ABS CyberSafety. 27 July John Jorgensen Director, Cyber and Software American Bureau of Shipping

Transcription

1 2016 American Bureau of Shipping. All rights reserved. ABS CyberSafety 27 July 2016 John Jorgensen Director, Cyber and Software American Bureau of Shipping SOCP Webinar

2 Purpose of Today s Discussion Introduce ABS CyberSafety and the Guide for Cybersecurity Implementation Provide the ABS CyberSafety approach to cybersecurity for marine and offshore communities Guide Program standup Risk management program Bottom line up front: Corporate Governance that includes cybersecurity and risk management will provide CyberSafety in ship and corporate environments 2

3 Cybersecurity is on Everyone s Radar Cybersecurity is a safety issue. Every ship built has software that manages its engines; and that software is updated while the vessel is underway from the beach, and the Master doesn t even know that the software is being updated. Rear Admiral Paul Thomas, USCG 3

4 Maritime Cyber Security Progressed at MSC 96 Interim Guidelines on cyber risk management Refers to other guidance and standards to help users move forward Plenary decided to move ahead prior to final FAL input and agreement due to the urgent need to lead and publish on the subject Provides a certain footing for industry and allows IACS to develop consistent requirements Guidelines address maritime cyber risk: Extends concept of risk management normally associated with physical risk to cyber domain Recognizes that safety depends on Operational and Information technology aspects in an integrated system Examples of vulnerable systems conveys the scope of application

5 Safety Continuum: A New Dimension Cyber & Software 5

6 Marine: Growth of Interconnected Control Systems Interschalt Maritime Systems AG 6

7 Assets and Potential Threats Ship or Platform Systems Machinery control / equipment management Propulsion plant control Ship control / navigation Dynamic positioning Sensor management Alarm management Drilling system control Power distribution management Communications management Crew management Emission monitoring Ballast management Cargo management Digital Accesses Web-based systems and external-facing servers Endpoints or terminal systems Web browsers and system interfaces Data management systems Remote access methods or systems Control systems Sensors, devices and things Valuable data repositories (PII, customer data, etc.) Relevant Potential Threats Cross-site scripting SQL injection Malware, including ransomware Javascript malware Watering hole-based Trojans Keystroke loggers, poisoned links, toxic attachments Phishing and vishing Application exploits, esp. against complex apps Physical theft or compromise 7

8 Asset Decision Processes: Add Security ABS Certification Process ABS Certification Process Engineering Concept Engineering and Design Review Concept and Design Review Survey During Survey Construction During Construction Engineering Engineering/Survey and Survey Maintenance Maintenance Engineering/Survey Review Engineering and Review Survey Maintenance Maintenance Review Review Survey After Construction Survey After Construction Alternative Crediting CMS Crediting Alternative Special Survey Crediting Machinery CMS Crediting Special Survey Machinery Design Phase Activities Design Phase Activities Maintenance Development Maintenance Development Process Process Data Collection Data Data Collection to Information Data to Decision Information Support Decision Maintenance Support Sustainment Client Activity Client Activity Maintenance Reliability and Risk Tools in Design Condition/Performance Reliability and Risk Data Tools in Design Condition/Performance Data Reliability Based Maintenance In-service Reliability Maintenance Based Maintenance Plan In-service Maintenance Plan Manual Automated Manual Condition Automated Monitoring Performance Monitoring Spares Condition Management Monitoring Preventative Performance Maintenance Monitoring Condition Spares and Management Performance Trending Condition Preventative Based Maintenance Maintenance Validation Condition and Performance Trending Continuous Condition Improvement Based Maintenance Sustainment Continuous Improvement Source: D. Carlucci et.al., Data-centric Maintenance and Operational Knowledge and Its Impact on Classification, SNAME World Maritime Technology Conference, Nov Validation Additional Actions System Security Design Confidentiality, Integrity & Availability Integration Data & System Security Intellectual Property Security Operational Security Continuous Monitoring 8

9 ABS CyberSafety Addresses the Changing Technical Environment ABS CyberSafety : Measurable implementation of CyberSafety that tailors cybersecurity and systemic safety to assets in order to enable and encourage risk-based asset management as a systemic outcome. ABS CyberSafety will provide scalable, deterministic outcomes when implemented within managed environments that include appropriate processes, policies, system test and audit, and data management. 9

10 ABS CyberSafety Program Approach ABS CyberSafety develops a cybersecurity program as levels of capability* Focus on capabilities that support the business mission not specific procedures, tasks or assets. Organize capabilities into three similar but distinct types of functional knowledge/skills. Implement controls and develop more specialized (mature) capabilities as logical extensions of the basic capabilities. Create sustainability by embracing capabilities that are executable, measurable, and scalable. *Capability: The ability to execute a specified course of action. 10

11 ABS CyberSafety Engineering Approach Engineer the System of Systems, starting with the organization Build the Capability-Task-Assessment cycle Understand assets and potential gaps or vulnerabilities Develop the risk profile for assets and collections of assets Execute the work breakdown structure (WBS) for program and capability build project(s) 11

12 ABS Guidance Note Volume 1: Cybersecurity Starting to Link Systems Engineering and Cybersecurity This cybersecurity Guidance Notes provide selected cybersecurity best practices. The collected best practices represent basic safety and security recommendations for the marine and offshore industries. This is the first volume in the ABS CyberSafety series. The completed volumes provide the industry s first risk-based management program for four key cyber areas: (1) cybersecurity, (2) automated systems safety, (3) data management, and (4) software assurance. Available at: Cyber_Safety_Principles_Maritime_Operations/Cyber_Security_v1_GN_e.pdf 12

13 ABS Guide Volume 2: Cybersecurity Implementation Links Systems Engineering and Cybersecurity Guide for Cybersecurity Implementation provides Process specification IT specification OT specification Critical enabling factors to build the security program, and demonstrate compliance in a realistic and measurable way, are included Forthcoming in Summer

14 Capability Model 14

15 ABS CyberSafety Certification Process Levels of Notation build on foundation capabilities Company starts at baseline and builds capabilities based on Company needs, assets and ability to support 15

16 ABS CyberSafety Family of Documents

17 Program Characteristics Assessment Program Organization learns, trains and works across all areas in cybersecurity and CyberSafety Risk Threats and risk conditions recognized Conscious decisions made about risk factors Protective systems sufficient for meeting risks Parameters for incident response known and monitored Success measures known and monitored Assets / access Assets inventoried and known Software is whitelisted in systems Privileged accesses limited and monitored Assets kept up to date Minimum security baseline used uniformly 17

18 Conclusion Risk management for marine and maritime assets and systems must center on Functional assurance of heavily automated and integrated systems Well-considered engineering of data and control systems, including risk assessment across all functional operational and security areas Thorough testing of hardware, software and integration interfaces Performance monitoring using integrity and security indicators Measurable perception of safety and compliance using combined data-driven situational awareness and decision support Risks can be minor, but can cascade and rigorous system engineering is the best protection against unexpected consequences 18

19