Cybersecurity Risk and Options Considered by IMO

Transcription

1 Cybersecurity Risk and Options Considered by IMO John Jorgensen October 18, 2017 INTERTANKO North American Panel, Houston, TX 2017 American Bureau of Shipping. All rights reserved

2 Agenda for Today s Discussion Maritime regulatory environment Risk assessment methods to satisfy expected requirements Ways forward for cybersecurity implementation in afloat units and assets 2 Cybersecurity Risk and Options Considered by IMO

3 Maritime Regulatory Environment International Maritime Organization (IMO) Maritime Security Committee (MSC) 96, June 2016, Circ Interim guidelines on cyber risk management extends concept of risk management normally associated with physical risk to cyber domain IMO s MSC 98, June Initial direction to include cybersecurity in risk assessments not later than Jan. 1, 2021 (supersedes MSC 96 Circ.1526) USCG - CG-5P letter, December 2016: guidance for reporting of cyber breaches and suspicious cyber activity - NVIC draft, July 2017: instruction to include cyber-related vulnerability information in Facility Security Assessment (FSA) for MTSA-regulated facilities 3 Cybersecurity Risk and Options Considered by IMO

4 IMO Requirements for Jan. 1, 2021 Source: FAL 41/17, Annex 1 High-level guidance is meant to start the process of including cyberenabled systems in ship and ship system risk assessments 4 Cybersecurity Risk and Options Considered by IMO

5 IMO Requirements for Jan. 1, 2021 Safeguard shipping from threats and vulnerabilities to automated systems Risks can result from operation, integration, maintenance and design not just malicious action Consider risk from IT system connections Source: FAL 41/17, Annex 1 5 Cybersecurity Risk and Options Considered by IMO

6 IMO Requirements for Jan. 1, 2021 Source: FAL 41/17, Annex 1 Risk mgmt approach should extend existing safety and security mgmt Safe, secure, resilient shipping Assess and compare current risk posture with desired state to shape cyber risk management plan 6 Cybersecurity Risk and Options Considered by IMO

7 IMO Requirements for Jan. 1, 2021 Risk mgmt functional elements include I-P-D-R-R from NIST Cyber Security Framework (CSF) Source: FAL 41/17, Annex 1 7 Cybersecurity Risk and Options Considered by IMO

8 USCG Policy Letter CG-5P No For illustrative purposes only Source: USCG Homeport (specific access required) REPORTING SUSPICIOUS ACTIVITY AND BREACHES OF SECURITY The target and intent of malicious cyber activity can be difficult to discern. The fact that business and administrative systems may be connected to operational, industrial control and security systems further complicates this matter. The Coast Guard strongly encourages vessel and facility operators to minimize, monitor, and wherever possible, eliminate any such connections. 8 Cybersecurity Risk and Options Considered by IMO

9 USCG NVIC (Draft) For illustrative purposes only Source: USCG Homeport (specific access required) Navigation and Vessel Inspection Circular (NVIC) 05-17: Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities - Promulgated in request for public comments Defines policies and procedures to mitigate cybersecurity risks at regulated facilities Seeks to clarify cybersecurity risks as part of MTSA foundation Provides guidance on inclusion of cybersecurity risks as part of Facility Security Assessment (FSA) 9 Cybersecurity Risk and Options Considered by IMO

10 Risk Assessment Methods Not easy but it CAN be done in a way that people understand! 10 Cybersecurity Risk and Options Considered by IMO

11 Risk Assessment Requirements Asset Types - Processes and functions - Cyber-physical systems - Logical assets, including IP, regulated data, performance data - Physical systems, including IT, OT, physical ships, offshore assets, facilities, ports 11 Cybersecurity Risk and Options Considered by IMO

12 ABS Cyber-Enabled Systems Risk Method Multi-phase, multidimensional assessment process Connect organizational capabilities with priority operational and monitoring requirements Asset inventory is critical to understanding potential for interrelated effects Decompose system into recognizable functions and asset types Document all methods of connections and all identities with access to the assets Include all types of assets: cyber-physical, logical, physical and function 12 Cybersecurity Risk and Options Considered by IMO

13 Ways Forward for Cybersecurity Implementation Cybersecurity implementation means reducing risks to the ship, its crew, the company and the environment Objectives of cybersecurity implementation include - Understanding and managing risks in cyber-enabled systems; - Supervising and controlling connections where risks may share across domains (cyber-enabled to conventional); - Maintaining a safe and predictably secure environment for work and for commerce; and - Meeting compliance requirements as specified. 13 Cybersecurity Risk and Options Considered by IMO

14 Tanker Management and Self Assessment (TMSA), Third Ed. (2017) New edition adds Element 13, Maritime Security 13.1: Security plans, procedures to recognize threats, mitigation actions, reporting procedures 13.2: Risk assessments, training for security personnel, policies and procedures, awareness training for employees 13.3: Travel policy, security procedure updates, security program covered by internal audit 13.4: Assessments of security measures, contracted assistance for efforts outside company capabilities, vessel security and monitoring equipment, security enhancements as part of refit, testing of innovative technologies 14 Cybersecurity Risk and Options Considered by IMO

15 ABS CyberSafety Frames Functional Security Building and maintaining a cybersecurity program requires grouping, monitoring and managing functional security areas Organizing for Security 13.4 Data Security Access Mgmt 13.1 Reliability, Control & Resilience Risk Assessment Architecture Protections Incident Response & Recovery Management Of Change (MoC) / Software MoC Asset Mgmt 13.4 Physical Security 13.4 Continuous Monitoring 15 Cybersecurity Risk and Options Considered by IMO

16 Organizational Strategy for IT and Cybersecurity Interoperability and integration pre-conditions Life cycle management of technology base Protective functions and expected threat sources Risk posture measurement System operational test (SOT) capabilities in monitoring, with reporting Compliance reporting requirements Incident recognition and response capabilities BC/DR support Schedule for revisit of risk posture 16 Cybersecurity Risk and Options Considered by IMO

17 Implementing the Cybersecurity Program Risk assessment Asset inventory Vulnerability assessment Security threat awareness Process inventory / audit Emergency response plan Contractor / supplier / third party vetting procedures Cyber hygiene training for employees and third parties Threat-risk assessment plan (to gauge sufficiency in risk assessment) Know your posture before you have to know your posture! 17 Cybersecurity Risk and Options Considered by IMO

18 WBS Functional Competency Composition Asset Mgmt 9-Asset Mgmt 31-Certificate Mgmt Control Requirements (Tasks from control catalog) Conformance Criteria (Checklist assessment items) Owner-Builder Complementary Action Requirements (Mutual expectations) Functional Security Competencies combine - Contributing capabilities; - Controls directly adding to the functional area; - Conformance criteria that demonstrate positive presence of the component Complementary task specifications - Inform the owner and the builder what to expect from the other in that area 18 Cybersecurity Risk and Options Considered by IMO

19 Questions and Discussion? amasterphotographer / Shutterstock 19 Cybersecurity Risk and Options Considered by IMO

20 Contact John M. Jorgensen, CISSP-ISSAP - Chief Scientist, Cybersecurity and Software (office) (cell) - JohnJorgensen@eagle.org 20 Cybersecurity Risk and Options Considered by IMO

21 Thank You American Bureau of Shipping. All rights reserved