplierstouploadsystemupgradesorperformremoteservicing.Shoresideexternalaccesspointsofsuchconnectionsshouldbesecuredtopreventunauthorisedaccess
cargostowage,loadplanningandmanagementsystemsshouldbecontrolled.So,shouldthosesystemsthatperformmandatoryshipreportingtopublicauthorities
othernetworks,suchasguestaccessnetworks,maybeuncontrolled,forinstancethoserelatedtopassengerrecreationalactivitiesorprivateinternetaccessforcrew.Normally,anywirelessnetworkshouldbeconsidereduncontrolled.
Effectivesegregationofsystems,basedonnecessaryaccessandtrustlevels,isoneofthemostsuccessfulstrategiesforthepreventionofcyberincidents.Effectivelysegregatednetworkscansignificantlyimpedeanattacker’saccesstoaship’ssystemsandisoneofthemosteffectivetechniquesforpreventingthespreadofmalware.Onboardnetworksshouldbepartitionedbyfirewallstocreatesafezones.Thefewercommunicationslinksanddevicesinazone,themoresecurethesystemsanddataareinthatzone.Confidentialandsafetycriticalsystemsshouldbeinthemostprotectedzone.Seeannex3oftheseguidelinesformoreinformationonshipboardnetworksandalsorefertoISO/IEC62443. Physical
security
Physicalsecurity15isacentralaspectofcyberriskmanagementandaneffectivedefenceindepthstrategyreliesonensuringthattechnicalcontrolscannotbecircumventedthroughtrivialtechnicalmeans.AreascontainingsensitiveOTorITcontrolcomponentsshouldbesecurelylocked,securityandsafetycriticalequipmentandcablerunsshouldbeprotectedfromunauthorisedaccess,andphysicalaccesstosensitiveuserequipment(suchasexposedUSBportsonbridgesystems)shouldbesecured.
Detection, blocking and alerts
Identifyingintrusionsandinfectionsisacentralpartofthecontrolprocedures.Abaselineofnetworkoperationsandexpecteddataflowsforusersandsystemsshouldbeestablishedandmanaged,sothatcyberincidentalertthresholdscanbeestablished.Keytothiswillbethedefinitionofrolesandresponsibilitiesfordetectiontohelpensureaccountability.Additionally,acompanymaychoosetoincorporateanIntrusionDetectionSystem(IDS)oranIntrusionPreventionSystem(IPS)intothenetworkoraspartofthefirewall.Someoftheirmainfunctionsincludeidentifyingthreats/maliciousactivityandcode,andthenlogging,reportingandattemptingtoblocktheactivity.FurtherdetailsconcerningIDSandIPScanbefoundinannex3oftheseguidelines.Ithelpstoensurethatdedicatedonboardpersonnelcanunderstandthealertsandtheirimplications.Incidentsdetectedshouldbedirectedtoanindividualorserviceprovider,whoisresponsibleforactingonthistypeofalert.
15 SeealsotheISPSCode.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 27develOp
prOTeCTION ANd deTeCTION meASureS
Satellite and radio communication
Cybersecurityoftheradioandsatelliteconnectionshouldbeconsideredincollaborationwiththeserviceprovider.Inthisconnection,thespecificationofthesatellitelinkshouldbeconsideredwhenestablishingtherequirementsforonboardnetworkprotection.
Whenestablishinganuplinkconnectionforaship’snavigationandcontrolsystemstoshore-basedserviceproviders,considerationshouldbegivenonhowtopreventillegitimateconnectionsgainingaccesstotheonboardsystems.
Theaccessinterconnectisthedistributionpartner’sresponsibility.Thefinalroutingofusertrafficfromtheinternetaccesspointtoitsultimatedestinationonboard(“lastmile”)istheresponsibilityoftheshipowner.Usertrafficisroutedthroughthecommunicationequipmentforonwardtransmissiononboard.Attheaccesspointforthistraffic,itisnecessarytoprovidedatasecurity,firewallingandadedicated“last-mile”connection.
WhenusingaVirtualPrivateNetwork(VPN),thedatatrafficshouldbeencryptedtoanacceptableinternationalstandard.Furthermore,afirewallinfrontoftheserversandcomputersconnectedtothenetworks(ashoreoronboard)shouldbedeployed.Thedistributionpartnershouldadviseontheroutingandtypeofconnectionmostsuitedforspecifictraffic.Onshorefiltering(inspection/blocking)oftrafficisalsoamatterbetweenashipownerandthedistributionpartner.Bothonshorefilteringoftrafficandfirewalls/securityinspection/blockinggatewaysontheshipareneededandsupplementeachothertoachieveasufficientlevelofprotection.
Producersofsatellitecommunicationterminalsandothercommunicationequipmentmayprovidemanagementinterfaceswithsecuritycontrolsoftwarethatareaccessibleoverthenetwork.Thisisprimarilyprovidedintheformofweb-baseduserinterfaces.Protectionofsuchinterfacesshouldbeconsideredwhenassessingthesecurityofaship’sinstallation.
Wireless access control
Wirelessaccesstonetworksontheshipshouldbelimitedtoappropriateauthoriseddevicesandsecuredusingastrongencryptionkey,whichischangedregularly.Thefollowingcanbeconsideredforcontrollingwirelessaccess:
theuseofenterpriseauthenticationsystemsusingasymmetricencryptionandisolatingnetworkswithappropriatewirelessdedicatedaccesspoints(e.g.guestnetworksisolatedfromadministrativenetworks)
theadoptionofsystems,suchaswirelessIPS,thatcaninterceptnon-authorizedwirelessaccesspointsorroguedevices
theprotectionofthephysicalinterconnectionbetweenwirelessaccessdevicesandthenetwork,suchasnetworkplugs,networkracks,etc.)toavoidunauthorizedaccessbyroguedevices.
Malware detection
Scanningsoftwarethatcanautomaticallydetectandaddressthepresenceofmalwareinsystemsonboardshouldberegularlyupdated.
Asageneralguideline,onboardcomputersshouldbeprotectedtothesamelevelasofficecomputersashore.Anti-virusandanti-malwaresoftwareshouldbeinstalled,maintainedandupdatedonall
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 28develOp
prOTeCTION ANd deTeCTION meASureS
personalwork-relatedcomputersonboard.Thiswillreducetheriskofthesecomputersactingasattackvectorstowardsserversandothercomputersontheship’snetwork.Howregularlythescanningsoftwarewillbeupdatedmustbetakenintoconsiderationwhendecidingwhethertorelyonthesedefencemethods.
Secure configuration for hardware and software
Onlyseniorofficersshouldbegivenadministratorprofiles,sothattheycancontrolthesetupanddisablingofnormaluserprofiles.Userprofilesshouldberestrictedtoonlyallowthecomputers,workstationsorserverstobeusedforthepurposes,forwhichtheyarerequired.Userprofilesshouldnotallowtheusertoalterthesystemsorinstallandexecutenewprograms. Email
and web browser protection
Emailcommunicationbetweenshipandshoreisavitalpartofaship’soperation.Appropriateemailandwebbrowserprotectionservesto:
protectshoresideandonboardpersonnelfrompotentialsocialengineering
preventemailbeingusedasamethodofobtainingsensitiveinformation
ensurethattheexchangeofsensitiveinformationviaemailorbyvoiceisappropriatelyprotectedtoensureconfidentialityandintegrityofdata,egencryptionprotection
preventwebbrowsersandemailclientsfromexecutingmaliciousscripts.
Somebestpracticesforsafeemailtransferare:emailasziporencryptedfilewhennecessary,disablehyperlinksonemailsystem,avoidusinggenericemailaddressesandensurethesystemhasconfigureduseraccounts.
Data recovery capability
Datarecoverycapabilityistheabilitytorestoreasystemand/ordatafromasecurecopyorimage,therebyallowingtherestorationofacleansystem.Essentialinformationandsoftware-adequatebackupfacilitiesshouldbeavailabletohelpensurerecoveryfollowingacyberincident.
Retentionperiodsandrestorescenariosshouldbeestablishedtoprioritisewhichcriticalsystemsneedquickrestorecapabilitiestoreducetheimpact.Systemsthathavehighdataavailabilityrequirementsshouldbemaderesilient.OTsystems,whicharevitaltothesafenavigationandoperationoftheship,shouldhavebackupsystemstoenabletheshiptoquicklyandsafelyregainnavigationalandoperationalcapabilitiesafteracyberincident.Moredetailsonrecoverycanbefoundinchapter7oftheseguidelines.
Application software security (patch management)
Safetyandsecurityupdatesshouldbeprovidedtoonboardsystems.Ordinarysecuritypatchesshouldbeincludedintheperiodicmaintenancecycle.CriticalpatchesshouldbeevaluatedintermsofoperationalimpactontheOTsystems.Theseupdatesorpatchesshouldbeappliedcorrectlyandinatimelymannertoensurethatanyflawsinasystemareaddressedbeforetheyareexploitedbyacyberattack.Ifacriticalpatchcannotbeinstalled,alternativemeasuresshouldbeevaluatedtohelpimplementvirtualpatchingtechniques.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 29develOp
prOTeCTION ANd deTeCTION meASureS
5.3 Procedural protection measures
Proceduralcontrolsarefocusedonhowpersonnelusetheonboardsystems.Plansandproceduresthatcontainsensitiveinformationshouldbekeptconfidentialandhandledaccordingtocompanypolicies.Examplesforproceduralactionscanbe: Training
and awareness
Trainingandawarenessarethekeysupportingelementstoaneffectiveapproachtocyberriskmanagementasdescribedintheseguidelinesandsummarisedinfigure1.
Theinternalcyberthreatshouldbetakenintoaccount.PersonnelhaveakeyroleinprotectingITandOTsystemsbutcanalsobecareless,forexamplebyusingremovablemediatotransferdatabetweensystemswithouttakingprecautionsagainstthetransferofmalware.Trainingandawarenessshouldbetailoredtotheappropriatelevelsfor:
onboardpersonnelincludingthemaster,officersandcrew
shoresidepersonnel,whosupportthemanagement,loadingandoperationoftheship.
Theseguidelinesassumethatothermajorstakeholdersinthesupplychain,suchascharterers,classificationsocietiesandserviceproviders,willcarryouttheirownbest-practicecybersecurityprotectionandtraining.Itisadvisableforownersandoperatorstoascertainthestatusofcybersecuritypreparednessoftheirthird-partyproviders,includingmarineterminalsandstevedores,aspartoftheirsourcingproceduresforsuchservices.
Anawarenessprogrammeshouldbeinplaceforallonboardpersonnel,coveringatleastthefollowing:
risksrelatedtoemailsandhowtobehaveinasafemanner.Examplesarephishingattackswheretheuserclicksonalinktoamalicioussite
risksrelatedtointernetusage,includingsocialmedia,chatforumsandcloud-basedfilestoragewheredatamovementislesscontrolledandmonitored
risksrelatedtotheuseofowndevices.Thesedevicesmaybemissingsecuritypatchesandcontrols,suchasanti-virus,andmaytransfertherisktotheenvironment,towhichtheyareconnected
risksrelatedtoinstallingandmaintainingsoftwareoncompanyhardwareusinginfectedhardware(removablemedia)orsoftware(infectedpackage)
risksrelatedtopoorsoftwareanddatasecuritypractices,wherenoanti-viruschecksorauthenticityverificationsareperformed
safeguardinguserinformation,passwordsanddigitalcertificates
cyberrisksinrelationtothephysicalpresenceofnon-companypersonnel,eg,wherethird-partytechniciansarelefttoworkonequipmentwithoutsupervision
detectingsuspiciousactivityordevicesandhowtoreportapossiblecyberincident.Examplesofthisarestrangeconnectionsthatarenotnormallyseenorsomeoneplugginginanunknowndeviceontheshipnetwork
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 30develOp
prOTeCTION ANd deTeCTION meASureS
awarenessoftheconsequencesorimpactofcyberincidentstothesafetyandoperationsoftheship
understandinghowtoimplementpreventativemaintenanceroutinessuchasanti-virusandanti-malware,patching,backups,andincident-responseplanningandtesting
proceduresforprotectionagainstrisksfromserviceproviders’removablemediabeforeconnectingtotheship’ssystems.
Inaddition,personnelneedtobemadeawarethatthepresenceofanti-malwaresoftwaredoesnotremovetherequirementforrobustsecurityprocedures,forexamplecontrollingtheuseofallremovablemedia.
Further,applicablepersonnelshouldknowthesignswhenacomputerhasbeencompromised.Thismayincludethefollowing:
anunresponsiveorslowtorespondsystem
unexpectedpasswordchangesorauthorisedusersbeinglockedoutofasystem
unexpectederrorsinprograms,includingfailuretoruncorrectlyorprogramsrunningunexpectedly
unexpectedorsuddenchangesinavailablediskspaceormemory
emails being returned unexpectedly
unexpectednetworkconnectivitydifficulties
frequentsystemcrashes
abnormalharddriveorprocessoractivity
unexpectedchangestobrowser,softwareorusersettings,includingpermissions.
And,nominatedpersonnelshouldbeabletounderstandreportsfromIDSsystems,ifused.Thislistisnotcomprehensiveandisintendedtoraiseawarenessofpotentialsigns,whichshouldbetreatedaspossible
cyber incidents.
Access for visitors
Visitorssuchasauthorities,technicians,agents,portandterminalofficials,andownerrepresentativesshouldberestrictedwithregardtocomputeraccesswhilstonboard.UnauthorisedaccesstosensitiveOTnetworkcomputersshouldbeprohibited.Ifaccesstoanetworkbyavisitorisrequiredandallowed,thenitshouldberestrictedintermsofuserprivileges.Accesstocertainnetworksformaintenancereasonsshouldbeapprovedandco-ordinatedfollowingappropriateproceduresasoutlinedbythecompany/shipoperator.
Ifavisitorrequirescomputerandprinteraccess,anindependentcomputer,whichisair-gappedfromallcontrollednetworks,shouldbeused.Toavoidunauthorisedaccess,removablemediablockersshouldbeusedonallotherphysicallyaccessiblecomputersandnetworkports.
-
THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS V3 31develOp
prOTeCTION ANd deTeCTION meASureS
Upgrades and software maintenance
Hardwareorsoftwarethatisnolongersupportedbyitsproducerorsoftwaredeveloperwillnotreceiveupdatestoaddresspotentialvulnerabilities.Forthisreason,theuseofhardwareandsoftware,whichisnolongersupported,shouldbecarefullyevaluatedbythecompanyaspartofthecyber
risk assessment.
Relevanthardwareandsoftwareinstallationsonboardshouldbeupdatedtohelpmaintainasufficientlevelofsecurity.Proceduresfortimelyupdatingofsoftwaremayneedtobeputinplacetakingintoaccounttheshiptype,speedofinternetconnectivity,seatime,etc.Softwareincludescomputeroperatingsystems,whichshouldalsobekeptuptodate.
Additionally,anumberofrouters,switchesandfirewalls,andvariousOTdeviceswillberunningtheirownfirmware,whichmayrequireregularupdatesandsoshouldbeaddressedintheproceduralrequirements.
Effectivemaintenanceofsoftwaredependsontheidentification,planningandexecutionofmeasuresnecessarytosupportmaintenanceactivitiesthroughoutthefullsoftwarelifecycle.Anindustrystandard16tohelpensuresafeandsecuresoftwaremaintenancehasbeendeveloped.Itspecifiesrequirementsforallstakeholdersinvolvedinsoftwaremaintenanceofshipboardequipmentandassociatedintegratedsystems.Thestandardcoversonboard,onshoreandremotesoftwaremaintenance.
Anti-virus and anti-malware tool updates
Inorderforscanningsoftwaretoolstodetectanddealwithmalware,theyneedtobeupdated.Proceduralrequirementsshouldbeestablishedtoensureupdatesaredistributedtoshipsonatimelybasisandthatallrelevantcomputersonboardareupdated. Remote
access
PolicyandproceduresshouldbeestablishedforcontroloverremoteaccesstoonboardITandOTsystems.Clearguidelinesshouldestablishwhohaspermissiontoaccess,whentheycanaccess,andwhattheycanaccess.Anyproceduresforremoteaccessshouldincludecloseco-ordinationwiththeship’smasterandotherkeyseniorshippersonnel.
AllremoteaccessoccurrencesshouldberecordedforreviewincaseofadisruptiontoanITorOTsystem.Systems,whichrequireremoteaccess,shouldbeclearlydefined,monitoredandreviewedperiodically.
16
See:IndustrystandardonsoftwaremaintenanceofshipboardequipmentbyBIMCOandCIRM(ComitéInternationalRadio-Maritime).
Incident: Bunker surveyor’s access to a ship’s administrative
network
Adrybulkshipinporth