Maritime cyber risk management

Transcription

1 Javier Yasnikouski Head Maritime Security Sub-Division for Maritime Security and Facilitation

2 The International Maritime Organization IMO mission: Safe, secure and efficient shipping on clean oceans 2

3 Cyber Security 3

4 MSC.1/Circ.1526 on Interim guidelines on maritime cyber risk management The guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyberthreats and vulnerabilities and include functional elements that support effective cyber risk management. 4

5 Maritime cyber risk Maritime cyber risk refers to a measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised. Maritime Cyber Risk 5

6 Cyber risk management means the process of identifying, analysing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring or mitigating it to an acceptable level, considering costs and benefits of actions taken to stakeholders. The Overall goal is to support safe and secure shipping, which is operationally resilient to cyber risks. 6

7 Vulnerable systems onboard ships Bridge systems Cargo handling and management systems Propulsion and machinery management and power control systems Access control systems Passenger servicing and management systems Passenger facing public networks Administrative and crew welfare systems and Communication systems 7

8 Information technology systems Operational technology systems Use of data as information Use of data to control or monitor physical processes 8

9 Vulnerabilities can result from: inadequacies in operation, design, integration and/or maintenance of cyber systems; or lapses in cyber discipline (e.g. inappropriate use of removable media such as a memory stick). 9

10 Vulnerabilities in operational and/or information technologies can be exposed or exploited, either: directly (e.g. weak passwords leading to unauthorized access) or indirectly (e.g. the absence of network segregation) 10

11 Cyber threats could be presented by: malicious actions (e.g. hacking or introduction of malware); or the unintended consequences of benign actions (e.g. software maintenance or user permissions). Effective cyber risk management should consider both kinds of threat 11

12 Some recent developments (some of them not too recent!) Ship reporting E-navigation Ship communications ECDIS Electronic certificates Maritime Single Window AIS > VDEs Electronic data exchange Access to internet 12

13 Software quality assurance MSC.1/Circ.1512 on Guideline on Software Quality Assurance and Human-Centred Design for e-navigation: Approved by MSC 95 in June SQA focuses on defining and testing software quality and how that helps meet user requirements to ensure that high quality, robust, testable and stable software is used in e-navigation systems. The basic premise of HCD is that systems are designed to suit the characteristics of intended users and the tasks they perform, rather than requiring users to adapt to a system. 13

14 The Guidelines are primarily intended for all organizations in the shipping industry, and are designed to encourage safety and security management practices in the cyber domain. Ships Ship Companies Ship Agents /operators Port authorities Administrations 14

15 Who is involved? Everybody should be involved (crew members, passengers, shipping companies, etc.). However, effective cyber risk management should start at the senior management level. A culture of cyber risk awareness and discipline should be embedded into all levels of an organization. The level of awareness and preparedness should be appropriate to roles and responsibilities in the cyber risk management system. A holistic and flexible cyber risk management regime should be in continuous operation and constantly evaluated through effective feedback mechanisms. 15

16 To address the rapidly evolving technologies and changing threats, the Guidelines recommend a risk management approach to cyber risks that is resilient and evolves as a natural extension of existing safety and security management practices established by this Organization. 16

17 The International Ship and Port Facility Security (ISPS) Code is a mandatory instrument adopted under SOLAS chapter XI-2 on Special Measures to enhance maritime security. It is the IMO's main legislative framework to address maritime security related matters. Contains detailed security-related requirements for Governments, port authorities and shipping companies, and is divided into two sections, a mandatory Part A, and a series of guidelines on how to meet the requirements of Part A in a non-mandatory Part B. 17

18 The International Safety Management (ISM) Code is a mandatory instrument adopted under SOLAS chapter IX Management for the safe operation of ships. The purpose of this Code is to provide an international standard for the safe management and operation of ships and for pollution prevention. The Code establishes safety-management objectives and requires a safety management system (SMS) to be established by "the Company", which is defined as the shipowner or any person, such as the manager or bareboat charterer, who has assumed responsibility for operating the ship. 18

19 Functional elements to support effective cyber risk management: Identify Protect Detect Respond Recover 19

20 Additional guidance and standards may include: The Guidelines on Cyber Security on board Ships by BIMCO, CLIA, ICS, INTERCARGO and INTERTANKO. ISO/IEC standard on Information technology Security techniques Information security management systems Requirements. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). United States National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Security (the NIST Framework). 20

21 Further considerations: - FAL 41 (3-7 April 2017) on shore-side aspects of cyber security; and - MSC 98 (7 to 16 June 2017). 21

22 International Maritime Organization 4 Albert Embankment London SE1 7SR United Kingdom Tel: +44 (0) Fax: +44 (0) info@imo.org twitter.com/imohq facebook.com/imohq youtube.com/imohq flickr.com/photos/ imo-un/collections