THE GUIDELINES ON CYBER SECURITY ONBOARD SHIPS
Produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, IUMI, OCIMF and WORLD SHIPPING COUNCIL
The Guidelines on Cyber Security Onboard Ships, Version 3
Terms of use
The advice and information given in the Guidelines on Cyber Security Onboard Ships (the guidelines) is intended purely as guidance to be used at the user’s own risk. No warranties or representations are given, nor is any duty of care or responsibility accepted by the Authors, their membership or employees of any person, firm, corporation or organisation (who or which has been in any way concerned with the furnishing of information or data, or the compilation or any translation, publishing, or supply of the guidelines) for the accuracy of any information or advice given in the guidelines; or any omission from the guidelines or for any consequence whatsoever resulting directly or indirectly from compliance with, adoption of or reliance on guidance contained in the guidelines, even if caused by a failure to exercise reasonable care on the part of any of the aforementioned parties.
Contents
Introduction ... 1
1 Cyber security and safety management ... 3
1.1 Differences between IT and OT systems ... 5
1.2 Plans and procedures ... 6
1.3 Relationship between ship manager and shipowner ... 7
1.4 The relationship between the shipowner and the agent ... 7
1.5 Relationship with vendors ... 8
2 Identify threats ... 9
3 Identify vulnerabilities ... 13
3.1 Ship to shore interface ... 14
4 Assess risk exposure ... 16
4.1 Risk assessment made by the company ... 21
4.2 Third-party risk assessments ... 21
4.3 Risk assessment process ... 22
5 Develop protection and detection measures ... 24
5.1 Defence in depth and in breadth ... 24
5.2 Technical protection measures ... 25
5.3 Procedural protection measures ... 29
6 Establish contingency plans ... 34
7 Respond to and recover from cyber security incidents ... 36
7.1 Effective response ... 36
7.2 Recovery plan ... 37
7.3 Investigating cyber incidents ... 38
7.4 Losses arising from a cyber incident ... 38
Annex 1 Target systems, equipment and technologies ... 40
Annex 2 Cyber risk management and the safety management system ... 42
Annex 3 Onboard networks ... 46
Annex 4 Glossary ... 50
Annex 5 Contributors to version 3 of the guidelines ... 53
Introduction
Ships are increasingly using systems that rely on digitisation, digitalisation, integration, and automation, which call for cyber risk management on board. As technology continues to develop, information technology (IT) and operational technology (OT) onboard ships are being networked together – and more frequently connected to the internet.
This brings the greater risk of unauthorised access or malicious attacks to ships' systems and networks. Risks may also occur from personnel accessing systems on board, for example by introducing malware via removable media.
To mitigate the potential safety, environmental and commercial consequences of a cyber incident, a group of international shipping organisations, with support from a wide range of stakeholders (please refer to annex 5 for more details), have participated in the development of these guidelines, which are designed to assist companies in formulating their own approaches to cyber risk management onboard ships.
Approaches to cyber risk management will be company- and ship-specific but should be guided by the requirements of relevant national, international and flag state regulations. These guidelines provide a risk-based approach to identifying and responding to cyber threats. An important aspect is the benefit that relevant personnel would obtain from training in identifying the typical modus operandi of cyber attacks.
In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management System (SMS). The Resolution stated that an approved SMS should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code. It further encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 2021. The same year, IMO developed guidelines [1] that provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. As also highlighted in the IMO guidelines, effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels and departments of an organization and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.
The commitment of senior management to cyber risk management is a central assumption, on which the Guidelines on Cyber Security Onboard Ships have been developed.
The Guidelines on Cyber Security Onboard Ships are aligned with IMO resolution MSC.428(98) and IMO's guidelines and provide practical recommendations on maritime cyber risk management covering both cyber security and cyber safety (see chapter 1 for this distinction).
The aim of this document is to offer guidance to shipowners and operators on procedures and actions to maintain the security of cyber systems in the company and onboard the ships. The guidelines are not intended to provide a basis for, and should not be interpreted as, calling for external auditing or vetting the individual company's and ship's approach to cyber risk management.
Like the IMO guidelines, the US National Institute of Standards and Technology (NIST) framework has also been accounted for in the development of these guidelines. The NIST framework assists companies with their risk assessments by helping them understand, manage and express the potential cyber risk threat both internally and externally. As a result of this assessment, a "profile" is developed, which can help to identify and prioritise actions for reducing cyber risks. The profile can also be used as a tool for aligning policy, business and technological approaches to manage the risks. Sample framework profiles are publicly available for maritime bulk liquid transfer, offshore, and passenger ship operations [2]. These profiles were created by the United States Coast Guard and NIST's National Cybersecurity Center of Excellence with input from industry stakeholders. The profiles are considered to be complementary to these guidelines and can be used together to assist industry in assessing, prioritizing, and mitigating their cyber risks.
[1] MSC-FAL.1/Circ.3 on Guidelines on maritime cyber risk management.
[2] The NIST Framework Profiles for maritime bulk liquid transfer, offshore, and passenger operations can be accessed here: http://mariners.coastguard.dodlive.mil/2018/01/12/1-12-2018-release-of-offshore-operations-and-passenger-vessel-cybersecurity-framework-profiles.
1 Cyber security and safety management
Both cyber security and cyber safety are important because of their potential effect on personnel, the ship, environment, company and cargo. Cyber security is concerned with the protection of IT, OT, information and data from unauthorised access, manipulation and disruption. Cyber safety covers the risks from the loss of availability or integrity of safety critical data and OT.
Cyber safety incidents can arise as the result of:
• a cyber security incident, which affects the availability and integrity of OT, for example corruption of chart data held in an Electronic Chart Display and Information System (ECDIS)
• a failure occurring during software maintenance and patching
• loss of or manipulation of external sensor data, critical for the operation of a ship – this includes but is not limited to Global Navigation Satellite Systems (GNSS).
Whilst the causes of a cyber safety incident may be different from a cyber security incident, the effective response to both is based upon training and awareness.
Incident: Unrecognised virus in an ECDIS delays sailing
A new-build dry bulk ship was delayed from sailing for several days because its ECDIS was infected by a virus. The ship was designed for paperless navigation and was not carrying paper charts. The failure of the ECDIS appeared to be a technical disruption and was not recognized as a cyber issue by the ship's master and officers. A producer technician was required to visit the ship and, after spending a significant time in troubleshooting, discovered that both ECDIS networks were infected with a virus. The virus was quarantined and the ECDIS computers were restored. The source and means of infection in this case are unknown. The delay in sailing and costs in repairs totalled in the hundreds of thousands of dollars (US).
Cyber risk management should:
• identify the roles and responsibilities of users, key personnel, and management both ashore and on board
• identify the systems, assets, data and capabilities, which if disrupted, could pose risks to the ship's operations and safety
• implement technical and procedural measures to protect against a cyber incident and ensure continuity of operations
• implement activities to prepare for and respond to cyber incidents.
Some aspects of cyber risk management may include commercially sensitive or confidential information. Companies should, therefore, consider protecting this information appropriately, and as far as possible, not include sensitive information in their Safety Management System (SMS).
Development, implementation, and maintenance of a cyber security management program in accordance with the approach in figure 1 is no small undertaking. It is, therefore, important that senior management stays engaged throughout the process to ensure that the protection, contingency and response planning are balanced in relation to the threats, vulnerabilities, risk exposure and consequences of a potential cyber incident.
Cyber risk management approach (the original is a cycle diagram; its stages and their descriptions are listed here in order):
• Identify threats – Understand the external cyber security threats to the ship. Understand the internal cyber security threat posed by inappropriate use and lack of awareness.
• Identify vulnerabilities – Develop inventories of onboard systems with direct and indirect communications links. Understand the consequences of a cyber security threat on these systems. Understand the capabilities and limitations of existing protection measures.
• Assess risk exposure – Determine the likelihood of vulnerabilities being exploited by external threats. Determine the likelihood of vulnerabilities being exposed by inappropriate use. Determine the security and safety impact of any individual or combination of vulnerabilities being exploited.
• Develop protection and detection measures – Reduce the likelihood of vulnerabilities being exploited through protection measures. Reduce the potential impact of a vulnerability being exploited.
• Establish contingency plans – Develop a prioritised contingency plan to mitigate any potential identified cyber risk.
• Respond to and recover from cyber security incidents – Respond to and recover from cyber security incidents using the contingency plan. Assess the impact of the effectiveness of the response plan and re-assess threats and vulnerabilities.
Figure 1: Cyber risk management approach as set out in the guidelines
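As an added worked example (not part of the guidelines), the following Python script walks the figure 1 steps for a small onboard inventory: it lists systems and whether they have a communications link, records the vulnerabilities identified for each, scores risk exposure along both the external-threat and the inappropriate-use path, and returns the prioritised list that feeds the contingency plan. The system names, the 1 to 5 scoring scale, the scores and the priority thresholds are all constructed for illustration.

```python
"""Added worked example (not from the guidelines): a minimal risk register that
walks the figure 1 steps for an onboard inventory: list systems and their
communications links, record identified vulnerabilities, score risk exposure
and produce a prioritised list as input to the contingency plan.
System names, scores, the 1-5 scale and the thresholds are constructed for
illustration and are not figures from the guidelines."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Likelihood and impact are scored 1 (low) to 5 (high); exposure = likelihood x impact.
HIGH_THRESHOLD = 15     # assumed cut-offs for this example
MEDIUM_THRESHOLD = 8


@dataclass
class Vulnerability:
    description: str
    external_likelihood: int   # likelihood of exploitation by an external threat
    misuse_likelihood: int     # likelihood of exposure through inappropriate use
    impact: int                # security/safety impact if exploited


@dataclass
class OnboardSystem:
    name: str
    kind: str                  # "IT" or "OT", the table 1 distinction
    connected: bool            # has a direct or indirect communications link
    vulnerabilities: List[Vulnerability] = field(default_factory=list)


def exposure(system: OnboardSystem, vuln: Vulnerability) -> int:
    """Worst-case likelihood path times impact.

    A system with no communications link cannot be reached over a network, so
    its external likelihood is capped at 1; the misuse path (for example
    infected removable media) is kept as scored."""
    external = vuln.external_likelihood if system.connected else 1
    return max(external, vuln.misuse_likelihood) * vuln.impact


def priority(score: int) -> str:
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def assess(systems: List[OnboardSystem]) -> List[Tuple[str, str, str, int, str]]:
    """Rows of (system, kind, vulnerability, score, priority), highest exposure first."""
    rows = []
    for s in systems:
        for v in s.vulnerabilities:
            score = exposure(s, v)
            rows.append((s.name, s.kind, v.description, score, priority(score)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed inventory for a hypothetical ship.
SAMPLE_INVENTORY = [
    OnboardSystem("ECDIS", "OT", connected=True, vulnerabilities=[
        Vulnerability("unpatched chart-update workstation", 3, 4, 5)]),
    OnboardSystem("Crew welfare Wi-Fi", "IT", connected=True, vulnerabilities=[
        Vulnerability("shared password on access point", 4, 3, 2)]),
    OnboardSystem("Engine alarm panel (stand-alone)", "OT", connected=False, vulnerabilities=[
        Vulnerability("USB ports enabled on operator station", 4, 2, 5)]),
]

if __name__ == "__main__":
    for name, kind, desc, score, prio in assess(SAMPLE_INVENTORY):
        print(f"{prio:6} {score:2}  {kind}  {name}: {desc}")
```

The point of scoring both likelihood paths separately is visible in the stand-alone engine panel: it cannot be reached over a network, yet the removable-media path keeps it above the Wi-Fi finding because the safety impact is high. Each row then maps to the two kinds of measure in figure 1: reduce the likelihood (patching, access control, media policy) or reduce the impact (back-up systems, paper fallback), with OT rows usually relying more on the latter because of the availability constraints in table 1.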
1.1 Differences between IT and OT systems
OT systems control the physical world and IT systems manage data. OT systems differ from traditional IT systems. OT is hardware and software that directly monitors/controls physical devices and processes. IT covers the spectrum of technologies for information processing, including software, hardware and communication technologies. Traditionally OT and IT have been separated, but with the internet, OT and IT are coming closer as historically stand-alone systems are becoming integrated. Disruption of the operation of OT systems may impose significant risk to the safety of onboard personnel, cargo, damage to the marine environment, and impede the ship's operation. Typical differences between IT and OT systems can be seen in the table below.
Category: Performance requirements
IT system:
• non-real-time
• response must be consistent
• less critical emergency interaction
• tightly restricted access control can be implemented to the degree necessary for security
OT system:
• real-time
• response is time-critical
• response to human and any other emergency interaction is critical
• access to OT should be strictly controlled, but should not hamper or interfere with human-machine interaction

Category: Availability (reliability) requirements
IT system:
• responses such as rebooting are acceptable
• availability deficiencies may be tolerated, depending on the system's operational requirements
OT system:
• responses such as rebooting may not be acceptable because of operational requirements
• availability requirements may necessitate back-up systems

Category: Risk management requirements
IT system:
• manage data
• data confidentiality and integrity is paramount
• fault tolerance may be less important
• risk impacts may cause delay of: ship's clearance, commencement of loading/unloading, and commercial and business operations
OT system:
• control physical world
• safety is paramount, followed by protection of the process
• fault tolerance is essential, even momentary downtime may not be acceptable
• risk impacts are regulatory non-compliance, as well as harm to the personnel on board, the environment, equipment and/or cargo

Category: System operation
IT system:
• systems are designed for use with commonly known operating systems
• upgrades are straightforward with the availability of automated deployment tools
OT system:
• differing and possibly proprietary operating systems, often without built-in security capabilities
• software changes must be carefully made, usually by software vendors, because of the specialized control algorithms and possible involvement of modified hardware and software

Category: Resource constraints
IT system:
• systems are specified with enough resources to support the addition of third-party applications such as security solutions
OT system:
• systems are designed to support the intended operational process and may not have enough memory and computing resources to support the addition of security capabilities

Table 1: Differences between OT and IT [3]
[3] Based on table 2-1 in NIST Special Publication 800-82, Revision 2.
There may be important differences between who handles the purchase and management of the OT systems versus IT systems on a ship. IT departments are not usually involved in the purchase of OT systems. The purchase of such systems should involve a chief engineer, who knows about the impact on the onboard systems but will most probably only have limited knowledge of software and cyber risk management. It is, therefore, important to have a dialogue with the IT department to ensure that cyber risks are considered during the OT purchasing process. OT systems should be inventoried with the IT department, so as to obtain an overview of potential challenges and to help establish the necessary policy and procedures for software maintenance.
Other industry sectors have seen the barrier removed between IT and OT, with management and procurement strategies all handled under the same regime.
1.2 Plans and procedures
IMO Resolution MSC.428(98) identifies cyber risks as specific threats, which companies should try to address as far as possible in the same way as any other risk that may affect the safe operation of a ship and protection of the environment. More guidance on how to incorporate cyber risk management into the company's SMS can be found in annex 2 of these guidelines.
Cyber risk management should be an inherent part of the safety and security culture conducive to the safe and efficient operation of the ship and be considered at various levels of the company, including senior management ashore and onboard personnel. In the context of a ship's operation, cyber incidents are anticipated to result in physical effects and potential safety and/or pollution incidents. This means that the company needs to assess risks arising from the use of IT and OT onboard ships and establish appropriate safeguards against cyber incidents. Company plans and procedures for cyber risk management should be incorporated into existing security and safety risk management requirements contained in the ISM Code and ISPS Code.
The objective of the SMS is to provide a safe working environment by establishing appropriate practices and procedures based on an assessment of all identified risks to the ship, onboard personnel and the environment. The SMS should include instructions and procedures to ensure the safe operation of the ship and protection of the environment in compliance with relevant international and flag state requirements. These instructions and procedures should consider risks arising from the use of IT and OT onboard, taking into account applicable codes, guidelines and recommended standards.
When incorporating cyber risk management into the company's SMS, consideration should be given as to whether, in addition to a generic risk assessment of the ships it operates, a particular ship needs a specific risk assessment. The company should consider the need for a specific risk assessment based on whether a particular ship is unique within their fleet. The factors to be considered include but are not limited to the extent to which IT and OT are used onboard, the complexity of system integration and the nature of operations.
In accordance with chapter 8 of the ISPS Code, the ship is obliged to conduct a security assessment, which includes identification and evaluation of key shipboard operations and the associated potential threats. As recommended by Part B, paragraph 8.3.5 of the ISPS Code, the assessment should address radio and telecommunication systems, including computer systems and networks. Therefore, the ship's security plan may need to include appropriate measures for protecting both the equipment and the connection. Due to the fast adoption of sophisticated and digitalised onboard OT systems, consideration should be given to including these procedures by reference to the SMS in order to help ensure the ship's security procedures are as up-to-date as possible.
Systems like Tanker Management and Self Assessment (TMSA) also require plans and procedures to be implemented.
1.3 Relationship between ship manager and shipowner
The Document of Compliance holder is ultimately responsible for ensuring the management of cyber risks onboard. If the ship is under third party management, then the ship manager is advised to reach an agreement with the shipowner.
Particular emphasis should be placed by both parties on the split of responsibilities, alignment of pragmatic expectations, agreement on specific instructions to the manager and possible participation in purchasing decisions as well as budgetary requirements.
Apart from ISM requirements, such an agreement should take into consideration additional applicable legislation like the EU General Data Protection Regulation (GDPR) or specific cyber regulations in other coastal states. Managers and owners should consider using these guidelines as a base for an open discussion on how best to implement an efficient cyber risk management regime.
Agreements on cyber risk management should be formal and written.
1.4 The relationship between the shipowner and the agent
The importance of this relationship has placed the agent [4] as a named stakeholder, interfacing continuously and simultaneously with shipowners, operators, terminals, port services vendors, and port state control authorities through the exchange of sensitive, financial, and port coordination information. The relationship goes beyond that of a vendor. It can take different forms and especially in the tramp trade, shipowners require a local representative (an independent ship agent) to serve as an extension of the company.
Coordination of the ship's call of port is a highly complex task being simultaneously global and local. It covers updates from agents, coordinating information with all port vendors, port state control, handling ship and crew requirements, and electronic communication between the ship, port and authorities ashore. As one example, which touches cyber risk management: often agents are required to build IT systems, which upload information real-time into the owner's management information system.
Quality standards for agents are important because like all other businesses, agents are also targeted by cyber criminals. Cyber-enabled crime, such as electronic wire fraud and false ship appointments, and cyber threats such as ransomware and hacking, call for mutual cyber strategies and cyber-enhanced relationships between owners and agents to mitigate such cyber risks.
Incident: Ship agent and shipowner ransomware incident
A shipowner reported that the company's business networks were infected with ransomware, apparently from an email attachment. The source of the ransomware was from two unwitting ship agents, in separate ports, and on separate occasions. Ships were also affected but the damage was limited to the business networks, while navigation and ship operations were unaffected. In one case, the owner paid the ransom [5].
The importance of this incident is that harmonized cyber security across relationships with trusted business partners and producers is critical to all in the supply chain. Individual efforts to fortify one's own business can be valiant and well-intended but could also be insufficient. Principals in the supply chain should work together to mitigate cyber risk.
[4] The party representing the ship's owner and/or charterer (the Principal) in port. If so instructed, the agent is responsible to the principal for arranging, together with the port, a berth, all relevant port and husbandry services, tending to the requirements of the master and crew, clearing the ship with the port and other authorities (including preparation and submission of appropriate documentation) along with releasing or receiving cargo on behalf of the principal (source: Convention on Facilitation of International Maritime Traffic (FAL Convention)).
[5] Nothing in these guidelines should be taken as recommending the payment of ransom.
1.5 Relationship with vendors
Companies should evaluate and include the physical security and cyber risk management processes of service providers in supplier agreements and contracts. Processes evaluated during supplier vetting and included in contract requirements may include:
• security management including management of sub-suppliers
• manufacturing/operational security
• software engineering and architecture
• asset and cyber incident management
• personnel security
• data and information protection.
Evaluation of service providers beyond the first tier may be challenging especially for companies with a large number of tier one suppliers. Third party providers that are collecting and managing supplier risk management data may be an option to consider.
Lack of physical and/or cyber security at a supplier within their products or infrastructure may result in a breach of corporate IT systems or corruption of ship OT/IT systems.
Companies should evaluate the cyber risk management processes for both new and existing contracts. It is good practice for the company to define their own minimum set of requirements to manage supply chain or 3rd party risks. A set of cyber risk requirements that reflect the company's expectations should be clear and unambiguous to vendors. This may also help procurement practices when dealing with multiple vendors.
2 Identify threats
The cyber risk [6] is specific to the company, ship, operation and/or trade. When assessing the risk, companies should consider any specific aspects of their operations that might increase their vulnerability to cyber incidents.
Unlike other areas of safety and security, where historic evidence is available, cyber risk management is made more challenging by the absence of any definitive information about incidents and their impact. Until this evidence is obtained, the scale and frequency of attacks will continue to be unknown.
Experiences in the shipping industry and from other business sectors such as financial institutions, public administration and air transport have shown that successful cyber attacks might result in a significant loss of services. Assets can also compromise safety.
There are motives for organisations and individuals to exploit cyber vulnerabilities. The following examples give some indication of the threats posed and the potential consequences for companies and the ships they operate:
Group: Activists (including disgruntled employees)
Motivation:
• reputational damage
• disruption of operations
Objective:
• destruction of data
• publication of sensitive data
• media attention
• denial of access to the service or system targeted

Group: Criminals
Motivation:
• financial gain
• commercial espionage
• industrial espionage
Objective:
• selling stolen data
• ransoming stolen data
• ransoming system operability
• arranging fraudulent transportation of cargo
• gathering intelligence for more sophisticated crime, exact cargo location, ship transportation and handling plans etc.

Group: Opportunists
Motivation:
• the challenge
Objective:
• getting through cyber security defences
• financial gain

Group: States, state sponsored organisations, terrorists
Motivation:
• political gain
• espionage
Objective:
• gaining knowledge
• disruption to economies and critical national infrastructure

Table 2: Motivation and objectives
The above groups are active and have the skills and resources to threaten the safety and security of ships and a company's ability to conduct its business.
[6] The text in this chapter has been summarised from CESG, Common Cyber Attacks: Reducing the Impact.
In addition, there is the possibility that company personnel, onboard and ashore, could compromise cyber systems and data. In general, the company should realise that this may be unintentional and caused by human error when operating and managing IT and OT systems or failure to respect technical and procedural protection measures. There is, however, the possibility that actions may be malicious and are a deliberate attempt by a disgruntled employee to damage the company and the ship.
Types of cyber attack
In general, there are two categories of cyber attacks, which may affect companies and ships:
• untargeted attacks, where a company or a ship's systems and data are one of many potential targets
• targeted attacks, where a company or a ship's systems and data are the intended target.
Untargeted attacks are likely to use tools and techniques available on the internet, which can be used to locate, discover and exploit widespread vulnerabilities that may also exist in a company and onboard a ship. Examples of some tools and techniques that may be used in these circumstances include:
• Malware – Malicious software which is designed to access or damage a computer without the knowledge of the owner. There are various types of malware including trojans, ransomware, spyware, viruses, and worms. Ransomware encrypts data on systems until a ransom has been paid. Malware may also exploit known deficiencies and problems in outdated/unpatched business software. The term "exploit" usually refers to the use of a software or code, which is designed to take advantage of and manipulate a problem in another computer software or hardware. This problem can, for example, be a code bug, system vulnerability, improper design, hardware malfunction and/or error in protocol implementation. These vulnerabilities may be exploited remotely or triggered locally. Locally, a piece of malicious code may often be executed by the user, sometimes via links distributed in email attachments or through malicious websites.
• Phishing – Sending emails to a large number of potential targets asking for particular pieces of sensitive or confidential information. Such an email may also request that a person visits a fake website using a hyperlink included in the email.
• Water holing – Establishing a fake website or compromising a genuine website to exploit visitors.
• Scanning – Attacking large portions of the internet at random.
Targeted attacks may be more sophisticated and use tools and techniques specifically created for targeting a company or ship. Examples of tools and techniques, which may be used in these circumstances, include:
• Social engineering – A non-technical technique used by potential cyber attackers to manipulate insider individuals into breaking security procedures, normally, but not exclusively, through interaction via social media.
• Brute force – An attack trying many passwords with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords until the correct one is found.
• Denial of service (DoS) – Prevents legitimate and authorised users from accessing information, usually by flooding a network with data. A distributed denial of service (DDoS) attack takes control of multiple computers and/or servers to implement a DoS attack.
• Spear-phishing – Like phishing but the individuals are targeted with personal emails, often containing malicious software or links that automatically download malicious software.
• Subverting the supply chain – Attacking a company or ship by compromising equipment, software or supporting services being delivered to the company or ship.
The above examples are not exhaustive. Other methods are evolving such as impersonating a legitimate shore-based employee in a shipping company to obtain valuable information, which can be used for a further attack. The potential number and sophistication of tools and techniques used in cyber attacks continue to evolve and are limited only by the ingenuity of those organisations and individuals developing them.
Stages of a cyber attack
In 2018, it took on average 140 days between time of infection of a victim's network and discovery of a cyber attack. However, intrusion can go undetected for years. This figure is down from 205 days in 2015 and continues to drop because detection is getting better [7]. Cyber attacks are conducted in stages. The length of time to prepare a cyber attack can be determined by the motivations and objectives of the attacker, and the resilience of technical and procedural cyber risk controls implemented by the company, including those onboard its ships. When considering targeted cyber attacks, the generally-observed stages of an attack are:
• Survey/reconnaissance – Open/public sources are used to gain information about a company, ship or seafarer in preparation for a cyber attack. Social media, technical forums and hidden properties in websites, documents and publications may be used to identify technical, procedural and physical vulnerabilities. The use of open/public sources may be complemented by monitoring (analysing – sniffing) the actual data flowing into and from a company or a ship.
• Delivery – Attackers may attempt to access the company's and ship's systems and data. This may be done from either within the company or ship or remotely through connectivity with the internet. Examples of methods used to obtain access include:
  • company online services, including cargo or container tracking systems
  • sending emails containing malicious files or links to malicious websites to personnel
  • providing infected removable media, for example as part of a software update to an onboard system
  • creating false or misleading websites, which encourage the disclosure of user account information by personnel.
• Breach – The extent to which an attacker can breach a company's or ship's system will depend on the significance of the vulnerability found by an attacker and the method chosen to deliver an attack. It should be noted that a breach might not result in any obvious changes to the status of the equipment. Depending on the significance of the breach, an attacker may be able to:
  • make changes that affect the system's operation, for example interrupt or manipulate information used by navigation equipment, or alter operationally important information such as loading lists
  • gain access to commercially sensitive data such as cargo manifests and/or crew and passenger/visitor lists
  • achieve full control of a system, for example a machinery management system.
• Pivot – Pivoting is the technique of using an instance already exploited to be able to "move" and perform other activities. During this phase of an attack, an attacker uses the first compromised system to attack otherwise inaccessible systems. An attacker will usually target the most vulnerable part of the victim's system with the lowest level of security. Once access is gained then the attacker will try to exploit the rest of the system. Usually, in the Pivot phase, the attacker may try to:
  • upload tools, exploits and scripts in the system to support the attacker in the new attack phase
  • execute a discovery of neighbour systems with scanning or network mapping tools
  • install permanent tools or a keylogger to keep and maintain access to the system
  • execute new attacks on the system.
The motivation and objectives of the attacker will determine what effect they have on the company or ship system and data. An attacker may explore systems, expand access and/or ensure that they are able to return to the system in order to:
• access commercially sensitive or confidential data about cargo, crew, visitors and passengers
• manipulate crew or passenger/visitor lists, cargo manifests or loading lists. This may subsequently be used to allow the fraudulent transport of illegal cargo, or facilitate thefts
• cause complete denial of service on business systems
• enable other forms of crime for example piracy, theft and fraud
• disrupt normal operation of the company and ship systems, for example by deleting critical pre-arrival or discharge information or overloading company systems.
[7] The Microsoft Cybercrime Center.
3 Identify vulnerabilities
It is recommended that a shipping company initially performs an assessment of the potential threats that may realistically be faced. This should be followed by an assessment of the systems and onboard procedures to map their robustness to handle the current level of threat. It may be facilitated by internal experts or supported by external experts with knowledge of the maritime industry and its key processes. The result should be a strategy centred around the key risks.
Stand-alone systems will be less vulnerable to external cyber attacks compared to those attached to uncontrolled networks or directly to the internet. Network design and network segregation will be explained in more detail in annex 3. Care should be taken to understand how critical shipboard systems might be connected to uncontrolled networks. When doing so, the human element should be taken into consideration, as many incidents are initiated by personnel's actions. Onboard systems could include:
• Cargo management systems – Digital systems used for the loading, management and control of cargo, including hazardous cargo, may interface with a variety of systems ashore, including ports and marine terminals. Such systems may include shipment-tracking tools available to shippers via the internet. However, the tracking is usually done via the company's systems connected to the ship and not directly between the shipper and the ship. Interfaces of this kind make cargo management systems and the data in cargo manifests and loading lists vulnerable to cyber attacks.
• Bridge systems – The increasing use of digital, networked navigation systems, with interfaces to shoreside networks for updates and provision of services, makes such systems vulnerable to cyber attacks. Bridge systems that are not connected to other networks may be equally vulnerable, as removable media are often used to update such systems from other controlled or uncontrolled networks. A cyber incident can extend to service denial or manipulation and, therefore, may affect all systems associated with navigation, including ECDIS, GNSS, AIS, VDR and Radar/ARPA.
• Propulsion and machinery management and power control systems – The use of digital systems to monitor and control onboard machinery, propulsion and steering makes such systems vulnerable to cyber attacks. The vulnerability of these systems can increase when they are used in conjunction with remote condition-based monitoring and/or are integrated with navigation and communications equipment on ships using integrated bridge systems.
• Access control systems – Digital systems used to support access control to ensure physical security and safety of a ship and its cargo, including surveillance, shipboard security alarm, and electronic "personnel-on-board" systems, are vulnerable to cyber attacks.
Incident: Crash of integrated navigation bridge at sea
A ship with an integrated navigation bridge suffered a failure of nearly all navigation systems at sea, in a high traffic area and in reduced visibility. The ship had to navigate by one radar and backup paper charts for two days before arriving in port for repairs. The cause of the failure of all ECDIS computers was determined to be the outdated operating systems. During the previous port call, a producer's technical representative had performed a navigation software update on the ship's navigation computers. However, the outdated operating systems were incapable of running the software and crashed. The ship was required to remain in port until new ECDIS computers could be installed, classification surveyors could attend, and a near-miss notification had been issued as required by the company. The costs of the delays were extensive and were incurred by the shipowner.
This incident emphasises that not all computer failures are the result of a deliberate attack and that outdated software is prone to failure. More proactive software maintenance of the ship may have prevented this incident from occurring.
• Passenger servicing and management systems – Digital systems used for property management, boarding and access control may hold valuable passenger-related data. Intelligent devices (tablets, handheld scanners etc.) are themselves an attack vector as ultimately the collected data is passed on to other systems.
• Passenger facing public networks – Fixed or wireless networks connected to the internet, installed on board for the benefit of passengers, for example guest entertainment systems, should be considered uncontrolled and should not be connected to any safety critical system on board.
• Administrative and crew welfare systems – Onboard computer networks used for administration of the ship or the welfare of the crew are particularly vulnerable when providing internet access and email. This can be exploited by cyber attackers to gain access to onboard systems and data. These systems should be considered uncontrolled and should not be connected to any safety critical system on board. Software provided by ship management companies or owners is also included in this category.
• Communication systems – Availability of internet connectivity via satellite and/or other wireless communication can increase the vulnerability of ships. The cyber defence mechanisms implemented by the service provider should be carefully considered but should not be solely relied upon to secure every shipboard system and its data. Included in these systems are communication links to public authorities for transmission of required ship reporting information. Applicable authentication and access control management requirements set by these authorities should be strictly complied with.
The above-mentioned onboard systems consist of potentially vulnerable equipment, which should be reviewed during the assessment. More detail can be found in annex 1 of these guidelines.
3.1 Ship to shore interface
Ships are becoming more and more integrated with shoreside operations because digital communication is being used to conduct business, manage operations, and retain contact with head office. Furthermore, critical ship systems essential to the safety of navigation, power and cargo management have become increasingly digitalised and connected to the internet to perform a wide variety of legitimate functions such as:
• engine performance monitoring
• maintenance and spare parts management
• cargo, loading and unloading, crane, pump management and stow planning
• voyage performance monitoring.
The above list provides examples of this interface and is not exhaustive. The above systems provide data, which may be of interest to cyber criminals to exploit.
Modern technologies can add vulnerabilities to ships, especially if there are insecure network designs and uncontrolled access to the internet. Additionally, shoreside and onboard personnel may be unaware of how some equipment producers maintain remote access to shipboard equipment and its network system. Unknown and uncoordinated remote access to an operating ship should be taken into consideration as an important part of the risk assessment.
It is recommended that companies fully understand the ship's OT and IT systems and how these systems connect and integrate with the shoreside, including public authorities, marine terminals and stevedores. This requires an understanding of all computer-based onboard systems and of how safety, operations and business can be compromised by a cyber incident.
The following should be considered regarding producers and third parties, including contractors and service providers:
1. The producer's and service provider's cyber risk management awareness and procedures: Such companies may lack cyber awareness training and governance in their own organisations, and this may represent additional sources of vulnerability, which could result in cyber incidents. These companies should have an up-to-date cyber risk management company policy, which includes training and governance procedures for accessible IT and OT onboard systems.
2. The maturity of a third party's cyber risk management procedures: The shipowner should query the internal governance of cyber network security, and seek to obtain a cyber risk management assurance when considering future contracts and services. This is particularly important when covering network security if the ship is to be interfaced with the third party, such as a marine terminal or stevedoring company.
Common vulnerabilities
The following are common cyber vulnerabilities, which may be found on board existing ships, and on some newbuild ships:
• obsolete and unsupported operating systems
• outdated or missing antivirus software and protection from malware
• inadequate security configurations and best practices, including ineffective network management and the use of default administrator accounts and passwords
• shipboard computer networks, which lack boundary protection measures and segmentation of networks
• safety critical equipment or systems always connected with the shoreside
• inadequate access controls for third parties, including contractors and service providers.
Incident: Navigation computer crash during pilotage
A ship was under the conduct of a pilot when the ECDIS and voyage performance computers crashed. The computer failures briefly created a distraction to the watch officers; however, the pilot and the master worked together to focus the bridge team on safe navigation by visual means and radar. When the computers were rebooted, it was apparent that the operating systems were outdated and unsupported. The master reported that these computer problems were frequent (he referred to the issues as "gremlins") and that repeated requests to the shipowner for servicing had been ignored.
It is a clear case of how simple servicing and attention to the ship by management can prevent mishaps.
4 Assess risk exposure
Cyber risk assessment should start at the senior management level of a company, instead of being immediately delegated to the ship security officer or the head of the IT department. There are several reasons for this.
1. Initiatives to heighten cyber security and safety may at the same time affect standard business procedures and operations, rendering them more time consuming and/or costly. It is, therefore, a senior management level decision to evaluate and decide on risk mitigation.
2. A number of initiatives, which would improve cyber risk management, are related to business processes, training, the safety of the ship and the environment and not to IT systems, and therefore need to be anchored organisationally outside the IT department.
3. Initiatives which heighten cyber awareness may change how the company interacts with customers, suppliers and authorities, and impose new requirements on the co-operation between the parties. It is a senior management level decision whether and how to drive these changes in relationships.
The following questions may be used as a basis for a risk assessment when addressing cyber risks on board ships:
• What assets are at risk?
• What is the potential impact of a cyber incident?
• Who has the final responsibility for cyber risk management?
• Are the OT systems and their working environment protected from the internet?
• Is there remote access to the OT systems, and if so, how is it monitored and protected?
• Are the IT systems protected, and is remote access being monitored and managed?
• What cyber risk management best practices are being used?
• What is the training level of the personnel operating the IT and OT systems?
Based on the answers, the company should delegate authority and allocate the budget needed to carry out a full risk assessment and develop solutions that are best suited for the company and the operation of their ships. The following should be addressed:
• identify systems that are important to operation, safety and environmental protection
• assign the persons responsible for setting cyber policies and procedures and enforcing monitoring
• determine where secure remote access should use multiple defence layers and where, for protection of networks, systems should be disconnected from the internet
• identify needs for training of personnel.
The level of cyber risk will reflect the circumstances of the company, the ship (its operation and trade), the IT and OT systems used, and the information and/or data stored. The maritime industry possesses a range of characteristics, which affect its vulnerability to cyber incidents:
• the cyber controls already implemented by the company on board its ships
• multiple stakeholders are often involved in the operation and chartering of a ship, potentially resulting in a lack of accountability for the IT infrastructure
• the ship being online and how it interfaces with other parts of the global supply chain
• ship equipment being remotely monitored, eg by the producers
• business-critical, data sensitive and commercially sensitive information shared with shore-based service providers, including marine terminals and stevedores and also, where applicable, public authorities
• the availability and use of computer-controlled critical systems for the ship's safety and for environmental protection.
These elements should be considered, and relevant parts incorporated into the company cyber security policies, safety management systems, and ship security plans. Users of these guidelines should refer to specific national, international and flag state regulations as well as relevant international and industry standards and best practices when developing and implementing cyber risk management procedures.
IT and OT systems, software and maintenance can be outsourced to third-party service providers, and the company itself may not possess a way of verifying the level of security supplied by these providers. Some companies use different providers responsible for software and for cyber security checks.
The growing use of big data, smart ships and the "internet of things" [8] will increase the amount of information available to cyber attackers and the potential attack surface exposed to cyber criminals. This makes the need for robust approaches to cyber risk management important both now and in the future.
Incident: Worm attack on maritime IT and OT
A ship was equipped with a power management system that could be connected to the internet for software updates and patching, remote diagnostics, data collection, and remote operation. The ship was built recently, but this system was not connected to the internet by design.
The company's IT department made the decision to visit the ship and performed vulnerability scans to determine if the system had evidence of infection and to determine if it was safe to connect. The team discovered a dormant worm that could have activated itself once the system was connected to the internet, and this would have had severe consequences. The incident emphasises that even air-gapped systems can be compromised and underlines the value of proactive cyber risk management.
The shipowner advised the producer about the discovery and requested procedures on how to erase the worm. The shipowner stated that before the discovery, a service technician had been aboard the ship. It was believed that the infection could potentially have been caused by the technician.
The worm spread via USB devices into a running process, which loads a program into memory. This program was designed to communicate with its command and control server to receive its next set of instructions. It could even create files and folders.
The company asked cyber security professionals to conduct forensic analysis and remediation. It was determined that all servers associated with the equipment were infected and that the malware had been in the system undiscovered for 875 days. Scanning tools removed the malware. An analysis proved that the service provider was indeed the source and that the worm had been introduced into the ship's system via a USB flash drive during a software installation.
Analysis also proved that this worm operated in system memory and actively attempted to call out to the internet from the server. Since the worm was loaded into memory, it could affect the performance of the server and of any systems connected to the internet.
[8] Lloyd's Register, QinetiQ and University of Southampton, Global Marine Technology Trends 2030.
Third-party access
Visits to ships by third parties requiring a connection to one or more computers on board can also result in connecting the ship to shore. It is common for technicians, vendors, port officials, marine terminal representatives, agents, pilots, and other technicians to board the ship and plug in devices, such as laptops and tablets. Some technicians may require the use of removable media to update computers, download data and/or perform other tasks. It has also been known for customs officials and port state control officers to board a ship and request the use of a computer to "print official documents" after having inserted unknown removable media.
Sometimes there is no control as to who has access to the onboard systems, eg during dry docking, layups or when taking over a new or existing ship. In such cases, it is difficult to know if malicious software has been left in the onboard systems. It is recommended that sensitive data is removed from the ship and reinstalled on returning to the ship. Where possible, systems should be scanned for malware prior to use. OT systems should be tested to check that they are functioning correctly.
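The recommendation to scan media before use, and the USB-borne worm incident above, both come down to a gate that the crew can apply to a technician's stick before it touches an onboard system. The following Python script is an added illustration written for this page, not part of the guidelines or of any producer's tooling. It assumes a producer publishes SHA-256 digests for the files in an update package (the hashes, directory layout and file contents here are constructed in a temporary folder for the demonstration): every file on the media must match a published digest, and artefacts that have no business on an update stick (autorun.inf and similar metadata files, hidden files, Windows shortcut files, and documents that are really executables such as manual.pdf.exe) block admission outright.

```python
import hashlib
import tempfile
from pathlib import Path

# Names and extensions that should never appear on a producer's update media.
METADATA_NAMES = {"autorun.inf", "desktop.ini", "thumbs.db"}
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".dll", ".lnk"}
DOCUMENT_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def sha256_of(path):
    """Stream a file through SHA-256; update packages can be large."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_media(root, approved_hashes):
    """Decide whether the media mounted at `root` may be connected.

    Returns a dict with `admitted` (bool), `findings` (list of (path, reason)
    that block admission) and `unlisted` (files whose digest is not on the
    producer's allowlist). Any finding or unlisted file refuses the media.
    """
    findings, unlisted = [], []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        suffixes = [s.lower() for s in path.suffixes]
        if name in METADATA_NAMES:
            findings.append((rel, "autorun/metadata file not expected on update media"))
        if name.startswith("."):
            findings.append((rel, "hidden file"))
        # "manual.pdf.exe": a document extension hiding an executable one.
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_SUFFIXES \
                and suffixes[-1] in EXECUTABLE_SUFFIXES:
            findings.append((rel, "double extension masquerading as a document"))
        elif suffixes and suffixes[-1] == ".lnk":
            findings.append((rel, "Windows shortcut file"))
        if sha256_of(path) not in approved_hashes:
            unlisted.append(rel)
    return {"admitted": not findings and not unlisted,
            "findings": findings, "unlisted": unlisted}


def build_demo_media():
    """Construct a sample USB stick: a legitimate (hypothetical) update package
    whose digests the 'producer' published, plus two artefacts nobody expected."""
    root = Path(tempfile.mkdtemp(prefix="usb-"))
    (root / "update").mkdir()
    package = root / "update" / "ecdis_nav_4.2.1.pkg"
    package.write_bytes(b"constructed update package contents")
    notes = root / "update" / "release_notes.txt"
    notes.write_text("constructed release notes")
    approved = {sha256_of(package), sha256_of(notes)}  # the published allowlist
    # Left behind on the stick, constructed for the demo:
    (root / "autorun.inf").write_text("[autorun]\nopen=manual.pdf.exe\n")
    (root / "manual.pdf.exe").write_bytes(b"MZ" + b"\x00" * 16)
    return root, approved


if __name__ == "__main__":
    media_root, allowlist = build_demo_media()
    verdict = check_media(media_root, allowlist)
    print("ADMIT" if verdict["admitted"] else "REFUSE", media_root)
    for rel, reason in verdict["findings"]:
        print(f"  {rel}: {reason}")
    for rel in verdict["unlisted"]:
        print(f"  {rel}: digest not on producer allowlist")
```

The allowlist comparison is the part that actually stops the incident described above: a worm dropped into the package directory would fail the digest check even if it carried an innocuous name. The name-based heuristics are a cheap first filter for the obvious cases, not a substitute for that check or for a malware scan of the media.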
Some IT and OT systems are remotely accessible and may operate with a continuous internet connection for remote monitoring, data collection, maintenance functions, safety and security. These systems can be "third-party systems", whereby the contractor monitors and maintains the systems via remote access. These systems could include both two-way data flow and upload-only. Systems and workstations with remote control, access or configuration functions could, for example, be:
• bridge and engine room computers and workstations on the ship's administrative network
• cargo such as containers with reefer temperature control systems or specialised cargo that are tracked remotely
• stability decision support systems
• hull stress monitoring systems
• navigational systems including Electronic Navigational Chart (ENC), Voyage Data Recorder (VDR), dynamic positioning (DP)
• cargo handling and stowage, engine, and cargo management and load planning systems
• safety and security networks, such as CCTV (closed circuit television)
• specialised systems such as drilling operations, blowout preventers, subsea installation systems, Emergency Shut Down (ESD) for gas tankers, submarine cable installation and repair.
The extent and nature of connectivity of equipment should be known by the shipowner or operator and considered as an important part of the risk assessment.
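Knowing the extent of remote connectivity, as recommended above, means holding a register of agreed remote-access arrangements and checking the ship's actual connections against it. The following Python example is added here for illustration and is not part of the guidelines; the vendors, addresses, maintenance windows and perimeter-router log format are all constructed and hypothetical. It reads session records exported from the ship's perimeter router, restricts itself to sessions that touch an OT host, and reports any session that no agreed arrangement covers (unknown producer or port) or that falls outside the agreed maintenance window, which is exactly the "unknown and uncoordinated remote access" the risk assessment should surface.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed register of agreed remote-access arrangements (hypothetical vendors
# and addresses): which producer may reach which onboard host, from which shore
# network, on which port, and during which agreed window (ship's clock, UTC).
APPROVED = [
    {"vendor": "engine-oem", "onboard": "10.20.1.10", "shore": "203.0.113.0/24",
     "port": 443, "window": (time(8, 0), time(17, 0))},
    {"vendor": "reefer-monitoring", "onboard": "10.20.3.5", "shore": "198.51.100.0/24",
     "port": 8883, "window": (time(0, 0), time(23, 59))},
]
OT_NETWORKS = [ip_network("10.20.0.0/16")]  # constructed OT address space


@dataclass
class Session:
    ts: datetime
    src: str
    dst: str
    dport: int
    direction: str  # "in": shore -> ship, "out": ship -> shore


def parse_session(line):
    """Constructed perimeter-router export: '<iso timestamp> <src> <dst> <dport> <in|out>'."""
    ts, src, dst, dport, direction = line.split()
    return Session(datetime.fromisoformat(ts), src, dst, int(dport), direction)


def is_ot_host(addr):
    a = ip_address(addr)
    return any(a in net for net in OT_NETWORKS)


def find_arrangement(onboard, shore, dport):
    """The agreed arrangement that covers this host/shore-network/port triple, if any."""
    for rule in APPROVED:
        if (rule["onboard"] == onboard and rule["port"] == dport
                and ip_address(shore) in ip_network(rule["shore"])):
            return rule
    return None


def audit_sessions(log_text):
    """Return (session, reason) pairs for remote-access sessions on OT hosts that
    either have no agreed arrangement or fall outside the agreed window."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        s = parse_session(line)
        onboard, shore = (s.dst, s.src) if s.direction == "in" else (s.src, s.dst)
        if not is_ot_host(onboard):
            continue  # scoped to OT hosts; IT hosts are governed by their own policy
        rule = find_arrangement(onboard, shore, s.dport)
        if rule is None:
            findings.append((s, "no agreed remote-access arrangement covers this session"))
            continue
        start, end = rule["window"]
        if not start <= s.ts.time() <= end:
            findings.append((s, f"{rule['vendor']} session outside agreed window"))
    return findings


# Constructed sample export: an agreed OEM session, the same OEM at 22:40 (outside
# its window), an agreed reefer upload, an RDP session from a machinery host to an
# unknown address, and an IT host session that is out of scope for this check.
SAMPLE_LOG = """\
2019-03-04T09:15:00 203.0.113.7 10.20.1.10 443 in
2019-03-04T22:40:00 203.0.113.7 10.20.1.10 443 in
2019-03-04T10:02:00 10.20.3.5 198.51.100.9 8883 out
2019-03-04T11:30:00 10.20.2.15 192.0.2.44 3389 out
2019-03-04T11:31:00 10.30.0.8 192.0.2.44 443 out
"""

if __name__ == "__main__":
    for s, reason in audit_sessions(SAMPLE_LOG):
        print(f"{s.ts.isoformat()} {s.src} -> {s.dst}:{s.dport} ({s.direction}): {reason}")
```

The register is the control here, not the script: if the shipowner has never written down which producer may reach which host, every session is "uncoordinated" by definition and the audit has nothing to compare against.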
Impact assessment
The confidentiality, integrity and availability (CIA) model [9] provides a framework for assessing the impact of:
• unauthorised access to and disclosure of information or data about the ship, crew, cargo and passengers
• loss of integrity, which would modify or destroy information and data relating to the safe and efficient operation and administration of the ship
• loss of availability due to the destruction of the information and data and/or the disruption to services/operation of ship systems.
The relative importance of confidentiality, integrity and availability depends on the use of the information or data. For example, assessing the vulnerability of IT systems related to commercial operations may focus on confidentiality and integrity rather than availability. Conversely, assessing the vulnerability of OT systems on board ships, particularly safety critical systems, may focus on availability and/or integrity instead of confidentiality.
Potential impacts could be safety-related, operational, environment-related, financial, reputational and compliance-related. Several assessment methodologies offer criteria and techniques that can help define the magnitude of the impact from a cyber attack [10].
Potential impact: Low
Definition: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on company and ship, organisational assets, or individuals.
In practice: A limited adverse effect means that a security breach might: (i) cause a degradation in ship operation to an extent and duration that the organisation is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organisational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
Potential impact: Moderate
Definition: The loss of confidentiality, integrity, or availability could be expected to have a substantial adverse effect on company and ship, assets or individuals.
In practice: A substantial adverse effect means that a security breach might: (i) cause a significant degradation in ship operation to an extent and duration that the organisation is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organisational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
Potential impact: High
Definition: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on company and ship operations, assets, environment or individuals.
In practice: A severe or catastrophic adverse effect means that a security breach might: (i) cause a severe degradation in or loss of ship operation to an extent and duration that the organisation is not able to perform one or more of its primary functions; (ii) result in major damage to the environment and/or organisational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
Table 3: potential impact levels when using the CIA model
When it comes to OT systems, an extra dimension must be added to the CIA model.
[9] Federal Information Processing Standards, Publication 199, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8900.
[10] Methodologies include, and are not limited to, ISO/IEC 27005:2018 Information technology – Security techniques – Information security risk management, the COSO Enterprise Risk Management Framework, and ISO 31000:2018 Risk management – Guidelines.
A risk assessment of OT systems needs to be based on an inventory overview of equipment and/or computer-based systems and a map of the networks' connections. Further, access points and communication devices should be part of this overview. As the impact of a cyber incident in an onboard OT system may include physical effects, risk assessments should include:
• impacts on the safety of onboard personnel, the ship and cargo
• physical impact on an OT system, including the environment surrounding it on board; the effect on the process that is being controlled and the physical effect on the OT system itself
• the consequences for risk assessments of non-digital control components within an OT system.
The implementation of protection measures based on risk assessments is well established on all ships via the ISM Code and the ship's SMS. Safety assessments are concerned primarily with the physical world, bearing in mind that the physical and the digital worlds are now intertwined. Assessing the potential physical damage from a cyber incident should include:
1. how an incident could manipulate the operation of sensors and actuators to impact the physical environment
2. what redundant controls and manual overriding possibilities exist in the OT system to prevent an incident
3. how a physical incident could emerge
4. how to evaluate potential effects to the physical process performed by the OT system.
Example
A ship is equipped with a complex power management system. It consists of switchboards and generators with controlling systems for auto load sharing, power control and auto synchronising. On top of the power management system, a supervisory control and data acquisition (SCADA) system provides output and makes it possible for the crew to control the distribution of onboard electric power.
Power management is important to the safety of the crew, ship, and cargo. It also has a clear environmental and financial impact, as power is generated by use of fuel either by the ship's main engine (shaft generator) and/or auxiliary engines. Therefore, a cyber incident that disables the power management system or causes it to malfunction can place the operation and safety of the ship at risk. To lower the risk, the company should add protection measures that minimise the possibility of such a cyber incident taking place.
The SCADA system contains real-time sensor data, which is used on board for power management. It also generates data about power consumption, which is used by the shipping company for administrative purposes. To determine the potential impact should this data and information be breached, the CIA model should be used. When doing so, the shipping company should determine the potential impact of the most sensitive information stored, processed or transmitted by the SCADA system.
Using the CIA model, the shipping company can conclude that:
• losing confidentiality of the sensor data acquired by the SCADA system will have a low impact, as the sensor readings are publicly displayed on board. However, from a safety point of view, it is important that the information transmitted by the sensors can be relied upon. Therefore, there is a potential high impact from a loss of integrity. It will also be a safety issue if the information cannot be read. So, there is a potential high impact from a loss of availability.
• a loss of confidentiality regarding the power consumption information being sent to the shipping company for statistical purposes is assessed as a potential low impact. There will also be a potential low impact from a loss of integrity and availability, as the data is only used for in-house considerations.
The following table shows the result of the assessment.
SCADA system        Confidentiality   Integrity   Availability   Overall impact
Sensor data         Low               High        High           High
Statistical data    Low               Low         Low            Low
Table 4: result of CIA assessment of SCADA system
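Table 4 applies a rule the text states in words: the overall impact of a data type is the highest of its confidentiality, integrity and availability ratings, and the system takes the rating of its most sensitive data. That is the high-water mark from FIPS 199, the standard footnote 9 cites. The following Python example is added here to make the rule explicit and repeatable across a whole inventory; it is not part of the guidelines. It reproduces Table 4 from the ratings given above and also reports which properties drive the system's rating, which is what tells the company whether integrity and availability controls (as for this SCADA system) or confidentiality controls should be prioritised. The cargo management ratings are a constructed, hypothetical counterpart showing the same rule on a commercial IT system.

```python
LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAME_OF = {v: k for k, v in LEVELS.items()}
PROPERTIES = ("confidentiality", "integrity", "availability")


def level(value):
    """Map a Table 3 impact level to an ordinal; reject anything outside the model."""
    v = value.strip().lower()
    if v not in LEVELS:
        raise ValueError(f"unknown impact level {value!r}; expected low, moderate or high")
    return LEVELS[v]


def overall_impact(cia):
    """High-water mark for one data type: the highest of its C, I and A ratings."""
    return NAME_OF[max(level(x) for x in cia)]


def assess_system(data_types):
    """data_types maps each kind of data the system stores, processes or transmits
    to its (C, I, A) ratings. Returns the per-type overall impact, the system's
    impact (that of its most sensitive data) and the properties that reach it."""
    per_type = {name: overall_impact(cia) for name, cia in data_types.items()}
    system_level = max(level(v) for v in per_type.values())
    drivers = [prop for idx, prop in enumerate(PROPERTIES)
               if any(level(cia[idx]) == system_level for cia in data_types.values())]
    return per_type, NAME_OF[system_level], drivers


def render_table(system_name, data_types):
    """Lay the assessment out in the shape of Table 4."""
    per_type, _, _ = assess_system(data_types)
    rows = [f"{system_name:<18}{'Confidentiality':<16}{'Integrity':<11}"
            f"{'Availability':<14}Overall impact"]
    for name, cia in data_types.items():
        c, i, a = (x.capitalize() for x in cia)
        rows.append(f"{name:<18}{c:<16}{i:<11}{a:<14}{per_type[name].capitalize()}")
    return "\n".join(rows)


# The guidelines' SCADA example, with the ratings reached in the text above.
SCADA_DATA = {
    "Sensor data": ("low", "high", "high"),
    "Statistical data": ("low", "low", "low"),
}
# Constructed, hypothetical ratings for a commercial IT system, to contrast.
CARGO_DATA = {
    "Cargo manifest": ("high", "high", "moderate"),
    "Shipment tracking": ("moderate", "moderate", "low"),
}

if __name__ == "__main__":
    for system, data in (("SCADA system", SCADA_DATA), ("Cargo management", CARGO_DATA)):
        per_type, overall, drivers = assess_system(data)
        print(render_table(system, data))
        print(f"System impact: {overall} (driven by {', '.join(drivers)})\n")
```

The high-water mark deliberately does not average: a system whose only sensitive data is its sensor feed is still a high-impact system, and averaging in the low-rated statistical data would understate that. The OT dimension the text adds next (physical effects) sits on top of this rating rather than replacing it.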
Bring your own device (BYOD)
It is recognised that personnel may be allowed to bring their own devices (BYOD) on board to access the ship's systems or network. Although this may be both beneficial and economical for ships, it significantly increases the level of vulnerability because these devices may be unmanaged. Policies and procedures should address the control and use of BYODs, as well as how to protect vulnerable data, by using network segregation for example.
4.1 Risk assessment made by the company
As mentioned above, the risk assessment process starts by assessing the systems on board, in order to map their robustness to handle the current level of cyber threats. The assessment should cover the IT and OT systems on board. When conducting the assessment, the company should consider the outcomes of the ship security assessment as well as the following:
1. identification of existing technical and procedural controls to protect the onboard IT and OT systems
2. identification of IT and OT systems that are vulnerable, including the human factor, and the policies and procedures governing the use of these systems. The identification should include searches for known vulnerabilities relevant to the equipment as well as the current level of patching and firmware updates
3. identification and evaluation of key shipboard operations that are vulnerable to cyber attacks
4. identification of possible cyber incidents and their impact on key shipboard operations, and the likelihood of their occurrence, to establish and prioritise protection measures.
Companies may consult with the producers and service providers of onboard equipment and systems to understand the technical and procedural controls that may already be in place to address cyber risk management. Furthermore, any identified cyber vulnerability in the factory standard configuration of a critical system or component should be disclosed to facilitate better protection of the equipment in the future.
4.2 Third-party risk assessments
Self-assessments can serve as a good start but may be complemented by third-party risk assessments to drill deeper and identify the risks and the gaps that may not be found during the self-assessment. Penetration tests of critical IT and OT infrastructure can also be performed to identify whether the actual defence level matches the desired level set forth in the cyber security strategy for the company. Such tests can be performed by external experts simulating attacks using IT systems, social engineering and, if desired, even physical penetration of a facility's security perimeter. These tests are referred to as active tests because they involve accessing and inserting software into a system. This may only be appropriate for IT systems. Where the risk to OT systems during penetration testing is unacceptable, passive testing approaches should be considered. Passive methods rely on scanning data transmitted by a system to identify vulnerabilities. In general, no attempt is made to actively access or insert software into the system.
4.3 Risk assessment process
Phase 1: Pre-assessment activities
Prior to starting a cyber risk assessment on board [11], the following activities should be performed:
• map the ship's key functions and systems and their potential impact levels, for example using the CIA model, taking into consideration the operation of OT systems
• identify the main producers of critical shipboard IT and OT equipment
• review detailed documentation of critical OT and IT systems, including their network architecture, interfaces and interconnections
• identify cyber security points of contact with each of the producers and establish a working relationship with them
• review detailed documentation on the ship's maintenance and support of the IT and OT systems
• establish the contractual requirements and obligations that the shipowner/ship operator may have for maintenance and support of shipboard networks and equipment
• support, if necessary, the risk assessment with an external expert to develop detailed plans and to include producers and service providers.
Phase 2: Ship assessment
The goal of the assessment of a ship's network and its systems and devices is to identify any vulnerabilities that could compromise or result in either loss of confidentiality, loss of integrity or loss of operation of the equipment, system, network, or even the ship. These vulnerabilities and weaknesses could fall into one of the following categories:
• technical, such as software defects or outdated or unpatched systems
• design, such as access management or unmanaged network interconnections
• implementation errors, for example misconfigured firewalls
• procedural or other user errors.
The activities performed during an assessment could include reviewing the configuration of all computers, servers, routers, and cyber security technologies including firewalls. It could also include reviews of all available cyber security documentation and procedures for connected IT and OT systems and devices.
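Reviewing firewall configuration for implementation errors is more reliable when the segmentation policy is written down and the rule set is checked against it, rather than read rule by rule. The following Python example is added for this page and is not part of the guidelines or of any firewall product; the addressing plan, zone names and the simplified rule syntax ("allow|deny <src cidr> <dst cidr> <proto>/<port|any>") are constructed for the demonstration. It encodes the policy stated earlier in this chapter, that passenger and crew welfare networks are uncontrolled and must not be connected to any safety critical system, and reports each allow rule that breaks it, each unrestricted service into an OT segment, any any-to-any allow, and a rule set with no default deny. A weak rule set and its corrected counterpart are both included.

```python
from ipaddress import ip_network

# Constructed shipboard addressing plan (hypothetical), one zone per segment.
ZONES = {
    "passenger": ip_network("10.50.0.0/16"),
    "crew_welfare": ip_network("10.40.0.0/16"),
    "admin": ip_network("10.30.0.0/16"),
    "bridge_ot": ip_network("10.20.0.0/24"),
    "machinery_ot": ip_network("10.20.1.0/24"),
    "dmz": ip_network("10.10.0.0/24"),
}
UNCONTROLLED = {"passenger", "crew_welfare", "any"}  # "any" covers the internet side
SAFETY_CRITICAL = {"bridge_ot", "machinery_ot"}


def zone_of(cidr):
    """Resolve a rule's network to the zone that contains it ('any' for 0.0.0.0/0)."""
    net = ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    for name, zone_net in ZONES.items():
        if net.subnet_of(zone_net):
            return name
    return "unknown"


def parse_rules(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        action, src, dst, service = line.split()
        rules.append({"line": line, "action": action, "src": zone_of(src),
                      "dst": zone_of(dst), "service": service})
    return rules


def check_segmentation(text):
    """Return (rule line, reason) pairs for every policy violation in the rule set."""
    rules = parse_rules(text)
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if r["src"] in UNCONTROLLED and r["dst"] in SAFETY_CRITICAL:
            findings.append((r["line"], "uncontrolled network allowed into safety-critical segment"))
        if r["src"] == "any" and r["dst"] == "any":
            findings.append((r["line"], "any-to-any allow defeats segmentation"))
        if r["dst"] in SAFETY_CRITICAL and r["service"].endswith("/any"):
            findings.append((r["line"], "unrestricted service into safety-critical segment"))
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"):
        findings.append(("<end of ruleset>", "no default deny rule"))
    return findings


# Constructed weak configuration: the kind of rules that turn up on a flat shipboard LAN.
WEAK_RULES = """\
allow 10.40.0.0/16 10.20.0.0/24 tcp/any     # crew welfare LAN may reach bridge OT on any port
allow 0.0.0.0/0 10.20.1.0/24 tcp/3389       # remote desktop into machinery OT from anywhere
allow 10.30.0.0/16 10.10.0.0/24 tcp/443
deny 0.0.0.0/0 0.0.0.0/0 any
"""

# Corrected counterpart: uncontrolled zones never reach OT; OT only pushes to a DMZ collector.
HARDENED_RULES = """\
allow 10.30.0.0/16 10.10.0.0/24 tcp/443     # admin LAN to DMZ services only
allow 10.20.0.0/24 10.10.0.0/24 tcp/8443    # bridge OT pushes telemetry to a DMZ collector
deny 0.0.0.0/0 0.0.0.0/0 any
"""

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"[{label}]")
        for line, reason in check_segmentation(rules) or [("-", "no findings")]:
            print(f"  {line}: {reason}")
```

Producer remote access into an OT segment, as in the second weak rule, is not forbidden by this check when it comes from a named shore network on a named port; it is the 0.0.0.0/0 source that is the error. Such access still belongs in the remote-access register the previous section describes.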
[11] Based on a third-party risk assessment method described by NCC Group.
An aspect of on-ship assessment is the involvement of crew of all levels, particularly the master, chief engineer and first mate. This process assists in understanding the implementation of the IT and OT systems on board, how they may vary from the stated design documentation, and the level of cyber training delivered to the ship's crew.
Phase 3: Debrief and vulnerability review/reporting
Following the assessment, each identified vulnerability should be evaluated for its potential impact and the probability of its exploitation. Recommended technical and/or procedural corrective actions should be identified for each vulnerability.
Ideally, the cyber risk assessment should include:
• executive summary – a high-level summary of results, recommendations and the overall security profile of the assessed ship
• technical findings – breakdown of discovered vulnerabilities, their probability of exploitation, the resulting impact, and appropriate technical fix and mitigation advice
• prioritised list of actions – the priorities allocated should reflect the effectiveness of the measure, the cost, the applicability, etc. It is important that this list should be a complete list of options available and not represent a list of services and products the third-party risk assessor, if applicable, would like to sell
• supplementary data – a supplement containing the technical details of all key findings and comprehensive analysis of critical flaws. This section should also include sample data recovered during the penetration testing, if any, of critical or high-risk vulnerabilities
• appendices – records of activities conducted by the cyber risk assessment team and the tools used during the engagement.
Consideration should be given as to whether parts of the cyber risk assessment should be treated as confidential.
Whilst cyber risk management policies and procedures should be included in the company safety management system, these should not contain information which, if made available outside the company, could become a vulnerability.
Phase 4: Producer debrief
Oncetheshipownerhashadanopportunitytoreview,discussandassessthefindings,asubsetofthefindingsmayneedtobesenttotheproducersoftheaffectedsystems.Anyfindings,whichareapprovedbytheshipownerfordisclosuretotheproducers,couldbefurtheranalysedwithsupportfromexternalexperts,whoshouldworkwiththeproducer’scybersecuritypointofcontacttoensurethatafullriskandtechnicalunderstandingoftheproblemisachieved.Thissupportingactivityisintendedtoensurethatanyremediationplandevelopedbytheproduceriscomprehensiveinnatureandidentifiesthecorrectsolutiontoeliminatethevulnerabilities.
5 Develop protection and detection measures
The outcome of the company’s risk assessment and subsequent cyber security strategy should be a reduction in risk to as low as reasonably practicable. At a technical level, this would include the necessary actions to be implemented to establish and maintain an agreed level of cyber security.
It is important to identify how to manage cyber security onboard and to delegate responsibilities to the master, responsible officers and, when appropriate, the company security officer.
5.1 Defence in depth and in breadth
It is important to protect critical systems and data with multiple layers of protection measures, which take into account the role of personnel, procedures and technology to:
• increase the probability that a cyber incident is detected
• increase the effort and resources required to protect information, data or the availability of IT and OT systems.
Connected OT systems onboard should require more than one technical and/or procedural protection measure. Perimeter defences such as firewalls are important for preventing unwelcome entry into the systems, but this may not be sufficient to cope with insider threats.
This defence in depth approach encourages a combination of:
• physical security of the ship in accordance with the ship security plan (SSP)
• protection of networks, including effective segmentation
• intrusion detection
• periodic vulnerability scanning and testing
• software whitelisting
• access and user controls
• appropriate procedures regarding the use of removable media and password policies
• personnel’s awareness of the risk and familiarity with appropriate procedures.
Company policies and procedures should help ensure that cyber security is considered within the overall approach to safety and security risk management. The complexity and potential persistence of cyber threats means that a “defence in depth” approach should be considered. Equipment and data protected by layers of protection measures are more resilient to cyber attacks.
When developing integration between systems, a trust boundary model should be considered, whereby systems are grouped into those between which trust is implicit (for example user workstations), and those between which trust should be explicit (between bridge computers and corporate networks). For large or complex networks, threat modelling should be considered as an activity to understand where technical controls should be implemented between systems in order to support a defence in breadth approach.
However, onboard ships where levels of integration between IT and OT systems may be high, defence in depth only works if technical and procedural protection measures are applied in layers across all vulnerable and integrated systems. This is “defence in breadth” and it is used to prevent any vulnerabilities in one system being used to circumvent protection measures of another system.
Cyber risk protection measures may be either technical or procedural in nature, with technical controls implemented to enforce procedural controls; a combination approach using appropriate measures provides the most effective level of protection.
Defence in depth and defence in breadth are complementary approaches which, when implemented together, provide the foundation of a holistic response to the management of cyber risks.
Cyber risk protection measures may be technical and focused on ensuring that onboard systems are designed and configured to be resilient to cyber attacks. Protection measures may also be procedural and should be covered by company policies, safety management procedures, security procedures and access controls.
Consideration needs to be given to implementing technical controls that are practical and cost-effective, particularly on existing ships.
Implementation of cyber security controls should be prioritised, focusing first on those measures, or combinations of measures, which offer the greatest benefit.
5.2 Technical protection measures
The Centre for Internet Security (CIS) provides guidance on measures12 that can be used to address cyber security vulnerabilities. The protection measures are a list of Critical Security Controls (CSC) that are prioritised and vetted to help ensure that they provide an effective approach for companies to assess and improve their defences. The CSCs include both technical and procedural aspects.
The below mentioned examples of CSCs have been selected as particularly relevant to equipment and data onboard ships13.
Limitation to and control of network ports, protocols and services
Access lists to network systems can be used to implement the company’s security policy. This helps ensure that only appropriate traffic will be allowed via a controlled network or subnet, based on the control policy of that network or subnet.
It is recommended that routers are secured against attacks and unused ports should be closed to prevent unauthorised access to systems or data.
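The access-list idea above, as an added example written for this page (it is not part of the guidelines and not the configuration of any firewall product): a small Python model of an onboard network divided into trust zones, with a default-deny policy between zones and an explicit allowlist of permitted (source zone, destination zone, protocol, port) combinations. The zone names, address ranges and permitted services are assumptions made for the example. A lint check also catches an allowlist rule that would let an uncontrolled network reach a controlled one, the separation the next subsection describes.

```python
"""Trust-zone model of an onboard network: traffic between zones is denied by
default and only an explicit allowlist of (source zone, destination zone,
protocol, port) crosses a boundary. Uncontrolled networks never reach controlled
ones, whatever the allowlist says."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones. Names and address ranges are assumptions for this example,
# not taken from any real ship or from the guidelines.
ZONES = {
    "bridge_ot":      {"cidr": "10.10.1.0/24",    "controlled": True},
    "engine_ot":      {"cidr": "10.10.2.0/24",    "controlled": True},
    "cargo_admin":    {"cidr": "10.20.1.0/24",    "controlled": True},
    "vendor_remote":  {"cidr": "10.30.1.0/24",    "controlled": True},
    "crew_wifi":      {"cidr": "192.168.50.0/24", "controlled": False},
    "passenger_wifi": {"cidr": "192.168.60.0/24", "controlled": False},
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int

# Explicit cross-zone allowlist (assumed services, for illustration only).
ALLOW = {
    Rule("vendor_remote", "bridge_ot", "tcp", 22),   # vendor maintenance over SSH
    Rule("cargo_admin", "engine_ot", "tcp", 502),    # loading computer polling Modbus/TCP
}

def zone_of(addr):
    """Map an IP address to its zone name, or None if it is in no known zone."""
    ip = ip_address(addr)
    for name, zone in ZONES.items():
        if ip in ip_network(zone["cidr"]):
            return name
    return None

def evaluate(src_ip, dst_ip, proto, port):
    """Return 'allow' or 'deny:<reason>' for a single flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny:unknown_zone"                 # unmapped addresses are never trusted
    if src == dst:
        return "allow"                             # intra-zone traffic is not policed here
    if not ZONES[src]["controlled"] and ZONES[dst]["controlled"]:
        return "deny:uncontrolled_to_controlled"   # hard isolation, allowlist irrelevant
    if Rule(src, dst, proto.lower(), port) in ALLOW:
        return "allow"
    return "deny:no_matching_rule"                 # default deny between zones

def lint_allowlist(rules):
    """Return rules that would breach the isolation of controlled networks."""
    return sorted(
        (r for r in rules
         if not ZONES[r.src_zone]["controlled"] and ZONES[r.dst_zone]["controlled"]),
        key=lambda r: (r.src_zone, r.dst_zone, r.port),
    )

def audit(flows):
    """Evaluate observed flows; return those that policy denies, with the reason."""
    results = [(flow, evaluate(*flow)) for flow in flows]
    return [(flow, verdict) for flow, verdict in results if verdict != "allow"]

if __name__ == "__main__":
    sample = [
        ("10.30.1.7", "10.10.1.5", "tcp", 22),        # vendor SSH to bridge: allowed
        ("10.30.1.7", "10.10.1.5", "tcp", 3389),      # vendor RDP to bridge: no rule
        ("192.168.50.23", "10.10.1.5", "tcp", 22),    # crew wifi to bridge: isolated
        ("10.10.1.5", "10.10.1.20", "tcp", 102),      # within the bridge zone
    ]
    for flow, verdict in audit(sample):
        print(verdict, flow)
```

The point of `lint_allowlist` is that the isolation of uncontrolled networks is a property of the zone model, not of individual rules, so a rule that contradicts it is rejected before it reaches a device rather than discovered in an audit of live traffic.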
Configuration of network devices such as firewalls, routers and switches
It should be determined which systems should be attached to controlled or uncontrolled14 networks. Controlled networks are designed to prevent any security risks from connected devices by use of firewalls, security gateways, routers and switches. Uncontrolled networks may pose risks due to lack of data traffic control and should be isolated from controlled networks, as direct internet connection makes them highly prone to infiltration by malware. For example:
• networks that are critical to the operation of a ship itself should be controlled. It is important that these systems have a high level of security
• networks that provide suppliers with remote access to navigation and other OT systems’ software onboard should also be controlled. These networks may be necessary to allow suppliers to upload system upgrades or perform remote servicing. Shoreside external access points of such connections should be secured to prevent unauthorised access
• cargo stowage, load planning and management systems should be controlled. So should those systems that perform mandatory ship reporting to public authorities
• other networks, such as guest access networks, may be uncontrolled, for instance those related to passenger recreational activities or private internet access for crew. Normally, any wireless network should be considered uncontrolled.
Effective segregation of systems, based on necessary access and trust levels, is one of the most successful strategies for the prevention of cyber incidents. Effectively segregated networks can significantly impede an attacker’s access to a ship’s systems and is one of the most effective techniques for preventing the spread of malware. Onboard networks should be partitioned by firewalls to create safe zones. The fewer communications links and devices in a zone, the more secure the systems and data are in that zone. Confidential and safety critical systems should be in the most protected zone. See annex 3 of these guidelines for more information on shipboard networks and also refer to IEC 62443.
12 CIS, Critical Security Controls for Effective Cyber Security, available at www.cisecurity.org/critical-controls.cfm.
13 Stephenson Harwood (2015), Cyber Risk.
14 In accordance with IEC 61162-460:2015: Maritime navigation and radiocommunication equipment and systems - Digital interfaces - Part 460: Multiple talkers and multiple listeners - Ethernet interconnection - Safety and security.
Physical security
Physical security15 is a central aspect of cyber risk management and an effective defence in depth strategy relies on ensuring that technical controls cannot be circumvented through trivial technical means. Areas containing sensitive OT or IT control components should be securely locked, security and safety critical equipment and cable runs should be protected from unauthorised access, and physical access to sensitive user equipment (such as exposed USB ports on bridge systems) should be secured.
15 See also the ISPS Code.
Detection, blocking and alerts
Identifying intrusions and infections is a central part of the control procedures. A baseline of network operations and expected data flows for users and systems should be established and managed, so that cyber incident alert thresholds can be established. Key to this will be the definition of roles and responsibilities for detection to help ensure accountability. Additionally, a company may choose to incorporate an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS) into the network or as part of the firewall. Some of their main functions include identifying threats/malicious activity and code, and then logging, reporting and attempting to block the activity. Further details concerning IDS and IPS can be found in annex 3 of these guidelines. It helps to ensure that dedicated onboard personnel can understand the alerts and their implications. Incidents detected should be directed to an individual or service provider who is responsible for acting on this type of alert.
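The baseline-and-threshold approach described above, as an added example written for this page (not from the guidelines, and not the logic of any IDS product): a baseline of expected flows is learnt from a period of normal operation, after which any flow not in the baseline, or any known flow moving an order of magnitude more data than it ever did, raises an alert. The log lines, the address ranges treated as controlled and the 10x volume factor are constructed assumptions.

```python
"""Learn a baseline of expected flows from a period of normal operation, then
alert on anything that deviates: a flow never seen before, or a known flow
moving far more data than it ever did. Log format is a constructed example:
'<timestamp> <src_ip> <dst_ip> <proto>/<port> <bytes>'."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: controlled onboard networks live in 10.0.0.0/8; anything else is
# treated as uncontrolled when grading the severity of a new flow.
CONTROLLED = [ip_network("10.0.0.0/8")]

# Constructed learning period: bridge workstation to ECDIS server, loading
# computer to engine PLC, vendor gateway to bridge over SSH.
BASELINE_LOG = """\
2019-03-01T00:00:01 10.10.1.5 10.10.1.20 tcp/102 1200
2019-03-01T00:00:02 10.10.1.5 10.10.1.20 tcp/102 1300
2019-03-01T00:00:05 10.20.1.10 10.10.2.30 tcp/502 800
2019-03-01T00:00:09 10.20.1.10 10.10.2.30 tcp/502 780
2019-03-01T00:00:11 10.30.1.7 10.10.1.5 tcp/22 9000
"""

# Constructed later traffic: one new flow from a bridge host to the crew wifi
# range, and one vendor session moving fifty times its usual volume.
NEW_LOG = """\
2019-03-02T10:00:01 10.10.1.5 10.10.1.20 tcp/102 1250
2019-03-02T10:00:02 10.20.1.10 10.10.2.30 tcp/502 790
2019-03-02T10:00:03 10.10.1.5 192.168.50.40 tcp/445 4000
2019-03-02T10:00:04 10.30.1.7 10.10.1.5 tcp/22 480000
2019-03-02T10:00:05 10.10.1.5 10.10.1.20 tcp/102 1210
"""

def parse(log):
    """Yield (timestamp, flow_key, bytes) from the constructed log format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, service, nbytes = line.split()
        yield ts, (src, dst, service), int(nbytes)

def build_baseline(log):
    """Flow key -> largest transfer seen for that flow during the learning period."""
    baseline = defaultdict(int)
    for _, key, nbytes in parse(log):
        baseline[key] = max(baseline[key], nbytes)
    return dict(baseline)

def is_controlled(addr):
    ip = ip_address(addr)
    return any(ip in net for net in CONTROLLED)

def detect(log, baseline, volume_factor=10):
    """Return alerts for flows not in the baseline or exceeding it by volume_factor."""
    alerts = []
    for ts, key, nbytes in parse(log):
        src, dst, _ = key
        if key not in baseline:
            # A controlled host reaching an uncontrolled destination is the worst case.
            severity = "high" if is_controlled(src) and not is_controlled(dst) else "medium"
            alerts.append({"ts": ts, "type": "new_flow", "flow": key,
                           "bytes": nbytes, "severity": severity})
        elif nbytes > volume_factor * baseline[key]:
            alerts.append({"ts": ts, "type": "volume", "flow": key,
                           "bytes": nbytes, "severity": "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

A real deployment would learn the baseline over weeks rather than five lines and would re-learn it after sanctioned changes (a new vendor connection, a replaced ECDIS), otherwise the alert thresholds the text asks for stop matching the ship as operated.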
Satellite and radio communication
Cyber security of the radio and satellite connection should be considered in collaboration with the service provider. In this connection, the specification of the satellite link should be considered when establishing the requirements for onboard network protection.
When establishing an uplink connection for a ship’s navigation and control systems to shore-based service providers, consideration should be given on how to prevent illegitimate connections gaining access to the onboard systems.
The access interconnect is the distribution partner’s responsibility. The final routing of user traffic from the internet access point to its ultimate destination onboard (“last mile”) is the responsibility of the shipowner. User traffic is routed through the communication equipment for onward transmission onboard. At the access point for this traffic, it is necessary to provide data security, firewalling and a dedicated “last-mile” connection.
When using a Virtual Private Network (VPN), the data traffic should be encrypted to an acceptable international standard. Furthermore, a firewall in front of the servers and computers connected to the networks (ashore or onboard) should be deployed. The distribution partner should advise on the routing and type of connection most suited for specific traffic. Onshore filtering (inspection/blocking) of traffic is also a matter between a shipowner and the distribution partner. Both onshore filtering of traffic and firewalls/security inspection/blocking gateways on the ship are needed and supplement each other to achieve a sufficient level of protection.
Producers of satellite communication terminals and other communication equipment may provide management interfaces with security control software that are accessible over the network. This is primarily provided in the form of web-based user interfaces. Protection of such interfaces should be considered when assessing the security of a ship’s installation.
Wireless access control
Wireless access to networks on the ship should be limited to appropriate authorised devices and secured using a strong encryption key, which is changed regularly. The following can be considered for controlling wireless access:
• the use of enterprise authentication systems using asymmetric encryption and isolating networks with appropriate wireless dedicated access points (e.g. guest networks isolated from administrative networks)
• the adoption of systems, such as wireless IPS, that can intercept non-authorised wireless access points or rogue devices
• the protection of the physical interconnection between wireless access devices and the network (such as network plugs, network racks, etc.) to avoid unauthorised access by rogue devices.
Malware detection
Scanning software that can automatically detect and address the presence of malware in systems onboard should be regularly updated.
As a general guideline, onboard computers should be protected to the same level as office computers ashore. Anti-virus and anti-malware software should be installed, maintained and updated on all personal work-related computers onboard. This will reduce the risk of these computers acting as attack vectors towards servers and other computers on the ship’s network. How regularly the scanning software will be updated must be taken into consideration when deciding whether to rely on these defence methods.
Secure configuration for hardware and software
Only senior officers should be given administrator profiles, so that they can control the setup and disabling of normal user profiles. User profiles should be restricted to only allow the computers, workstations or servers to be used for the purposes for which they are required. User profiles should not allow the user to alter the systems or install and execute new programs.
Email and web browser protection
Email communication between ship and shore is a vital part of a ship’s operation. Appropriate email and web browser protection serves to:
• protect shoreside and onboard personnel from potential social engineering
• prevent email being used as a method of obtaining sensitive information
• ensure that the exchange of sensitive information via email or by voice is appropriately protected to ensure confidentiality and integrity of data, eg encryption protection
• prevent web browsers and email clients from executing malicious scripts.
Some best practices for safe email transfer are: email as zip or encrypted file when necessary, disable hyperlinks on the email system, avoid using generic email addresses and ensure the system has configured user accounts.
Data recovery capability
Data recovery capability is the ability to restore a system and/or data from a secure copy or image, thereby allowing the restoration of a clean system. Adequate backup facilities for essential information and software should be available to help ensure recovery following a cyber incident.
Retention periods and restore scenarios should be established to prioritise which critical systems need quick restore capabilities to reduce the impact. Systems that have high data availability requirements should be made resilient. OT systems which are vital to the safe navigation and operation of the ship should have backup systems to enable the ship to quickly and safely regain navigational and operational capabilities after a cyber incident. More details on recovery can be found in chapter 7 of these guidelines.
Application software security (patch management)
Safety and security updates should be provided to onboard systems. Ordinary security patches should be included in the periodic maintenance cycle. Critical patches should be evaluated in terms of operational impact on the OT systems. These updates or patches should be applied correctly and in a timely manner to ensure that any flaws in a system are addressed before they are exploited by a cyber attack. If a critical patch cannot be installed, alternative measures should be evaluated to help implement virtual patching techniques.
5.3 Procedural protection measures
Procedural controls are focused on how personnel use the onboard systems. Plans and procedures that contain sensitive information should be kept confidential and handled according to company policies. Examples of procedural actions can be:
Training and awareness
Training and awareness are the key supporting elements to an effective approach to cyber risk management as described in these guidelines and summarised in figure 1.
The internal cyber threat should be taken into account. Personnel have a key role in protecting IT and OT systems but can also be careless, for example by using removable media to transfer data between systems without taking precautions against the transfer of malware. Training and awareness should be tailored to the appropriate levels for:
• onboard personnel including the master, officers and crew
• shoreside personnel who support the management, loading and operation of the ship.
These guidelines assume that other major stakeholders in the supply chain, such as charterers, classification societies and service providers, will carry out their own best-practice cyber security protection and training. It is advisable for owners and operators to ascertain the status of cyber security preparedness of their third-party providers, including marine terminals and stevedores, as part of their sourcing procedures for such services.
An awareness programme should be in place for all onboard personnel, covering at least the following:
• risks related to emails and how to behave in a safe manner. Examples are phishing attacks where the user clicks on a link to a malicious site
• risks related to internet usage, including social media, chat forums and cloud-based file storage where data movement is less controlled and monitored
• risks related to the use of own devices. These devices may be missing security patches and controls, such as anti-virus, and may transfer the risk to the environment to which they are connected
• risks related to installing and maintaining software on company hardware using infected hardware (removable media) or software (infected package)
• risks related to poor software and data security practices, where no anti-virus checks or authenticity verifications are performed
• safeguarding user information, passwords and digital certificates
• cyber risks in relation to the physical presence of non-company personnel, eg where third-party technicians are left to work on equipment without supervision
• detecting suspicious activity or devices and how to report a possible cyber incident. Examples of this are strange connections that are not normally seen or someone plugging in an unknown device on the ship network
• awareness of the consequences or impact of cyber incidents to the safety and operations of the ship
• understanding how to implement preventative maintenance routines such as anti-virus and anti-malware, patching, backups, and incident-response planning and testing
• procedures for protection against risks from service providers’ removable media before connecting to the ship’s systems.
In addition, personnel need to be made aware that the presence of anti-malware software does not remove the requirement for robust security procedures, for example controlling the use of all removable media.
Further, applicable personnel should know the signs when a computer has been compromised. This may include the following:
• an unresponsive or slow to respond system
• unexpected password changes or authorised users being locked out of a system
• unexpected errors in programs, including failure to run correctly or programs running unexpectedly
• unexpected or sudden changes in available disk space or memory
• emails being returned unexpectedly
• unexpected network connectivity difficulties
• frequent system crashes
• abnormal hard drive or processor activity
• unexpected changes to browser, software or user settings, including permissions.
In addition, nominated personnel should be able to understand reports from IDS systems, if used. This list is not comprehensive and is intended to raise awareness of potential signs which should be treated as possible cyber incidents.
Access for visitors
Visitors such as authorities, technicians, agents, port and terminal officials, and owner representatives should be restricted with regard to computer access whilst onboard. Unauthorised access to sensitive OT network computers should be prohibited. If access to a network by a visitor is required and allowed, then it should be restricted in terms of user privileges. Access to certain networks for maintenance reasons should be approved and co-ordinated following appropriate procedures as outlined by the company/ship operator. If a visitor requires computer and printer access, an independent computer, which is air-gapped from all controlled networks, should be used. To avoid unauthorised access, removable media blockers should be used on all other physically accessible computers and network ports.
Upgrades and software maintenance
Hardware or software that is no longer supported by its producer or software developer will not receive updates to address potential vulnerabilities. For this reason, the use of hardware and software which is no longer supported should be carefully evaluated by the company as part of the cyber risk assessment.
Relevant hardware and software installations onboard should be updated to help maintain a sufficient level of security. Procedures for timely updating of software may need to be put in place taking into account the ship type, speed of internet connectivity, sea time, etc. Software includes computer operating systems, which should also be kept up to date.
Additionally, a number of routers, switches and firewalls, and various OT devices will be running their own firmware, which may require regular updates and so should be addressed in the procedural requirements.
Effective maintenance of software depends on the identification, planning and execution of measures necessary to support maintenance activities throughout the full software lifecycle. An industry standard16 to help ensure safe and secure software maintenance has been developed. It specifies requirements for all stakeholders involved in software maintenance of shipboard equipment and associated integrated systems. The standard covers onboard, onshore and remote software maintenance.
Anti-virus and anti-malware tool updates
In order for scanning software tools to detect and deal with malware, they need to be updated. Procedural requirements should be established to ensure updates are distributed to ships on a timely basis and that all relevant computers onboard are updated.
Remote access
Policy and procedures should be established for control over remote access to onboard IT and OT systems. Clear guidelines should establish who has permission to access, when they can access, and what they can access. Any procedures for remote access should include close co-ordination with the ship’s master and other key senior ship personnel.
All remote access occurrences should be recorded for review in case of a disruption to an IT or OT system. Systems which require remote access should be clearly defined, monitored and reviewed periodically.
16 See: Industry standard on software maintenance of shipboard equipment by BIMCO and CIRM (Comité International Radio-Maritime).
Incident: Bunker surveyor’s access to a ship’s administrative network
A dry bulk ship in port had just completed bunkering operations. The bunker surveyor boarded the ship and requested permission to access a computer in the engine control room to print documents for signature. The surveyor inserted a USB drive into the computer and unwittingly introduced malware onto the ship’s administrative network. The malware went undetected until a cyber assessment was conducted on the ship later, and after the crew had reported a “computer issue” affecting the business networks.
This emphasises the need for procedures to prevent or restrict the use of USB devices onboard, including those belonging to visitors.
Use of administrator privileges
Access to information should only be allowed to relevant authorised personnel.
Administrator privileges allow full access to system configuration settings and all data. Users logging on to systems with administrator privileges may enable existing vulnerabilities to be more easily exploited. Administrator privileges should only be given to appropriately trained personnel who, as part of their role in the company or onboard, need to log on to systems using these privileges. In any case, use of administrator privileges should always be limited to functions requiring such access.
User privileges should be removed when the people concerned are no longer onboard. User accounts should not be passed on from one user to the next using generic usernames. Similar rules should be applied to any onshore personnel who have remote access to systems on ships, when they change role and no longer need access.
In a business environment such as shipping, access to onboard systems is granted to various stakeholders. Suppliers and contractors are a risk because they often have both intimate knowledge of a ship’s operations and full access to systems.
To protect access to confidential data and safety critical systems, a robust password policy should be developed17. Passwords should be strong and changed periodically. The company policy should address the fact that over-complicated passwords, which must be changed too frequently, are at risk of being written on a piece of paper and kept near the computer.
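As an added example, not from the guidelines: the password policy this paragraph asks for, and the brute-force pattern against a remote management service described in the ransomware incident under the next heading, turned into two checks in Python. The password rules follow the NIST SP 800-63B approach the footnote points to (a minimum length and a blocklist of common passwords rather than composition rules). The documented account list, the common-password list and the authentication log lines are constructed assumptions; the log format imitates an sshd-style message but is not taken from any real system.

```python
"""Two procedural controls from this section as checks: a NIST SP 800-63B style
password policy, and a detector for the brute force pattern from the ransomware
incident, run over constructed authentication log lines from a remote
management service."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for the example: the accounts the company has documented, and a
# tiny stand-in for a real list of breached/common passwords.
DOCUMENTED_USERS = {"master", "chiefeng", "itadmin"}
COMMON_PASSWORDS = {"password", "password1", "123456", "admin", "welcome1", "qwerty"}

def password_acceptable(password, username, min_length=8):
    """Minimum length, not a common password, not derived from the username.
    No forced mix of character classes, which is what drives passwords onto
    pieces of paper next to the computer."""
    lowered = password.lower()
    if len(password) < min_length:
        return False
    if lowered in COMMON_PASSWORDS:
        return False
    if username and username.lower() in lowered:
        return False
    return True

# Constructed log: a guessing run from an external address ends with a login
# to an account nobody documented, then two legitimate logins from onboard.
AUTH_LOG = """\
2019-05-12T02:14:01 shipgw sshd: Failed password for admin from 203.0.113.45
2019-05-12T02:14:03 shipgw sshd: Failed password for admin from 203.0.113.45
2019-05-12T02:14:04 shipgw sshd: Failed password for administrator from 203.0.113.45
2019-05-12T02:14:06 shipgw sshd: Failed password for root from 203.0.113.45
2019-05-12T02:14:08 shipgw sshd: Failed password for svc_backup from 203.0.113.45
2019-05-12T02:14:10 shipgw sshd: Failed password for svc_backup from 203.0.113.45
2019-05-12T02:14:12 shipgw sshd: Accepted password for svc_backup from 203.0.113.45
2019-05-12T02:20:00 shipgw sshd: Failed password for chiefeng from 10.20.1.10
2019-05-12T02:20:05 shipgw sshd: Accepted password for chiefeng from 10.20.1.10
2019-05-12T03:01:00 shipgw sshd: Accepted password for master from 10.10.1.5
"""

LINE = re.compile(r"^(\S+) \S+ \S+ (Failed|Accepted) password for (\S+) from (\S+)$")

def parse_auth(log):
    """Yield (timestamp, outcome, user, source) for each line that matches."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            ts, outcome, user, src = m.groups()
            yield datetime.fromisoformat(ts), outcome, user, src

def detect_brute_force(log, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source when `threshold` failures fall inside `window`,
    on any success from a source currently in that state, and on any success
    for an account the company has not documented."""
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, outcome, user, src in parse_auth(log):
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, user, ts.isoformat()))
            continue
        if len(recent) >= threshold:
            alerts.append(("success_after_brute_force", src, user, ts.isoformat()))
        if user not in DOCUMENTED_USERS:
            alerts.append(("undocumented_user", src, user, ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in detect_brute_force(AUTH_LOG):
        print(alert)
```

The "success after brute force" and "undocumented user" alerts are the ones that matter operationally: a burst of failures is noise on any internet-facing service, but a success from the same source, for an account that is not on the documented list, is the incident described below at the moment it starts rather than after the server is encrypted.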
Physical and removable media controls
When transferring data from uncontrolled systems to controlled systems, there is a risk of introducing malware. Removable media can be used to bypass layers of defences and attack systems that are otherwise not connected to the internet. A clear policy for the use of such media devices is important; it must help ensure that media devices are not normally used to transfer information between uncontrolled and controlled systems.
There are, however, situations where it is unavoidable to use these media devices, for example during software maintenance. In such cases, there should be a procedure in place to check removable media for malware and/or validate legitimate software by digital signatures and watermarks.
Incident: Main application server infected by ransomware
A ransomware infection on the main application server of the ship caused complete disruption of the IT infrastructure. The ransomware encrypted every critical file on the server and as a result, sensitive data were lost, and applications needed for the ship’s administrative operations were unusable. The incident was reoccurring even after complete restoration of the application server.
The root cause of the infection was poor password policy that allowed attackers to brute force remote management services successfully. The company’s IT department deactivated the undocumented user and enforced a strong password policy on the ship’s systems to remediate the incident.
17 More information can be found in NIST publication SP 800-63-3 Digital Identity Guidelines.
Policies and procedures relating to the use of removable media should include a requirement to scan any removable media device in a computer that is not connected to the ship’s controlled networks. If it is not possible to scan the removable media onboard, eg the laptop of a maintenance technician, then the scan could be done prior to boarding. Companies should consider notifying ports and terminals about the requirement to scan removable media prior to permitting the uploading of files onto a ship’s system. This scanning should be carried out when transferring the following file types:
• cargo files and loading plans, eg container ship BAPLIE files
• national, customs, and port authority forms
• bunkering and lubrication oil forms
• ship’s stores and provisions lists
• engineering maintenance files.
This list represents examples and should not be seen as exhaustive. Wherever possible, the files and forms should be transferred electronically or be downloaded directly from a trusted source without using removable media.
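An added example, not from the guidelines, of the validation step this section asks for before files from removable media reach a controlled system. It checks every file on the media against a SHA-256 manifest that the sender supplies through a separate channel. This verifies integrity, not origin: where the sender can sign files or the manifest, signature verification should be used instead of or in addition to the hash check. The sample files, manifest and paths are constructed for the example.

```python
"""Verify files on removable media against a hash manifest received through a
separate channel, before any file is copied to a controlled system. Every file
on the media must be listed with a matching SHA-256; listed files that are
absent, files whose hash differs, and files that are not listed at all each get
their own verdict, and the media is accepted only if every verdict is ok."""
import hashlib
import hmac

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed contents of the media (relative path -> bytes). Not real cargo or
# port data. The arrival form has been altered on the stick, and autorun.inf
# was never part of the transfer.
MEDIA = {
    "baplie/VESSEL_DEHAM_0519.edi": b"UNB+UNOA:2+AGENT+SHIP+190501:1200+1'UNH+1+BAPLIE:D:95B:UN'",
    "forms/port_authority_arrival.pdf": b"%PDF-1.4 constructed arrival form, altered on the stick\n",
    "autorun.inf": b"[autorun]\nopen=setup.exe\n",
}

def manifest_line(data, path):
    return f"{sha256_hex(data)}  {path}"

# Manifest as the sender produced it from the original files. Assumption: it
# arrives by a channel the media carrier cannot rewrite (e.g. e-mail from the
# agent); otherwise whoever tampers with the stick can also fix the manifest.
MANIFEST = "\n".join([
    manifest_line(MEDIA["baplie/VESSEL_DEHAM_0519.edi"], "baplie/VESSEL_DEHAM_0519.edi"),
    manifest_line(b"%PDF-1.4 constructed arrival form, as sent\n", "forms/port_authority_arrival.pdf"),
    manifest_line(b"%PDF-1.4 constructed bunker delivery note\n", "forms/bunker_delivery_note.pdf"),
])

def parse_manifest(text):
    """'<sha256 hex>  <path>' per line -> {path: digest}."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(None, 1)
        expected[path.strip()] = digest.lower()
    return expected

def verify_media(files, manifest_text):
    """Return {path: 'ok' | 'hash_mismatch' | 'not_in_manifest' | 'missing'}."""
    expected = parse_manifest(manifest_text)
    report = {}
    for path, data in files.items():
        if path not in expected:
            report[path] = "not_in_manifest"
        elif hmac.compare_digest(sha256_hex(data), expected[path]):
            report[path] = "ok"
        else:
            report[path] = "hash_mismatch"
    for path in expected:
        report.setdefault(path, "missing")
    return report

def accept(report):
    """Only media where every listed file is present and unaltered, and nothing
    else is on it, may be connected to a controlled system."""
    return bool(report) and all(verdict == "ok" for verdict in report.values())

if __name__ == "__main__":
    result = verify_media(MEDIA, MANIFEST)
    for path, verdict in sorted(result.items()):
        print(f"{verdict:16} {path}")
    print("accept media:", accept(result))
```

Treating an unlisted file as a failure, not just a warning, is deliberate: the bunker surveyor incident above turned on a file nobody intended to transfer, and a manifest check that only looks at the files it expects would never see it.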
Equipment disposal, including data destruction
Obsolete equipment can contain data which is commercially sensitive or confidential. Prior to disposal of the equipment, the company should have a procedure in place to ensure that the data held in obsolete equipment is properly destroyed and cannot be retrieved.
Obtaining support from ashore and contingency plans
Ships should have access to technical support in the event of a cyber attack. Details of this support and associated procedures should be available onboard. Please refer to chapter 6 of these guidelines for more information on contingency planning.
6 Establish contingency plans
When developing contingency plans for implementation onboard ships, it is important to understand the significance of any cyber incident and prioritise response actions accordingly.
Any cyber incident should be assessed in accordance with chapter 4 to estimate the impact on operations, assets etc. In most cases, and with the exception of load planning and management systems, a loss of IT systems onboard, including a data breach of confidential information, will be a business continuity issue and should not have any impact on the safe operation of the ship. In the event of a cyber incident affecting IT systems only, the priority may be the immediate implementation of an investigation and recovery plan.
The loss of OT systems may have a significant and immediate impact on the safe operation of the ship. Should a cyber incident result in the loss or malfunctioning of OT systems, it will be essential that effective actions are taken to help ensure the immediate safety of the crew, ship, cargo and protection of the marine environment. In general, appropriate contingency plans for cyber incidents, including the loss of critical systems and the need to use alternative modes of operation, should be addressed by the relevant operational and emergency procedures included in the safety management system.
Some of the existing procedures in the ship’s safety management system will already cover such cyber incidents. However, cyber incidents may result in multiple failures causing more systems to shut down at the same time. The contingency planning should take such incidents into consideration.
Disconnecting OT from shore network connection
Connections between shore and OT systems can be relevant in a wide range of applications like performance monitoring, predictive maintenance, and remote support, just to mention a few. Common for these systems is that they are not strictly necessary for operating the ship safely. However, they represent a potential attack vector to the systems that are needed for the ship’s safe operation. Therefore, it is relevant to assess when these connections are allowed and under what circumstances. Plans should be established specifying when such OT systems should be temporarily separated from the shore network connection to protect the ship’s safe operation. Disconnecting will help prevent the attacker from being able to manipulate safety critical systems or take direct control of the system. Disconnecting could also take place to avoid malware spreading between network segments.
To effectively shut down shore connections, it is important to have the network and connectivity services designed in such a way that the networks can be physically segregated quickly by removing a single network cable (eg marked in an odd colour) or powering off the firewall.
Safety management system
The safety management system will already include procedures for reporting accidents or hazardous situations and define levels of communication and authority for decision making. Where appropriate, such procedures should be amended to reflect communication and authority in the event of a cyber incident.
The following is a non-exhaustive list of cyber incidents which should be addressed in contingency plans onboard:
• loss of availability of electronic navigational equipment or loss of integrity of navigation related data
• loss of availability or integrity of external data sources, including but not limited to GNSS
• loss of essential connectivity with the shore, including but not limited to the availability of Global Maritime Distress and Safety System (GMDSS) communications
• loss of availability of industrial control systems, including propulsion, auxiliary systems and other critical systems, as well as loss of integrity of data management and control
• the event of a ransomware or denial of service incident.
Furthermore, it is important to help ensure that a loss of equipment or reliable information due to a cyber incident does not make existing emergency plans and procedures ineffective. Contingency plans and related information should be available in a non-electronic form as some types of cyber incidents can include the deletion of data and shutdown of communication links.
There may be occasions when responding to a cyber incident may be beyond the competencies onboard or at head office due to the complexity or severity of such incidents. In these cases, external expert assistance may be required (for example, post event forensic analysis and clean-up).
7 Respond to and recover from cyber security incidents
It is important to understand that cyber incidents may not disappear by themselves. If, for example, the ECDIS has been infected with malware, starting up the back-up ECDIS may cause another cyber incident. It is, therefore, recommended to plan how to carry out the cleaning and restoring of infected systems.
Knowledge about previously identified cyber incidents should be used to improve the response plans of all ships in the company’s fleet and an information strategy for such incidents may be considered.
7.1 Effective response
A team, which may include a combination of onboard and shore-based personnel and/or external experts, should be established to take the appropriate action to restore the IT and/or OT systems so that the ship can resume normal operations. The team should be capable of performing all aspects of the response.
An effective response should at least consist of the following steps:
1. Initial assessment. To help ensure an appropriate response, the response team should find out:
  • how the incident occurred
  • which IT and/or OT systems were affected and how
  • the extent to which the commercial and/or operational data is affected
  • to what extent any threat to IT and OT remains.
2. Recover systems and data. Following an initial assessment of the cyber incident, IT and OT systems and data should be cleaned, recovered and restored, so far as is possible, to an operational condition by removing threats from the system and restoring software. The content of a recovery plan is covered in section 7.2.
3. Investigate the incident. To understand the causes and consequences of a cyber incident, an investigation should be undertaken by the company, with support from an external expert, if appropriate. The information from an investigation will play a significant role in preventing a potential recurrence. Investigations into cyber incidents are covered in section 7.3.
4. Prevent a re-occurrence. Considering the outcome of the investigation mentioned above, actions to address any inadequacies in technical and/or procedural protection measures should be considered, in accordance with the company procedures for implementation of corrective action.
When a cyber incident is complex, for example if IT and/or OT systems cannot be returned to normal operation, it may be necessary to initiate the recovery plan alongside onboard contingency plans. When this is the case, the response team should be able to provide advice to the ship on:
• whether IT or OT systems should be shut down or kept running to protect data
• whether certain ship communication links with the shore should be shut down
• the appropriate use of any advanced tools provided in pre-installed security software
• the extent to which the incident has compromised IT or OT systems beyond the capabilities of existing recovery plans.
It is important for relevant personnel to execute regular cyber security exercises in order to help keep the response capability effective. Cyber security exercises could, where appropriate, be inspired by real-life events and can be simulations of large-scale incidents that escalate to become cyber crises. This offers an opportunity to analyse advanced technical cyber security incidents, but also to help address business continuity and crisis management.
7.2 Recovery plan
Recovery plans should be available in hard copy onboard and ashore. The purpose of the plan is to support the recovery of systems and data necessary to restore IT and OT to an operational state. To help ensure the safety of onboard personnel, the operation and navigation of the ship should be prioritised in the plan. The recovery plan should be understood by personnel responsible for cyber security. The detail and complexity of a recovery plan will depend on the type of ship and the IT, OT and other systems installed onboard.
The incident response team should consider carefully the implications of recovery actions (such as wiping of drives), which may result in the destruction of evidence that could provide valuable information as to the causes of an incident. Where possible, professional cyber incident response support should be obtained in order to assist in preservation of evidence whilst restoring operational capability.
As explained in section 5.1, a data recovery capability is a valuable technical protection measure. Data recovery capabilities are normally in the form of software backup for IT data. The availability of a software backup, either onboard or ashore, should enable recovery of IT to an operational condition following a cyber incident.
Recovery of OT may be more complex especially if there are no backup systems available and may require assistance from ashore. Details of where this assistance is available and by whom, should be part of the recovery plan, for example by proceeding to a port to obtain assistance from a service engineer.
If qualified personnel are available onboard, more extensive diagnostic and recovery actions may be performed. Otherwise, the recovery plan will be limited to obtaining quick access to technical support.
7.3 Investigating cyber incidents
Investigating a cyber incident can provide valuable information about the way in which a vulnerability was exploited. Companies should, wherever possible, investigate cyber incidents affecting IT and OT onboard in accordance with company procedures. A detailed investigation may require external expert support.
The information from an investigation can be used to improve the technical and procedural protection measures onboard and ashore. It may also help the wider maritime industry with a better understanding of maritime cyber risks. Any investigation should result in [18]:
• a better understanding of the potential cyber risks facing the maritime industry both onboard and ashore
• identification of lessons learned, including improvements in training to increase awareness
• updates to technical and procedural protection measures to prevent a recurrence.
7.4 Losses arising from a cyber incident
For insurers, the term “cyber” includes many different aspects and it is important to distinguish between them and their effects on insurance cover. Some insurers believe that there is no systemic risk to ships arising from a cyber incident and the impact of an incident will most likely be confined to a single ship.
Companies will be aware that specific non-marine insurance cover may be available to cover data loss and any resulting fines and penalties.
Companies should be able to demonstrate that they are acting with reasonable care in their approach to managing cyber risk and to protecting the ship from any damage that may arise from a cyber incident.
Cover for property damage
Generally, in many markets offering marine property insurance, the policy may cover loss or damage to the ship and its equipment caused by a shipping incident such as grounding, collision, fire or flood, even when the underlying cause of the incident is a cyber incident. It may be noted that currently in some markets, exclusion clauses for cyber attacks exist. If the marine policy contains an exclusion clause for cyber attacks, the loss or damage may not be covered.
Companies are recommended to check with their insurers/brokers in advance whether their policy covers claims caused by cyber incidents and/or by cyber attacks.
Guidelines for the market have been published, in which marine insurers are recommended to ask questions about a company’s cyber risk awareness and non-technical procedures. Companies should, therefore, expect a request for non-technical information regarding their approach to cyber risk management from insurers.
The limited data on the frequency, severity of loss or probability of physical damage resulting from cyber incidents, represents a challenge and means that standard pricing is not available.
[18] Based on CREST, Cyber Security Incident Response Guide, Version 1.
Cover for liability
It is recommended to contact the P&I Club for detailed information about cover provided to shipowners and charterers in respect of liability to third parties (and related expenses) arising from the operation of ships.
An incident caused, for example by malfunction of a ship’s navigation or mechanical systems because of a criminal act or accidental cyber attack, does not in itself give rise to any exclusion of normal P&I cover. In the event of a claim involving a cyber incident, claimants may well seek to argue that the claim arose as a result of an inadequate level of cyber preparedness. This, therefore, further stresses the importance of companies being able to demonstrate that they are acting with reasonable care in their approach to managing cyber risk and to protecting the ship.
It should be noted that many losses, which could arise from a cyber incident, are not in the nature of third-party liabilities arising from the operation of the ship and are therefore not covered by P&I insurance. For example, financial loss caused by ransomware, or costs of rebuilding scrambled data would not be identified in the coverage.
It should, however, be noted that normal P&I cover in respect of liabilities is subject to a war risk exclusion and cyber incidents in the context of a war or terror risk will not normally be covered.
ANNEX 1: Target systems, equipment and technologies
This annex provides a summary of potentially vulnerable systems and data onboard ships to assist companies with assessing their cyber risk exposure. Vulnerable systems, equipment and technologies may include:
Communication systems
• integrated communication systems
• satellite communication equipment
• Voice Over Internet Protocols (VOIP) equipment
• wireless networks (WLANs)
• public address and general alarm systems
• systems used for reporting mandatory information to public authorities.
Bridge systems
• integrated navigation system
• positioning systems (GPS, etc.)
• Electronic Chart Display Information System (ECDIS)
• Dynamic Positioning (DP) systems
• systems that interface with electronic navigation systems and propulsion/manoeuvring systems
• Automatic Identification System (AIS)
• Global Maritime Distress and Safety System (GMDSS)
• radar equipment
• Voyage Data Recorders (VDRs)
• other monitoring and data collection systems.
Propulsion and machinery management and power control systems
• engine governor
• power management
• integrated control system
• alarm system
• emergency response system.
Access control systems
• surveillance systems such as CCTV network
• Bridge Navigational Watch Alarm System (BNWAS)
• Shipboard Security Alarm Systems (SSAS)
• electronic “personnel-on-board” systems.
Cargo management systems
• Cargo Control Room (CCR) and its equipment
• onboard loading computers and computers used for exchange of loading information and load plan updates with the marine terminal and stevedoring company
• remote cargo and container sensing systems
• level indication system
• valve remote control system
• ballast water systems
• water ingress alarm system.
Passenger or visitor servicing and management systems
• Property Management System (PMS)
• electronic health records
• financial related systems
• ship passenger/visitor/seafarer boarding access systems
• infrastructure support systems like domain naming system (DNS) and user authentication/authorisation systems.
Passenger-facing networks
• passenger Wi-Fi or Local Area Network (LAN) internet access, for example where onboard personnel can connect their own devices [19]
• guest entertainment systems.
Core infrastructure systems
• security gateways
• routers
• switches
• firewalls
• Virtual Private Network(s) (VPN)
• Virtual LAN(s) (VLAN)
• intrusion prevention systems
• security event logging systems.
Administrative and crew welfare systems
• administrative systems
• crew Wi-Fi or LAN internet access, for example where onboard personnel can connect their own devices.
[19] This is not considered as Bring Your Own Device (BYOD). Devices are not used to access protected information. They can only be used for an individual’s personal, non-company, use.
ANNEX 2: Cyber risk management and the safety management system
IMO Resolution MSC.428(98) makes clear that an approved SMS should take into account cyber risk management when meeting the objectives and functional requirements of the ISM Code. The guidance provided in the Guidelines on maritime cyber risk management (MSC-FAL.1/Circ.3) provides high level recommendations regarding the elements of an appropriate approach to implementing cyber risk management. The guidance in this annex is designed to provide the minimum measures that all companies should consider implementing so as to address cyber risk management in an approved SMS.
IDENTIFY [20]
Roles and responsibilities [21]
ISM Code: 3.2 | Industry Guidelines: 1.1
Action: Update the safety and environment protection policy to include reference to the risk posed by unmitigated cyber risks.
Remarks: An updated safety and environment protection policy should demonstrate:
• a commitment to manage cyber risks as part of the overall approach to safety management (including safety culture) and protection of the environment
• an understanding that CRM has both safety and security aspects, but the emphasis is on managing the safety risks introduced by OT, IT and networks
• an understanding that without appropriate technical and procedural risk protection and control measures, OT is vulnerable to disruption affecting the safe operation of a ship and protection of the environment.
Nothing in the updated policy should suggest that CRM is given any more or less attention than any other risks identified by the company.
ISM Code: 3.3 | Industry Guidelines: 1.1
Action: Update the responsibility and authority information provided in the SMS to include appropriate allocation of responsibility and authority for cyber risk management (CRM).
Remarks: In general, IT personnel should understand potential vulnerabilities in computer-based systems and know the appropriate technical and procedural protection measures to help ensure the availability and integrity of systems and data. Operational and technical personnel should generally understand the safety and environmental impacts of disruption to critical systems [22] onboard ships and are responsible for the SMS. Allocation of responsibility and authority may need to be updated to enable CRM. This should include:
• allocation of responsibilities and authorities which encourage cooperation between IT personnel (which may be provided by a third party) and the company’s operational and technical personnel
• incorporating compliance with cyber risk management policies and procedures into the existing responsibility and authority of the Master.
ISM Code: 6.5 | Industry Guidelines: 5.2
Action: Using existing company procedures, identify any training which may be required to support the incorporation of cyber risk management into the SMS.
Remarks: Cyber awareness training is not a mandatory requirement. Notwithstanding this, training is a protection and control measure that forms the basis of CRM. It helps to ensure that personnel understand how their actions will influence the effectiveness of the company’s approach to CRM. Existing company procedures for identifying training requirements should be used to assess the benefits and need for:
• all company personnel to receive basic cyber awareness training in support of the company’s CRM policies and procedures
• company personnel, who have been assigned CRM duties, to receive a type and level of cyber training appropriate to their responsibility and authority.
Identify systems, assets, data and capabilities that, when disrupted, pose risks to ship operations
ISM Code: 10.3 | Industry Guidelines: 3 & 4
Action: Using existing company procedures, identify equipment and technical systems (OT and IT) the sudden operational failure of which may result in hazardous situations.
Remarks: An approved SMS will already identify the equipment and technical systems (including OT and IT), and capabilities, which may cause hazardous situations if they become unavailable or unreliable. The impacts should already have been documented in an approved SMS. However, an approved SMS, which incorporates CRM will also need to address data in the context of sudden operational failure. Loss of availability or integrity of data used by critical systems can have the same impact on safety and protection of the environment as the system becoming unavailable or unreliable for some other reason. Consequently, it is recommended that the list of equipment and technical systems, should be supplemented by a list of the data used by those systems and its source(s).
[20] Identify, Protect, Detect, Respond and Recover as described in the Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3).
[21] Functional element from the Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3).
[22] For the purpose of this annex, “critical systems” means the OT, IT, software and data the sudden operational failure or unavailability of which is identified by the company as having the potential to result in hazardous situations.
PROTECT
Implement risk control measures
ISM Code: 1.2.2.2 | Industry Guidelines: 5 and Annex 1
Action: Assess all identified risks to ships, personnel and the environment and establish appropriate safeguards.
Remarks: The full scope of risk control measures implemented by the company should be determined by a risk assessment, taking into account the information provided in these guidelines. As a baseline, the following measures should be considered before a risk assessment is undertaken. The baseline consists of the technical and procedural measures, which should be implemented in all companies to the extent appropriate. These measures are:
• Hardware inventory – Develop and maintain a register of all critical system hardware onboard, including authorized and unauthorized devices on company controlled networks. The SMS should include procedures for maintaining this inventory throughout the operational life of the ship.
• Software inventory – Develop and maintain a register of all authorized and unauthorized software running on company-controlled hardware onboard, including version and update status. The SMS should be updated to include procedures for:
  • maintaining this inventory when hardware controlled by the company is replaced
  • maintaining this inventory when software controlled by the company is updated or changed
  • authorizing the installation of new or upgraded software on hardware controlled by the company
  • prevention of installation of unauthorized software, and deletion of such software if identified
  • software maintenance.
• Map data flows – Map data flows between critical systems and other equipment/technical systems onboard and ashore, including those provided by third parties. Vulnerabilities identified during this process should be recorded and securely retained by the company. The SMS should be updated to include procedures for:
  • maintaining the map of data flows to reflect changes in hardware, software and/or connectivity
  • identifying and responding to vulnerabilities introduced when new data flows are created following the installation of new hardware
  • reviewing the need for connectivity between critical systems and other OT and IT systems. Such a review should be based on the principle that systems should only be connected where there is a need for the safe and efficient operation of the ship, or to enable planned maintenance
  • controlling the use of removable media, access points and the creation of ad-hoc or uncontrolled data flows. This may be achieved by restrictions on the use of removable media and disabling USB and similar ports on critical systems.
• Implement secure configurations for all hardware controlled by the company – This should include documenting and maintaining commonly accepted security configuration standards for all authorized hardware and software. The SMS should include policies on the allocation and use of administrative privileges by ship and shore-based personnel, and third parties. However, it is not recommended that the details of secure configurations are included in the SMS. This information should be retained separately and securely by the company.
• Audit logs – Security logs should be maintained and periodically reviewed. Security logging should be enabled on all critical systems with this capability. The SMS should be updated to include procedures for:
  • policies and procedures for the maintenance of security logs and periodic review by competent personnel as part of the operational maintenance routine
  • procedures for the collation and retention of security logs by the company, if appropriate.
• Awareness and training – See line 3 above.
• Physical security – The physical security of the ship is enhanced by compliance with the security measures addressed in the ship security plan (SSP) required by the ISPS Code. Measures should be taken to restrict access and prevent unauthorized access to critical system network infrastructure onboard.
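The hardware and software inventory measures above only pay off if the registers are periodically reconciled against what is actually present onboard. The following is an added example (not code from the guidelines or from any of the sponsoring organisations) of such a reconciliation: the hardware register keys devices by MAC address and the segment they are authorised on, the software register records the minimum approved version of each package, and the observed devices and installed packages are constructed sample data standing in for a DHCP lease table, switch MAC table or endpoint agent report.

```python
"""Reconcile observed onboard devices and software against the company register.

Added illustration, not code from the guidelines: the register formats,
MAC addresses, hostnames, package names and versions are all constructed.
"""
from dataclasses import dataclass

# Hardware register: MAC -> (description, segment it is authorised on). Constructed sample.
HARDWARE_REGISTER = {
    "00:1a:2b:3c:4d:01": ("ECDIS workstation", "OT"),
    "00:1a:2b:3c:4d:02": ("Engine control PLC", "OT"),
    "00:1a:2b:3c:4d:10": ("Master's office PC", "IT"),
    "00:1a:2b:3c:4d:11": ("Loading computer", "IT"),
}

# Authorised software register: package -> minimum approved version. Constructed sample.
SOFTWARE_REGISTER = {
    "ecdis-suite": (4, 2, 0),
    "antivirus-agent": (12, 0, 3),
    "loading-calc": (7, 1, 0),
}


@dataclass(frozen=True)
class Finding:
    category: str   # unregistered-device, wrong-segment, unauthorised-software, outdated-software
    subject: str
    detail: str


def parse_version(text):
    """'4.2.1' -> (4, 2, 1); non-numeric parts compare as 0 so comparison never raises."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def reconcile_hardware(observed):
    """observed: iterable of (mac, segment) pairs, e.g. from DHCP leases or switch MAC tables."""
    findings = []
    for mac, segment in observed:
        entry = HARDWARE_REGISTER.get(mac.lower())
        if entry is None:
            findings.append(Finding("unregistered-device", mac, f"seen on {segment} segment"))
        elif entry[1] != segment:
            findings.append(Finding("wrong-segment", mac,
                                    f"{entry[0]} registered on {entry[1]}, seen on {segment}"))
    return findings


def reconcile_software(host, installed):
    """installed: dict package -> version string as reported by the host."""
    findings = []
    for package, version in installed.items():
        minimum = SOFTWARE_REGISTER.get(package)
        if minimum is None:
            findings.append(Finding("unauthorised-software", f"{host}:{package}",
                                    f"version {version} is not in the register"))
        elif parse_version(version) < minimum:
            wanted = ".".join(map(str, minimum))
            findings.append(Finding("outdated-software", f"{host}:{package}",
                                    f"{version} is below approved {wanted}"))
    return findings


# Constructed observations: one IT device on the guest VLAN, one unknown device on OT
OBSERVED_DEVICES = [
    ("00:1A:2B:3C:4D:01", "OT"),
    ("00:1a:2b:3c:4d:02", "OT"),
    ("00:1a:2b:3c:4d:11", "Guest"),      # loading computer plugged into the guest network
    ("f4:5c:89:aa:bb:cc", "OT"),         # unknown laptop on the OT segment
]
OBSERVED_SOFTWARE = {
    "ecdis-ws-1": {"ecdis-suite": "4.2.1", "antivirus-agent": "11.9.0"},
    "loading-pc": {"loading-calc": "7.1.0", "remote-desktop-tool": "3.0"},
}


def run_reconciliation():
    """Run both reconciliations over the constructed observations and return the findings."""
    findings = reconcile_hardware(OBSERVED_DEVICES)
    for host, installed in OBSERVED_SOFTWARE.items():
        findings.extend(reconcile_software(host, installed))
    return findings


if __name__ == "__main__":
    for f in run_reconciliation():
        print(f"{f.category:22} {f.subject:32} {f.detail}")
```

Each finding maps onto a non-conformity category that the DETECT part of this annex asks the SMS to report (unauthorised connection of personal devices, failure to comply with software maintenance procedures), so the output of a run like this can feed the existing non-conformity reporting procedure rather than a separate channel.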
Develop contingency plans
ISM Code: 7 | Industry Guidelines: 6
Action: Update procedures, plans and instructions for key shipboard operations concerning the safety of the personnel, ship and protection of the environment which rely on OT.
Remarks: An approved SMS should already address procedures, plans and instructions for key shipboard operations concerning the safety of the personnel, ship and protection of the environment. In general, these plans should be unaffected by the incorporation of CRM into the SMS. This is because the effect of the loss of availability of OT, or loss of integrity of the data used or provided by such systems, is the same as if the OT was unavailable or unreliable for some other reason. Notwithstanding this, consideration should be given to developing instructions on the actions to be taken if disruption to critical systems is suspected. This could include procedures for reverting to back-up or alternative arrangements as a precaution whilst any suspected disruption is investigated. Procedures for periodically checking the integrity of information provided by OT to operators should be considered for inclusion in operational maintenance routines.
ISM Code: 8.1 | Industry Guidelines: 6
Action: Update emergency plans to include responses to cyber incidents.
Remarks: An approved SMS should already address emergency plans for the disruption of critical systems required for the safe operation of ships and protection of the environment. In general, these plans should be unaffected by the incorporation of cyber risk management into safety management systems. This is because the effect of common shipboard emergencies should be independent of the root cause. For example, a fire may be caused by equipment malfunctioning because of a software failure or inappropriate maintenance or operation of the equipment. Notwithstanding the above, consideration should be given to the development of a cyber incident module in the integrated system of shipboard emergency plans for significant disruption to the availability of OT or the data used by them. The purpose of the module could be to provide information on the actions to be taken in the event of a simultaneous disruption to multiple OT systems required for the safe operation of the ship and protection of the environment. In this more complex situation, additional information on appropriate immediate actions to be taken in response may be necessary.
DETECT
Develop and implement activities necessary to detect a cyber-event in a timely manner
ISM Code: 9.1 | Industry Guidelines: 5.1
Action: Update procedures for reporting non-conformities, accidents and hazardous situations to include reports relating to cyber incidents.
Remarks: An approved SMS should already address procedures relating to non-conformities. When incorporating CRM into the SMS, company reporting requirements for non-conformities may need to be updated to include cyber related non-conformities. Examples of such non-conformities and cyber incidents:
• unauthorised access to network infrastructure
• unauthorized or inappropriate use of administrator privileges
• suspicious network activity
• unauthorised access to critical systems
• unauthorised use of removable media
• unauthorised connection of personal devices
• failure to comply with software maintenance procedures
• failure to apply malware and network protection updates
• loss or disruption to the availability of critical systems
• loss or disruption to the availability of data required by critical systems.
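Several of the non-conformities listed above leave traces in the security logs that the PROTECT baseline asks the company to keep and review. As an added example (not code from the guidelines), the script below runs four simple rules over a constructed set of syslog-style lines: administrator privilege use by an account that is not on the authorised list, a removable device appearing on a critical system, a burst of failed remote logins from one source, and a failed malware signature update. The host names, account names, authorised-administrator set and log formats are all assumptions made for the example.

```python
"""Flag cyber-related non-conformities in a batch of security log lines.

Added example, not from the guidelines: the log lines, host names, account
names and the authorised-administrator list are constructed.
"""
import re
from collections import Counter

AUTHORISED_ADMINS = {"it-admin", "chief-eng"}     # constructed: accounts allowed to use sudo
CRITICAL_HOSTS = {"ecdis-ws-1", "engine-hmi"}      # constructed: systems where USB ports must stay unused
FAILED_LOGIN_THRESHOLD = 5

# Common syslog prefix: "Mar 03 08:12:01 hostname "
PREFIX = r"^(?P<ts>\w{3} \d{2} [\d:]{8}) (?P<host>\S+) "
SUDO_RE = re.compile(PREFIX + r"sudo: (?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")
USB_RE = re.compile(PREFIX + r"kernel: usb .*New USB device found")
SSH_FAIL_RE = re.compile(PREFIX + r"sshd\[\d+\]: Failed password for .* from (?P<src>[\d.]+)")
AV_FAIL_RE = re.compile(PREFIX + r"av-agent: signature update FAILED for host (?P<target>\S+)")


def review_logs(lines):
    """Return (category, host, detail) tuples for the non-conformities found in the lines."""
    findings = []
    failed_logins = Counter()
    for line in lines:
        if m := SUDO_RE.match(line):
            if m["user"] not in AUTHORISED_ADMINS:
                findings.append(("unauthorised use of administrator privileges", m["host"],
                                 f"{m['user']} ran {m['cmd']}"))
        elif m := USB_RE.match(line):
            if m["host"] in CRITICAL_HOSTS:
                findings.append(("unauthorised use of removable media", m["host"],
                                 "USB device attached to a critical system"))
        elif m := SSH_FAIL_RE.match(line):
            failed_logins[(m["host"], m["src"])] += 1
        elif m := AV_FAIL_RE.match(line):
            findings.append(("failure to apply malware and network protection updates", m["target"],
                             line.split("av-agent: ", 1)[1]))
    # Failed logins are only a finding once they exceed the threshold for one host/source pair
    for (host, src), count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("suspicious network activity", host, f"{count} failed SSH logins from {src}"))
    return findings


# Constructed log lines; the crew-pc USB event is not on a critical host and should not be flagged
SAMPLE_LOG = [
    "Mar 03 08:12:01 ecdis-ws-1 sudo: crew2 : TTY=pts/0 ; USER=root ; COMMAND=/usr/bin/apt install unknown-tool",
    "Mar 03 08:15:42 engine-hmi kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567",
] + [
    f"Mar 03 08:20:{10 + i:02d} loading-pc sshd[2211]: Failed password for invalid user admin "
    f"from 10.30.0.23 port {51544 + i} ssh2"
    for i in range(6)
] + [
    "Mar 03 09:00:00 av-server av-agent: signature update FAILED for host engine-hmi (last success 2024-01-10)",
    "Mar 03 09:05:11 ecdis-ws-1 sudo: it-admin : TTY=pts/1 ; USER=root ; COMMAND=/usr/bin/systemctl restart chartd",
    "Mar 03 09:10:30 crew-pc kernel: usb 2-1: New USB device found, idVendor=0951, idProduct=1666",
]


def run_review():
    """Review the constructed sample log and return its findings."""
    return review_logs(SAMPLE_LOG)


if __name__ == "__main__":
    for category, host, detail in run_review():
        print(f"{category:55} {host:12} {detail}")
```

The rules are deliberately narrow and tied to the company's own registers (who may administer, which hosts are critical), which is what keeps the review tractable for the competent person the annex expects to perform it as part of the operational maintenance routine.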
RESPOND
Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations and/or services impaired due to a cyber-event
ISM Code: 3.3 | Industry Guidelines: 7.1
Action: Ensure that adequate resources and shore-based support are available to support the DPA in responding to the loss of critical systems.
Remarks: An approved SMS should already be supported by adequate resources to support the DPA. However, the incorporation of CRM into the SMS should require that this resourcing includes appropriate IT expertise. This resource could come from within the company but may also be provided by a third party. In providing the adequate resources, the following should be considered:
• company or third party technical support should be familiar with onboard IT and OT infrastructure and systems
• any internal response team or external cyber emergency response team (CERT) should be available to provide timely support to the DPA
• provision of an alternative means of communication between the ship and the DPA, which should be able to function independently of all other shipboard systems, if and when the need arises
• internal audits should confirm that adequate resources, including third parties when appropriate, are available to provide support in a timely manner to support the DPA.
ISM Code: 9.2 | Industry Guidelines: 7.1
Action: Update procedures for implementing corrective actions to include cyber incidents and measures to prevent recurrence.
Remarks: An approved SMS should already include procedures for responding to non-conformities. In general, these should not be affected by the incorporation of CRM in SMS. However, the procedures should help ensure that consideration of non-conformities and corrective actions involves the personnel with responsibility and authority for CRM. This should help ensure that corrective actions, including measures to prevent recurrence, are appropriate and effective.
ISM Code: 10.3 | Industry Guidelines: 7.1
Action: Update the specific measures aimed at promoting the reliability of OT.
Remarks: An approved SMS should already include procedures for operational maintenance routines to promote the reliability of equipment onboard. A SMS, which incorporates CRM, should outline procedures for:
• Software maintenance as a part of operational maintenance routines – Such procedures should ensure that application of software updates, including security patches, are applied and tested in a timely manner, by a competent person.
• Authorizing remote access, if necessary and appropriate, to critical systems for software or other maintenance tasks – This should include authorizing access in general (including verification that service providers have taken appropriate protective measures themselves) and for each specific remote access session.
• Preventing the application of software updates by service providers using uncontrolled or infected removable media.
• Periodic inspection of the information provided by critical systems to operators and confirmation of the accuracy of this information when critical systems are in a known state.
• Controlled use of administrator privileges to limit software maintenance tasks to competent personnel.
RECOVERY
Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber incident
ISM Code: 10.4 | Industry Guidelines: 5.1 and 7.2
Action: Include creation and maintenance of back-ups into the ship’s operational maintenance routine.
Remarks: An approved SMS should already include procedures for maintaining and testing back-up arrangements for shipboard equipment. Notwithstanding this, it may not address procedures for maintaining and storing offline back-ups for data and systems required for the safe operation of the ship and protection of the environment. A SMS, which incorporates CRM, should include procedures for:
• checking back-up arrangements for critical systems, if not covered by existing procedures
• checking alternative modes of operation for critical systems, if not covered by existing procedures
• creating or obtaining back-ups, including clean images for OT to enable recovery from a cyber incident
• maintaining back-ups of data required for critical systems to operate safely
• offline storage of back-ups and clean images, if appropriate
• periodic testing of back-ups and back-up procedures.
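A clean image that has been altered, or a back-up set with files missing, is of little use when the recovery plan in section 7.2 is invoked, so the periodic testing asked for above should include an integrity check and not only a restore test. The following is an added example (not code from the guidelines) of the simplest form of that check: a manifest of SHA-256 digests is taken when the back-up is known good and compared against the stored copy later. The directory layout and file contents are constructed in a temporary directory so the script runs offline; in practice the manifest would be kept apart from the back-up media (offline, or on the shore side) so that whoever tampers with the image cannot also rewrite the manifest.

```python
"""Build and verify an integrity manifest for an offline back-up or clean image.

Added example, not from the guidelines: the directory layout and file
contents are constructed in a temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Digest a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest):
    """Compare the current state of root with a manifest taken when the back-up was known good."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo_backup_check():
    """Create a constructed back-up set, record its manifest, then tamper with it and re-verify.

    Returns (result when clean, result after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "ecdis-clean-image"          # constructed back-up set
        (backup / "config").mkdir(parents=True)
        (backup / "system.img").write_bytes(b"\x00" * 4096)
        (backup / "config" / "routes.xml").write_text("<routes/>")
        (backup / "config" / "users.cfg").write_text("master:operator\n")
        manifest = build_manifest(backup)                  # store this separately from the back-up
        clean = verify_manifest(backup, manifest)
        # Simulate what a periodic test is meant to catch: one byte changed, one file gone, one added
        (backup / "system.img").write_bytes(b"\x00" * 4095 + b"\x01")
        (backup / "config" / "users.cfg").unlink()
        (backup / "config" / "extra.bin").write_bytes(b"not part of the image")
        tampered = verify_manifest(backup, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo_backup_check()
    print("clean   :", clean)
    print("tampered:", tampered)
```

Any non-empty list in the result is a reason not to trust that back-up for recovery and to raise a non-conformity under the reporting procedure in the DETECT row above.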
ANNEX 3: Onboard networks
A secure network depends on the IT/OT setup onboard the ship, and the effectiveness of the company policy based on the outcome of the risk assessment. Control of entry points and physical network control on an existing ship may be limited because cyber risk management had not been considered during the ship’s construction. It is recommended that network layout and network control should be planned for all new buildings.
Direct communication between an uncontrolled and a controlled network should be prevented. Furthermore, several protection measures should be added:
• implement network separation and/or traffic management
• manage encryption protocols to ensure correct level of privacy and commercial communication
• manage use of certificates to verify origin of digitally signed documents, software or services.
In general, only equipment or systems that need to communicate with each other over the network should be able to do so. The overriding principle should be that the networking of equipment or systems is determined by operational need.
Physical layout
The physical layout of the network should be carefully considered. It is important to consider the physical location of essential network devices, including servers, switches, firewalls and cabling. This will help restrict access and maintain the physical security of the network installation and control of entry points to the network.
Network management
Any network design will need to include an infrastructure for administering and managing the network. This may include installing network management software on dedicated workstations and servers providing file sharing, email and other services to the network.
Network segmentation
Onboard networks should normally accommodate the following:
1. necessary communication between OT equipment
2. configuration and monitoring of OT equipment
3. onboard administrative and business tasks including email and sharing business related files or folders (IT networks)
4. recreational internet access for crew and/or passengers/visitors.
Effective network segmentation is a key aspect of “defence in depth”. OT, IT and public networks should be separated or segmented by appropriate protection measures. The protection measures used may include, but are not limited to an appropriate combination of the following:
• a perimeter firewall between the onboard network and the internet
• network switches between each network segment
• internal firewalls between each network segment
• Virtual Local Area Networks (VLAN) to host separate segments.
In addition, each segment should have its own range of Internet Protocol (IP) addresses. Network segmentation does not remove the need for systems within each segment to be configured with appropriate network access controls and software firewalls and malware detection.
Figure 2: Example of an onboard network (diagram not reproduced in this text; it shows the Internet reached via Fleet broadband and a 4G router, a Firewall with a VPN connection and a network connection, and behind the firewall the Business administration network, the OT network and the Guest network with Wi-Fi).
In the example shown above, the network has been segmented using a perimeter firewall, which supports three VLANs:
1. the OT Network containing equipment and systems, that performs safety critical functions
2. the IT network containing equipment and systems, that performs administrative or business functions
3. a crew and guest network, providing uncontrolled internet access.
Considerations should be made on how to maximise the security of the switches themselves. To achieve the highest level of security, each network should use a different hardware switch. This will minimise the chance of an attacker jumping between networks due to misconfiguration or by acquiring access to the configuration of a switch.
A correctly configured and appropriate firewall is an important element of the proper segmentation of a network installation. The onboard installation should be protected by at least a perimeter firewall to control traffic between the internet and the onboard network. To prevent any unintended communication taking place, the firewall should be configured by default to deny all communication. Based on this configuration, rules should be implemented. The rules should be designed to allow the passage of data traffic that is essential for the intended operation of that network.
For example, if a specific endpoint receives updates from the internet, the rule should allow the specific endpoint to connect specifically to the server handling the specific update service. Enabling general internet access to a specified endpoint for updates is not recommended.
Uncontrolled networks like a crew or passenger network should not be allowed any communication with the controlled networks. The uncontrolled network should be considered as unsafe as the internet, since the devices connecting to it are unmanaged, their security status (antivirus, updates, etc.) is unknown and their users could be acting maliciously, intentionally or unintentionally.
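The three points just made (default deny, a rule scoped to one endpoint and one update server, and no path from the guest network into the controlled segments) can be checked before a ruleset is loaded onto a firewall. The following is an added example (not code from the guidelines, and not tied to any particular firewall product) that models a first-match rule list with a drop default for the three-VLAN layout of Figure 2, evaluates a handful of flows under the recommended ruleset and under the not-recommended "general internet access for the update endpoint" variant, and renders the recommended list as an nftables forward chain. The VLAN address ranges, the update endpoint, the update server address (taken from the documentation range) and the table name are constructed placeholders.

```python
"""Model a default-deny perimeter policy for the three-VLAN layout and evaluate sample flows.

Added example, not code from the guidelines: segment address ranges, the update
endpoint, the update server and the nftables table name are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed VLAN address ranges: each segment has its own IP range
SEGMENTS = {
    "OT": ip_network("10.10.0.0/24"),
    "IT": ip_network("10.20.0.0/24"),
    "GUEST": ip_network("10.30.0.0/24"),
}
ANY = ip_network("0.0.0.0/0")
UPDATE_ENDPOINT = ip_network("10.20.0.10/32")   # the one IT host that fetches updates (constructed)
UPDATE_SERVER = ip_network("203.0.113.10/32")   # vendor update server (constructed, documentation range)


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in self.src and ip_address(dst) in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, src, dst, proto, dport):
    """First matching rule wins; no match falls through to the default policy, which is drop."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "drop"


# Guest traffic may reach the internet only after explicit drops towards the controlled segments
GUEST_RULES = [
    Rule("drop", SEGMENTS["GUEST"], SEGMENTS["OT"]),
    Rule("drop", SEGMENTS["GUEST"], SEGMENTS["IT"]),
    Rule("accept", SEGMENTS["GUEST"], ANY),
]
# Recommended: the specific endpoint may reach the specific update service only
SPECIFIC_RULES = GUEST_RULES + [Rule("accept", UPDATE_ENDPOINT, UPDATE_SERVER, "tcp", 443)]
# Not recommended: general internet access for the update endpoint
BROAD_RULES = GUEST_RULES + [Rule("accept", UPDATE_ENDPOINT, ANY)]

# Constructed flows: (src, dst, proto, dport)
FLOWS = {
    "guest -> OT PLC (tcp/502)": ("10.30.0.23", "10.10.0.5", "tcp", 502),
    "guest -> internet (tcp/443)": ("10.30.0.23", "198.51.100.7", "tcp", 443),
    "update endpoint -> update server (tcp/443)": ("10.20.0.10", "203.0.113.10", "tcp", 443),
    "update endpoint -> update server (tcp/22)": ("10.20.0.10", "203.0.113.10", "tcp", 22),
    "update endpoint -> other internet host (tcp/80)": ("10.20.0.10", "198.51.100.7", "tcp", 80),
    "OT PLC -> IT file server (tcp/445)": ("10.10.0.5", "10.20.0.20", "tcp", 445),
}


def compare_policies():
    """Return {flow label: (verdict under SPECIFIC_RULES, verdict under BROAD_RULES)}."""
    return {label: (evaluate(SPECIFIC_RULES, *flow), evaluate(BROAD_RULES, *flow))
            for label, flow in FLOWS.items()}


def to_nftables(rules, table="ship_fw"):
    """Render the rule list as an nftables forward chain whose policy is drop.

    The established/related rule lets replies to accepted flows through; the
    evaluator above is stateless and does not model it."""
    lines = [f"table inet {table} {{", "    chain forward {",
             "        type filter hook forward priority 0; policy drop;",
             "        ct state established,related accept"]
    for r in rules:
        parts = []
        if r.src != ANY:
            parts.append(f"ip saddr {r.src}")
        if r.dst != ANY:
            parts.append(f"ip daddr {r.dst}")
        if r.dport is not None:
            parts.append(f"{r.proto} dport {r.dport}")
        elif r.proto != "any":
            parts.append(f"ip protocol {r.proto}")
        lines.append("        " + " ".join(parts + [r.action]))
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for label, (specific, broad) in compare_policies().items():
        print(f"{label:50} specific={specific:6} broad={broad}")
    print(to_nftables(SPECIFIC_RULES))
```

The comparison makes the text's point concrete: under the broad rule the update endpoint can reach any internet host on any port, so a compromised endpoint or a poisoned update source has an open path out, whereas the specific rule leaves every other destination at the drop default. The rendered nftables chain is a starting point for review, not a drop-in configuration; interface names, the OT/IT rules the operational need analysis produces, and logging of dropped traffic (see "Monitoring data activity" below) still have to be added.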
Monitoring data activity
It is important to monitor and manage systems to be aware of the networks’ status and to detect any unauthorised data traffic. Logging should be implemented in the firewall and ideally in all network-attached devices so that in case of a breach, the responsible person can trace back the source and methodology of the attack. This will help to secure the network from any similar attacks in the future.
A network Intrusion Detection System (IDS) or Intrusion Protection System (IPS) can alert the system administrator in real-time of any attacks to the network systems. The IDS and IPS inspect data traffic, entry points or both to identify known threats or to reject traffic, which does not comply with the security policy. An IPS should comply with the latest industry best practices and guidelines.
It is recommended to place a sensor on the internet-facing segment, because the public servers are a visible target to attackers. Another sensor should be placed behind the firewall, to monitor traffic between the internet and the internal network. An IDS/IPS sensor could also be placed by a remote-access segment, for instance a Virtual Private Network (VPN).
Protection measures
Protection measures should be implemented in a way that maintains the system’s integrity during normal operations as well as during a cyber incident. Every OT network onboard has several endpoints such as workstations, servers, routers, input and output modules, transducers etc. The endpoints are very important as they control the operation and the security of the system.
A single security product, technology or solution cannot adequately protect an OT system by itself. A multiple layer strategy involving two (or more) different overlapping security mechanisms is desired, so that the impact of a failure in any one mechanism is minimized (see chapter 5.1 defence-in-depth). In addition, an effective defence-in-depth strategy requires a thorough understanding of possible attack vectors on an OT system. These may include:
• backdoors and holes in network perimeter and instruments
• vulnerabilities in commonly used protocols
• vulnerable endpoints and sensors
• unprotected databases.
A secure running environment can be established by using a sandbox, which provides additional protection against cyber threats by isolating executable software from the underlying operating system. This prevents unauthorised access to the operating systems, on which the software is running. The sandbox enables software to be run under a specific set of rules and this adds control over processes and computer resources. Therefore, the sandbox helps prevent malicious, malfunctioning or untrusted software from affecting the rest of the system.
ANNEX 4: Glossary
Access control is selective limiting of the ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains or to control system components and functions.
Back door is a secret method of bypassing normal authentication and verification when accessing a system. A back door is sometimes created in hidden parts of the system itself or established by separate software.
Bring your own device (BYOD) allows employees to bring personally owned devices (laptops, tablets, and smartphones) to the ship and to use those devices to access privileged information and applications for business use.
Cyber attack is any type of offensive manoeuvre that targets IT and OT systems, computer networks, and/or personal computer devices and attempts to compromise, destroy or access company and ship systems and data.
Cyber incident is an occurrence, which actually or potentially results in adverse consequences to an onboard system, network and computer or to the information that they process, store or transmit, and which may require a response action to mitigate the consequences.
Cyber risk management means the process of identifying, analysing, assessing, and communicating a cyber-related risk and accepting, avoiding, transferring, or mitigating it to an acceptable level by taking into consideration the costs and benefits of actions taken by stakeholders.
Cyber system is any combination of facilities, equipment, personnel, procedures and communications integrated to provide cyber services; examples include business systems, control systems and access control systems.
Defence in breadth is a planned, systematic set of activities that seek to identify, manage, and reduce exploitable vulnerabilities in IT and OT systems, networks and equipment at every stage of the system, network, or sub-component life cycle. Onboard ships, this approach will generally focus on network design, system integration, operations and maintenance.
Defence in depth is an approach which uses layers of independent technical and procedural measures to protect IT and OT onboard.
Executable software includes instructions for a computer to perform specified tasks according to encoded instructions.
Firewall is a logical or physical break designed to prevent unauthorised access to IT infrastructure and information.
Firmware is software imbedded in electronic devices that provides control, monitoring and data manipulation of engineered products and systems. These are normally self-contained and not accessible to user manipulation.
Flaw is unintended functionality in software.
Intrusion Detection System (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
Intrusion Prevention System (IPS), also known as an Intrusion Detection and Prevention System (IDPS), is a network security appliance that monitors network and/or system activities for malicious activity and, unlike an IDS, can actively block or drop the traffic concerned.
Local Area Network (LAN) is a computer network that interconnects computers within a limited area such as a home, ship or office building, using network media.
Malware is a generic term for a variety of malicious software which can infect computer systems and impact their performance.
Operational technology (OT) includes devices, sensors, software and associated networking that monitor and control onboard systems.
Patches are software designed to update software or supporting data in order to improve the software or to address security vulnerabilities and other bugs in operating systems or applications.
Phishing refers to the process of deceiving recipients into sharing sensitive information with a third party.
Principle of least privilege refers to restricting the privileges of user accounts (and of the processes that run under them) to only those that are essential for their function.
Producer is the entity that manufactures the shipboard equipment and associated software.
Recovery refers to the activities after an incident required to restore essential services and operations in the short and medium term, and to fully restore all capabilities in the longer term.
Removable media is a collective term for all methods of storing and transferring data between computers. This includes laptops, USB memory sticks, CDs, DVDs and diskettes.
Risk assessment is the process which collects information and assigns values to risks as a basis on which to make decisions on priorities and to develop or compare courses of action.
Risk management is the process of identifying, analysing, assessing and communicating risk and accepting, avoiding, transferring or controlling it to an acceptable level, considering the associated costs and benefits of any actions taken.
Sandbox is an isolated environment in which a program may be executed without affecting the underlying system (computer or operating system) or any other applications. A sandbox is often used when executing untrusted software.
Service provider is a company or person who provides and performs software maintenance.
Social engineering is a method used to gain access to systems by tricking a person into revealing confidential information.
Software whitelisting means explicitly specifying the software that is permitted to be present and active on an IT or OT system, so that software not on the list cannot run.
Virtual Local Area Network (VLAN) is the logical grouping of network nodes. A virtual LAN allows geographically dispersed network nodes to communicate as if they were physically on the same network.
Virtual Private Network (VPN) enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network, thereby benefiting from the functionality, security and management policies of the private network.
Virus is a hidden, self-replicating section of computer software that maliciously infects and manipulates the operation of a computer program or system.
Wi-Fi, as the term is used in these guidelines, covers all short-range communications that use some part of the electromagnetic spectrum to send and/or receive information without wires.
ANNEX 5 Contributors to version 3 of the guidelines
The following organisations and companies have participated in the development of these guidelines:
Anglo-Eastern Group
Aspida
BIMCO
Chamber of Shipping of America (CSA)
ClassNK
COLUMBIA Shipmanagement Ltd
Cruise Lines International Association (CLIA)
CyberKeel
International Association of Dry Cargo Shipowners (INTERCARGO)
International Association of Independent Tanker Owners (INTERTANKO)
International Chamber of Shipping (ICS)
International Group of Protection & Indemnity Clubs
International Union of Marine Insurance (IUMI)
InterManager
Maersk Line
Moran Shipping Agencies, Inc.
NCC Group
Oil Companies International Marine Forum (OCIMF)
SOFTimpact Ltd
Templar Executives
World Shipping Council