Maritime cyber risk management (presentation to INTERTANKO)
Maritime Safety Division
Javier Yasnikouski, Head, Maritime Security
Sub-Division for Maritime Security and Facilitation, Maritime Safety Division
IMO – the International Maritime Organization
IMO mission: Safe, secure and efficient shipping on clean oceans
• Specialized UN agency
• Headquarters in UK since 1958
• Annual budget £30+ million
• Secretariat: 265 staff, more than 50 nationalities
Ten largest contributors to IMO in 2015 (assessed contributions are based on a flat base rate with additional components based on ability to pay and merchant fleet tonnage):
Panama            £5.22m  17.33%
Liberia           £3.00m   9.98%
Marshall Is.      £2.41m   7.17%
Singapore         £1.62m   8.01%
Bahamas           £1.31m   4.35%
UK                £1.30m   4.29%
Malta             £1.29m   4.27%
China             £1.20m   3.98%
Hong Kong, China  £1.04m   3.46%
Greece            £1.01m   3.38%
IMO – Global coverage
• 171 Member States, three associate members
• IGOs and NGOs participate as observers
IMO – Structure
Assembly: 171 Member Governments
Council: 40 Member Governments
Committees: Facilitation; Technical Cooperation; Legal; Maritime Safety; Marine Environment Protection
Sub-Committees:
• Ship Design and Construction (SDC)
• Ship Systems and Equipment (SSE)
• Navigation, Communication and Search and Rescue (NCSR)
• Carriage of Cargoes and Containers (CCC)
• Pollution Prevention and Response (PPR)
• Implementation of IMO Instruments (III)
• Human Element, Training and Watchkeeping (HTW)
IMO – Progress of measures at IMO
Casualty / review / technology → Proposal to IMO → Discuss, agree to refer on → Draft text → Adoption or approval
Proposals for new, or amendments to existing, mandatory instruments: a compelling need for such amendments should be demonstrated by the proponent(s), and an analysis of the implications of such amendments, particularly those with far-reaching implications and consequential proposals for other amendments, having regard to the costs to the maritime industry, the legislative and administrative burdens involved and benefits which would accrue therefrom, should be provided……
IMO – Instruments
• Some 50 IMO Conventions and Protocols
• Hundreds of codes, guidelines and recommendations
• Almost every aspect of shipping covered: design, construction, equipment, maintenance, crew
IMO – World Maritime Day, 29 September 2016
The theme was chosen to focus on the critical link between shipping and global society and to raise awareness of the relevance of the role of IMO as the global regulatory body for international shipping.
Maritime cyber risk management
The Maritime Safety Committee, at its ninety-sixth session (11 to 20 May 2016), considered the urgent need to raise awareness on cyber risk threats and vulnerabilities and approved Interim guidelines on maritime cyber risk management (MSC.1/Circ.1526).
The Guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyberthreats and vulnerabilities and include functional elements that support effective cyber risk management.
These Guidelines are primarily intended for all organizations in the shipping industry, and are designed to encourage safety and security management practices in the cyber domain.
For details and guidance related to the development and implementation of specific risk management processes, users of these Guidelines should refer to specific Member Governments' and flag Administrations' requirements, as well as relevant international and industry standards and best practices.
Additional guidance and standards may include:
• The Guidelines on Cyber Security Onboard Ships by BIMCO, CLIA, ICS, INTERCARGO and INTERTANKO.
• ISO/IEC 27001 standard on Information technology – Security techniques – Information security management systems – Requirements. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
• United States National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework).
Risk management
• Risk management is fundamental to safe and secure shipping operations.
• Traditionally focused on operations in the physical domain.
• Greater reliance on digitization, integration, automation and network-based systems has created an increasing need for cyber risk management in the shipping industry, not only on board ships but also ashore.
Maritime cyber risk refers to a measure of the extent to which a technology asset is threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.
Cyber risk management means the process of identifying, analysing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring or mitigating it to an acceptable level, considering costs and benefits of actions taken to stakeholders.
The overall goal of maritime cyber risk management is to support safe and secure shipping, which is operationally resilient to cyber risks.
To address the rapidly evolving technologies and changing threats, these Guidelines recommend a risk management approach to cyber risks that is resilient and evolves as a natural extension of existing safety and security management practices established by this Organization.
The International Ship and Port Facility Security (ISPS) Code is a mandatory instrument adopted under SOLAS chapter XI-2 on Special Measures to enhance maritime security.
It is the IMO's main legislative framework to address maritime security related matters.
It contains detailed security-related requirements for Governments, port authorities and shipping companies, and is divided into two sections: a mandatory Part A, and a series of guidelines on how to meet the requirements of Part A in a non-mandatory Part B.
The International Safety Management (ISM) Code is a mandatory instrument adopted under SOLAS chapter IX, Management for the safe operation of ships.
The purpose of this Code is to provide an international standard for the safe management and operation of ships and for pollution prevention.
The Code establishes safety-management objectives and requires a safety management system (SMS) to be established by "the Company", which is defined as the shipowner or any person, such as the manager or bareboat charterer, who has assumed responsibility for operating the ship.
Cybertechnologies have become essential to the operation and management of numerous systems critical to the safety and security of shipping and protection of the marine environment.
The vulnerabilities created by accessing, interconnecting or networking these systems can lead to cyber risks which should be addressed.
Information Technology (IT) systems: use of data as information.
Operational Technology (OT) systems: use of data to control or monitor physical processes.
Vulnerable systems onboard ships could include:
• Bridge systems;
• Cargo handling and management systems;
• Propulsion and machinery management and power control systems;
• Access control systems;
• Passenger servicing and management systems;
• Passenger facing public networks;
• Administrative and crew welfare systems; and
• Communication systems.
Vulnerabilities can result from inadequacies in operation, design, integration and/or maintenance of cyber systems, as well as lapses in cyber discipline (e.g. inappropriate use of removable media such as a memory stick).
Vulnerabilities in operational and/or information technologies can be exposed or exploited, either directly (e.g. weak passwords leading to unauthorized access) or indirectly (e.g. the absence of network segregation).
This can have implications for security and the confidentiality, integrity and availability of information, but also for safety, particularly where critical systems are compromised (e.g. bridge navigation or main propulsion systems).
Cyber threats could be presented by:
• malicious actions (e.g. hacking or introduction of malware); or
• the unintended consequences of benign actions (e.g. software maintenance or user permissions).
Effective cyber risk management should consider both kinds of threat.
Who is involved?
Everybody should be involved (crew members, passengers, shipping companies, etc.). However, effective cyber risk management should start at the senior management level.
A culture of cyber risk awareness and discipline should be embedded into all levels of an organization. The level of awareness and preparedness should be appropriate to roles and responsibilities in the cyber risk management system.
A holistic and flexible cyber risk management regime should be in continuous operation and constantly evaluated through effective feedback mechanisms.
Functional elements to support effective cyber risk management:
• Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.
• Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber event and ensure continuity of shipping operations.
• Detect: Develop and implement activities necessary to detect a cyber event in a timely manner.
• Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber event.
• Recover: Identify measures to back up and restore cyber systems necessary for shipping operations impacted by a cyber event.
Possible consequences of a cyber event:
• Data/information: intercepted; modified/corrupted; deleted/destroyed.
• Systems: modified/corrupted; availability partially/fully affected.
Take appropriate actions to secure your systems and data.
What's going on
Facilitation:
• Implementation of Maritime Single Windows
• Electronic certificates
E-navigation:
• PNT resilience
• Ship reporting
• VDES (VHF Data Exchange System)
Review of the GMDSS
ECDIS implementation
International Maritime Organization
4 Albert Embankment, London SE1 7SR, United Kingdom
Tel: +44 (0)20 7735 7611  Fax: +44 (0)20 7587 3210
www.imo.org
twitter.com/imohq  facebook.com/imohq  youtube.com/imohq  flickr.com/photos/imo-un/collections