MARITIME Cybersecurity for Critical Infrastructure

DNV GL Technology Week 2018

October 16, 2018

Ungraded

DNV GL © 2018, 16 October 2018. SAFER, SMARTER, GREENER

Slide 1: Your presenters today

Jan Hagen Andersen, P.E., DNV GL Maritime
• 27 years of experience in the maritime industry
• 13 years with DNV GL
• Head of Practice for Mechanical Systems and Engineering
• BD for Maritime; focus is on fleet performance management, environmental performance, cyber security, and novel technologies

Craig Reeds, Digital Solutions Americas
• Over 30 years of experience in cyber security
• CISSP – Certified Information Systems Security Professional
• CRISC – Certified in Risk and Information Systems Control
• Works with most of the critical infrastructure industries
• 4 years with DNV GL Digital Solutions

Slide 2: Agenda

8:30 – 8:45 Introduction Jan Andersen, Craig Reeds

8:45 – 9:00 You may already be under attack Craig Reeds

9:00 – 9:20 Safety in shipping heavily depends on cyber systems Jan Andersen

9:20 – 9:40 Challenges of Cyber Security in the Maritime Sector Craig and Jan

9:40 – 10:00 Break

10:00 – 10:30 What is the Threat and Where are the Risks Craig Reeds

10:30 – 10:45 Regulations, Standards and Best Practices Jan Andersen

10:45 – 11:00 Cyber Security Assessment Approach Craig Reeds

11:00 – 11:30 Questions, Discussion & Closing All speakers

Slide 3: Our leading position on Maritime Cyber Security is built and ensured through a competent cross-unit DNV GL team

Key building blocks:
• Maritime Class: leading class on Cyber Security (CS) with the ISDS (Integrated Software Dependent Systems) class notation, CS Recommended Practice, CS Type Approval, …
• Digital Solutions: cyber security competence centre with a resource pool of experts supporting growth
• Maritime Advisory: complete picture with maritime domain knowledge, hands-on experience and close customer contact as an advisor

Slide 4: Training Overview

Modules:
• Cyber Security – Intro: why is it suddenly an issue?
• Typical threats and how to recognize them
• User awareness
• Methods, tools and best practices to assess and mitigate the risks
• Analysis and mitigation

Learning objectives:
• Learn about maritime cyber security regulations
• Understand cyber security terminology
• Recognize malware types
• Be able to identify threats or vulnerabilities
• Learn how to organize awareness measures for your own company and practices to eliminate risks from social engineering

Slide 5: Cyber risks on ships and mobile offshore units: the context

Slide 6: Pirates 1.0 → 4.0

Slide 7: Being the early adopter…

Hugo Gernsback (1884-1967), Luxembourgish-American inventor, writer, editor and publisher, best known for publications including the first science fiction magazine.

Slide 8: Maritime & Offshore trends

Software & Automation

Crew size

Interconnectivity

Slide 9: Trends

• Cyber security threats are progressing and becoming a part of our daily business
• Regulations are evolving: IMO MSC.428(98) and MSC-FAL.1/Circ.3 (5 July 2017): “Stakeholders should take the necessary steps to safeguard shipping from current and emerging threats and vulnerabilities related to digitization, integration and automation of processes and systems in shipping…”
• The cyber security exclusion clause in insurance (Clause 380) is being challenged:
  – Owners expect complete insurance coverage
  – Underwriters need to properly manage their risks
  – Charterers through TMSA 3.0 & VIQ 7 (vetting)

Timeline of incidents:
2010: Drilling rig infected with malware
2011: Pirate cyber attack
2012: GPS jamming/spoofing
2013: Hacking of cargo tracking system
2014: U.S. port hacker attack
2016: Bulk carrier switchboard shuts down (ransomware)
2018+: What will the future bring?

Slide 10: Risk misconception and industry lack of understanding

• Difficulty in calculating risks linked to the thinking of the human criminal mind: RISK = IMPACT × LIKELIHOOD, where the likelihood is the unknown.
• Disbelief: “… a hacker gained control of a vessel…” / “Yeah right, there are too many barriers to get through…”

Slide 11: Transparency vs Awareness…

“There are two types of companies in the world: those that know they've been hacked, and those that don't.” Misha Glenny, British journalist who specialises in cybersecurity

Cyber security incidents are more common than officially admitted.

Slide 12: You may not know it yet, but you are under attack

• 2015: 64,199 reported IT security incidents – just the tip of the iceberg¹
  – 89% of breaches had a financial or espionage motive
• New threats arise:
  – Widespread ransomware
  – Orchestrated attacks on industrial control systems
  – Attacks can be rented as a service, lowering the entry bar
  – Government-sponsored attacks widespread
  – Cyber terrorism

¹ Source: 2016 Data Breach Investigations Report, Verizon

Slide 13: Information technology (IT) vs Operational technology (OT)

[Chart, IT: malware programs registered by year, 1984–2018, rising to over 800,000,000. The AV-TEST Institute registered approx. 14,000,000 new malicious programs during the month of April 2018 alone…]

[Chart, OT: attacks on industrial control systems, 2013–2016, up 110%.]

Sources: AV-TEST Institute, Germany; IBM Managed Security Services, 2016 report “Attacks Targeting Industrial Control Systems (ICS) Up 110 Percent”

Slide 14: WannaCry: Largest ransomware attack to date

Known affected organisations:
• Spain: Telefonica, power firm Iberdrola, utility provider Gas Natural and more large firms
• USA: FedEx
• France: Renault
• Germany: Deutsche Bahn
• Jakarta: two hospitals
• Russian Interior Ministry
• Britain’s National Health Service, Nissan car plant

“The latest count is over 200,000 victims in at least 150 countries” - Rob Wainwright, Europol Executive Director

Slide 17: Maritime can also be affected

Slide 18: NotPetya: Heavily impacting maritime industry players

• Arrived via an update to an accounting system in Ukraine (ME Doc)
• Spread like a worm from an infected machine
• Exploited a Windows SMB vulnerability (aka EternalBlue); the fix by Microsoft was released on March 14th (MS17-010)
• Spreads into the local network using exploits like EternalBlue and tools like PsExec and WMIC
• Encrypts the MFT (Master File Table) of NTFS partitions
• Overwrites the MBR (Master Boot Record) with a custom bootloader
• Shows a ransom note demanding USD 300, always to the same bitcoin wallet
• Prevents victims from booting their computer

“Big hack at Maersk puts Rotterdam's container terminal flat”
David Bremmer and Leon van Heel, AD, NL

Slide 19: NotPetya: Heavily impacting maritime industry players (continued)

The same incident, annotated with the management questions it raises for the maritime industry:
• Arrived via an update to an accounting system in Ukraine (ME Doc) → Software configuration management?
• Spread like a worm from an infected machine
• Exploited a Windows SMB vulnerability (aka EternalBlue); the fix by Microsoft was released on March 14th (MS17-010) → Software patch management?
• Spreads into the local network using exploits like EternalBlue and tools like PsExec and WMIC
• Encrypts the MFT (Master File Table) of NTFS partitions → Obsolescence management?
• Overwrites the MBR (Master Boot Record) with a custom bootloader
• Shows a ransom note demanding USD 300, always to the same bitcoin wallet → General situation in maritime?
• Prevents victims from booting their computer

Slide 20: Video: Jim Hagemann Snabe, A.P. Møller-Maersk CEO, at the World Economic Forum

Slide 21: …and in the maritime industry.

• German-owned 8,250 teu container vessel en route from Cyprus to Djibouti
• Navigation lost for 10 hours. “Suddenly the captain could not manoeuvre.”
• The attack was carried out by “pirates” who gained full control of the vessel’s navigation system, intending to steer it to an area where they could board and take over.

Image source: ARATINO, generic container vessel.

Source: FAIRPLAY- Tanya Blake, editor, Safety at Sea | 22 November 2017

Slide 22: Cyber security is not just a technical problem

• Top management is not involved or not walking the talk
• Vendors sell tools, not solutions
• It won’t happen to us, because…
  – We’re too small to be a target
  – Ships are not (always) connected to the internet
  – It never happened before
  – We have great antivirus/firewalls/snake oil technology in place
  – Only stupid companies get hit, and we are not stupid
  – We make people change their passwords often
• Balance between security and convenience: if it is hard to do it securely, people will be people
• Social engineering is the psychological manipulation of people into performing actions or divulging confidential information; it is boosted by privately used social media/networks
• Social engineering, social spam, phishing, like-jacking, … they all target people, not computer systems

Slide 23: Maritime cyber risk: fast changing trends. Why?

Slide 24: Safety in shipping today heavily depends on cyber systems

Information Technology (IT):
• IT networks
• E-mail
• Administration, accounts, crew lists, …
• Planned maintenance
• Spares management and requisitioning
• Electronic manuals and electronic certificates
• Permits to work
• Charter party, notice of readiness, bill of lading, …
At risk: mainly the on-shore organisation, finance and reputation.

Operational Technology (OT):
• PLCs
• SCADA
• On-board measurement and control
• ECDIS
• GPS
• Remote support for engines
• Data loggers
• Engine & cargo control
• Dynamic positioning, …
At risk: life, property and environment, plus all of the above.

Slide 25: The future holds more…

Digital wearables for crew

Enhancing passenger experience

Slide 26: Reported incidents around the world are increasing

• Pirate attack supported by cyber attack
• Hackers took “full control” of navigation systems for 10 h
• Loss of fuel control and ballast water valves due to an ECDIS update
• PMS system for shore and vessel hacked using a common login
• VSAT attack
• GPS jamming and spoofing
• Loss of main switchboard due to ransomware
• Hacking of cargo tracking system for smuggling purposes
• AIS spoofing
• ECDIS ransomware and chart spoofing
• NotPetya caused Maersk up to USD 300m loss
• Malware allows full access to vessel systems

Slide 27: Challenges of Cyber Security in the Maritime Sector

• Air-gap “prevents” cyber incidents
• Lack of understanding of the implications of cyber attacks on OT
• There is no real case publicized where a cyber incident resulted in serious damage to a vessel
• Increasing demand on the maritime industry to align cyber security with other industries
• Potential lack of insurance coverage due to cyber attacks
• No mandatory regulations on cyber security
• ISM/ISPS treats cyber risks the same as any other risk
• Existing class rules do not cover most of the risks

Slide 29: Cyber-threat targets

Slide 30: Commercial ships have potential for attackers

Risk factors:
• Limited education / awareness
• Age of technology deployed
• Limited and irregular network connectivity

Typical targets:
• Ransom (vessel or crew)
• Cargo theft (while on board or once landed)
• Theft of information
• External damage (weaponisation)

Mitigating factors:
• Limited number of persons on board
• Persons on board usually employees
• Low turnover
• Relatively simple systems

Slide 31: Offshore assets are potential targets as well

Risk factors:
• High number of personnel of various employers on board, turnover every hitch
• Budgets under pressure
• Somewhat limited and irregular network connectivity
• Complex chain of command

Typical targets:
• Ransom (vessel or crew)
• Cargo theft (while on board or once landed)
• Theft of information
• Terrorism

Mitigating factors:
• Persons on board usually employees or contractors
• Some rigs very well equipped with technology
• Regulations and safety culture

Slide 32: The maritime industry is generally not well prepared

In the next few minutes, we will discuss what makes the maritime industry vulnerable to cyber attacks.

Slide 33: Typical threats and how to recognize them. What is the threat?

Slide 34: Security properties and priorities (CIAA)

• Availability: ability of the system to provide access to its resources
• Confidentiality: information is not made available or disclosed to unauthorized entities, individuals or processes
• Integrity: accuracy and completeness
• Authenticity: property that an entity is what it claims to be

Slide 35: Understanding Cyber Security threats/risks

Nuts & bolts of a threat scenario:
• Threat agents
• Motivation
• Capability
• Physical infrastructure
• Opportunity (the overlap of Capability and knowledge of the Physical infrastructure)

Slide 36: Vessels are not alone at sea any more

• Remote support (IT, engines, machinery)
• E-mail and internet use
• ECDIS chart updates
• Planned maintenance system
• Noon reports, manifests, requisitioning
• Software updates
• Port activities
• …

Slide 37: Threats can be intentional or accidental

[Quadrant diagram: vertical axis from intentional (top) to unintentional (bottom), horizontal axis from untargeted (left) to targeted (right).]

• Intentional: spear-phishing, malware, backdoors, disgruntled employee, ransomware, falling victim to social engineering
• In between: social media, user error
• Unintentional: escaped proof-of-concept, runaway pentest, built-in software weaknesses

Slide 38: Many attackers use a technique called Social Engineering

Social Engineering is the art of tricking people into actions they later regret. Attackers may trick you into providing sensitive information, giving access to restricted systems or locations, or transferring money. They research facts about you, your vessel or your company from the web or social media. They then use this knowledge to gain your trust. Someone who knows so much about you already can easily pretend to be a colleague or a friend of a friend.

Slide 39: Phishing

Phishing is a form of social engineering where attackers fish for sensitive information like usernames or passwords. Often e-mails are used, hoping you will click on a link. Mails may appear to come from a bank or other service provider, requesting you to verify your account by entering personal details such as your password on a fake website. They may also claim to be from a colleague or your IT department. Attachments may be used to launch attacks when you open them. Always be careful when e-mails contain links or attachments; never click on them unless you are sure they are from a trusted source. If in doubt, contact the sender on a phone number or e-mail address you already know, not on a contact provided by the possible attacker. If the sender seems suspicious, play it safe and delete the e-mail. Phishing attacks may also be launched from hacked websites or smartphone apps.

Slide 40: Fake websites

Slide 41: E-mail attacks

E-mail is still a very important attack vector, as e-mail is cheap and nearly anonymous. E-mail is like a postcard: Everything can be faked, there is no inherent security in e-mail.

Slide 42: DNV GL received a major phishing attack

Note seemingly valid @dnvgl.com sender!

Slide 43: Sharing passwords

. Research indicates that nearly 7 out of 10 people would reveal their password in exchange for a chocolate bar!

• Never share your passwords with anyone – ever.
• Never use your company passwords for other services.
• Never change your passwords based on instructions you receive on the phone, in e-mail or through instant message systems – unless you are the one who initiated the need for the change.
• Writing your password down is acceptable as long as it is kept under control. If you want to write your passwords into a Word file, ensure that the file is encrypted.

Slide 45: Memory sticks

1. Never use a USB device that is not your own or that you know for sure can be 100% trusted.

2. USB sticks may contain malicious code that could harm your PC or even use your PC to spread themselves in the company network.

3. Antivirus software, personal firewall, spam filters and other security software and patches are installed in our PCs. These measures only help us part of the way however - We all need to be vigilant and think before acting.

4. Always remember: the last – and the strongest – line of defence is situated between the chair and the keyboard.

Slide 46: E-mail security

• E-mail has become a business critical application. We expect the messages to arrive instantly, as written, and kept away from curious eyes.
• Unfortunately this is not the case. There is no guarantee that the e-mail will reach its destination, that the content will not be tampered with, or that it will not be leaked.

The Internet mail system is based on a store-and-forward mechanism. Network and server problems can sometimes cause the message to be stuck on a server for a long time before it is sent on to the next system, towards its final destination.

Regular e-mails are sent in clear text. On every IT system the message passes, there are a number of people with system privileges to read your message – or even change its content.

There is no confidentiality when you send a regular, unencrypted e-mail.

Slide 49: E-mail security (continued)

• For these reasons business critical information should never be sent as regular e-mail, unless this has been accepted by the recipient. You should also verify that the message has been received if timing is essential.
• If you need to send confidential information, it can be included in a password protected file and sent as an attachment instead of regular text in the e-mail. The password may be sent as an SMS message to the recipient’s mobile phone.
• Keep in mind that you cannot trust the sender’s name and address when you receive e-mail. It is very easy to fake an identity on the Internet.
• There are even sites that offer “free services” where one can enter the bogus sender information, along with the text to be transmitted. The e-mail will then be sent to the target of the prank – or the crime.
• If you suspect a message not to be genuine, contact the sender to have it verified, preferably by phone, or by e-mail. Always re-type the sender’s e-mail address: clicking on the reply button will in most cases send your message back to the falsifier.
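The slides above (the DNV GL phishing e-mail with a seemingly valid company sender, and the point that the sender's name and address cannot be trusted) can be turned into a mechanical first check that a recipient or a mail gateway can run before anyone replies. The example below is added here and is not code from the DNV GL training: it compares the display name, the From address, Reply-To and Return-Path with each other and with an assumed company domain (`example.com`) and reports every mismatch. Both sample messages are constructed for the example.

```python
"""Sender-consistency checks for inbound e-mail headers.

Added example, not code from the DNV GL slides. It mechanises the slide's
point that the sender name and address of an e-mail cannot be trusted:
the display name, the From address, Reply-To and Return-Path are compared
with each other and with the company's own domain, and every mismatch is
returned as a finding to be verified out-of-band. The company domain and
both sample messages are constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for the example: the receiving company's mail domain.
COMPANY_DOMAIN = "example.com"

# Constructed sample: the display name pretends to be an internal address,
# while the real address and the Reply-To live on unrelated domains.
SPOOFED_MESSAGE = """\
Return-Path: <bounce-7f3@mail.example.net>
From: "it-support@example.com" <alerts@mail.example.net>
Reply-To: helpdesk@example-support.net
To: crew@example.com
Subject: Your password expires today

Reset your password now using the link below.
"""

# Constructed sample: name, address and envelope sender all agree.
CLEAN_MESSAGE = """\
Return-Path: <ops@example.com>
From: Fleet Operations <ops@example.com>
To: crew@example.com
Subject: Noon report reminder

Please submit today's noon report before 13:00 UTC.
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_sender(raw_message: str, company_domain: str = COMPANY_DOMAIN) -> list[str]:
    """Return the list of sender inconsistencies found in the message headers.

    An empty list means the visible sender is self-consistent; it does not
    prove the mail is genuine (a sender controlling a domain can make all
    headers agree), so findings are a trigger to verify by phone, as the
    slide advises, not a verdict.
    """
    msg = message_from_string(raw_message)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings: list[str] = []

    # 1. Display name that carries an address, or the company domain, while the
    #    real From address is somewhere else (the lookalike-sender trick).
    claimed = {d.lower() for d in re.findall(r"[\w.+-]+@([\w.-]+)", name)}
    for claimed_domain in sorted(claimed - {from_domain}):
        findings.append(
            f"display name claims @{claimed_domain} but the address is @{from_domain}"
        )
    if not claimed and company_domain in name.lower() and from_domain != company_domain:
        findings.append(
            f"display name mentions {company_domain} but the address is @{from_domain}"
        )

    # 2. Replies would go to a different domain than the one shown in From.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To is @{domain_of(reply_to)}, From is @{from_domain}")

    # 3. Envelope sender (Return-Path) from a different domain than From.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != from_domain:
        findings.append(f"Return-Path is @{domain_of(return_path)}, From is @{from_domain}")

    return findings


if __name__ == "__main__":
    for label, message in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, check_sender(message) or ["no inconsistencies"])
```

The spoofed sample yields two findings (the display name claims `@example.com` while the address is `@mail.example.net`, and Reply-To points at yet another domain); the clean sample yields none. A Return-Path on a different domain is common for legitimate bulk mail, so that finding is a prompt to look closer rather than a reason to discard the message.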

Slide 50: Malware: Viruses, Trojans and Worms

• Approximately 700,000 new malware samples are currently identified per month!
• Many websites are being compromised; visiting them may get unwanted program code installed on your PC.
• Once the malware is inside, it will try to spread itself to all other systems in the network, as well as “call home” to download more malicious code.
• Until the faulty programs have been corrected and a patch has been produced and installed on all relevant systems, we are vulnerable.

Slide 51: Malware: Dos and Don'ts

• Ensure that the antivirus software is running on your system and that it is frequently updated.
• Regularly check that your Internet Security settings are set correctly in Internet Explorer [Tools → Internet Options… → Security]. Verify that the security level for Internet is set to Medium or higher, and that Restricted Sites is set to High.
• Don’t use the PC for surfing on inappropriate sites on the Internet.
• Do not accept any requests for software updates or offers of added functionality when you are visiting web sites, as this may install a Trojan on your PC.

Slide 52: Free public network

• Free access may seem convenient: no username, or password, or credit card.
• Unfortunately, services named Free Public Network or Free Wi-Fi are not always what they appear to be.
• Criminals go to public places where people access the Internet using their computers, tablets and smart phones, and set up fake wireless services. When their victims connect to the Internet, data such as usernames and passwords are recorded as they pass through the criminal’s PC.
• Serious providers of access points require that you enter some form of ID and a password before you are given access to the Internet.

Slide 53: Free public network (continued)

• If Internet access is provided without asking for any credentials you should be very cautious and not use any net services such as web shops and banks where you must type in secret private information.
• Using free Internet access from serious providers is fairly low-risk when used for regular browsing, such as reading news and articles on the web.
• You should still be vigilant and watchful for abnormal system behaviour. If in doubt, disconnect your device and switch it off.
• When connecting to your company network, using a company PC and applications such as Outlook and Internet Explorer, the communication is encrypted. This makes snooping and wiretapping of data and information impossible.

Slide 54: Fake anti-malware

• Fake anti-malware may appear when using online services, e.g. booking sites, in the form of pop-up windows claiming that your PC is unprotected and offering anti-virus solutions.
• No matter which button you click on – Yes or No – the program will download a virus to your machine.
• The viruses can switch off the antivirus programs, so that our PCs would be open to all kinds of malware installations.

Slide 55: Fake anti-malware (continued)

• Unfortunately, there will always be new malware that exploits vulnerabilities in operating systems and applications and for which there is no protection.
• Until the virus or weakness has been analysed and a cure has been found, we will be at risk.

Steps to follow:
1. If your PC starts to behave suspiciously, never ignore the signs or try to correct the problem yourself.
2. Turn off your PC immediately by pressing the power button until it stops completely.
3. Then call your IT support for help.

Slides 56–66: Game – Fake or Real Websites (interactive slides, not reproduced)

Slide 67: Cyber security incident response management

Slide 68: Why is cyber security incident response important?

Source: https://citadeldigitalsecurity.com

Slide 69: Incident Response Management

The four phases of the incident response management cycle:
• Plan & Prepare
• Detect & Report
• Assess & Decide
• Respond & Recover

Slide 70: Plan & Prepare

• Produce or update relevant information security event management policies, processes and procedures.
• Define a detailed information security incident management plan.
• Define responsibilities and tasks, and establish an Incident Response Team (IRT).
• Provide an appropriate training program for the assigned responsibilities and tasks.
• Establish appropriate connections with internal and external organizations which are directly involved in cyber security events.

[Picture: incident report template with the fields: Information of Reporting Person; Event Details; Security Event Description; Incident Category; Components/Assets Affected; Effect of Incident; Incident Resolution; Total Recovery Costs from Incident; Person(s)/Perpetrator(s) Involved; Description of Perpetrator; Actual or Perceived Motivation; Actions Taken to Resolve Incident; Actions Planned/Outstanding to Resolve Incident; Conclusion; Internal Individuals/Entities Notified; External Individuals/Entities Notified; Submission of Incident Report.]

Slide 71: Detect & Report

• Monitor alerts from internal security systems, e.g. an intrusion detection system
• Monitor alerts from external information sources, e.g. national incident response teams, vendors and cyber security firms
• Inform and escalate abnormal events to the IRT
• Collect information about the incident
• Record the incident in a report, including:
  – Event details (e.g. time, place, etc.)
  – Event description (what happened?)
  – Type of attack (see picture)
  – Assets affected (e.g. HW, SW, Com, Process)
  – Effect of incident (in terms of CIA)
  – Incident resolution
  – Action to prevent similar incidents
  – Notification to internal/external persons/entities

Slide 72: Assess & Decide

• Determine whether an event is actually a cybersecurity incident or a false alarm.
• If a cybersecurity incident has occurred, then escalation to the Incident Response Team is required.
• Find out what information, system, or network is impacted.
• Find out what the impact is in terms of confidentiality, integrity, and availability (CIA) and assign priority for response activities based on the severity of the CIA impact.
• Identify and notify all relevant stakeholders:
  – Which information should be communicated?
  – To whom (internal/external) should it be communicated?
  – When should it be communicated?
  – Who needs to communicate?
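The three slides above (the report template of Plan & Prepare, the record fields of Detect & Report, and the CIA-based prioritisation and escalation of Assess & Decide) fit together as one small data model. The following is an added example, not code or guidance from DNV GL: it holds the template fields in a record, rates the impact on confidentiality, integrity and availability, and derives a response priority, the escalation decision and a notification list. The P1..P4 ladder, the notification rules and the two sample incidents are constructed assumptions.

```python
"""Incident record and CIA-based prioritisation for a ship or shore IRT.

Added example, not from the DNV GL slides. It turns the incident report
fields of the 'Plan & Prepare' and 'Detect & Report' slides into a record
and implements the 'Assess & Decide' step: rule out a false alarm, rate
the CIA impact, derive a response priority and decide on escalation to the
Incident Response Team (IRT). The P1..P4 ladder, the notification rules
and the sample incidents are constructed assumptions.
"""
from dataclasses import asdict, dataclass, field
from enum import IntEnum


class Impact(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class IncidentReport:
    # Fields mirroring the report template shown on the slides
    reporting_person: str
    event_time: str                      # event details: when
    event_location: str                  # event details: where (vessel, site)
    event_description: str               # what happened?
    incident_category: str               # type of attack
    assets_affected: list[str]           # e.g. HW, SW, Com, Process
    confidentiality: Impact = Impact.NONE
    integrity: Impact = Impact.NONE
    availability: Impact = Impact.NONE
    is_incident: bool = True             # set False when assessed as a false alarm
    actions_taken: list[str] = field(default_factory=list)
    actions_planned: list[str] = field(default_factory=list)
    internal_notified: list[str] = field(default_factory=list)
    external_notified: list[str] = field(default_factory=list)
    resolution: str = ""

    def cia_severity(self) -> Impact:
        """The worst of the three CIA impacts drives the priority."""
        return max(self.confidentiality, self.integrity, self.availability)


# Assumed priority ladder: worst CIA impact -> response priority.
PRIORITY_BY_SEVERITY = {Impact.HIGH: "P1", Impact.MEDIUM: "P2",
                        Impact.LOW: "P3", Impact.NONE: "P4"}


def assess(report: IncidentReport) -> dict:
    """Assess & Decide: false-alarm check, CIA priority, escalation, who to notify."""
    if not report.is_incident:
        return {"priority": "P4", "escalate_to_irt": False,
                "notify": [], "reason": "assessed as false alarm"}
    severity = report.cia_severity()
    # Every confirmed incident goes to the IRT (slide); the rest is assumed policy.
    notify = ["IRT"]
    if max(report.integrity, report.availability) >= Impact.MEDIUM:
        notify.append("Master and technical superintendent")  # OT / safety relevance
    if report.confidentiality >= Impact.MEDIUM:
        notify.append("Data protection officer")
    if severity == Impact.HIGH:
        notify.append("Top management")
    return {"priority": PRIORITY_BY_SEVERITY[severity], "escalate_to_irt": True,
            "notify": notify, "reason": f"worst CIA impact is {severity.name}"}


def record(report: IncidentReport) -> dict:
    """Serialisable incident record: template fields plus the assessment."""
    data = asdict(report)
    for key in ("confidentiality", "integrity", "availability"):
        data[key] = Impact(data[key]).name
    data["assessment"] = assess(report)
    return data


# Constructed sample: ransomware on a bridge ECDIS workstation.
SAMPLE = IncidentReport(
    reporting_person="Second officer",
    event_time="2018-10-16T02:40Z",
    event_location="MV Example, bridge",
    event_description="ECDIS workstation shows a ransom note; charts cannot be opened.",
    incident_category="Ransomware",
    assets_affected=["HW: ECDIS PC", "SW: chart database", "Process: navigation"],
    integrity=Impact.MEDIUM,
    availability=Impact.HIGH,
    actions_taken=["Switched to paper charts", "Disconnected ECDIS from vessel LAN"],
)

# Constructed sample: an IDS alert traced to a scheduled backup job.
FALSE_ALARM = IncidentReport(
    reporting_person="Chief engineer", event_time="2018-10-16T05:10Z",
    event_location="MV Example, ECR", event_description="IDS alarm; scheduled backup.",
    incident_category="IDS alert", assets_affected=["Com: engine room network"],
    is_incident=False,
)

if __name__ == "__main__":
    import json
    print(json.dumps(record(SAMPLE), indent=2))
```

With the ECDIS sample the worst impact is availability HIGH, so the record is rated P1, escalated to the IRT and flagged for the master, the technical superintendent and top management; the false alarm is closed as P4 without escalation. The `record()` output is the same set of fields as the slide's report template, so it can be filed as the Detect & Report record once the assessment is attached.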

Slide 73: Respond & Recover

• Contain the incident, including:
  – limit the damage
  – stop the attacker
  – ensure business continuity
  – prevent spreading of the incident (internal/external)
• Eradicate the incident, including:
  – based on the concluded incident investigation
  – remove all assets related to the incident
  – remove all artefacts left by the attacker
  – close vulnerabilities used by the attacker
• Recover from the incident, including:
  – ensure return to normal operation
  – eliminate vulnerabilities to prevent similar incidents

Slide 74: Regulations, Standards and Best Practices

Industry is responding

Slide 75: Trends (contd.): Cyber security regulations evolving

• MSC 98 (07/17) agreed that there is an urgent need to raise awareness on cyber risk threats and vulnerabilities
• An important part of achieving this would be to consider cyber risk as part of existing safety management systems (ISPS and ISM codes)
• MSC 98 adopted resolution MSC.428(98) on Maritime cyber risk management in safety management systems
• The guidelines are not mandatory but Member Governments are encouraged to apply them

Outcome: MSC 98 adopted the recommendatory MSC-FAL.1/Circ.3, superseding the interim guidelines.

Impact: Cyber risks should be addressed in safety management systems no later than the first annual verification of the DoC after 1 January 2021. This is a non-mandatory requirement.

Slide 76: IMO – present requirements

• Cyber security brought into ISM/ISPS audits:
  – ISM Code 1.2.1: The objectives of the Code are to ensure safety at sea, prevention of human injury or loss of life, and avoidance of damage to the environment, in particular to the marine environment, and to property.
  – ISM Code 1.2.2: Safety management objectives of the Company should, inter alia: 1. provide for safe practices in ship operation and a safe working environment; 2. assess all identified risks to its ships, personnel and the environment and establish appropriate safeguards; and 3. continuously improve safety management skills of personnel ashore and aboard ships, including preparing for emergencies related both to safety and environmental protection.
  – ISM Code 1.2.3: The safety management system should ensure: 1. compliance with mandatory rules and regulations; and 2. that applicable codes, guidelines and standards recommended by the Organization, Administrations, classification societies and maritime industry organizations are taken into account.
• Conclusion: If cyber risks exist, the ISM and ISPS Codes contain mandatory requirements.

Slide 77: IMO proposal for new Strategic Plan

• Assembly session of IMO, Nov 27th – Dec 6th 2017
• Submission of “Strategy, Planning and Reform” with a proposal for a new Strategic Plan for the six-year period 2018 to 2023.
• In the submission paper A 30/7, page 8, para. 28, it is stated/proposed how IMO should handle cyber risks in the strategic direction SD 5:

“Shipping operations are increasingly dependent on electronics and digital technologies and as such are exposed to cyber risks. The Organization will continue to monitor the issue and encourage a cooperative approach among Member States and stakeholders.”

Slide 78: MSC-FAL.1/Circ.3

MSC-FAL.1/Circ.3 – Guidelines on Maritime Cyber Risk Management
• Recommendation (non-mandatory)
• Application: to encourage safety and security management practices
• Addresses both IT and OT systems
• Cyber risk: threats are presented by malicious actions (e.g. hacking or introduction of malware) or the unintended consequences of benign actions (e.g. software maintenance or user permissions)
• Cyber risk management: Identify – Protect – Detect – Respond – Recover
• Refers to the BIMCO guidelines, ISO/IEC 27001 and the NIST Framework, etc.

Slide 79: EU regulations and national development

. Directive (EU)2016/1148 concerning measures for a high common level of security of network and information systems across the Union (May 2016) – Applicable for ports but not vessels

. Regulation (EU)2016/679 - General Data Protection Regulation (April 2016) – Applicable for vessels from May 2018

. USCG Cyber Strategy (June 2015)

. CG-5P Policy Letter 08-16: Reporting Suspicious Activity and Breaches of Security (Dec 2016) – Require cyber security incident reporting on US waters

. USCG opens new unit to combat cyberspace threat (June 2017) Promotion video available here

. Draft navigation and vessel inspection circular no. 05-17 (July 2017) Subj: Guidelines for addressing cyber risks at maritime transportation security act (MTSA) regulated facilities

Slide 80: USCG – Vessel Profiles

. Cybersecurity Framework Profiles - Maritime Bulk Liquids Transfer, Offshore Operations, and Passenger Vessel (Dec 2017)

Summary of Subcategory Priorities by Mission Objective

Mission Objectives:
1. Maintain Personnel Safety
2. Maintain Environmental Safety
3. Maintain Operational Security
4. Maintain Preparedness
5. Maintain Quality of Product
6. Meet HR Requirements
7. Pass Required Audits/Inspections
8. Obtain Timely Vessel Clearance

[Table: Framework Core: Functions and Categories, with subcategory priorities per mission objective]

Slide 81: DNV GL’s Cyber Secure Class Notation supports protecting the safety of vessel, crew and passengers

. The additional class notation Cyber secure includes requirements to cyber security for a vessel, intending to protect the safety of the vessel, crew and passenger. On-shore facilities are not addressed within the requirements.

. Cyber secure notation has 3 different qualifiers:

– Cyber secure(Basic) – Primarily intended for sailing vessels. – Based on security level 1 in IEC 62443-3-3 with specific adaptions for the maritime industry. Requirements to bridge systems are derived from IEC 61162-460.

– Cyber secure(Advanced) – Primarily intended for new build vessels – Based on security level 3 in IEC 62443-3-3 with specific adaptions for the maritime industry.

– Cyber secure(+) – Intended for system(s) not required as part of default scope in Basic/Advanced. – Can be combined with Basic/Advanced qualifier, e.g. Basic+

Cyber Security Advisory for the Maritime Industry: Type Approval

. Our Type Approval program supports manufacturers, owners and yards in ensuring safety through cyber secure components.
. Based on ISA-62443-4-2 and IEC 61162-460.

Cyber Security Advisory for the Maritime Industry: Recommended practices. Where should we start?

Cyber Security standards landscape

(Figure: standards plotted on an axis from organizational to technical, with risk-based standards at the base.)

Organizational standards: US Coast Guard Cyber Strategy, ISO 27001, BSI 100 standards, CPNI, ISF, DNV GL Recommended Practice, NIST Framework, BIMCO Guidelines, ABS Guidelines, IMO Guidelines, ENISA, LR Guidelines, Cigre Security Standards

Technical standards: FOR-2012-12-07-1157, BSI TR 03109, ISA/IEC 62443, CPNI Process Control and SCADA Security, IEC 62351, IEC 60870-5-101/104, IEEE 1686, IEC 60092-504, IEC 61850

Risk based standards: IEC 61508

BIMCO "The Guidelines on Cyber Security On-board Ships"

. Version 2.0 (July 2017)
. Aim: offer guidance to shipowners and operators on how to assess their operations and put in place the necessary procedures and actions to maintain the security of cyber systems on board their ships.
. Scope:
– Cyber security and safety management
– Understanding the cyber threat (types and stages)
– Determination of vulnerability for IT and OT systems
– Risk assessments (process & criteria)
– Technical & procedural control measures
– Contingency planning and emergency response
. Conclusion: useful high-level introduction with comprehensive scope, but no specific "how to" guidance

Introduction to ISO 27001

. ISO 27001 formally specifies how to establish an Information Security Management System (ISMS).
. The adoption of an ISMS is a strategic decision.
. The design and implementation of an organization's ISMS is influenced by:
– its business and security objectives,
– its security risks and control requirements,
– the processes employed, and
– the size and structure of the organization,
so a simple situation requires a simple ISMS.
. The ISMS evolves systematically in response to changing risks.
. Compliance with ISO 27001 can be formally assessed and certified. A certified ISMS builds confidence in the organization's approach to information security management among stakeholders.

DNV GL response: Cyber Security Recommended Practice

. Explains 'how to do' and not just 'what to do', filling a gap among available guidelines
. Facilitates an approach for both IT and OT systems
. Builds on established standards:
– ISO/IEC 27001
– IEC 62443 (OT)
– BSI IT-Grundschutz (IT)
. Applies common risk and barrier management principles
. Provides practical examples and guidelines for implementation
. Builds on experience from live projects

CYBER SECURITY: DNV GL's Recommended Practice

Assessment is key: before spending money on a cyber security initiative, we recommend carrying out a structured and targeted assessment of the risk picture.

ASSESSMENT
. High-level assessment: identification of key risks
. Focused assessment: barrier management methodology applied to specific high-risk systems
. In-depth assessment: comprehensive risk assessment, comparison of current safeguards with target

IMPROVEMENT
. Competence & awareness building
. Technical measures, e.g. access control, software configuration management and barrier management
. Information security management system (ISMS): preparation of documentation and implementation

VERIFICATION
. Monitoring and testing of technical barriers
. Verification of the ISMS against ISO/IEC 27001

DNVGL-RP-0496 approach to assessment

Start of cyber security assessment program
→ High level assessment [section 2.1]
→ Focused assessment [2.2] or Comprehensive, in-depth assessment [2.3]
→ Improvement [3]

Cyber Security Assessment Approach: how are risks managed?

When welding or repair introduces a 'crack' into the vessel structure, how is this crack (risk) controlled?

When a software change is introduced to systems, then what?

Three pillars of Cyber Security

. Holistic approach for maritime cyber security assessments

Process:
– Management systems
– Governance frameworks
– Policies & procedures
– Vendor/third-party contracts follow-up
– Audit regimes

People:
– Training & awareness
– Professional skills & qualifications
– Emergency drills
– Authorizations & authentication

Technology:
– System design
– Hardening of connections
– Software configuration
– Encryption protocols
– Jamming & spoofing
– Detection & monitoring
– Physical security

On board cyber security inspections

Surveyors find viruses on board during routine inspections…

On board verification tests and inspections

. Categories of findings on different ship types (passenger, container, tanker, offshore production unit): people, process, technology
. Observed themes: organisational maturity; lack of a "fear factor"?; retrofit from older technology

Example findings on Passenger, Container, Tanker & Offshore production units

. Network security – are firewalls used according to policy?
– Firewall mounted in the engine performance monitoring cabinet, but not connected

. Network security – is anti-virus used according to policy?
– No anti-virus on "island-mode" workstations
– Skype installed on the tank sounding computer
– Undetected infection of the loading computer

. Physical security and access control – checking access control
– No password change policy; passwords pre-set by shore IT
– Passwords printed on paper and posted on the wall
– Unnecessary administrator access on the engine performance monitoring PC
– No automatic lock-out, and users stay logged in to workstations because reporting tasks are so time consuming that they cannot be handled by a single person
– Lack of physical security: all equipment in scope is accessible
– Weak passwords, e.g. "123"

. Network security checks
– Personal use of the company network: e-mail (bypassing corporate filtering), browsing and social networking on on-board PCs
– 4 base functions of the on-board firewall disabled, including event logging; broadcast storm protection disabled in switches
– Limited alarm and event logging: security products generate alarms, but there is no central collection or review of events
– Lack of Windows patching & hardening: Windows updated only during major upgrades, i.e. up to 3 years outdated; Windows installations configured with standard settings; default credentials on networking gear, e.g. switches and routers
– 15 anti-virus alarms in a week on a sample PC on board
– Anti-virus installed on all hosts, but no scheduled scans; last scan in 2014
– No monitoring/alarming of network load within the network panel of the alarm server HMI
– Alarm servers running unused/unnecessary services
– Adequate malware protection not installed on HMI PCs (alarm monitoring and engine performance monitoring)
– Alarm overflow: after a certain number, no further alarms can be received
– OS security patches ~twice a year (except the ship's firewall)
– Unencrypted e-mail communication

. Checks on policies and procedures
– No defined policies for associated vendors/service personnel to follow: a service provider technician uses his own USB stick to print reports from on-board PCs
– Dedicated USB stick for updating ECDIS, but not physically secured and no malware scanning
– Single USB stick policy: a single USB stick used to transfer loading condition data to shore via the bridge; SD card used between camera and on-board workstations; gradually all of the business network on board became infected
– All data and configuration backups stored in a single cabinet on board
– All backup HDDs stored in a single rack (together with all IT servers), and not transferred to shore
– IT dept. responsible for communication networks, but the Master is responsible on the vessel: no incident response policy defined; the Master would contact the IT dept.
– AIS kept on in piracy area despite policy to switch it off; no policy regarding sharing geo-tagged photos

DNVGL-RP-0496 in-depth assessment technique

Understanding cyber security threats/risks: likelihood

. Identify critical systems
. Rank risks (prioritise)

Table 2-4 Example rating of 'ease of access' (likelihood), from DNVGL-RP-0496 - Cyber security resilience management for ships and mobile offshore units in operation. Factors considered per system: connected and/or integrated, requiring software updates, remote connection, physically accessible. In the example, requiring software updates is marked as having no effect on ease of access; the remaining factors combine as follows (a connected system with any further entry point rates High, a connected system alone rates Medium, an isolated system with an entry point rates Medium, and an isolated system with none rates Low):

Connected/integrated | Remote connection | Physically accessible | Ease of access
X | - | - | Medium
X | - | X | High
X | X | - | High
X | X | X | High
- | - | X | Medium
- | X | - | Medium
- | X | X | Medium
- | - | - | Low

Assessing the consequence of a cyber attack

DNVGL-RP-0496: Comprehensive, in-depth approach

1. Identify critical systems (2.3.1): IT or OT system type
2. Determine consequence (2.3.2, Appendix E) and determine likelihood (2.3.3, Appendix F)
3. Establish the cyber security risks (2.3.4)
4. Compare current safeguards with target (2.3.5, Table 2-7)
5. Determine the prioritised action plan
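To make these steps concrete, here is an added worked example; it is not DNV GL's code and not taken from the RP. It rates likelihood by ease of access (my reading of the 'ease of access' example: connected plus a remote or physical entry point is High, connected alone is Medium, isolated with an entry point is Medium, isolated without one is Low), combines that with consequence in an assumed 3x3 risk matrix, compares each system's current safeguards with an assumed target set derived from the deck's "next steps" list, and sorts the result into a prioritised action plan. The inventory is constructed: the system names come from the deck, their attributes and safeguards are invented.

```python
"""Risk ranking in the style of the DNVGL-RP-0496 in-depth assessment.

Added example (not DNV GL code). Steps mirrored: identify critical systems,
determine likelihood (ease of access) and consequence, establish the cyber
security risk, compare current safeguards with a target, prioritise actions.
The rating rules and the target safeguard sets are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class System:
    name: str
    kind: str                     # "IT" or "OT"
    connected: bool               # connected to / integrated with other on-board systems
    remote_connection: bool       # reachable over a remote link (e.g. vendor maintenance)
    physically_accessible: bool   # reachable without controlled physical access
    consequence: Level            # worst credible consequence (safety, environment, operation)
    safeguards: frozenset         # controls verified to be in place today


def ease_of_access(s: System) -> Level:
    """Likelihood proxy, my reading of the RP's 'ease of access' example (assumption):
    connected + remote or physical entry point -> HIGH; connected alone -> MEDIUM;
    isolated but with an entry point -> MEDIUM; isolated with no entry point -> LOW."""
    if s.connected:
        return Level.HIGH if (s.remote_connection or s.physically_accessible) else Level.MEDIUM
    if s.remote_connection or s.physically_accessible:
        return Level.MEDIUM
    return Level.LOW


def risk_rank(likelihood: Level, consequence: Level) -> Level:
    """3x3 risk matrix with assumed thresholds on the product of the two ordinal levels."""
    score = int(likelihood) * int(consequence)      # 1..9
    if score >= 6:
        return Level.HIGH
    if score >= 3:
        return Level.MEDIUM
    return Level.LOW


# Target safeguards per risk level, built from the deck's "next steps" list (assumed mapping).
_BASE = frozenset({"software_management"})
_MEDIUM = _BASE | {"access_control", "no_factory_defaults"}
_HIGH = _MEDIUM | {"network_segregation", "hardened_remote_connections",
                   "usb_media_control", "event_logging"}
TARGET_SAFEGUARDS = {Level.LOW: _BASE, Level.MEDIUM: _MEDIUM, Level.HIGH: _HIGH}


@dataclass(frozen=True)
class Assessment:
    name: str
    likelihood: Level
    consequence: Level
    risk: Level
    missing: frozenset   # target safeguards not yet in place


def assess(s: System) -> Assessment:
    likelihood = ease_of_access(s)
    risk = risk_rank(likelihood, s.consequence)
    missing = TARGET_SAFEGUARDS[risk] - s.safeguards
    return Assessment(s.name, likelihood, s.consequence, risk, frozenset(missing))


def prioritised_action_plan(systems) -> list:
    """Highest risk first; ties broken by consequence, then likelihood, then name."""
    plan = [assess(s) for s in systems]
    plan.sort(key=lambda a: (-a.risk, -a.consequence, -a.likelihood, a.name))
    return plan


# Constructed sample inventory: names taken from the deck, attributes invented.
SAMPLE_SYSTEMS = [
    System("ECDIS", "OT", True, False, True, Level.HIGH,
           frozenset({"software_management", "usb_media_control"})),
    System("Engine performance monitoring PC", "OT", True, True, True, Level.MEDIUM,
           frozenset({"software_management"})),
    System("Loading computer", "IT", False, False, True, Level.MEDIUM,
           frozenset({"software_management", "access_control", "no_factory_defaults"})),
    System("Tank sounding computer", "IT", False, False, True, Level.LOW, frozenset()),
    System("RADAR", "OT", True, False, False, Level.HIGH,
           frozenset({"software_management", "access_control",
                      "no_factory_defaults", "network_segregation"})),
]

if __name__ == "__main__":
    for a in prioritised_action_plan(SAMPLE_SYSTEMS):
        print(f"{a.risk.name:6} {a.name:34} L={a.likelihood.name:6} "
              f"C={a.consequence.name:6} missing={sorted(a.missing)}")
```

Running it lists ECDIS and RADAR first (high consequence, connected), then the engine performance monitoring PC, whose vendor remote link pushes an otherwise medium-consequence system to high risk; the loading computer already meets its target set and drops out of the action plan. The thresholds and target sets are the knobs to replace with the RP's own tables when doing this for real.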

DNVGL-RP-0496 Bow-Tie Barrier Management

Understanding cyber attack mechanics: Attacker → Vulnerabilities → Barriers → Consequences

(Figure: attack threats and attack techniques on the left, passing through vulnerabilities and security barriers to the consequences on the right.)

Vulnerabilities (on the target systems ECDIS, CMS and RADAR): USB port handling, outdated software, unsecure remote connection, default passwords
Consequences: collision, extortion, cargo hijacking
The attack paths through USB port handling, outdated software and default passwords each meet a security barrier; the path through the unsecure remote connection is drawn with no barrier at all.

DNVGL-RP-0496: Graphical understanding of protection barriers

. Leverages existing industry knowledge by using the Bow-Tie and barrier management methodologies and transposes this intuitive method to help assess complex attack scenarios
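The bow-tie above written as data, as an added example that is neither DNV GL's nor the RP's code: each threat path on the left carries its preventive barriers, each consequence path on the right its mitigating barriers, and a report counts how many barriers are actually holding per path so that unbarriered and single-barrier paths stand out (worst_scenarios pairs an unbarriered threat with an unmitigated consequence). The vulnerabilities and consequences are those drawn on the slide; the barrier names, their verified status and the top event are assumptions.

```python
"""Bow-tie barrier model for a cyber attack scenario.

Added example (not DNV GL code, not from the RP). It encodes the slide's chain
(attack threat -> vulnerability -> security barrier -> top event -> consequence)
for an ECDIS and reports where the barrier picture is thin. The scenario data
are constructed; the barrier names and their status are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Barrier:
    name: str
    effective: bool   # confirmed working during on-board verification


@dataclass(frozen=True)
class ThreatPath:
    """Left side of the bow-tie: a threat exploiting one vulnerability."""
    threat: str
    vulnerability: str
    barriers: Tuple[Barrier, ...]   # preventive barriers along the attack path


@dataclass(frozen=True)
class ConsequencePath:
    """Right side of the bow-tie: what the top event may escalate into."""
    consequence: str
    barriers: Tuple[Barrier, ...]   # mitigating barriers


@dataclass(frozen=True)
class BowTie:
    system: str
    top_event: str
    threat_paths: Tuple[ThreatPath, ...]
    consequence_paths: Tuple[ConsequencePath, ...]


def effective_count(barriers) -> int:
    """Number of barriers on a path that were verified to be working."""
    return sum(1 for b in barriers if b.effective)


def barrier_report(bt: BowTie) -> Dict[str, List[str]]:
    """Classify every path by the number of barriers actually holding:
    unbarriered_threats      - the threat reaches the top event with nothing in the way
    single_barrier_threats   - one failure away from the top event
    unmitigated_consequences - once the top event occurs, nothing limits this outcome"""
    report = {"unbarriered_threats": [], "single_barrier_threats": [],
              "unmitigated_consequences": []}
    for tp in bt.threat_paths:
        n = effective_count(tp.barriers)
        if n == 0:
            report["unbarriered_threats"].append(tp.vulnerability)
        elif n == 1:
            report["single_barrier_threats"].append(tp.vulnerability)
    for cp in bt.consequence_paths:
        if effective_count(cp.barriers) == 0:
            report["unmitigated_consequences"].append(cp.consequence)
    return report


def worst_scenarios(bt: BowTie) -> List[Tuple[str, str]]:
    """(vulnerability, consequence) pairs with no effective barrier on either side:
    the scenarios to put first in the action plan."""
    rep = barrier_report(bt)
    return [(v, c) for v in rep["unbarriered_threats"]
            for c in rep["unmitigated_consequences"]]


# Constructed scenario: vulnerabilities and consequences as drawn on the slide,
# barrier names and their verified status are assumptions for illustration.
ECDIS_BOWTIE = BowTie(
    system="ECDIS",
    top_event="Loss of integrity of the ECDIS (chart or position data manipulated)",
    threat_paths=(
        ThreatPath("Malware brought on board by a service technician", "USB port handling",
                   (Barrier("Malware scan of all removable media before use", True),
                    Barrier("Only dedicated, physically secured USB sticks", False))),
        ThreatPath("Exploit of a published vulnerability", "Outdated software",
                   (Barrier("Vendor patch programme applied on schedule", False),)),
        ThreatPath("Remote intrusion over the maintenance link", "Unsecure remote connection",
                   ()),   # the slide shows no barrier on this path
        ThreatPath("Unauthorised configuration change", "Default passwords",
                   (Barrier("Factory credentials replaced at commissioning", True),)),
    ),
    consequence_paths=(
        ConsequencePath("Collision or grounding",
                        (Barrier("Officer cross-checks position against RADAR and visual bearings", True),
                         Barrier("Paper chart fallback available and practised", True))),
        ConsequencePath("Extortion (ransomware on chart database)",
                        (Barrier("Offline backup of charts and configuration kept ashore", False),)),
    ),
)

if __name__ == "__main__":
    for key, items in barrier_report(ECDIS_BOWTIE).items():
        print(f"{key}: {items}")
    print("worst scenarios:", worst_scenarios(ECDIS_BOWTIE))
```

The point of encoding the picture is that a barrier drawn on the slide is not a barrier that holds: the inspection findings above (USB stick not secured, backups never taken ashore, no patching between major upgrades) turn several drawn barriers into ineffective ones, and the report then shows the remote maintenance link and the patch gap as the paths that lead straight from attacker to extortion.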

A bridge between domain knowledge

. Use graphical tools for communication in the industry's own language
. Bow-tie barrier management → safety
. People without an IT background learn how to do it in 10 minutes and realise they know a lot more than they thought

Other approaches: NIST Framework

Profiling using the NIST CS Framework: categories and subcategories

How DNV GL can help you: final remarks

Competence and awareness: the human element

. ~97% of malware is designed to exploit social engineering weaknesses rather than a technical flaw.
. The organisation can be strengthened against these exploits by building general competence and awareness of cyber security threats, issues and protective measures:
– Focus (initially) on the highest-risk parts of the organisation
– Apply blended learning techniques: e-learning, classroom and offline material
– Periodic refreshers to improve retention and keep up with shifting risk profiles

Recommended training content:
. Role and responsibility of the individual
. Common threats & traps
. Good practices or "cyber hygiene"

What are your next steps?

. Awareness campaign
. Dedicated training program
. Network segregation
. Eliminate factory defaults
. Access control
. Harden remote connections
. Software management
. Implement an ISMS

The Cyber Business Risk balance

"I won't be competitive unless my vessels offer a wide range of innovative features" versus "I need to practice security by design to keep my ships safe"

Thank you for your attention

Maritime Cyber security: download the RP free of charge from www.dnvgl.com/rpcs