Cyber security resilience management for ships and mobile offshore units in operation
Publication Date: 1 September 2016
In this RP, cyber security threats to onshore and vessel systems are considered within the following categories:
- Unintentional infections / non-targeted threats:
  - Software infections stemming from malware or ransomware: spreading via unsuspecting and insufficiently trained users, combined with unsecured internet access or insufficiently protected use of portable storage devices such as USB sticks, the infection thrives through automated replication aimed at infecting as many systems as possible. These non-targeted threats typically exploit known vulnerabilities in standard systems and networks.
  - Unintentional weaknesses in software: typically stemming from misconfiguration of equipment and software, as well as from software designs or updates containing undetected weaknesses due to insufficient verification and validation of the software.
- Intended / targeted threats:
  - External attackers: hackers, "hacktivists" and criminal attackers, employing a wide range of attack techniques and malicious software infections. These include phishing, social engineering, and exploitation of weaknesses in control systems or user authentication, or of a lack of network segregation.
  - Insider threats: originating from disgruntled employees or from employees who intend to sell or otherwise misuse data or system access. Their ability to circumvent physical access controls and their in-depth knowledge of the systems make them particularly difficult to defend against.
To counter this wide range of threats, a comprehensive response is required, with Cyber Security responsibilities to be shared by different participants of the value chain: Owners of the vessel or offshore assets, users of the different systems, respective suppliers as well as ship managers and the operators themselves. Within these organisations:
- Senior management carries the overall responsibility and establishes the risk management policies.
- IT and industrial automation management personnel are responsible for establishing the required operational procedures and for securing assets, operational systems and information.
- Fleet management, crew and onshore staff should comply with these policies and procedures.
ASSESSMENT: A systematic assessment is the foundation of cyber security improvements. Due to the potentially substantial cost of conducting detailed assessments across all systems, data sets and organisational units, this RP recommends three different assessment levels, each serving a different need and using tailored methodologies.
- High level assessment: Senior management needs to quickly obtain an overview of the cyber security status of their organisation. This high level overview will focus on technical aspects, awareness, policies and enforcement mechanisms. The results will provide first indications of where to focus.
- Focused assessment: To assess the cyber security of specific systems and data sets, a focused assessment approach is recommended. This recommended assessment builds on the safety management methodologies developed in the offshore and maritime industries and focuses on barriers that help prevent possible cyber security incidents as well as on those that help reduce the undesired consequences of such incidents. Both types of barriers need to be identified, evaluated and then assessed for their resilience. The approach can be easily picked up by staff with basic IT and industrial automation control systems knowledge and understanding of risk management methodologies.
- Comprehensive, in-depth assessment: To generate a comprehensive picture of the total cyber security risk of an organisation, an in-depth assessment is recommended. In-depth assessments build on the requirements of the ISO/IEC 27001 (ref. /7/) standard as well as on other widely accepted standards such as the "BSI Grundschutz" (ref. /14/, /15/) or the "IEC-62443-3-3" (ref. /22/) requirements. The in-depth assessment is based on a detailed inventory of the IT and automated control related processes. For each of these, it is then recommended to determine the consequence of a successful attack with respect to the confidentiality, integrity, availability and authenticity security properties, and to rate the respective importance of those properties. Combining consequence with the likelihood of an attack (measured by the ease of access) then leads to a detailed cyber security risk assessment.
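The in-depth assessment step above (inventory the processes, rate the consequence of a successful attack per security property, weight the properties by importance, combine with likelihood measured by ease of access) can be turned into a small, repeatable risk register. The following Python script is an added illustration and is not part of the RP or any DNV GL tooling: the 1 to 5 rating scales, the property weights, the risk bands and the sample inventory are all assumptions chosen for the example, since the RP does not prescribe them.

```python
"""Toy cyber security risk register for the in-depth assessment step.

Added example, not from the RP. The RP says to inventory IT/automation
processes, rate the consequence of a successful attack on each for
confidentiality, integrity, availability and authenticity, weight those
properties by importance, and combine consequence with likelihood measured
by ease of access. Scales, weights, bands and sample data are ASSUMED.
"""
from dataclasses import dataclass

PROPERTIES = ("confidentiality", "integrity", "availability", "authenticity")

# Assumed importance weights per security property ("rate their respective importance").
DEFAULT_WEIGHTS = {"confidentiality": 1, "integrity": 2, "availability": 2, "authenticity": 1}

# Assumed risk bands on the resulting 1..25 product scale.
HIGH, MEDIUM = 15.0, 8.0


@dataclass(frozen=True)
class Process:
    """One entry of the IT / automated control process inventory."""
    name: str
    consequence: dict     # property -> 1 (negligible) .. 5 (loss of control of vessel/asset)
    ease_of_access: int   # 1 (isolated, hardened) .. 5 (remotely reachable, weak auth); likelihood proxy


def validate(p: Process) -> None:
    """Reject ratings outside the assumed 1..5 scales or missing properties."""
    missing = [k for k in PROPERTIES if k not in p.consequence]
    if missing:
        raise ValueError(f"{p.name}: missing consequence rating for {missing}")
    for k in PROPERTIES:
        if not 1 <= p.consequence[k] <= 5:
            raise ValueError(f"{p.name}: {k} consequence out of range 1..5")
    if not 1 <= p.ease_of_access <= 5:
        raise ValueError(f"{p.name}: ease_of_access out of range 1..5")


def weighted_consequence(p: Process, weights=DEFAULT_WEIGHTS) -> float:
    """Importance-weighted average of the four consequence ratings (stays on 1..5)."""
    total = sum(weights[k] * p.consequence[k] for k in PROPERTIES)
    return total / sum(weights[k] for k in PROPERTIES)


def risk_score(p: Process, weights=DEFAULT_WEIGHTS) -> float:
    """Consequence x likelihood, with likelihood taken as ease of access (1..25)."""
    validate(p)
    return round(weighted_consequence(p, weights) * p.ease_of_access, 2)


def risk_band(score: float) -> str:
    """Map a score to the assumed high / medium / low bands."""
    if score >= HIGH:
        return "high"
    if score >= MEDIUM:
        return "medium"
    return "low"


def risk_register(processes, weights=DEFAULT_WEIGHTS):
    """Return (name, score, band) rows, highest risk first, to guide where to focus."""
    rows = []
    for p in processes:
        score = risk_score(p, weights)
        rows.append((p.name, score, risk_band(score)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample inventory; the ratings are illustrative, not from any real vessel.
SAMPLE_INVENTORY = [
    Process("ECDIS chart update",
            {"confidentiality": 2, "integrity": 5, "availability": 4, "authenticity": 5}, 3),
    Process("Crew welfare Wi-Fi",
            {"confidentiality": 2, "integrity": 1, "availability": 2, "authenticity": 1}, 5),
    Process("Ballast water control system",
            {"confidentiality": 1, "integrity": 5, "availability": 5, "authenticity": 4}, 2),
    Process("Engine remote diagnostics",
            {"confidentiality": 2, "integrity": 4, "availability": 3, "authenticity": 5}, 5),
]

if __name__ == "__main__":
    for name, score, band in risk_register(SAMPLE_INVENTORY):
        print(f"{name:32} {score:5.2f}  {band}")
```

The ordering the register produces is the point of the exercise: the crew Wi-Fi is the most exposed system but carries little consequence, so it ranks last, while the remotely reachable engine diagnostics link combines high consequence with high ease of access and lands in the top band. Whatever scales an organisation settles on, the weights and bands should be agreed once and recorded with the inventory so that reassessments are comparable.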
IMPROVEMENT: Most of the activities required to improve cyber security can be directly derived from the above described assessments. They will typically fall into the following categories:
- Awareness and competence building: The vast majority of cyber security incidents are related to the human element. Increasing awareness about how certain behaviours can be exploited by external attackers or malware is critical, as is building competence on how to react in cases of cyber security breaches. Company specific requirements need to be understood and policies adhered to.
- Technical improvements: Technical solutions can provide solid barriers against attacks, whether from the inside or the outside. These solutions typically include hardened firewalls, authentication concepts and network segregation, as well as more secure software design and implementation. They need to be scaled to meet the specific cyber security requirements of a particular organisation.
- Management system including organisational set-up, clarification of responsibilities and related processes: Requirement standards like ISO/IEC 27001 form a good basis for continuing improvement efforts, and are recommended to be implemented by more cyber security mature organisations and those with a higher risk exposure. They need to be tailored to the company's specific operations. Organisational aspects of enhancing cyber security need to be considered.
VERIFICATION and VALIDATION: In order to obtain assurance of the achieved level of cyber security, and to demonstrate compliance and progress to external stakeholders and the company's board, cyber security resilience can be validated and verified. Two different approaches are recommended:
- Verification and testing of technical and procedural controls protecting the deployed systems or data sets. These tests can be conducted at system level, or at component level.
- Certification of the Information Security Management System (ISMS) to the international standard ISO/IEC 27001.
Cyber security resilience has many aspects in common with general quality management systems. Due to the changing nature of the risk picture, cyber security policies need to be implemented in operational procedures, communicated and audited within a continuous improvement Plan-Do-Check-Act (PDCA) cycle, which complements the maritime and offshore industries' safety and security culture. Organisations following the approach proposed by this RP will find that managing cyber security is similar to managing other challenges, making cyber security part of a continuing effort to protect the company's assets, systems, data and operations and to secure compliance with regulatory requirements such as the ISM and ISPS codes and with on-board procedures.