MARITIME Cybersecurity for Critical Infrastructure
DNV GL Technology Week 2018
October 16, 2018
Ungraded
1 Your presenters today (DNV GL © 2018, 16 October 2018: SAFER, SMARTER, GREENER)
Jan Hagen Andersen, P.E., DNV GL Maritime
. 27 years of experience in the maritime industry
. 13 years with DNV GL
. Head of Practice for Mechanical Systems and Engineering
. BD for Maritime; focus is on fleet performance management, environmental performance, cyber security, and novel technologies
Craig Reeds, Digital Solutions Americas
. Over 30 years of experience in cyber security
. CISSP – Certified Information Systems Security Professional
. CRISC – Certified in Risk and Information Systems Control
. Works with most of the critical infrastructure industries
. 4 years with DNV GL Digital Solutions
2 Agenda
8:30 – 8:45 Introduction Jan Andersen, Craig Reeds
8:45 – 9:00 You may already be under attack Craig Reeds
9:00 – 9:20 Safety in shipping heavily depends on cyber systems Jan Andersen
9:20 – 9:40 Challenges of Cyber Security in the Maritime Sector Craig and Jan
9:40 – 10:00 Break
10:00 – 10:30 What is the Threat and Where are the Risks Craig Reeds
10:30 – 10:45 Regulations, Standards and Best Practices Jan Andersen
10:45 – 11:00 Cyber Security Assessment Approach Craig Reeds
11:00 – 11:30 Questions, Discussion & Closing All speakers
3 Our leading position on Maritime Cyber Security is built and ensured through a competent cross-unit DNV GL team
Key building blocks:
. Maritime Class: leading class on Cyber Security (CS) with ISDS (Integrated Software Dependent Systems) class notation and CS RP, CS Type Approval, …
. Digital Solutions: cyber security competence centre with a resource pool of experts supporting growth
. Maritime Advisory: complete picture with maritime domain knowledge, hands-on experience and close customer contact as an advisor
4 Training Overview
Overview:
• Learn about maritime cyber security regulations
• Understand cyber security terminology
• Recognize malware types and how to recognize them
• Be able to identify threats or vulnerabilities
• Learn how to organize awareness measures for your own company and practices to eliminate risks from social engineering
• Methods, tools and best practices to assess and mitigate the risks
Modules: Cyber Security – Intro (why is it suddenly an issue?); Typical threats; User Awareness; Analysis and mitigation
5 Cyber risks on ships and mobile offshore units: the context
6 Pirates 1.0 … 4.0
7 Being the early adopter…
Hugo Gernsback (1884-1967), Luxembourgish-American inventor, writer, editor, publisher, best known for publications including the first science fiction magazine.
8 Maritime & Offshore trends
Software & Automation
Crew size
Interconnectivity
9 Trends
. Cyber security threats are progressing and becoming a part of our daily business. 2018+: What will the future bring?
. Regulations are evolving: IMO MSC.428(98) – FAL.1/Circ.3, 5 July 2017: “Stakeholders should take the necessary steps to safeguard shipping from current and emerging threats and vulnerabilities related to digitization, integration and automation of processes and systems in shipping…”
. The cyber security exclusion clause in insurance (Clause 380) is being challenged:
– Owners expect complete insurance coverage
– Underwriters need to properly manage their risks
– Charterers through TMSA 3.0 & VIQ 7 (vetting)
Timeline of incidents shown on the slide:
2010: Drilling rig infected with malware
2011: Pirate cyber attack
2012: GPS jamming/spoofing
2013: Hacking of cargo tracking system
2014: U.S. port hacker attack
2016: Bulk carrier switchboard shuts down – ransomware
10 Risk misconception and industry lack of understanding
. Difficulty in calculating risks linked to the thinking of the human criminal mind: RISK = IMPACT × LIKELIHOOD ← ?
. Disbelief “… a hacker gained control of a vessel…”
“Yeah Right, there are too many barriers to get through…”
11 Transparency vs awareness…
“There are two types of companies in the world: those that know they've been hacked, and those that don't.” – Misha Glenny, British journalist who specialises in cybersecurity
Cyber security incidents are more common than officially admitted.
12 You may not know yet, but you are under attack
. 2015: 64,199 reported IT security incidents – just the tip of the iceberg [1]
– 89% of breaches had a financial or espionage motive
. New threats arise:
– Widespread ransomware
– Orchestrated attacks on industrial control systems
– Attacks can be rented as a service, lowering the entry bar
– Government-sponsored attacks widespread
– Cyber terrorism
[1] Source: 2016 Data Breach Investigations Report, Verizon
13 Information technology (IT) vs Operational technology (OT)
[Chart, IT: total malware registered by the AV-TEST Institute, 1984–2018, y-axis 0 to 800,000,000.] The AV-Test Institute registered approx. 14,000,000 new malicious programs during the month of April 2018 alone…
[Chart, OT: attacks on industrial control systems, 2013–2016, y-axis 0 to 2,600, +110%.]
Sources: AV-TEST Institute, Germany; IBM Managed Security Services, 2016 report “Attacks Targeting Industrial Control Systems (ICS) Up 110 Percent”
14 WannaCry: largest ransomware attack to date
Known affected organisations:
• Spain – Telefonica, power firm Iberdrola, utility provider Gas Natural and more large firms
• USA – FedEx
• France – Renault
• Germany – Deutsche Bahn
• Jakarta – two hospitals
• Russian Interior Ministry
• Britain’s National Health Service, Nissan car plant
“The latest count is over 200,000 victims in at least 150 countries” - Rob Wainwright, Europol Executive Director
17 Maritime can also be affected
18 NotPetya: heavily impacting maritime industry players
. Arrived via an update to an accounting system in Ukraine (ME Doc)
. Spread like a worm from an infected machine
. Exploited Windows SMB vulnerability (aka EternalBlue); the fix by Microsoft was released on March 14th (MS17-010)
. Spreads into the local network using exploits like EternalBlue and tools like PsExec and WMIC
. Encrypts the MFT (Master File Table) for NTFS partitions
. Overwrites the MBR (Master Boot Record) with a custom bootloader
. Shows a ransom note demanding USD 300, same bitcoin wallet
. Prevents victims from booting their computer
“Big hack at Maersk puts Rotterdam's container terminal flat” – David Bremmer and Leon van Heel, AD, NL
19 NotPetya: heavily impacting maritime industry players (the same timeline, annotated with the management questions it raises)
. Arrived via an update to an accounting system in Ukraine (ME Doc) → Software configuration management?
. Spread like a worm from an infected machine
. Exploited Windows SMB vulnerability (aka EternalBlue); the fix by Microsoft was released on March 14th (MS17-010) → Software patch management?
. Spreads into the local network using exploits like EternalBlue and tools like PsExec and WMIC
. Encrypts the MFT (Master File Table) for NTFS partitions → Obsolescence management?
. Overwrites the MBR (Master Boot Record) with a custom bootloader
. Shows a ransom note demanding USD 300, same bitcoin wallet → General situation in Maritime?
. Prevents victims from booting their computer
“Big hack at Maersk puts Rotterdam's container terminal flat” – David Bremmer and Leon van Heel, AD, NL
20 Video: Jim Hagemann Snabe, A.P. Møller-Maersk CEO, at World Economic Forum
21 … and in the Maritime industry.
. German-owned 8,250 TEU container vessel
. Vessel en route from Cyprus to Djibouti; for 10 hours “suddenly the captain could not manoeuvre”
. The attack was carried out by “pirates” who gained full control of the vessel’s navigation system, intending to steer it to an area where they could board and take over.
Image source: ARATINO, generic container vessel.
Source: FAIRPLAY- Tanya Blake, editor, Safety at Sea | 22 November 2017
22 Cyber Security is not just a technical problem
. Top management is not involved or not walking the talk
. Vendors sell tools, not solutions
. It won’t happen to us, because…
– We’re too small to be a target
– Ships are not (always) connected to the internet
– It never happened before
– We have great antivirus/firewalls/snake oil technology in place
– Only stupid companies get hit, we are not stupid
– We make people change their passwords often
. Balance between security and convenience – if it is hard to do it securely, people will be people
. Social engineering is the psychological manipulation of people into performing actions or divulging confidential information; it is boosted by privately used social media/networks
. Social engineering, social spam, phishing, like-jacking, … they all target people, not computer systems
23 Maritime Cyber risk: fast changing trends. Why?
24 Safety in shipping today heavily depends on cyber systems
Information Technology (IT):
. IT networks
. E-mail
. Administration, accounts, crew lists, …
. Planned Maintenance
. Spares management and requisitioning
. Electronic manuals
. Electronic certificates
. Permits to work
. Charter party, notice of readiness, bill of lading…
At risk: mainly the on-shore organisation, finance and reputation
Operation Technology (OT):
. PLCs
. SCADA
. On-board measurement and control
. ECDIS
. GPS
. Remote support for engines
. Data loggers
. Engine & Cargo control
. Dynamic positioning, …
At risk: life, property and environment + all of the above
25 The future holds more…
Digital wearables for crew
Enhancing passenger experience
26 Reported incidents around the world are increasing
Incidents shown on the slide:
. Pirate attack supported by cyber attack
. Hackers took “full control” of navigation systems for 10 h
. Loss of fuel control and ballast water valves due to ECDIS update
. PMS system for shore and vessel hacked using a common login
. VSAT attack
. GPS jamming and spoofing
. Loss of main switchboard due to ransomware
. Hacking of cargo tracking system for smuggling purposes
. AIS spoofing
. ECDIS ransomware and chart spoofing
. NotPetya caused Maersk up to USD 300m loss
. Malware allows full access to vessel systems
27 Challenges of Cyber Security in the Maritime Sector
• Air-gap prevents cyber incidents
• Lack of understanding of implications of cyber attacks on OT
• There is no real case publicized where a cyber incident resulted in serious damage to a vessel
• Increasing demand on the maritime industry to align cyber security with other industries
• Potential lack of insurance coverage due to cyber attacks
• No mandatory regulations on cyber security
• ISM/ISPS treats cyber risks the same as any other risk
• Existing class rules do not cover most of the risks
29 Cyber-threat targets
30 Commercial ships have potential for attackers
Risk factors
. Limited education / awareness
. Age of technology deployed
. Limited and irregular network connectivity
Typical targets
. Ransom (vessel or crew)
. Cargo theft (while on board or once landed)
. Theft of information
. External damage (weaponisation)
Mitigating factors
. Limited number of persons on board
. Persons on board usually employees
. Low turnover
. Relatively simple systems
31 Offshore assets are potential targets as well
Risk factors
. High number of personnel of various employers on board, turnover every hitch
. Budgets under pressure
. Somewhat limited and irregular network connectivity
. Complex chain of command
Typical targets
. Ransom (vessel or crew)
. Cargo theft (while on board or once landed)
. Theft of information
. Terrorism
Mitigating factors
. Persons on board usually employees or contractors
. Some rigs very well equipped with technology
. Regulations and safety culture
32 The maritime industry is generally not well prepared
In the next few minutes, we will discuss what makes the maritime industry vulnerable to cyber attacks.
33 Typical threats and how to recognize them: what is the threat?
34 Security properties and priorities (CIAA)
Availability: ability of the system to provide access to its resources
Confidentiality: information is not made available or disclosed to unauthorized entities, individuals or processes
Integrity: accuracy and completeness
Authenticity: property that an entity is what it claims to be
35 Understanding Cyber Security threats/risks
. Nuts & bolts of a threat scenario:
– Threat agents
– Motivation
– Capability
– Physical infrastructure
– Opportunity (overlap of Capability and knowledge of Physical infrastructure)
36 Vessels are not alone at sea any more
• Remote support (IT, engines, machinery)
• E-mail and internet use
• ECDIS chart updates
• Planned Maintenance system
• Noon reports, manifests, requisitioning
• Software updates
• Port activities
• …
37 Threats can be intended or accidental
Axes of the slide: intentional ↔ unintentional, untargeted ↔ targeted. Examples placed on it: Spear-phishing, Malware, Backdoors, Disgruntled employee, Ransomware, Falling victim to social engineering, Social media, User error, Escaped proof-of-concept, Built-in software weaknesses, Runaway pentest.
38 Many attackers use a technique called Social Engineering
Social Engineering is the art of tricking people into actions they later regret. Attackers may trick you into providing sensitive information, giving access to restricted systems or locations, or transferring money. They research facts about you, your vessel or your company from the web or social media. They then use this knowledge to gain your trust. Someone who knows so much about you already can easily pretend to be a colleague or a friend of a friend.
39 Phishing
Phishing is a form of social engineering where attackers fish for sensitive information like usernames or passwords. Often emails are used, hoping you will click on a link. Mails may appear to come from a bank or other service provider, requesting you to verify your account by entering personal details such as your password on a fake website. They may also claim to be from a colleague or your IT department. Attachments may be used to launch attacks when you open them. Always be careful when emails contain links or attachments; never click on them unless you are sure they are from a trusted source. If in doubt, contact the sender on a phone number or email address you know, not on a contact provided by the possible attacker. If the sender seems suspicious, play it safe and delete the email. Phishing attacks may also be launched from hacked websites or smartphone apps.
40 Fake websites
41 Email attacks
E-mail is still a very important attack vector, as e-mail is cheap and nearly anonymous. E-mail is like a postcard: Everything can be faked, there is no inherent security in e-mail.
42 DNV GL received major phishing attack
Note seemingly valid @dnvgl.com sender!
43 Sharing passwords
. Research indicates that nearly 7 out of 10 people would reveal their password in exchange for a chocolate bar!
Never share your passwords with anyone – ever.
Never use your company passwords for other services.
Never change your passwords based on instructions you receive on the phone, in e-mail or through instant message systems – unless you are the one who initiated the need for the change.
Writing your password down is acceptable as long as it is kept under control. If you want to write your passwords into a Word file, ensure that the file is encrypted.
45 Memory sticks
1. Never use a USB device that is not your own or that you know for sure can be 100% trusted.
2. USB sticks may contain malicious code that could harm your PC or even use your PC to spread themselves in the company network.
3. Antivirus software, personal firewall, spam filters and other security software and patches are installed on our PCs. These measures only help us part of the way, however; we all need to be vigilant and think before acting.
4. Always remember: the last – and the strongest – line of defence is situated between the chair and the keyboard.
46 E-mail security
. E-mail has become a business critical application. We expect the messages to arrive instantly, as written, and kept away from curious eyes.
. Unfortunately this is not the case. There is no guarantee that the e-mail will reach its destination, or that the content will not be tampered with, or will not be leaked.
The Internet mail system is based on a store-and-forward mechanism. Network and server problems can sometimes cause the message to be stuck on a server for a long time before it is sent on to the next system, towards its final destination.
Regular e-mails are sent in clear text. On every IT system there are a number of people who have system privileges to read your message – even change its content.
There is no confidentiality when you send a regular, unencrypted e-mail.
49 E-mail security
For these reasons business critical information should never be sent as regular e-mail, unless it has been accepted by the recipient. You should also verify that the message has been received if timing is essential. If you need to send confidential information, it can be included in a password protected file and sent as an attachment instead of regular text in the e-mail. The password may be sent as an SMS message to the recipient’s mobile phone.
Keep in mind that you cannot trust the sender’s name and address when you receive e-mail. It is very easy to fake an identity on the Internet. There are even sites that offer “free services” where one can enter the bogus sender information, along with the text to be transmitted. The e-mail will then be sent to the target of the prank – or the crime.
If you suspect a message not to be genuine, contact the sender to have it verified, preferably by phone, or e-mail. Always re-type the sender's e-mail address. Clicking on the reply button will in most cases send your message back to the falsifier.
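The checks the phishing, fake-website and e-mail slides ask a reader to do by eye (displayed sender name vs the real address, a faked identity, a reply that goes back to the falsifier, a link to a look-alike site) can be made mechanical. The script below is an added example written for this page, not DNV GL's code or part of the training material: it parses a raw message with the Python standard library, compares the From domain with the envelope sender (Return-Path) and with Reply-To, reads the SPF/DKIM verdicts the receiving mail server wrote into Authentication-Results, and flags link hosts that imitate a trusted domain. The two messages, the `.example` domains, the `TRUSTED_DOMAINS` allow-list and the look-alike heuristic are constructed for the example; only dnvgl.com is taken from the slides.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not from the DNV GL deck). The ".example" domains
# are placeholders; only dnvgl.com is taken from the slides.
SUSPICIOUS_RAW = """\
Return-Path: <bounce-4471@mailer-dnvgl-support.example>
Authentication-Results: mx.ship.example; spf=fail smtp.mailfrom=mailer-dnvgl-support.example; dkim=none
From: "DNV GL IT Support" <it-support@dnvgl.com>
Reply-To: helpdesk@dnvgl-account-check.example
To: master@ship.example
Subject: Action required: verify your mailbox
Content-Type: text/plain; charset=utf-8

Your mailbox quota is full. Verify your account within 24 hours:
https://dnvgl-account-check.example/verify?user=master
"""

LEGITIMATE_RAW = """\
Return-Path: <it-support@dnvgl.com>
Authentication-Results: mx.ship.example; spf=pass smtp.mailfrom=dnvgl.com; dkim=pass header.d=dnvgl.com
From: "DNV GL IT Support" <it-support@dnvgl.com>
To: master@ship.example
Subject: Planned maintenance window
Content-Type: text/plain; charset=utf-8

Details are published at https://www.dnvgl.com/support (no action needed).
"""

TRUSTED_DOMAINS = {"dnvgl.com"}   # assumed allow-list of the company's own mail/web domains


def domain_of(header_value):
    """Mail domain of an address header, lower-cased; empty if the header is absent."""
    _, address = parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def registrable(host):
    # Assumption: the registrable domain is the last two labels (ignores multi-part ccTLDs).
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Plain edit distance, used to catch one- or two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(host, trusted=TRUSTED_DOMAINS):
    """True when host is NOT a trusted domain but imitates one (brand name embedded or near-miss spelling)."""
    reg = registrable(host)
    if reg in trusted:
        return False
    for t in trusted:
        brand = t.split(".")[0]
        if brand in host.lower() or levenshtein(reg, t) <= 2:
            return True
    return False


def analyse_message(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means no spoofing indicator was seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    envelope_dom = domain_of(msg["Return-Path"])
    reply_dom = domain_of(msg["Reply-To"])
    # 1. The displayed From address is free text; the envelope sender (Return-Path) is what the MTA saw.
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope sender domain {envelope_dom} differs from From domain {from_dom}")
    # 2. Pressing Reply sends to Reply-To, which is why the slide says to re-type the sender's address.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To points to {reply_dom}, not to the From domain {from_dom}")
    # 3. SPF/DKIM verdicts recorded by the receiving mail server.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        verdict = m.group(1) if m else "missing"
        if verdict != "pass":
            findings.append(f"{mech} verdict is {verdict}")
    # 4. Links whose host imitates a trusted domain (the "fake website" case).
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for url in re.findall(r"https?://[^\s<>\"')]+", text):
        host = urlparse(url).hostname or ""
        if looks_alike(host, trusted):
            findings.append(f"link host {host} imitates a trusted domain")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_RAW), ("legitimate", LEGITIMATE_RAW)):
        print(name, analyse_message(raw) or ["no indicators"])
```

A Return-Path that differs from the From domain is an indicator, not proof: legitimate bulk-mail services also do this, which is why the script reports findings for a person to weigh rather than a verdict. The Authentication-Results header is only trustworthy when your own receiving server added it, so a production filter would strip any such header arriving from outside before relying on it.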
50 Malware: Viruses, Trojans and Worms
. Approximately 700,000 new malware samples are currently identified per month!
. Many websites are being compromised; visiting them may get unwanted program code installed on your PC.
. Once the malware is inside, it will try to spread itself to all other systems in the network, as well as “call home” to download more malicious code.
. Until the faulty programs have been corrected, and a patch has been produced and installed on all relevant systems, we are vulnerable.
51 Malware: Dos and Don'ts
Ensure that the antivirus software is running on your system and that it is kept up to date.
Regularly check that your Internet security settings are set correctly in Internet Explorer [Tools > Internet Options… > Security]. Verify that the security level for Internet is set to Medium or higher, and that Restricted Sites is set to High.
Don’t use the PC for surfing on inappropriate sites on the Internet.
Do not accept any requests for software updates or offers of added functionality when you are visiting web sites, as this may install a Trojan on your PC.
52 Free public network
. Free access may seem convenient: no username, or password, or credit card.
. Unfortunately, services named Free Public Network or Free Wi-Fi are not always what they appear to be.
. Criminals go to public places where people access the Internet using their computers, tablets and smart phones, and set up fake wireless services. When their victims connect to the Internet, data such as usernames and passwords are recorded, passing through the criminal’s PC.
. Serious providers of access points require that you enter some form of ID and a password before you are given access to the Internet.
53 Free public network
. If Internet access is provided without asking for any credentials you should be very cautious and not use any net services such as web shops and banks where you must type in secret private information.
. Using free Internet access from serious providers is fairly low risk when used for regular browsing, such as reading news and articles on the web.
. You should still be vigilant and watchful for abnormal system behaviour. If in doubt, disconnect your device and switch it off.
. When connecting to your company network, using a company PC and applications such as Outlook and Internet Explorer, the communication is encrypted. This makes snooping and wiretapping of data and information impossible.
54 Fake anti-malware
. Fake anti-malware may appear when using online services, e.g. booking sites, in the form of pop-up windows claiming that your PC is unprotected and offering anti-virus solutions.
. No matter which button you would click on – Yes or No – the program would download a virus to your machine.
. The viruses can switch off the antivirus programs, so that our PCs would be open to all kinds of malware installations.
55 Fake anti-malware
. Unfortunately, there will always be new malware that exploits vulnerabilities in operating systems and applications and for which there is no protection.
. Until the virus or weakness has been analysed and a cure has been found, we will be at risk.
Steps to follow: If your PC starts to behave suspiciously, never ignore the signs or try to correct the problem yourself. Turn off your PC immediately by pressing the power-button until it stops completely. Then call your IT support for help.
56–66 Game – Fake or Real Websites (eleven image slides)
67 Cyber security incident response management
68 Why is cyber security incident response important?
Source: https://citadeldigitalsecurity.com
69 Incident Response Management
Plan & Prepare → Detect & Report → Assess & Decide → Respond & Recover (cycle)
70 Plan & Prepare
. Produce or update relevant information security event management policies, processes and procedures.
. Define a detailed information security incident management plan.
. Define responsibilities and tasks as well as establish an Incident Response Team (IRT).
. Provide an appropriate training program for assigned responsibilities and tasks.
. Establish appropriate connections with internal and external organizations which are directly involved in cyber security events.
Incident report template fields shown on the slide: Information of reporting person; Event details; Event description; Security event details; Incident category; Total recovery costs from incident; Incident resolution; Effect of incident; Components/assets affected; Person(s)/perpetrator(s) involved; Actual or perceived motivation; Actions taken to resolve incident; Description of perpetrator; Internal individuals/entities notified; Actions planned to resolve outstanding incident; Conclusion; External individuals/entities notified; Submission of incident report.
71 Detect & Report
. Monitor alerts from internal security systems, e.g. from intrusion detection systems
. Monitor alerts from external information sources, e.g. national incident response teams, vendors and cyber security firms
. Inform and escalate abnormal events to the IRT
. Collect information about the incident
. Record the incident in a report, e.g. including:
– Event details (e.g. time, place, etc.)
– Event description (what happened?)
– Type of attack (see picture)
– Assets affected (e.g. HW, SW, Com, Process)
– Effect of incident (in terms of CIA)
– Incident resolution
– Action to prevent similar incidents
– Notification to internal/external persons/entities
72 Assess & Decide
. Determine whether an event is actually a cybersecurity incident or a false alarm.
. If a cybersecurity incident has occurred, escalation to the Incident Response Team is required.
. Find out what information, system, or network is impacted.
. Find out what the impact is in terms of confidentiality, integrity, and availability (CIA) and assign priority for response activities based on the severity of the CIA impact.
. Identify and notify all relevant stakeholders: Which information should be communicated? To whom (internal/external) should it be communicated? When should it be communicated? Who needs to communicate?
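The Detect & Report and Assess & Decide steps can be exercised on a handful of alert lines. The script below is an added example written for this page, not a DNV GL tool: it parses constructed alert lines from an assumed on-board IDS/antivirus feed, discards a known test signature and an external advisory as non-incidents (the "false alarm" decision), groups the rest per asset, rates the CIA impact with an assumed IT/OT weighting in the spirit of the "Safety in shipping" slide, sets a priority, decides whether to escalate to the IRT and fills an incident record with fields from the Detect & Report slide. Asset names, signatures, weights, thresholds and the notification list are all assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample alert lines (not from the deck): an on-board IDS/antivirus feed and one
# external advisory. Asset names, signatures and the key=value format are all assumptions.
SAMPLE_ALERTS = [
    "2018-10-16T08:31:02Z src=ids asset=ECDIS-1 sig=SMB_EXPLOIT_ATTEMPT severity=high",
    "2018-10-16T08:31:40Z src=ids asset=ECDIS-1 sig=NEW_ADMIN_ACCOUNT severity=high",
    "2018-10-16T08:32:11Z src=av asset=CREW-PC-7 sig=EICAR_TEST_FILE severity=low",
    "2018-10-16T08:35:00Z src=ids asset=OFFICE-PC-2 sig=PORT_SCAN severity=medium",
    "2018-10-16T08:40:00Z src=ids asset=CREW-PC-7 sig=PORT_SCAN severity=low",
    "2018-10-16T09:00:00Z src=cert-feed asset=* sig=ADVISORY_SMB_WORM severity=info",
]

# Assumed mapping of asset name prefixes to the IT/OT split used in the deck.
ASSET_CLASS = {"ECDIS": "OT", "PLC": "OT", "DP": "OT", "CREW-PC": "IT", "OFFICE-PC": "IT"}
# Assumed weighting of what is at stake per class: OT puts life/property (integrity,
# availability) first; IT mainly puts information (confidentiality) at risk.
CIA_WEIGHT = {"OT": {"C": 1, "I": 3, "A": 3}, "IT": {"C": 3, "I": 2, "A": 1}}
SEVERITY_SCORE = {"info": 0, "low": 1, "medium": 2, "high": 3}
KNOWN_FALSE_ALARMS = {"EICAR_TEST_FILE"}   # benign test signatures, not incidents


@dataclass
class IncidentReport:
    """Fields follow the Detect & Report slide (event details, type of attack, assets, CIA effect, ...)."""
    event_time: str
    asset: str
    asset_class: str
    type_of_attack: list
    cia_impact: dict
    priority: str
    escalate_to_irt: bool
    notify: list = field(default_factory=list)
    resolution: str = "open"


def parse_alert(line):
    """Split a 'timestamp key=value ...' line into a dict."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["time"] = line.split(" ", 1)[0]
    return fields


def asset_class(asset):
    for prefix, cls in ASSET_CLASS.items():
        if asset.startswith(prefix):
            return cls
    return "IT"


def assess(lines):
    """Detect: group alerts per asset and drop false alarms. Assess: score the CIA impact, set a
    priority, decide on escalation and on who to notify. Returns reports sorted by priority."""
    per_asset = {}
    for alert in map(parse_alert, lines):
        if alert["asset"] == "*" or alert["sig"] in KNOWN_FALSE_ALARMS:
            continue   # advisories and test signatures are information, not incidents
        per_asset.setdefault(alert["asset"], []).append(alert)

    reports = []
    for asset, alerts in per_asset.items():
        cls = asset_class(asset)
        worst = max(SEVERITY_SCORE[a["severity"]] for a in alerts)
        cia = {prop: worst * weight for prop, weight in CIA_WEIGHT[cls].items()}   # 0..9 per property
        score = max(cia.values())
        priority = "P1" if score >= 9 else "P2" if score >= 6 else "P3"
        signatures = sorted({a["sig"] for a in alerts})
        # Escalate on severity, or when several different signatures hit the same asset.
        escalate = priority in ("P1", "P2") or len(signatures) > 1
        notify = ["IRT"] if escalate else ["IT/OT responsible (log only)"]
        if cls == "OT" and priority == "P1":
            notify += ["Master", "Designated Person Ashore"]   # assumed internal escalation path
        reports.append(IncidentReport(min(a["time"] for a in alerts), asset, cls, signatures,
                                      cia, priority, escalate, notify))
    return sorted(reports, key=lambda r: r.priority)


if __name__ == "__main__":
    for r in assess(SAMPLE_ALERTS):
        print(r)
```

The weighting encodes the deck's own argument: on OT the property at risk is life, property and the environment, so integrity and availability dominate; on IT it is mainly finance and reputation, so confidentiality dominates. Replace `CIA_WEIGHT` and the P1/P2 thresholds with your own risk criteria; the point of the exercise is that the decision is written down in the Plan & Prepare phase rather than improvised during the incident.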
73 Respond & Recover
. Contain the incident, including:
– limit the damage
– stop the attacker
– ensure business continuity
– prevent spreading of the incident (internal/external)
. Eradicate the incident, including:
– based on the concluded incident investigation
– remove all assets related to the incident
– remove all artefacts left by the attacker
– close vulnerabilities used by the attacker
. Recover from the incident, including:
– ensure return to normal operation
– eliminate vulnerabilities to prevent similar incidents
74 Regulations, Standards and Best Practices
Industry is responding
75 Trends (contd.): Cyber security regulations evolving (DNV GL © 04 June 2018)
. MSC 98 (07/17) agreed that there is an urgent need to raise awareness on cyber risk threats and vulnerabilities
. An important part of achieving this would be to consider cyber risk as part of existing safety management systems (ISPS and ISM codes)
. MSC 98 adopted resolution MSC.428(98) on Maritime cyber risk management in management systems
. The guidelines are not mandatory but Member Governments are encouraged to apply them
Outcome: MSC 98 adopted the recommendatory MSC-FAL.1/Circ.3 superseding the interim guidelines.
Impact: Cyber risks should be addressed in safety management systems no later than the first annual verification of DoC after 1 January 2021. This is a non-mandatory requirement.
76 IMO – present requirements
. Cyber Security brought into ISM/ISPS audits
– ISM Code 1.2.1: The objectives of the Code are to ensure safety at sea, prevention of human injury or loss of life, and avoidance of damage to the environment, in particular to the marine environment, and to property.
– ISM Code 1.2.2: Safety management objectives of the Company should, inter alia: 1. provide for safe practices in ship operation and a safe working environment; 2. assess all identified risks to its ships, personnel and the environment and establish appropriate safeguards; and 3. continuously improve safety management skills of personnel ashore and aboard ships, including preparing for emergencies related both to safety and environmental protection.
– ISM Code 1.2.3: The safety management system should ensure: 1. compliance with mandatory rules and regulations; and 2. that applicable codes, guidelines and standards recommended by the Organization, Administrations, classification societies and maritime industry organizations are taken into account.
. Conclusion: If cyber risks exist, the ISM and ISPS Codes contain mandatory requirements.
77 IMO proposal for new Strategic Plan
. Assembly session of IMO, Nov 27th – Dec 6th 2017
. Submission of “Strategy, Planning and Reform” with a proposal for a new Strategic Plan for the six-year period 2018 to 2023.
. In the submission paper A 30/7 on page 8, para. 28 it is stated/proposed how IMO should handle cyber risks in the strategic direction SD 5:
“Shipping operations are increasingly dependent on electronics and digital technologies and as such are exposed to cyber risks. The Organization will continue to monitor the issue and encourage a cooperative approach among Member States and stakeholders.”
78 MSC-FAL.1/Circ.3
MSC-FAL.1/Circ.3 – Guidelines on Maritime Cyber Risk Management
. Recommendation (non-mandatory)
. Application: to encourage safety and security management practices; addresses both IT and OT systems
. Cyber risk: threats are presented by malicious actions (e.g. hacking or introduction of malware) or the unintended consequences of benign actions (e.g. software maintenance or user permissions).
. Cyber risk management: Identify – Protect – Detect – Respond – Recover
. Refers to the BIMCO guideline, ISO/IEC 27001 and the NIST Framework, etc.
79 EU regulations and national development
. Directive (EU)2016/1148 concerning measures for a high common level of security of network and information systems across the Union (May 2016) – Applicable for ports but not vessels
. Regulation (EU)2016/679 - General Data Protection Regulation (April 2016) – Applicable for vessels from May 2018
. USCG Cyber Strategy (June 2015)
. CG-5P Policy Letter 08-16: Reporting Suspicious Activity and Breaches of Security (Dec 2016) – Require cyber security incident reporting on US waters
. USCG opens new unit to combat cyberspace threat (June 2017) – promotion video available
. Draft navigation and vessel inspection circular no. 05-17 (July 2017) Subj: Guidelines for addressing cyber risks at maritime transportation security act (MTSA) regulated facilities
80 USCG – Vessel Profiles
. Cybersecurity Framework Profiles - Maritime Bulk Liquids Transfer, Offshore Operations, and Passenger Vessel (Dec 2017)
Summary of Subcategory Priorities by Mission Objective
Mission Objectives:
1. Maintain Personnel Safety
2. Maintain Environmental Safety
3. Maintain Operational Security
4. Maintain Preparedness
5. Maintain Quality of Product
6. Meet HR Requirements
7. Pass Required Audits/Inspections
8. Obtain Timely Vessel Clearance
Framework Core: Functions and Categories
81 DNV GL’s Cyber Secure Class Notation supports protecting the safety of vessel, crew and passengers
. The additional class notation Cyber secure includes requirements to cyber security for a vessel, intending to protect the safety of the vessel, crew and passenger. On-shore facilities are not addressed within the requirements.
. Cyber secure notation has 3 different qualifiers:
– Cyber secure(Basic) – Primarily intended for sailing vessels. – Based on security level 1 in IEC 62443-3-3 with specific adaptions for the maritime industry. Requirements to bridge systems are derived from IEC 61162-460.
– Cyber secure(Advanced) – Primarily intended for new build vessels – Based on security level 3 in IEC 62443-3-3 with specific adaptions for the maritime industry.
– Cyber secure(+) – Intended for system(s) not required as part of default scope in Basic/Advanced. – Can be combined with Basic/Advanced qualifier, e.g. Basic+
Slide 82: Cyber Security Advisory for the Maritime Industry: our Type Approval programme supports manufacturers, owners and yards in ensuring safety through cyber secure components
Based on:
. ISA-62443-4-2 and
. IEC 61162-460.
Slide 83: Cyber Security Advisory for the Maritime Industry: Recommended practices. Where should we start?
Slide 84: Cyber Security standards landscape
[Figure: map of the standards landscape, grouped into Organizational Standards, Technical Standards and Risk based Standards; recovered labels only]
Standards shown: ISO 27001; US Coastguard Cyber Strategy; FOR-2012-12-07-1157; BSI 100; BSI TR-03109; CPNI Process control and SCADA security; DNV GL Recommended Practice; ISF Framework; NIST Framework; Cigre; LR Guidelines; BIMCO Guidelines; ENISA; ABS Guidelines; IMO Guidelines; ISA/IEC 62443; IEC 62351; IEEE 1686; IEC 60870-5-101/104; IEC 61850; IEC 60092-504
Risk based Standards: IEC 61508
Slide 85: BIMCO “The Guidelines on Cyber Security On-board Ships”
. Version 2.0 (July 2017) by
. Aim: offer guidance to shipowners and operators on how to assess their operations and put in place the necessary procedures and actions to maintain the security of cyber systems onboard their ships.
. Scope:
– Cyber security and safety management
– Understanding the cyber threat (types and stages)
– Determination of vulnerability for IT and OT systems
– Risk assessments (process & criteria)
– Technical & procedural control measures
– Contingency planning and emergency response
. Conclusion: a useful high-level introduction with a comprehensive scope, but no specific “how to” guidance
Slide 86: Introduction to ISO 27001
. ISO 27001 formally specifies how to establish an Information Security Management System (ISMS).
. The adoption of an ISMS is a strategic decision.
. The design and implementation of an organization’s ISMS is influenced by:
– its business and security objectives,
– its security risks and control requirements,
– the processes employed and
– the size and structure of the organization: a simple situation requires a simple ISMS.
. The ISMS will evolve systematically in response to changing risks.
. Compliance with ISO 27001 can be formally assessed and certified. A certified ISMS builds confidence in the organization’s approach to information security management among stakeholders.
Slide 87: DNV GL response: Cyber Security Recommended Practice
What:
. Explains ‘how to do’, not just ‘what to do’, and so fills a gap amongst available guidelines
. Facilitates an approach for both IT and OT systems
. Builds on established standards:
– ISO/IEC 27001
– ISO/IEC 62443 (OT)
– BSI Grundschutz (IT)
. Applies common risk and barrier management principles
. Provides practical examples and guidelines for implementation
. Builds on experience from live projects
Slide 88: CYBER SECURITY: DNV GL’s Recommended Practice
Assessment is key: before spending money on a cyber security initiative, we recommend carrying out a structured and targeted assessment of the risk picture.
ASSESSMENT
. High-level assessment: identification of key risks
. Focused assessment: barrier management methodology applied to specific high-risk systems
. In-depth assessment: comprehensive risk assessment, comparison of current safeguards with target
IMPROVEMENT
. Competence & awareness building
. Technical measures: e.g., access control, software configuration management and barrier management
. Information security management system (ISMS): preparation of documentation and implementation
VERIFICATION
. Monitoring and testing of technical barriers
. Verification of ISMS against ISO/IEC 27001
Slide 89: DNVGL-RP-0496 approach to assessment
[Flow: Start of cyber security assessment program -> High level Assessment [2.1] -> Focused Assessment [2.2] or Comprehensive, In Depth Assessment [2.3] -> Improvement [3]]
Slide 90: Cyber Security Assessment Approach: How are risks managed?
Slide 91: When welding/repair introduces a ‘crack’ into the vessel structure, how is this crack (risk) controlled?
When a software change is introduced to systems, then what?
Three pillars of Cyber Security
. Holistic approach for maritime cyber security assessments
Process:
. Management systems
. Governance frameworks
. Policies & procedures
. Vendor/third party contracts and follow-up
. Audit regimes
People:
. Training & awareness
. Professional skills & qualifications
. Emergency drills
. Authorizations & authentication
. Physical security
Technology:
. System design
. Hardening of connections
. Software configuration
. Encryption protocols
. Jamming & spoofing
. Detection & monitoring
Slide 94: On board Cyber Security inspections
Surveyors find viruses on-board during routine inspections…
Slide 95: On board verification tests and inspections
Categories of findings on different ship types:
. People, Process, Technology
– Passenger, Container, Tanker, Offshore production unit
[Figure labels: Organisational maturity; Lack of fear factor?; Retrofit from older technology]
Slide 96: Example findings on Passenger, Container, Tanker & Offshore production units
. Network Security: are firewalls used according to policy?
• Firewall mounted in engine performance monitoring cabinet, but not connected
Slide 97: Example findings (cont.)
. Network Security: is anti-virus used according to policy?
• No anti-virus on “island-mode” workstations
• Skype installed on tank sounding computer
• Undetected infection of loading computer
Slide 98: Example findings (cont.)
. Physical security and access control (checking access control)
. No password change policy; passwords pre-set by shore IT
– Passwords printed on paper and posted on the wall
Slide 100: Example findings (cont.)
. Physical security and access control (checking access control)
. Unnecessary Administrator access on engine performance monitoring PC
. No automatic lock-out, and users stay logged in to workstations, because reporting tasks are so time consuming that they cannot be handled by a single person
. Lack of physical security: all equipment in scope is accessible
. Weak passwords, e.g. “123”
Slide 101: Example findings (cont.)
. Network Security (network security checks)
. Personal use of company network
– E-mail (bypassing corporate filtering), browsing, and social networking on on-board PCs
. 4 base functions of on-board firewall disabled, including event-logging; broadcast storm protection disabled in switches
. Limited alarm and event logging
– Security products generate alarms, but there is no central collection or review of events
. Lack of Windows patching & hardening
– Windows updated only during major upgrades, i.e. up to 3 years outdated
– Windows installations configured with standard settings
– Default credentials on networking gear, e.g. switches, routers
. 15 anti-virus alarms in a week on sample PC on-board
Slide 102: Example findings (cont.)
. Network Security (network security checks)
. Anti-virus installed on all hosts, but no scheduled scans; last scan in 2014
. No monitoring/alarming of network load within the Network panel of the Alarm server HMI
. Alarm servers running unused/unnecessary services
. Adequate malware protection not installed on HMI PCs (alarm monitoring and engine performance monitoring)
. Alarm overflow: after a certain number, no further alarms can be received
. OS security patches ~twice a year (except ship’s firewall)
. Unencrypted e-mail communication
Slide 103: Example findings (cont.)
. Policies and Procedures (checks on policies and procedures)
. No defined policies for associated vendors/service personnel to follow
– Service provider technician uses own USB stick to print reports from on-board PCs
. Dedicated USB stick for updating ECDIS, however physically not secured and no malware scanning
. Single USB stick policy
– Single USB used to transfer loading condition data to shore via Bridge
– SD card used between camera and on-board workstations
– Gradually all of the business network on-board infected
Slide 104: Example findings (cont.)
. Policies and Procedures (checks on policies and procedures)
. All data and configuration backups stored in a single cabinet on-board
. All backup HDDs stored in a single rack (together with all IT servers), and not transferred to shore
. IT dept. responsible for comm. networks, but the Master is responsible on the vessel
– No incident response policy defined; the Master would contact the IT dept.
– AIS kept on in piracy area despite policy to switch it off
– No policy regarding sharing geo-tagged photos
Slide 105: DNVGL-RP-0496 in-depth assessment technique
Slide 106: Understanding Cyber Security threats/risks: likelihood
. Identify critical systems
. Rank risks (prioritise)
[Table 2-4, garbled in extraction; recoverable content only. Columns: Connected and/or integrated; Requiring software updates; Remote connection; Physically accessible; Ease of Access (Low/Medium/High). The table notes that requiring software updates has no effect on ease of access. Recoverable rows: a system with none of the access paths rates Low; a system that is only connected, or only physically accessible, rates Medium; a system that is both connected and physically accessible rates High; a system with all access paths rates High.]
Table 2-4 Example rating of ‘ease of access’ (likelihood), DNVGL-RP-0496 - Cyber security resilience management for ships and mobile offshore units in operation
Slide 107: Assessing the consequence of a cyber attack
Slide 108: DNVGL-RP-0496: comprehensive, in-depth approach
[Flow: Identify critical systems (2.3.1), by IT system / OT type -> Determine consequence (2.3.2) (Appendix E) and Determine likelihood (2.3.3) (Appendix F) -> Establishing the cyber security risks (2.3.4) and Determine prioritised action plan -> Compare current safeguards with target (2.3.5), Table 2-7]
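The in-depth steps above (identify critical systems, rate likelihood and consequence, rank the risks, compare current safeguards with a target) and the on-board findings on the preceding slides can be walked through as a small risk register. The block below is an added example and not DNV GL's code or the RP's appendices; its likelihood rule reproduces only the recoverable rows of Table 2-4, and its risk matrix, its TARGET safeguard lists (a stand-in for Table 2-7, built from the kinds of findings listed on slides 96 to 104) and its sample fleet are constructed assumptions.

```python
"""Added worked example (not DNV GL's code or the RP's appendices): a small
risk register that walks the DNVGL-RP-0496 in-depth steps described on the
slides: identify critical systems, rate likelihood ('ease of access') and
consequence, rank the resulting risks, and compare the safeguards actually in
place with a target set.

ASSUMPTIONS: the ease-of-access rule reproduces only the recoverable rows of
Table 2-4 (no access path -> Low, a single path -> Medium, several -> High);
the risk matrix and the TARGET safeguard lists are illustrative stand-ins for
the RP's appendices and Table 2-7; the sample fleet is constructed.
"""
from dataclasses import dataclass, field

LEVEL = {"Low": 1, "Medium": 2, "High": 3}   # ordinal scale used throughout


@dataclass
class System:
    name: str
    kind: str                    # "IT" or "OT" (RP 2.3.1 distinguishes the two)
    connected: bool              # connected to / integrated with other on-board systems
    remote_access: bool          # reachable over a shore or vendor remote connection
    physically_accessible: bool  # equipment reachable without physical access control
    consequence: str             # worst credible outcome of compromise: Low/Medium/High
    safeguards: set = field(default_factory=set)  # controls actually verified on board


# ASSUMPTION: illustrative target safeguards per risk level, chosen from the
# on-board findings the deck lists (no scheduled AV scans, firewall functions
# disabled, default credentials, stale patches, no lock-out, open cabinets).
TARGET = {
    "Low":    {"antivirus", "patching"},
    "Medium": {"antivirus", "scheduled_scans", "patching",
               "no_default_credentials", "auto_lockout"},
    "High":   {"antivirus", "scheduled_scans", "patching",
               "no_default_credentials", "auto_lockout", "firewall_enabled",
               "central_logging", "no_local_admin", "physical_access_control"},
}


def ease_of_access(s: System) -> str:
    """Likelihood proxy in the spirit of Table 2-4. 'Requiring software
    updates' is deliberately not an input: the table marks it as having no
    effect on ease of access."""
    paths = sum([s.connected, s.remote_access, s.physically_accessible])
    if paths == 0:
        return "Low"
    if paths == 1:
        return "Medium"
    return "High"


def risk_level(likelihood: str, consequence: str) -> str:
    """ASSUMPTION: 3x3 matrix from the product of the ordinal scores."""
    score = LEVEL[likelihood] * LEVEL[consequence]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def assess(systems):
    """Return the risk register, highest risk (then most gaps) first, with the
    safeguards missing against the target for each system's risk level."""
    register = []
    for s in systems:
        likelihood = ease_of_access(s)
        risk = risk_level(likelihood, s.consequence)
        gaps = sorted(TARGET[risk] - s.safeguards)
        register.append({"system": s.name, "kind": s.kind,
                         "likelihood": likelihood, "consequence": s.consequence,
                         "risk": risk, "gaps": gaps})
    register.sort(key=lambda r: (-LEVEL[r["risk"]], -len(r["gaps"]), r["system"]))
    return register


# Constructed sample fleet, mirroring the kinds of systems named in the findings.
SAMPLE_FLEET = [
    System("ECDIS", "OT", connected=True, remote_access=False,
           physically_accessible=True, consequence="High",
           safeguards={"antivirus", "patching"}),
    System("Engine performance monitoring PC", "OT", connected=True,
           remote_access=True, physically_accessible=True, consequence="Medium"),
    System("Tank sounding computer", "IT", connected=True, remote_access=False,
           physically_accessible=False, consequence="Medium",
           safeguards={"antivirus", "patching", "auto_lockout"}),
    System("Island-mode crew PC", "IT", connected=False, remote_access=False,
           physically_accessible=True, consequence="Low",
           safeguards={"antivirus"}),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_FLEET):
        print(f"{row['risk']:6} {row['system']:34} L={row['likelihood']:6} "
              f"C={row['consequence']:6} gaps: {', '.join(row['gaps']) or 'none'}")
```

The ordering is the prioritised action plan of step 2.3.4: the engine performance monitoring PC (reachable three ways, nothing in place) comes out ahead of the ECDIS even though the ECDIS has the worse consequence, and the gap list for each system is the input to the "compare current safeguards with target" step. Swapping in the RP's own appendix tables for the assumed rule and matrix does not change the structure.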
Slide 109: DNVGL-RP-0496 Bow-Tie Barrier Management
Slide 110: Understanding cyber attack mechanics: Attacker, Vulnerabilities, Barriers, Consequences
[Bow-tie diagram, recovered labels only. Columns: Attack threats -> Attack techniques -> Security barriers -> Vulnerabilities -> Consequences.
Attack threats: USB port; Outdated software; Unsecure remote connection; Default passwords.
Vulnerable systems: ECDIS; CMS; RADAR.
Consequences: Collision; Extortion; Cargo hijacking.
Each threat path is drawn as Attack -> Barrier; the unsecure remote connection path is drawn without a barrier.]
Slide 111: DNVGL-RP-0496: graphical understanding of protection barriers
. Leverages existing industry knowledge using Bow-Tie & barrier management methodologies and transposes this intuitive method to help assess complex attack scenarios
Slide 112: A bridge between domain knowledge
. Use graphical tools for communication in the industry’s own language
. Bow-tie barrier management (safety)
People without an IT background learn how to do it in 10 minutes and realise they know a lot more than they thought.
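The bow-tie on slides 109 to 112 can be written down as data and checked mechanically, which is what makes it usable beyond the whiteboard. The block below is an added example, not DNV GL's code or the RP's method: it models one top event with the threats, consequences and system names taken from slide 110, and reports each leg as unprotected, single-barrier or protected. The barrier names and their in-place status are constructed and echo the findings on slides 103 and 104 (dedicated USB stick not physically secured, no malware scanning, backups never transferred ashore).

```python
"""Added worked example (not DNV GL's code): a minimal bow-tie model in the
style of the DNVGL-RP-0496 barrier management slides. Threats on the left
reach a top event through preventive barriers; consequences on the right are
limited by mitigative barriers. evaluate() grades every leg so an assessor can
see where the picture is thin.

The threats, consequences and system names come from the slides; the barrier
names and their status are CONSTRUCTED and mirror the on-board findings listed
on the deck (unsecured USB stick, no media scanning, backups not sent ashore).
"""
from dataclasses import dataclass, field


@dataclass
class Barrier:
    name: str
    in_place: bool = True   # a barrier that exists only on paper counts as absent


@dataclass
class Leg:
    """One left-hand threat or right-hand consequence and the barriers on its path."""
    name: str
    barriers: list = field(default_factory=list)


@dataclass
class BowTie:
    top_event: str
    threats: list        # preventive side
    consequences: list   # mitigative side


def leg_status(leg: Leg) -> str:
    """unprotected: no effective barrier; single-barrier: one; protected: two or more."""
    active = [b for b in leg.barriers if b.in_place]
    if not active:
        return "unprotected"
    if len(active) == 1:
        return "single-barrier"
    return "protected"


def evaluate(bt: BowTie) -> dict:
    """Status of every leg, keyed by side and leg name."""
    return {
        "top_event": bt.top_event,
        "threats": {t.name: leg_status(t) for t in bt.threats},
        "consequences": {c.name: leg_status(c) for c in bt.consequences},
    }


def unprotected_legs(bt: BowTie) -> list:
    """Legs with no effective barrier at all: the first things to put right."""
    report = evaluate(bt)
    legs = [("threat", n) for n, s in report["threats"].items() if s == "unprotected"]
    legs += [("consequence", n) for n, s in report["consequences"].items() if s == "unprotected"]
    return sorted(legs)


# Constructed bow-tie for the ECDIS, using the slide's threat and consequence labels.
ECDIS_BOWTIE = BowTie(
    top_event="Malware on the ECDIS workstation",
    threats=[
        Leg("USB port", [Barrier("Dedicated update USB stick kept locked away", in_place=False),
                         Barrier("Malware scan of removable media before use", in_place=False)]),
        Leg("Outdated software", [Barrier("Vendor patch management for ECDIS")]),
        Leg("Unsecure remote connection", [Barrier("Remote access only over authenticated VPN"),
                                           Barrier("Remote sessions approved by the Master")]),
        Leg("Default passwords", [Barrier("Credentials changed at commissioning", in_place=False)]),
    ],
    consequences=[
        Leg("Collision", [Barrier("Independent backup ECDIS"), Barrier("Bridge watch procedures")]),
        Leg("Extortion", [Barrier("Offline backups held ashore", in_place=False)]),
    ],
)

if __name__ == "__main__":
    report = evaluate(ECDIS_BOWTIE)
    print("Top event:", report["top_event"])
    for side in ("threats", "consequences"):
        for name, status in report[side].items():
            print(f"  {side[:-1]:11} {name:28} {status}")
    print("Fix first:", unprotected_legs(ECDIS_BOWTIE))
```

The "paper barrier" flag is the point of the exercise: the dedicated ECDIS update stick is a barrier on the policy, but a stick that is not locked away and never scanned contributes nothing, so the USB leg is reported as unprotected in the same way the surveyors' findings describe it.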
Slide 113: Other approaches: NIST Framework
Slide 116: Profiling using the NIST CS Framework
Categories and Subcategories
Slide 117: How DNV GL can help you: Final remarks
Slide 118: Competence and awareness: The Human Element
. ~97% of malware is designed to exploit social engineering weaknesses, not a technical flaw.
. The organisation can be strengthened against these exploits by building general competence and awareness of cybersecurity threats, issues and protective measures.
– Focus (initially) on the highest risk parts of the organisation
– Apply blended learning techniques: e-learning, classroom and offline material
– Periodic refreshers to improve retention and keep up with shifting risk profiles
Recommended training content:
. Role and responsibility of the individual
. Common threats & traps
. Good practices or “cyber hygiene”
Slide 119: What are your next steps?
Awareness campaign
Dedicated training program
Network segregation
Eliminate factory defaults
Access control
Harden remote connections
Software management
Implement ISMS
Slide 120: The Cyber Business Risk balance
“I won’t be competitive unless my vessels offer a wide range of innovative features” versus “I need to practice security by design to keep my ships safe”
Slide 121: Thank you for your attention
Maritime Cyber security: download the RP free of charge from: www.dnvgl.com/rpcs