MARITIME Cybersecurity for Critical Infrastructure DNV GL Technology Week 2018 October 16, 2018 Ungraded 1 DNV GL © 20182016 October 2018 SAFER, SMARTER, GREENER Your presenters today Jan Hagen Andersen, P.E. DNV GL Maritime . 27 years of experience in the maritime industry . 13 years with DNV GL . Head of Practice for Mechanical Systems and Engineering . BD for Maritime focus is on fleet performance management, environmental performance, cyber security, and novel technologies Craig Reeds Digital Solution Americas . Over 30 years of experience in cyber security . CISSP – Certified Information Systems Security Professional . CRISC – Certified in Risk and Information Systems Control . Works with most of the critical infrastructure industries . 4 years with DNV GL Digital Solutions Ungraded 2 DNV GL © 2018 October 2018 Agenda 8:30 – 8:45 Introduction Jan Andersen, Craig Reeds 8:45 – 9:00 You may already be under attack Craig Reeds 9:00 – 9:20 Safety in shipping heavily depends on cyber systems Jan Andersen 9:20 – 9:40 Challenges of Cyber Security in the Maritime Sector Craig and Jan 9:40 – 10:00 Break 10:00 – 10:30 What is the Threat and Where are the Risks Craig Reeds 10:30 – 10:45 Regulations, Standards and Best Practices Jan Andersen 10:45 – 11:00 Cyber Security Assessment Approach Craig Reeds 11:00 – 11:30 Questions, Discussion & Closing All speakers Ungraded 3 DNV GL © 2018 October 2018 Our leading position on Maritime Cyber Security is built and ensured through a competent cross-unit DNV GL team Key building blocks Maritime Class Leading class on Cyber Security (CS) with ISDS (Integrated Software Dependent Systems) class notation and CS RP, CS Type Approval,… Digital Solutions Cyber security competence centre with resource pool of expert supporting growth Maritime Advisory Complete picture with maritime domain knowledge & hands-on experience and Ungraded close customer contact as an advisor 4 DNV GL © 2018 October 2018 Training Overview Overview • Learn about maritime cyber security Cyber Security – Intro why is it regulations suddenly an • Understand cyber issue? security terminology • Recognize malware types Typical threats User • Be able to identify and how to Awareness recognize them threats or vulnerabilities • Learn how to organize Methods, tools awareness measures Analysis and best for own company and and practices to eliminate risks from mitigation assess and social engineering mitigate the risks Ungraded 5 DNV GL © 2018 October 2018 Cyber risks on ships and mobile offshore units The context Ungraded 6 DNV GL © 2018 October 2018 Pirates 1.0 4.0 Ungraded 7 DNV GL © 2018 October 2018 Being the early adopter… Hugo Gernsback (1884-1967) Luxembourgish-American inventor, writer, editor, publisher, Ungraded best known for publications including the first science fiction magazine. 8 DNV GL © 2018 October 2018 Maritime & Offshore trends Software & Automation Crew size Interconnectivity Ungraded 9 DNV GL © 2018 October 2018 Trends . Cyber security threats are progressing and becoming a part of our daily business ? 2018 +: What will the future bring ? . Regulations are evolving: IMO MSC. 428(98) - FAL.1/Circ.3 5 July 2017 2016: Bulk carrier … Stakeholders should take the necessary steps to safeguard switchboard shuts down-ransomware shipping from current and emerging threats and vulnerabilities related to digitization, integration and automation of processes and systems in shipping… 2014: U.S. Port hacker attack . The cyber security exclusion clause in insurance (Clause 380) is being challenged: 2013: Hacking of – Owners expect complete insurance coverage cargo tracking system – Underwriters need to properly manage their risks 2012: GPS jamming/spoofing – Charterers through TMSA 3.0 & VIQ 7 (vetting) 2011: Pirate Cyber Attack 2010: Drilling rig infected with malware Ungraded 10 DNV GL © 2018 October 2018 Risk misconception and industry lack of understanding . Difficulty in calculating risks linked RISK to the thinking of the human = IMPACT criminal mind X LIKELYHOOD <-? . Disbelief “… a hacker gained control of a vessel…” “Yeah Right, there are too many barriers to get through…” Ungraded 11 DNV GL © 2018 October 2018 Transparency VS Awareness… “There are two types of companies in Misha Glenny, British journalist who specialises in the world: those that know they've cybersecurity been hacked, and those that don't”. Cyber security incidents are more common than officially admitted.. Ungraded 12 DNV GL © 2018 October 2018 You may not know yet, but you are under attack . 2015: 64,199 reported IT Security incidents – just the tip of the iceberg1 – 89% of breaches had a financial or espionage motive . New threats arise: – Widespread ransomware – Orchestrated attacks on industrial control systems – Attacks can be rented as a service, lowering the entry bar – Government-sponsored attacks widespread – Cyber terrorism Ungraded 1 Source: 2016 Data Breach Investigations Report, Verizon 13 DNV GL © 2018 October 2018 Information technology (IT) Operational technology (OT) 800,000,000 +110% 700,000,000 2,600 Attacks on industrial control systems 2,400 600,000,000 2,200 The AV-Test 2,000 1,800 500,000,000 Institute registered 1,600 approx. 14,000,000 1,400 400,000,000 new malicious 1,200 programs during 1,000 300,000,000 800 the month of April 600 400 200,000,000 2018 alone… 200 0 100,000,000 2013 2014 2015 2016 0 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 Sources: AV-TEST Institute, Germany IBM Managed Security Services - 2016 report “Attacks Targeting Industrial Control Systems (ICS) Up 110 Percent” Ungraded 14 DNV GL © 2018 October 2018 WannaCry: Largest ransomware attack to date Known affected organisations: • Spain - Telefonica, power firm Iberdrola, utility provider Gas Natura and more large firms • USA - FedEx, • France - Renault, • Germany - Deutsche Bahn • Jakarta- Two hospitals • Russian Interior Ministry • Britain’s National Health Service, Nissan car plant “The latest count is over 200,000 victims in at least 150 countries” - Rob Wainwright, Europol Executive Director Ungraded 17 DNV GL © 2018 October 2018 Maritime can also affected Ungraded 18 DNV GL © 2018 October 2018 NotPETYA: Heavily impacting maritime industry players . Arrived via an update to an accounting system in Ukraine (ME Doc) . Spread like a worm from an infected machine . Exploited Windows SMB vulnerability (aka EternalBlue), fix by Microsoft was released on March 14th (MS17-010) . Spreads into the local network using exploits like Eternal Blue and tools like PsExec and WMIC . Encrypts MFT (Master File Tree) tables for NTFS partitions . Overwrites the MBR (Master Boot Record) with a custom bootloader . Shows a ransom note demanding USD 300, same bitcoin wallet . Prevents victims from booting their computer “Big hack at Maersk puts Rotterdam's container terminal flat” Ungraded David Bremmer and Leon van Heel, AD, NL 19 DNV GL © 2018 October 2018 NotPETYA: Heavily impacting maritime industry players . Arrived via an update to an accounting system in Ukraine (ME Doc) Software Configuration management ? . Spread like a worm from an infected machine . Exploited Windows SMB vulnerability (aka EternalBlue), fix by Microsoft was releasedSoftware on March Patch14th (MS17 management-010) ? . Spreads into the local network using exploits like Eternal Blue and tools like PsExec and WMIC . Encrypts MFT (Master ObsolescenceFile Tree) tables for NTFS management partitions ? . Overwrites the MBR (Master Boot Record) with a custom bootloader . Shows a ransom note demanding USD 300, same bitcoin wallet General situation in Maritime ? . Prevents victims from booting their computer “Big hack at Maersk puts Rotterdam's container terminal flat” Ungraded David Bremmer and Leon van Heel, AD, NL 20 DNV GL © 2018 October 2018 Video -Jim Hagemann Snabe, A.P. Møller-Maersk CEO, at World Economic Forum Ungraded 21 DNV GL © 2018 October 2018 and in the Maritime industry. German-owned 8,250 teu container . Vessel en route from Cyprus to Djibouti for 10 hours. “Suddenly the captain could not manoeuvre,” . The attack was carried out by “pirates” who gained full control of the vessel’s navigation system intending to steer it to an area where they could board and take over. Bild source: ARATINO, generic container vessel. Source: FAIRPLAY- Tanya Blake, editor, Safety at Sea | 22 November 2017 Ungraded 22 DNV GL © 2018 October 2018 Cyber Security is not just a technical problem . Top management is not involved or not walking the talk . Vendors sell tools, not solutions . It won’t happen to us, because… – We’re too small to be a target – Ships are not (always) connected to the internet – It never happened before – We have great antivirus/firewalls/snake oil technology in place – Only stupid companies get hit, we are not stupid – We make people change their passwords often . Balance between security and convenience – if it is hard to do it securely, people will be people . Social engineering is the psychological manipulation of people into performing actions or divulging confidential information; and it is boosted by privately used social media/networks . Social engineering, social spam, phishing, like-jacking,... they all target on people not on computer systems Ungraded 23 DNV GL © 2018 October 2018 Maritime Cyber risk - Fast changing trends Why? Ungraded 24 DNV GL © 2018 October 2018 Safety in shipping today heavily depends on cyber systems Information Technology