Cyber and information security applicable for the maritime sector

Transcription

1 MARITIME Cyber and information security applicable for the maritime sector Svante Einarsson 1 SAFER, SMARTER, GREENER

2 Introduction 2

3 The tip of the iceberg 2015: 64,199 reported IT Security incidents just the tip of the iceberg 1 89% of breaches had a financial or espionage motive New threats arise: Widespread ransomware Orchestrated attacks on industrial control systems Attacks can be rented as a service, lowering the entry bar Government-sponsored attacks widespread Cyber terrorism There are only two types of companies: those that have been hacked, and those that will be. Robert Mueller, FBI director 1 Source: 2016 Data Breach Investigations Report, Verizon 3

4 Information vs Cyber Security Information Information Technology People Cyber Documents, records etc. Operation Technology 4

5 A primer on information security the CIA model Availability Information is available when it is needed Confidentiality Confidentiality Information is not made available or disclosed to unauthorized individuals, entities, or processes Availability Integrity Integrity Information cannot be modified in an unauthorized or undetected manner 5

6 Threats can be (un)intended and (un)targeted malware ransomware intentional credit card fraud backdoors Spear-phishing Disgruntled employee untargeted Supply chain sabotage targeted User error Built-in software weaknesses Falling victim to social engineering unintentional Escaped proof-of-concept, runaway pentest 6

7 There are many attack vectors USB storage devices, and web surfing are well known. But let s not forget social engineering, direct (wire/wlan) access and devices connected just for charging! 7

8 Incident examples: GPS Jamming A vessel was confused off the coast of India by a GPS jammer, such as those used by drivers to hide their driving habits and/or rest hour violations In 2012, North Korea used Russianmade, truck mounted GPS jammers with an operating radius of up to 50 nm. Hundreds of ships and fishing boats in the West Sea confirmed loss of GPS position fixes. Jamming signals were traced to the North Korean border city of Kaeson (Korea Herald) Client reports loss of GPS signal in proximity of naval vessel 8

9 Example of weakness: Crew circumvents firewall 9

10 Regulations, Standards and Best Practices 10

11 IMO present requirements Cyber Security brought into ISM/ISPS audits: ISM Code The objectives of the Code are to ensure safety at sea, prevention of human injury or loss of life, and avoidance of damage to the environment, in particular, to the marine environment, and to property. ISM Code Safety management objectives of the Company should, inter alia: 1. provide for safe practices in ship operation and a safe working environment; 2. assess all identified risks to its ships, personnel and the environment and establish appropriate safeguards; and 3. continuously improve safety management skills of personnel ashore and aboard ships, including preparing for emergencies related both to safety and environmental protection. ISM Code The safety and management system should ensure: 1. compliance with mandatory rules and regulations; and 2. that applicable codes, guidelines and standards recommended by the Organization, Administrations, classification societies and maritime industry organizations are taken into account Conclusion: If Cyber Risks exist, the ISM and ISPS Codes contain mandatory requirements 11

12 IMO ongoing work in 2016 and possible future Facilitation Committee (4-8 April) and Maritime Safety Committee (11-20 May) MSC 96/WP.9 Annex 2 - Draft Guidelines On Maritime Cyber Risk Management. Recommendation (non-mandatory) Application: to encourage safety and security management practices Addresses both IT and OT systems Cyber Risk: Threats are presented by malicious actions (e.g. hacking or introduction of malware) or the unintended consequences of benign actions (e.g. software maintenance or user permissions). Cyber Risk Management: Identify Protect Detect Respond - Recover May expect that some flags make the IMO guidelines mandatory (e.g. from 2018) 12

13 BIMCO The Guidelines on Cyber Security On-board Ships Aim: offer guidance to shipowners and operators on how to assess their operations and put in place the necessary procedures and actions to maintain the security of cyber systems onboard their ships. Scope: Understanding the cyber threat (types and stages) Determination of vulnerability for IT and OT systems (CIA) Risk assessments (self made and third party) Technical cyber security control measures (e.g. network devices) Procedural control measures (e.g. training) Contingency planning (response, recovery, investigation) Conclusion: Useful high-level introduction, comprehensive scope, but no specific how to guidance 13

14 Information security standards landscape Organizational Standards Technical Standards ISA/IEC FOR IEC CPNI Process control and SCADA security BSI TR Cigre Security Standards US Coastguard Cyber Strategy DNV GL Guidelines BSI 100 NIST Framework ISO ISF Framework ABS / LR Guidelines IEEE 1686 IEC /104 Enisa BIMCO Guidelines IEC IEC IMO Guidelines IEC Risk based Standards 14

15 Defense and Mitigation 15

16 Recommended Practice: Cyber Security Resilience Management For Ships and Mobile Offshore Units in Operation (DNV GL, September 2016) Content Introduction Purpose and stakeholders Assessments Self-Checks Initial countermeasure assessment In depth assessments Verification and Validation Information Security Management System (ISMS) Third party testing Appendixes with examples and specifics Terms and Definitions, typical IT/OT systems, barrier management, DNV GL security requirement profiles for OT and IT systems, ISMS verification, Best Practice, etc. 16

17 DNV GL Self Check (soon to be released) What is it: Questionnaire to self-assess own assets For who: C-level (COO, CEO but also CIO, CFO) Benefit: Gives first indication of cyber security maturity Creates awareness of potential gaps/vulnerabilities Gives general recommendations how to proceed How does it work: Uploaded to MyDNVGL Seven categories: Identify, Protect, Detect, Response, Recover, Report, Continuity Yes/No/Unknown questions Cost: Free of charge 17

18 In-depth assessments, verifications and validations Exploitation of remote maintenance connections Social engineering attacks PSWD lifetime restrictions for human users (IEC , SR 1.7 RE 1) Awareness training Dual Approval (IEC , SR 2.1 RE 4) Periodic user behaviour assessments Critical System Compromised Security functionality verification (IEC , SR 3.3 RE1,2) Remote session termination (IEC , SR 2.6) Outdated control systems on installations Obsolescence management 18

19 Possible future and solution Information security will not go away only change focus USB-sticks Social Engineering Smart ships Autonomous ships How to deal with it: Define goals and information security strategy lead-by-example from C-level Assess what risks are present Compare actual and desired situation Implement meaningful measures Monitor and verify that they work Review and repeat A living Information Security Management System (ISMS) is essential to ensure information security today and in the future 19

20 The next cyber affine generation is coming... Svante Einarsson Sven Matho SAFER, SMARTER, GREENER 20