Part ofMaritime Cyber Security Webinar Week4-6 August 2020

Cyber security: readying for the ISM Code’s 1 Jan 2021 requirements

5 August 2020 • 09:00-09:45 BST

Presentation & sponsors documents:Page 2: Kelly Malynn, BeazleyPage 11: Makiko Tani, ClassNKPage 22: Alex Soukhanov, Moran CyberPage 27: Rajeev Sukumaran, TÜV RheinlandPage 33: F-Secure company information

Premier Partner

Sponsored by

1

Insurers view of Maritime Cyber Risk and ISM Code requirements

Kelly MalynnBeazley Group PLC

Understand and Underwrite

2

3

What the new regulation requires

In Practice

If possible, use the same risk matrix and likelihood/consequence rating scales as for all safety/environmental risks onboard.

Allows comparison between cyber and non-cyber related risks and enables more efficient (cost-benefit) risk treatment.

• The IMO Resolution MSC.428(98), requires ship owners and managers to assess cyber risk and implement relevant measures across all functions of their safety management system.

• ISM Code already requires risk be handled with the IMO resolution cyber security as a risk and mandated verification of handling through the safety management system is mandatory, from the first annual DoC audit after 01.01.2021

• IMO also released Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3) in July 2017.

4

Areas of Maritime Cyber Risk

Physical damage

Loss of availability

Extortion

Physical Damage VesselsRunning aground – collision

Loss of Hire Vessel not sea worthy / systems not operating

RansomVessel systems non operational via ransomware

‘Bricking’ Computer hardware onshore

Business Interruption IT system failure onshore

Ransom / Data lossIT system – extortion data exposure or theft

‘Shore side’Vessels

Putting it in to practice

5

Mitigate: Per-user Profiles & Passwords. Segment networks on-board into ‘subnetworks’. External media scanning on a standalone system pre installation to any shipboard network.

Transfer: Identify possible Insurance options for events outside appetite.

Accept: Readiness and resilience. Develop Cyber Incident Response Plan. Cyber Intelligence Threat Scan. Crew awareness and training.

Risk assessment:The IMO agreed that cyber risk management should be integrated into existing management systems under the ISM Code and ISPS Code. Auto Pilot SoftwareMalware corrupts integrated bridge system or alerts overridden

Power Systems Ransomware embedded within Automatic Voltage Regulator

Social Engineering Payment information intercepted and funds redirected

Electronic Chart Display & Information System Software update contains error causing system to lose reference

Email and Booking systemRansomware results in IT systems being unavailable

Potential Systemic Claims Scenarios

Recent Events

6

USCG ALERT – July 2019

• Deep draft vessel bound for Port of New York & New Jersey - significant incident impacting shipboard’s network.

• Interagency team of cyber experts lead by Coast guard attended.

• Unsegregated shipboard network.

• USCG safety alert and recommendations.

Denison Ransom – February 2020

• Bob Denison, of brokerage house Denison Yachting revealed details of their cyber incident impacting company website.

• Ransom demand was 15 Bitcoin, which at the time was about $150,000 USD.

• Threat to release sensitive information.

• Used experts to learn early on, many of the hacker’s threats were false.

• Denison report cyber event 100 per cent resolved and no sensitive client or financial information was stolen.

Compliance v’s Practical mitigations

7

Mitigate: Per-user Profiles & Passwords. Segment networks on-board into ‘subnetworks’. External media scanning on a standalone system pre installation to any shipboard network.

Transfer: Identify possible Insurance options for events outside risk tolerance.

Accept: Readiness and resilience. Develop Cyber Incident Response Plan. Cyber Intelligence Threat Scan. Crew awareness and training.

Risk assessment:The IMO agreed that cyber risk management should be integrated into existing management systems under the ISM Code and ISPS Code.

8

Kelly MalynnBeazley Group PLC

Cyber Risks and Maritime Insurance

9

Below are links to the sources of the events and the Beazley product page: -

• USCG Alert: - https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/INV/Alerts/0619.pdf

• USCG page:- https://www.us-cert.gov/ncas/current-activity/2019/07/08/us-coast-guard-releases-cybersecurity-measures-commercial-vessels

• CISA Alert: - https://www.us-cert.gov/ncas/alerts/aa20-049a

• Denison Event: - https://www.superyachtnews.com/technology/bob-denison-on-the-recent-cyber-attack

• Beazley product page:-https://www.beazley.com/london_market/marine/marine_cyber.html

References

2020/8/5 01

ClassNK Cyber Security Initiatives

Ⓒ Copyright by NIPPON KAIJI KYOKAI

August 2020

ClassNK Cyber Security Team

- What we can do to control cyber risks -

2020/8/5 01

Why do we need cyber security in the maritime industry?

2020/8/5 01

Document all

2020/8/5 01

Today’s panelists are…

01

ClassNK Cyber Security Approach (May 2019)

1. Ensuring safety of ships as the supreme objective

2. A multi-layered approach to control onboard cyber security

3. Update ourselves, update our guidelines

ClassNK’s fundamental policy to cyber security:

01

“ClassNK Guidelines for Designing Cyber Security Onboard Ships”

“ClassNK Cyber Security Management System for Ships”

“ClassNK Guidelines forSoftware Security Guidelines”

ClassNK Guidelines series on cyber security

Security-by-design equipment

Secure network building

People and process controls

Security policy and secure organization

01

• Alignment with IEC62443• Incorporates IACS Recommendation No.166

on Cyber Resilience

ClassNK Guidelines for Designing Cyber Security Onboard Ships

Published: July 2020 Version: 2nd editionApplicable to: new building shipsTarget readers: those who are responsible for shipbuilding and integrationOffers: NK Cyber Security Notation

01

• Alignment with ISO27001 and ISO27002

ClassNK Guidelines Cyber Security Management Systems Onboard ShipsPublished: April 2019 Version: 1st editionApplicable to: shipowners/companies and their shipsTarget readers: those who are responsible forestablishing cyber security management systems

ClassNK Guidelines Ships for Software Security

Published: May 2019 Version: 1st editionApplicable to: software and applicationsTarget readers: those who are responsible for establishing cyber security management systems

2020/8/5 01

ClassNK joined Maritime Transportation Systems ISAC (MTS-ISAC)

Formed as a nonprofit organization in Feb 2020 by maritime stakeholders A US-based maritime industry-specific organization that shares information

on cyber threats and facilitates its members to build an information-sharing community

On 7 July 2020, NK joined MTS-ISAC as the first classification society and the first non-US organization

2020/8/5 01

Ships today are increasingly leveraging cyberspace“Document all“ is the first important step ClassNK has resources available for you, to contribute

to delivery and operation of cyber secured shipsCollaboration and cooperation is the key to address

cyber security

Conclusions

2020/8/5 01

A call for collaboration!

Contact:ClassNK Cyber Security Team - Maritime Education and Training Certification Department e-mail: met@classnk.or.jp

Maritime Cybersecurity for Commercial Vessels

© 2020 Moran Cyber 1www.morancyber.com

Maritime Cybersecurity Webinar Week05 August 2020

Vessel Control Systems & Operational Technology

Modern Navigation Bridge

© 2020 Moran Cyber 2

Modern Engine Control Room

Increasing Automation, Integration, and Remote Access

Case Study

© 2020 Moran Cyber 3

ChallengeCustomer required assistance in performing asset discovery of marine OT systems followed by network segmentation from untrusted systems across the fleet

Solution• Established trust with Captains and Chief Engineers to

perform assessments and passive network asset discovery.• Implemented network segmentation solution • Cross-trained vessel officers and crew on segmentation

system operations

ResultsWithin a sailing for each vessel, increased asset visibility and reduced threat surface by segmenting critical OT assets from untrusted or semi-trusted assets

The Value of New Build Cybersecurity

Improve safety, resiliency, and reliability through security by design

Influence design by incorporating best practices

Continual collaboration extends through lifecycle of investment

© 2020 Moran Cyber 4

Copyright © 2017 Moran Shipping Industries, Inc. All Rights Reserved 5

Contact:Alex Soukhanovasoukhanov@morancyber.comOffice: +1 401 680 8975www.morancyber.com

“The Art of the Sailor is to Leave Nothing to Chance”

Navigating the diverse maturity spectrum in the Maritime Sector

Maritime Cybersecurity

Maritime Transport Systems Complex Ecosystem

• Marine Transportation Systems (MTS) can be complex. They include ships, port infrastructure, terminals and people, along with supporting information and data assets. And they are busier and under more pressure than ever.

• In 2017, global seaborne trade was estimated to be approximately 10.7 billion tons. This is expected to grow, despite challenging geopolitical and trade tensions

• At the same time, more efficient port services mean that ships are in port for shorter periods to load, unload, and then depart (UNCTAD, 2018)

• With an increasing reliance on just-in-time logistics, even a small disruption at a port facility can impact the manufacture and delivery of goods thousands of miles away. Imagine how far reaching and costly a serious attack – cyber or otherwise – could be?

8/5/2020 Please insert footnote2

Maritime CybersecurityKey Initiatives

• In December 2002 the International Maritime Organisation (IMO) adopted a new international instrument called the International Ship and Port Facility Security (ISPS) Code.

• This was an amendment to the Safety of Life at Sea (SOLAS) Convention (1974/1988) on minimum security arrangements for ships, ports and government agencies, and has now been enacted into law in many jurisdictions.

• Although it does not address cybersecurity directly, the IMO issued Interim guidelines on cybersecurity in the 2016 Maritime Safety Committee’s (MSC) Circular MSC.1/Circ.1526.

• In June 2017 the IMO adopted a Resolution (MSC.428(98)) on Maritime Cyber Risk Management in Safety Management Systems, and cyber risk management on board ships will be mandatory from 1 January 2021 with a view to ensuring that existing risk management practices are used to address the operational risks.

8/5/2020 Please insert footnote3

Maritime CybersecurityThreat Vectors that could affect the supply chain

• Ports• Ports often form the primary interface between international trading partners and consist of a complex infrastructure

that involves different types of infrastructure, multiple interconnections all of which require a complex underpinning IT infrastructure

• A Cyber attack to any of the supporting systems could cause a major disruption and impact the ability of the port to operate which in turn would have an impact on the overall supply chain

• Ships• Ships are increasingly reliant on digital and operational technology to control and manage multiple on-board systems• It makes then more efficient. But, without proper controls, a cyber-related incident could interrupt these systems and

disrupt the operation of the vessel which can result in the ship failing to meet sailing scheduling requirements, resulting in revenue loss

• Ship systems that are vulnerable to Cyberattacks are as below:• Bridge Systems• Cargo Management Systems • Propulsion, Steering and Power control• Communication Systems

8/5/2020 Please insert footnote4

Cyber Threats to Maritime Sector What is needed

• Cyber Threats to the Maritime Sector is more often targeted at commercial maritime business as this causes financial impact

• These threats can affect any part of the overall ecosystem thus causing a lot of damage both financially as well as in terms of the operational safety

• Cyber Security needs to be looked into holistically covering all the components of the Maritime ecosystem as also covering the ship builders, ship owners and ship operators

• “All in all, a Cybersecurity management system for ships would provide guidance on ensuring, implementing, maintaining, and continuously improving the security of companies and ships with the goal of safe navigation

8/5/2020 Please insert footnote5

THANK YOU

8/5/2020 Please insert footnote6

MARITIME SERVICES

F-Secure Consulting

Due to the importance of maritime

industry, the vessels, ports and related

systems are getting more and more

connected to make maritime supply

chains and operations more efficient.

The increased connectivity, more

automated and interconnected systems

have made cyber security an important

aspect of the day-to-day operations,

from malware protection and network

segregation to incident response and

readiness. Emerging technologies, from

blockchain to cloud based systems are

being adopted by the maritime industry

at an accelerating rate, and F-Secure’s

maritime cyber security team is here

to help you to be ready for the cyber

security challenges that come with

new technologies. We closely follow

the industry whether it is the trade

publications, conferences, manufacturers

or standardization. IMO and BIMCO

guidelines, type classification rulings,

IEC62443 and other documents are part

of the daily work of our maritime cyber

security consultants. We combine our

experience and what we have learned

from performing cyber-physical system

assessments, with the recommendations

from the vendors and international

standards to provide the best in breed

approach.

MARITIME IS NOT JUST ABOUT SAFETY ANYMORE

Around 90% of the global international trade is transported by the maritime industry.

2

We offer services and solutions in all

aspects of maritime, including ship and

port owners, ship and port operators,

cruise lines, ship builders, vendors,

manufacturers, OEMs and regulatory

bodies. New technologies with increased

attack surfaces are being used on

vessels and ports and it’s as much the

operator’s responsibility to make sure

these technologies are implemented

and operated in a secure way as it is of

the manufacturers. Legacy systems are

constantly upgraded to catch up with

market requirements, and these constant

upgrades make security more challenging.

International working groups are working

on new guidelines and design standards

to ensure that security is integrated in the

design phases in the maritime industry.

Applying security topics within the safety-

critical design process ensures that safety

and security functionalities are engineered

in compliance with top-level requirements

in all domains. F-Secure is in close

collaboration with these groups aiding in

the development of new guidelines and

standards.

IT’S NOT JUST VESSELS AND PORTS

F-Secure Maritime Services is more than just vessels and ports.

3

ASSESSMENTS PERFORMED WITH SPECIALIZED TEAM

When choosing F-Secure for assessing

your maritime environments you get

the some of the most experienced

people in the cyber security industry

and the most advanced proprietary

tools at your disposal.

The techniques and tools used in the

assessments and penetration testing

have been field tested in 3 different

continents and countless environments

from industrial control systems to

aviation and maritime, to assure their

fit for even the most challenging safety

critical environments.

F-Secure maritime cyber security

assessments give a holistic view on

how well an organization is doing

regarding knowing its maritime cyber

security risks and managing them

in practice. An organization’s cyber

security posture is a combination

of top management risk treatment

decisions, day-to-day management,

and secure technologies. The maritime

cyber security assessments provide

a way to make sure that there is no

disconnect between risks, security

management practices and technical IT

implementation.

We understand the challenging

maritime environments and the unique

challenges and risks they pose. Our

specialists have real-life expertise and

background in performing penetration

testing and assessing maritime systems

and environments. Each environment

is unique, and we understand that,

hence every assessment is fine tuned

for the specific facility, vessel, system

or goal. The delivery model has been

carefully tuned to uncover the most

critical vulnerabilities, issues and

problems specific to the maritime

environments while providing the

maximum value for the customer.

The results from the assessments are

combined to give recommendations

that are not limited to highlighting

individual problems but help to address

root causes to improve your maritime

cyber security standing.

4

WHEN IT COMES TO SAFETY, FAILURE IS NOT AN OPTION

Our extensive experience with the

maritime industry results in a deep

understanding of the interaction

between safety and security, software

and hardware. To ensure that safety

is never jeopardized, it is critical to

determine the actions compromised

firmware code could potentially take

in relation to accessible hardware. This

requires assessing all circuit paths from

firmware-controlled I/O and ensuring

role separation and isolation of all

safety-critical components. A mastery

of hardware and software convergence

is essential when assessing each layer,

thereby ensuring product safety

resilience and avoiding liability in worst-

case scenarios.

5

AN ENGINEERING PERSPECTIVE PRODUCES SOLUTIONS THAT ARE MEANINGFUL AND MANAGEABLE

To maximize the chances of security recommendations

being implemented within the customer processes, a

successful security assessment must identify mitigations

and solutions that are realistic, manageable and effective.

Years of helping companies around the world building

software and hardware products from the ground up

has instilled in our team an engineering perspective that

enables us to produce solutions that are not only effective,

but practical to implement.

6

OUR MARITIME CYBER SECURITY SERVICES PORTFOLIOMaritime cyber security services

Maritime cyber security assessments

Maritime cyber security factory acceptance testing (CFAT)

Maritime cyber security improvement programs

Vessel cyber security basic design

Shipyard cyber security services

Maritime red teaming

Maritime incident response

Maritime hardware assessments

Risk & security management services

7

Nobody has better visibility into real-life cyber attacks than F-Secure. We’re closing the gap between detection and response,

utilizing the unmatched threat intelligence of hundreds of our industry’s best technical consultants, millions of devices running

our award-winning software, and ceaseless innovations in artificial intelligence. Top banks, airlines, and enterprises trust our

commitment to beating the world’s most potent threats.

Together with our network of the top channel partners and over 200 service providers, we’re on a mission to make sure everyone has the enterprise-grade cyber security we all need. Founded in

1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.

f-secure.com | twitter.com/fsecure | linkedin.com/ f-secure