Part of Maritime Cyber Security Webinar Week, 4-6 August 2020
Cyber security: readying for the ISM Code’s 1 Jan 2021 requirements
5 August 2020 • 09:00-09:45 BST
Presentation and sponsor documents:
Page 2: Kelly Malynn, Beazley
Page 11: Makiko Tani, ClassNK
Page 22: Alex Soukhanov, Moran Cyber
Page 27: Rajeev Sukumaran, TÜV Rheinland
Page 33: F-Secure company information
Insurers' view of Maritime Cyber Risk and ISM Code requirements
Kelly Malynn, Beazley Group PLC
Understand and Underwrite
What the new regulation requires
• IMO Resolution MSC.428(98) requires ship owners and managers to assess cyber risk and implement relevant measures across all functions of their safety management system.
• The ISM Code already requires that risks be identified and managed; the IMO resolution makes cyber security one of those risks, and verification of how it is handled through the safety management system is mandatory from the first annual Document of Compliance (DoC) audit after 1 January 2021.
• IMO also released Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3) in July 2017.
In practice
If possible, use the same risk matrix and likelihood/consequence rating scales as for all safety and environmental risks onboard. This allows comparison between cyber and non-cyber risks and enables more efficient (cost-benefit) risk treatment.
Areas of Maritime Cyber Risk
Vessels:
• Physical damage: running aground, collision
• Loss of availability (loss of hire): vessel not seaworthy, systems not operating
• Extortion (ransom): vessel systems non-operational via ransomware
Shore side:
• Physical damage: 'bricking' of computer hardware onshore
• Loss of availability (business interruption): IT system failure onshore
• Extortion (ransom / data loss): IT system extortion, data exposure or theft
Putting it into practice
Risk assessment: the IMO agreed that cyber risk management should be integrated into existing management systems under the ISM Code and ISPS Code.
• Mitigate: per-user profiles and passwords; segment onboard networks into subnetworks; scan external media on a standalone system before anything on it is installed on a shipboard network.
• Transfer: identify possible insurance options for events outside appetite.
• Accept: readiness and resilience; develop a cyber incident response plan; cyber threat intelligence scan; crew awareness and training.
Potential systemic claims scenarios
• Autopilot software: malware corrupts the integrated bridge system, or alerts are overridden
• Power systems: ransomware embedded within an automatic voltage regulator
• Social engineering: payment information intercepted and funds redirected
• Electronic Chart Display and Information System (ECDIS): a software update contains an error causing the system to lose its reference
• Email and booking system: ransomware results in IT systems being unavailable
Recent events
USCG alert, July 2019
• A deep-draft vessel bound for the Port of New York and New Jersey reported a significant incident impacting the shipboard network.
• An interagency team of cyber experts led by the Coast Guard attended.
• The shipboard network was unsegregated.
• USCG issued a safety alert with recommendations.
Denison ransom, February 2020
• Bob Denison of brokerage house Denison Yachting revealed details of a cyber incident impacting the company website.
• The ransom demand was 15 Bitcoin, at the time about USD 150,000.
• The attackers threatened to release sensitive information.
• Denison engaged experts and learned early on that many of the hacker's threats were false.
• Denison reported the cyber event as 100 per cent resolved, with no sensitive client or financial information stolen.
Compliance vs practical mitigations
Risk assessment: the IMO agreed that cyber risk management should be integrated into existing management systems under the ISM Code and ISPS Code.
• Mitigate: per-user profiles and passwords; segment onboard networks into subnetworks; scan external media on a standalone system before anything on it is installed on a shipboard network.
• Transfer: identify possible insurance options for events outside risk tolerance.
• Accept: readiness and resilience; develop a cyber incident response plan; cyber threat intelligence scan; crew awareness and training.
Cyber Risks and Maritime Insurance
Kelly Malynn, Beazley Group PLC
References
Sources for the events above and the Beazley product page:
• USCG Alert: https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/INV/Alerts/0619.pdf
• USCG page: https://www.us-cert.gov/ncas/current-activity/2019/07/08/us-coast-guard-releases-cybersecurity-measures-commercial-vessels
• CISA Alert: https://www.us-cert.gov/ncas/alerts/aa20-049a
• Denison event: https://www.superyachtnews.com/technology/bob-denison-on-the-recent-cyber-attack
• Beazley product page: https://www.beazley.com/london_market/marine/marine_cyber.html
ClassNK Cyber Security Initiatives
- What we can do to control cyber risks -
ClassNK Cyber Security Team
August 2020
Ⓒ Copyright by NIPPON KAIJI KYOKAI
Why do we need cyber security in the maritime industry?
Document all
ClassNK Cyber Security Approach (May 2019)
ClassNK's fundamental policy on cyber security:
1. Ensuring safety of ships as the supreme objective
2. A multi-layered approach to control onboard cyber security
3. Update ourselves, update our guidelines
ClassNK Guidelines series on cyber security
• "ClassNK Guidelines for Designing Cyber Security Onboard Ships"
• "ClassNK Cyber Security Management System for Ships"
• "ClassNK Guidelines for Software Security"
• Security-by-design equipment
• Secure network building
• People and process controls
• Security policy and secure organization
ClassNK Guidelines for Designing Cyber Security Onboard Ships
Published: July 2020
Version: 2nd edition
Applicable to: newbuilding ships
Target readers: those responsible for shipbuilding and integration
Offers: NK Cyber Security Notation
• Alignment with IEC 62443
• Incorporates IACS Recommendation No. 166 on Cyber Resilience
ClassNK Guidelines for Cyber Security Management Systems Onboard Ships
Published: April 2019
Version: 1st edition
Applicable to: shipowners/companies and their ships
Target readers: those responsible for establishing cyber security management systems
• Alignment with ISO 27001 and ISO 27002
ClassNK Guidelines for Software Security
Published: May 2019
Version: 1st edition
Applicable to: software and applications
Target readers: those responsible for establishing cyber security management systems
ClassNK joined the Maritime Transportation Systems ISAC (MTS-ISAC)
• MTS-ISAC was formed as a nonprofit organization in February 2020 by maritime stakeholders.
• It is a US-based, maritime-industry-specific organization that shares information on cyber threats and helps its members build an information-sharing community.
• On 7 July 2020, NK joined MTS-ISAC as the first classification society and the first non-US organization to do so.
Conclusions
• Ships today are increasingly leveraging cyberspace.
• "Document all" is the first important step.
• ClassNK has resources available to contribute to the delivery and operation of cyber-secured ships.
• Collaboration and cooperation are the key to addressing cyber security.
A call for collaboration!
Contact: ClassNK Cyber Security Team, Maritime Education and Training Certification Department, e-mail: [email protected]
Maritime Cybersecurity for Commercial Vessels
Maritime Cybersecurity Webinar Week, 05 August 2020
© 2020 Moran Cyber, www.morancyber.com
Vessel Control Systems & Operational Technology
Modern Navigation Bridge
Modern Engine Control Room
Increasing Automation, Integration, and Remote Access
Case Study
Challenge: the customer required assistance in performing asset discovery of marine OT systems, followed by network segmentation from untrusted systems across the fleet.
Solution:
• Established trust with Captains and Chief Engineers to perform assessments and passive network asset discovery.
• Implemented a network segmentation solution.
• Cross-trained vessel officers and crew on operation of the segmentation system.
Results: within a single sailing for each vessel, increased asset visibility and reduced the threat surface by segmenting critical OT assets from untrusted or semi-trusted assets.
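The passive discovery and segmentation step in this case study, and the "segment networks on-board into subnetworks" mitigation in the Beazley slides earlier on this page, can be illustrated with a small inventory and trust-boundary check. The Python below is an added example written for this page; it is not Moran Cyber's tooling or any vendor's product. The zone names, subnets, trust levels and flow records are constructed assumptions standing in for what a passive tap (a SPAN-port feed or a pcap summarised to flows) would yield on a real vessel.

```python
"""Passive asset inventory and trust-boundary check over shipboard flow records.

Added illustration for this page; not Moran Cyber's or any vendor's code.
Subnets, zone names, trust levels and flow records below are constructed.
"""
import ipaddress
from collections import defaultdict

# Hypothetical zone plan for one vessel: zone name -> prefix, plus a trust
# level per zone (higher = more critical). A real vessel's plan will differ.
ZONES = {
    "OT-bridge": ipaddress.ip_network("10.10.1.0/24"),      # ECDIS, radar, autopilot
    "OT-engine": ipaddress.ip_network("10.10.2.0/24"),      # engine control, AVR
    "IT-admin":  ipaddress.ip_network("10.20.0.0/24"),      # ship office PCs
    "crew-wifi": ipaddress.ip_network("192.168.50.0/24"),   # crew personal devices
}
TRUST = {"OT-bridge": 3, "OT-engine": 3, "IT-admin": 2, "crew-wifi": 0}
UNKNOWN_TRUST = -1   # anything outside the zone plan is treated as untrusted

# Constructed flow records as a passive tap would summarise them:
# (src_mac, src_ip, dst_ip, dst_port, proto). Nothing is probed actively.
FLOWS = [
    ("00:11:22:aa:bb:01", "10.10.1.10", "10.10.1.20", 502, "tcp"),      # bridge-internal Modbus
    ("00:11:22:aa:bb:02", "10.10.2.5", "10.10.2.9", 102, "tcp"),        # engine-internal S7
    ("3c:5a:b4:01:02:03", "192.168.50.23", "10.10.1.10", 445, "tcp"),   # crew laptop -> ECDIS SMB
    ("3c:5a:b4:01:02:04", "192.168.50.40", "10.20.0.7", 443, "tcp"),    # crew laptop -> office server
    ("00:11:22:aa:bb:03", "10.20.0.7", "10.10.2.5", 22, "tcp"),         # office server -> engine SSH
    ("de:ad:be:ef:00:01", "172.16.9.9", "10.10.1.20", 502, "tcp"),      # address outside the zone plan
]


def zone_of(ip):
    """Map an IP address to its zone name, or 'unknown' if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def inventory(flows):
    """Passive asset inventory keyed by IP: MACs seen as source, zone, and the
    (proto, port) pairs other hosts contacted it on."""
    assets = defaultdict(lambda: {"macs": set(), "zone": None, "ports_contacted": set()})
    for mac, src, dst, port, proto in flows:
        assets[src]["macs"].add(mac)
        assets[src]["zone"] = zone_of(src)
        assets[dst]["zone"] = zone_of(dst)
        assets[dst]["ports_contacted"].add((proto, port))
    return dict(assets)


def zone_matrix(flows):
    """Count conversations per (source zone, destination zone) pair. This is the
    raw input to a segmentation design: every off-diagonal cell is a conversation
    that must be deliberately allowed or blocked once zones are separated."""
    counts = defaultdict(int)
    for _, src, dst, _, _ in flows:
        counts[(zone_of(src), zone_of(dst))] += 1
    return dict(counts)


def boundary_violations(flows):
    """Flows that cross from a lower-trust (or unknown) zone into a higher-trust
    zone. On an unsegregated network these pass silently; after segmentation
    each must be blocked or explicitly allowed (e.g. via a jump host in a DMZ)."""
    findings = []
    for _, src, dst, port, proto in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if TRUST.get(sz, UNKNOWN_TRUST) < TRUST.get(dz, UNKNOWN_TRUST):
            findings.append({"src": src, "src_zone": sz, "dst": dst,
                             "dst_zone": dz, "service": f"{proto}/{port}"})
    return findings


if __name__ == "__main__":
    for ip, a in sorted(inventory(FLOWS).items()):
        print(f"{ip:15} {a['zone']:10} macs={sorted(a['macs'])} "
              f"ports_contacted={sorted(a['ports_contacted'])}")
    print("zone matrix:", zone_matrix(FLOWS))
    for f in boundary_violations(FLOWS):
        print(f"VIOLATION {f['src_zone']:>9} -> {f['dst_zone']:<9} "
              f"{f['src']} -> {f['dst']} {f['service']}")
```

Run stand-alone it prints the inventory, the zone-to-zone matrix and four boundary crossings: two from crew Wi-Fi, one from the IT zone into engine control, and one from an address that is not in the zone plan at all. That last case is the one to watch: on an unsegregated network, any host nobody has accounted for has the same reach as the bridge, which is exactly what the USCG alert cited above describes. In practice the flow list is fed from a pcap or NetFlow export rather than embedded, and the matrix becomes the first draft of the inter-zone firewall rules, with a default deny and one explicit allow per reviewed conversation.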
The Value of New Build Cybersecurity
Improve safety, resiliency, and reliability through security by design
Influence design by incorporating best practices
Continual collaboration extends through lifecycle of investment
Copyright © 2017 Moran Shipping Industries, Inc. All Rights Reserved
Contact: Alex Soukhanov, [email protected], tel: +1 401 680 8975, www.morancyber.com
“The Art of the Sailor is to Leave Nothing to Chance”
Maritime Cybersecurity
Navigating the diverse maturity spectrum in the Maritime Sector
Maritime Transport Systems: a Complex Ecosystem
• Marine Transportation Systems (MTS) can be complex. They include ships, port infrastructure, terminals and people, along with supporting information and data assets, and they are busier and under more pressure than ever.
• In 2017, global seaborne trade was estimated at approximately 10.7 billion tons. This is expected to grow despite challenging geopolitical and trade tensions.
• At the same time, more efficient port services mean that ships are in port for shorter periods to load, unload and depart (UNCTAD, 2018).
• With increasing reliance on just-in-time logistics, even a small disruption at a port facility can affect the manufacture and delivery of goods thousands of miles away; a serious attack, cyber or otherwise, could be far-reaching and costly.
Maritime Cybersecurity: Key Initiatives
• In December 2002 the International Maritime Organization (IMO) adopted a new international instrument, the International Ship and Port Facility Security (ISPS) Code.
• This was an amendment to the Safety of Life at Sea (SOLAS) Convention (1974/1988) on minimum security arrangements for ships, ports and government agencies, and has since been enacted into law in many jurisdictions.
• Although the ISPS Code does not address cybersecurity directly, the IMO issued interim guidelines on maritime cyber risk management in 2016 as Maritime Safety Committee (MSC) circular MSC.1/Circ.1526.
• In June 2017 the IMO adopted Resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems; cyber risk management on board ships becomes mandatory from 1 January 2021, with a view to ensuring that existing risk management practices are used to address the operational risks.
Maritime Cybersecurity: Threat Vectors that could affect the supply chain
Ports
• Ports often form the primary interface between international trading partners and consist of many types of infrastructure with multiple interconnections, all of which require a complex underpinning IT infrastructure.
• A cyber attack on any of the supporting systems could cause major disruption and impact the ability of the port to operate, which in turn would affect the overall supply chain.
Ships
• Ships are increasingly reliant on digital and operational technology to control and manage multiple on-board systems.
• This makes them more efficient, but without proper controls a cyber-related incident could interrupt these systems and disrupt the operation of the vessel, which can result in the ship failing to meet its sailing schedule and in revenue loss.
• Ship systems vulnerable to cyber attacks include: bridge systems; cargo management systems; propulsion, steering and power control; communication systems.
Cyber Threats to the Maritime Sector: What is needed
• Cyber threats to the maritime sector are more often targeted at commercial maritime business, because that is where they cause financial impact.
• These threats can affect any part of the overall ecosystem, causing significant damage both financially and in terms of operational safety.
• Cyber security needs to be looked at holistically, covering all components of the maritime ecosystem, including ship builders, ship owners and ship operators.
• All in all, a cyber security management system for ships would provide guidance on ensuring, implementing, maintaining and continuously improving the security of companies and ships, with the goal of safe navigation.
THANK YOU
MARITIME SERVICES
F-Secure Consulting
MARITIME IS NOT JUST ABOUT SAFETY ANYMORE
Around 90% of global international trade is transported by the maritime industry.
Because of the importance of the maritime industry, vessels, ports and related systems are becoming more and more connected to make maritime supply chains and operations more efficient. Increased connectivity and more automated, interconnected systems have made cyber security an important aspect of day-to-day operations, from malware protection and network segregation to incident response and readiness. Emerging technologies, from blockchain to cloud-based systems, are being adopted by the maritime industry at an accelerating rate, and F-Secure's maritime cyber security team is here to help you be ready for the cyber security challenges that come with new technologies. We closely follow the industry, whether through trade publications, conferences, manufacturers or standardization. IMO and BIMCO guidelines, classification rulings, IEC 62443 and other documents are part of the daily work of our maritime cyber security consultants. We combine our experience and what we have learned from performing cyber-physical system assessments with recommendations from vendors and international standards to provide a best-in-breed approach.
IT'S NOT JUST VESSELS AND PORTS
F-Secure Maritime Services is more than just vessels and ports.
We offer services and solutions in all aspects of maritime, to ship and port owners, ship and port operators, cruise lines, ship builders, vendors, manufacturers, OEMs and regulatory bodies. New technologies with increased attack surfaces are being used on vessels and in ports, and it is as much the operator's responsibility as the manufacturer's to make sure these technologies are implemented and operated securely. Legacy systems are constantly upgraded to catch up with market requirements, and these constant upgrades make security more challenging. International working groups are developing new guidelines and design standards to ensure that security is integrated in the design phases in the maritime industry. Applying security topics within the safety-critical design process ensures that safety and security functionality is engineered in compliance with top-level requirements in all domains. F-Secure collaborates closely with these groups, aiding the development of new guidelines and standards.
ASSESSMENTS PERFORMED WITH A SPECIALIZED TEAM
When choosing F-Secure to assess your maritime environments you get some of the most experienced people in the cyber security industry and the most advanced proprietary tools at your disposal. The techniques and tools used in the assessments and penetration testing have been field tested on three continents and in countless environments, from industrial control systems to aviation and maritime, to ensure they fit even the most challenging safety-critical environments.
F-Secure maritime cyber security assessments give a holistic view of how well an organization knows its maritime cyber security risks and manages them in practice. An organization's cyber security posture is a combination of top management risk treatment decisions, day-to-day management, and secure technologies. The maritime cyber security assessments provide a way to make sure there is no disconnect between risks, security management practices and technical IT implementation.
We understand the challenging maritime environments and the unique challenges and risks they pose. Our specialists have real-life expertise and background in performing penetration testing and assessing maritime systems and environments. Each environment is unique, and every assessment is therefore fine-tuned for the specific facility, vessel, system or goal. The delivery model has been carefully tuned to uncover the most critical vulnerabilities, issues and problems specific to maritime environments while providing maximum value for the customer.
The results from the assessments are combined to give recommendations that are not limited to highlighting individual problems but help address root causes to improve your maritime cyber security standing.
WHEN IT COMES TO SAFETY, FAILURE IS NOT AN OPTION
Our extensive experience with the maritime industry results in a deep understanding of the interaction between safety and security, software and hardware. To ensure that safety is never jeopardized, it is critical to determine the actions compromised firmware code could potentially take in relation to accessible hardware. This requires assessing all circuit paths from firmware-controlled I/O and ensuring role separation and isolation of all safety-critical components. A mastery of hardware and software convergence is essential when assessing each layer, thereby ensuring product safety resilience and avoiding liability in worst-case scenarios.
AN ENGINEERING PERSPECTIVE PRODUCES SOLUTIONS THAT ARE MEANINGFUL AND MANAGEABLE
To maximize the chances of security recommendations being implemented within the customer's processes, a successful security assessment must identify mitigations and solutions that are realistic, manageable and effective. Years of helping companies around the world build software and hardware products from the ground up have instilled in our team an engineering perspective that enables us to produce solutions that are not only effective, but practical to implement.
OUR MARITIME CYBER SECURITY SERVICES PORTFOLIO
• Maritime cyber security assessments
• Maritime cyber security factory acceptance testing (CFAT)
• Maritime cyber security improvement programs
• Vessel cyber security basic design
• Shipyard cyber security services
• Maritime red teaming
• Maritime incident response
• Maritime hardware assessments
• Risk and security management services
Nobody has better visibility into real-life cyber attacks than F-Secure. We're closing the gap between detection and response, utilizing the unmatched threat intelligence of hundreds of our industry's best technical consultants, millions of devices running our award-winning software, and ceaseless innovations in artificial intelligence. Top banks, airlines, and enterprises trust our commitment to beating the world's most potent threats.
Together with our network of the top channel partners and over 200 service providers, we're on a mission to make sure everyone has the enterprise-grade cyber security we all need. Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.
f-secure.com | twitter.com/fsecure | linkedin.com/f-secure