Port Facility Cyber Security

Transcription

1 International Port Security Program Port Facility Cyber Security Cyber Security Assessment MAR'01 1

2 Lesson Topics ISPS Code Requirement The Assessment Process

3 ISPS Code Requirements What is the purpose of a Port Facility Security Assessment (PFSA)?

4 ISPS Code Requirements Who is able to conduct a Port Facility Security Assessment under the ISPS Code?

5 ISPS Code Requirements Who is responsible for reviewing and approving a Port Facility Security Assessment (PFSA) under the ISPS Code?

6 ISPS Code Requirements ISPS Code Part A Section 15.1: The port facility security assessment is an essential and integral part of the process of developing and updating the port facility security plan.

7 ISPS Code Requirements ISPS Code Part A Section 15.2: The port facility security assessment shall be carried out by the Contracting Government within whose territory the port facility is located. A Contracting Government may authorize a recognized security organization to carry out the port facility security assessment of a specific port facility located within its territory.

8 ISPS Code Requirements ISPS Code Part A Section : When the port facility security assessment has been carried out by a recognized security organization, the security assessment shall be reviewed and approved for compliance with this section by the Contracting Government within whose territory the port facility is located.

9 ISPS Code Requirements Responsible for PFSA May delegate to DA CG DA May conduct PFSA or delegate to an RSO May conduct PFSA Must return to DA for approval RSO

10 ISPS Code Requirements ISPS Code Part A Section 15.3: The persons carrying out the assessment shall have appropriate skills to evaluate the security of the port facility in accordance with this section, taking into account the guidance given in part B of this Code.

11 ISPS Code Requirements ISPS Code Part A Section 15.4: The port facility security assessments shall periodically be reviewed and updated, taking account of changing threats and/or minor changes in the port facility and shall always be reviewed and updated when major changes to the port facility take place.

12 ISPS Code Requirements Does the ISPS Code require the PFSA to cover telecommunication systems, including computer systems and networks?

13 ISPS Code Requirements ISPS Code Part A Section 15.5: The port facility security assessment shall include, at least, the following elements: Identification and evaluation of important assets and infrastructure it is important to protect;

14 ISPS Code Requirements Identification of possible threats to the assets and infrastructure and the likelihood of their occurrence, in order to establish and prioritize security measures; Identification, selection and prioritization of counter measures and procedural changes and their level of effectiveness in reducing vulnerability; and

15 ISPS Code Requirements Identification of weaknesses, including human factors in the infrastructure, policies and procedures.

16 ISPS Code Requirements ISPS Code Part B Section 15.3: A PFSA should address the following elements within a port facility: Physical security. Structural integrity. Personnel protection systems. Procedural policies.

17 ISPS Code Requirements Radio and telecommunication systems, including computer systems and networks. Relevant transportation infrastructure. Utilities. Other areas that may, if damaged or used for illicit observation, pose a risk to persons, property, or operations within the port facility.

18 The Assessment Process

19 Step 1: Identification of Assets To properly identify and evaluate important assets and infrastructure, it will first be necessary to have an understanding of: How the different assets support the port's operational use;

20 Step 1: Identification of Assets The criticality of different areas within the port/port facility; and The systems that support or protect these critical assets or areas.

21 Step 1: Identification of Assets From a cyber security perspective, the business critical and/or sensitive elements of a port are likely to include:

22 Step 1: Identification of Assets 1. Those assets that have been judged to have the potential to be used to significantly compromise the integrity of the port. Consideration should be given to: a) Cabling routes and their containment (for example, ducts and trunking);

23 Step 1: Identification of b) Configuration, identification and use of control systems; c) Critical permanent plant or machinery; Assets

24 Step 1: Identification of Assets d) Security or other control rooms, including guarding; e) Security, alarm and access control systems, CCTV and video processing.

25 Step 1: Identification of 2. Key spaces and facilities used by law enforcement and security service personnel operating in, or visiting, the port. Assets

26 Step 1: Identification of Assets 3. Port data relating to the location, identification, technical specification and operation of business critical and sensitive assets.

27 4. Port systems, wherever they are hosted, used for planning, scheduling and receipt of ships and cargo. Step 1: Identification of Assets

28 Step 1: Identification of Assets 5. Assets or systems upon which the business critical and/or sensitive elements are dependent for their normal operation and resilience.

29 The Assessment Process

30 Step 2: Identify Port Business Processes The operation of a port/port facility will depend upon a set of business processes that rely upon port data for the safe, secure and efficient movement of cargo through the port and enable supporting processes such as asset management, resource scheduling, financial and business planning, procurement, and the human resource processes.

31 Step 2: Identify Port Business Processes This information should be used to assess the criticality of assets and to understand the interdependencies of the data and systems within the overall business processes of the port. By so doing, the real impact of failure or compromise of individual components can be understood.

32 The Assessment Process

33 The next step in the process is to identify and access risks. Step 3: Identify and Access Risks

34 Step 3: Identify and Access Risks What elements make up Risk? Threat Vulnerability Consequences (Impact)

35 Step 3: Identify and Access Risks The potential threats should have already been identified in the PSA and PFSA. However, it will be necessary to understand the degree to which individual threats and combinations of them may impact on the cyber security of the port and/or port facility.

36 Step 3: Identify and Access Risks When considering threat scenarios and types of undesired events, the port/port facility operator should include incidents such as: Unauthorized access to sensitive port data (commercial, personal or security-related); Theft of sensitive port data; Deletion, unauthorized modification or corruption of port data;

37 Step 3: Identify and Access Infection with malware; Loss of service from systems due to loss of connectivity or power; Risks

38 Step 3: Identify and Access Risks Loss of service from systems due to software and hardware failures; Compromise of port security systems; Denial of service externally hosted systems;

39 Step 3: Identify and Access Risks The identification of vulnerabilities should include consideration of: The relationships between systems; The technical composition of systems in terms of hardware and software components and the builds or revisions that are being used;

40 Step 3: Identify and Access Risks Physical robustness of enclosures (for example, cabinets, ducts, trunking, etc.); The relationships between systems and associated business processes;

41 Step 3: Identify and Access Risks Reliance on automation of equipment; The level of resilience within the port/port facility, including the level of dependency of systems on infrastructure, for example, utilities;

42 Step 3: Identify and Access Risks Existing security measures and procedures, including the presence and permeability of any secure perimeter that prevents or limits access to the port, port facility and associated utilities, plant and machinery;

43 Step 3: Identify and Access Risks Any conflicting policies between safety and security measures and procedures; Any enforcement and personnel constraints; and Any deficiencies identified during daily operation, following incidents or alerts, the report of security concerns, the exercise of control measures, audits etc.

44 Step 3: Identify and Access Risks The risk assessment should consider the nature of harm that could be caused to: personnel and other occupants or users of the port and its services; the port and port assets; and/or the benefits the port exists to deliver, be they societal, environmental and/ or commercial.

45 Step 3: Identify and Access Risks The cyber security risk will depend on the likelihood that a threat actor can exploit one or more vulnerabilities and cause the nature of harm identified. Throughout the process it will be essential for the port and port facility to liaise with each other to identify common risks, as well as where a risk in one may compromise the security of the other.

46 The Assessment Process

47 Step 4: Identify and Access The next step in the assessment process is to identify and record possible mitigation or countermeasures for every cyber security vulnerability. Countermeasures

48 Step 4: Identify and Access Countermeasures The assessment of each countermeasure should identify and record: 1. The cost of the countermeasure and its implementation. 2. Other impacts the countermeasure might have, for example, on asset or system usability and efficiency, business processes and port operations.

49 Step 4: Identify and Access Countermeasures 3. Wherever possible, to support the business justification for investment in the countermeasure: a) The risk reduction that could be achieved; and b) The predicted cost saving.

50 Step 4: Identify and Access Countermeasures 4. The potential for the countermeasure to create further vulnerabilities. 5. Whether the countermeasure delivers any other business benefits, for example: a) Reduction of overall business risk; and b) Aiding the development of efficient, robust and repeatable business processes.

51 The Assessment Process

52 Step 5: Review Acceptability The final step in the process is to review and evaluate the remaining risks. of Overall Risk

53 Step 5: Review Acceptability of Overall Risk Was the port facility able to buy down risk to an acceptable level through the implementation of countermeasures? Who has the responsibility under the ISPS Code to determine what is an acceptable risk?

54 Summary

55 Cyber Security Seminar

56 Works Cited Code of Practice Cyber Security for Ports and Port Systems Authors: Hugh Boyes, Roy Isbell and Alexandra Luck Published by: Institution of Engineering and Technology, London, United Kingdom First published 2016