The Information Age has brought enormous

Similar documents
ANATOMY OF AN ATTACK!

ABB Process Automation, September 2014

Cyber risk management into the ISM Code

Cyber Security for Process Control Systems ABB's view

GUIDELINES ON MARITIME CYBER RISK MANAGEMENT

K12 Cybersecurity Roadmap

LESSONS LEARNED IN SMART GRID CYBER SECURITY

ALTITUDE DOESN T MAKE YOU SAFE. Satcom Direct s Comprehensive Cyber Security Portfolio for Business Aviation

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

Cyber Security Solutions Mitigating risk and enhancing plant reliability

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Lindström Tomas Cyber security from ABB System 800xA PA-SE-XA

Heavy Vehicle Cyber Security Bulletin

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

ABB Ability Cyber Security Services Protection against cyber threats takes ability

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Canada Life Cyber Security Statement 2018

Gujarat Forensic Sciences University

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

HikCentral V.1.1.x for Windows Hardening Guide

Addressing Cyber Threats in Power Generation and Distribution

LTI Security Services. Intelligent & integrated Approach to Cyber & Digital Security

PREPARE & PREVENT. The SD Comprehensive Cybersecurity Portfolio for Business Aviation

HikCentral V1.3 for Windows Hardening Guide

ST. VINCENT AND THE GRENADINES

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

IC32E - Pre-Instructional Survey

Cybersecurity Training

Plant Security Services Protecting productivity in the digital era October

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Process System Security. Process System Security

Control Systems Cyber Security Awareness

Top considerations for implementing secure backup and recovery. A best practice whitepaper by Zmanda

OA Cyber Security Plan FY 2018 (Abridged)

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

ACM Retreat - Today s Topics:

Authentication Methods

Simple and Powerful Security for PCI DSS

Your Data and Artificial Intelligence: Wise Athena Security, Privacy and Trust. Wise Athena Security Team

Secure Access & SWIFT Customer Security Controls Framework

Sage Data Security Services Directory

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Entertaining & Effective Security Awareness Training

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Express Monitoring 2019

Securing Industrial Control Systems

Checklist: Credit Union Information Security and Privacy Policies

IoT & SCADA Cyber Security Services

CYBER RISK AND SHIPS :PRACTICAL ISSUES FOLLOWING BIMCO GUIDELINE

AT&T Endpoint Security

SECURE SYSTEMS, NETWORKS AND DEVICES SAFEGUARDING CRITICAL INFRASTRUCTURE OPERATIONS

Continuous protection to reduce risk and maintain production availability

Featured Articles II Security Research and Development Research and Development of Advanced Security Technology

Digital Wind Cyber Security from GE Renewable Energy

Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group

Protecting productivity with Industrial Security Services

Security

Training and Certifying Security Testers Beyond Penetration Testing

Cybersecurity, safety and resilience - Airline perspective

Who Goes There? Access Control in Water/Wastewater Siemens AG All Rights Reserved. siemens.com/ruggedcom

Designated Cyber Security Protection Solution for Medical Devices

The Value of Automated Penetration Testing White Paper

Cyber Security: What s the Big Deal?

IT SECURITY FOR NONPROFITS

Introducing the 9202-ETS MTL Tofino industrial Ethernet security appliance

Practical SCADA Cyber Security Lifecycle Steps

Beyond the F.U.D. How to start securing your DCS network today.

Shifting focus: Internet of Things (IoT) from the security manufacturer's perspective

Must Have Items for Your Cybersecurity or IT Budget in 2018

Trends in Cybersecurity in the Water Industry A Strategic Approach to Mitigate Control System Risk

QuickBooks Online Security White Paper July 2017

SECURING YOUR BUSINESS INFRASTRUCTURE Today s Security Challenges & What You Can Do About Them

EVALUATING HOW AN OPERATOR HAS EFFECTIVELY IMPLEMENTED CYBER- SECURITY POLICIES TO MANAGE AND ADMINISTER THE SYSTEM. Wurldtech Security Technologies

5. Execute the attack and obtain unauthorized access to the system.

Effective Threat Modeling using TAM

Submitted on behalf of the DOE National SCADA Test Bed. Jeff Dagle, PE Pacific Northwest National Laboratory (509)

IEC A cybersecurity standard approaching the Rail IoT

Cyber Security Requirements for Electronic Safety and Security

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Securing Network Devices with the IEC Standard What You Should Know. Vance Chen Product Manager

Cyber Risk for Maritime

Best Practices in ICS Security for System Operators

Maritime cyber risk management

Position Title: IT Security Specialist

BIG DATA INDUSTRY PAPER

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

Cyber security - why and how

InterCall Virtual Environments and Webcasting

Security by Default: Enabling Transformation Through Cyber Resilience

Symantec Client Security. Integrated protection for network and remote clients.

Cybersecurity for Health Care Providers

IP Risk Assessment & Loss Prevention By Priya Kanduri Happiest Minds, Security Services Practice

IS Today: Managing in a Digital World 9/17/12

NEN The Education Network

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Keys to a more secure data environment

Transcription:

Cyber threat to ships real but manageable KAI hansen, akilur rahman If hackers can cause laptop problems and access online bank accounts or credit card information, imagine the havoc they can wreak on a ship s control systems. But is this a real threat or science fiction? The Information Age has brought enormous benefits. But progress typically brings new problems, and our dependence on computers raises the threat of hacking. This has led to the development of a body of technological processes and practices known as cyber security. Cyber security protects networks, computers, programs and data from attack, damage or unauthorized access. Vessels have also started to increasingly depend on information technology (IT), taking solutions that offer high functionality at moderate cost out of the office environment. This means we must also take cyber security in the marine sector seriously. EU and US government reports on security in the shipping and transport sectors confirm this view. Cyber security is much more than a simple technical fix that solves all problems, as it is sometimes portrayed in the media. It is just as much a question of culture and attitude as it is technology. The best encryption algorithms in the world are useless if someone writes the password on a Post-it note and leaves the door open. Security must be in focus during the product design, planning and engineering of a vessel, as well as during the commissioning of the IT equipment and operation of the ship. Cyber-threat proof solutions Even if the yard and the ship owner carry final responsibility, ABB takes security very seriously. We provide products and solutions that have been developed with security in mind and that, used correctly, provide a vessel with good protection against cyber threats. ABB can also evaluate the security level of a fleet to ensure it is cyber-threat proof. ABB also takes security into account during product development. Internal R&D processes have a checklist of questions on security, ABB has a dedicated robustness test center at its research center in Bangalore and the main systems have been tested at US cyber security laboratories. ABB also has processes in place to handle new security issues that may arise. One central concern when delivering electrical propulsion systems, electrical generation and protection equipment, and automation and advisory solutions is how all these are connected in a network 2 generations 1 13

1 Defense-in-depth with security zones applied to a vessel Satellite and Internet Firewall Ship Intranet Available to crew and passengers Firewall Ship technical net Connecting Automation, Advisory, Navigations ECDIS,... Available to crew Automation system Available to crew with authorization only (officers and engineers) Firewall architecture and how the network is connected with other systems on the ship and on land. The key word here is defense-in-depth, with security zones in place. Defense-in-depth refers to multiple, independent and redundant layers to compensate for potential human and mechanical failures so that no single layer, no matter how robust, is exclusively relied upon. Traditionally the different technical solutions have not been connected together in a proper computer network; this has been used to argue that cyber security is not relevant to vessels. This is only partially true. In a disconnected system, there is no risk of a problem occurring during normal operations. However, typically these systems will occasionally be connected to a maintenance computer, a USB stick or a modem. In these instances, the system is as vulnerable as a connected system. And if a security culture and measures are not in place, malicious code could end up disrupting the system. A better approach is to accept that security measures always have to be in place and take advantage of the increased functionality a connected system provides then take the effort to design good network architectures. Defining security zones The security zones illustrated in Figure 1 are a feature of the principle of network architecture. This is also called defense-in-depth because the more critical parts that need better protection there are located deeper into the core of the system you have to pass a barrier that typically includes a firewall to enter from an outer zone to an inner zone. A simple threat analysis should be done to define the security zone hierarchy for marine solutions. Critical systems include those that handle propulsion, and power that is part of the marine automation delivery. Typically, all these marine automation systems will be located in one inner security zone as indicated in Figure 1. Other equally important security zones could include the navigation system network. At the next level up, a zone connects some of the most critical areas, which could also include systems not as critical for running the ship safely. This zone is called the Ship Cyber security 3

2 Example of ABB systems with a network security zone structure on a vessel Internet ECDIS Radar Open Vessel Network and Remote Connection Advisory Systems, Optimization, Data collection,... Vessel Technical network Bridge HMI Engine Room HMI Demilitarized Zone Control Network Servers Power Vessel Emergency Management Management Shut Down System System Heat, Other Ventilation Control... and Air Condition Technical Net (see Figure 1). It could be connected through a firewall to an open ship network, which is then connected to the world through a satellite link. Many people access an open ship intranet, such as that of a cruise ship or ferry. On other vessels, off-duty crews use the network for getting news, contacting friends and family, etc. Such generic Internet traffic is valuable and should, of course, be used; however, use should be restricted to the part of the network where malicious code or simple mistakes cannot influence the operation of the vessel. Using the right firewall protection to secure zones can ensure that this does not happen. Figure 2 is a representation of the conceptual zones, shown in Figure 1, as boxes and links. Here a different type of zone, called a demilitarized zone in security language, has been added. This special type of security zone is suitable for systems that are less critical than those of core automation, but closely linked to the automation system. Maintaining a secure level Assuming a vessel is delivered with a state-of-the-art security design, it is equally important that there is a high security level in the operation of the ship. The crew needs to have a basic understanding of the rules and act accordingly. The vessel owner or operator should at least do the following: Have a policy for secure operation and maintenance of the system Not connect the secured network to any unknown network or point not in the original design of the plant network Not use portable media without virus scanning Update security patches and antivirus software as recommended by the vendor of the system Keep the ports and services not required for operation closed Have a process and system in place for system change management 4 generations 1 13

3 The SD3+C model used for ABB product development Secure by Design Security in Product Development Process: Requirements, Design, Implementation, Verification Secure by Default Default Installation with Minimal Attack Surface, Defense in Depth, uso of Least Privileges Secure in Deployment Product Support for Secure Configuration, Operation and Maintenance, Support for System Updating Communication Openly and responsibly communicate with users about detected security flaws: implications and how to mitigate them (corrections and workarounds) Back up the system and have a procedure to validate and recover the back-up Monitor the system for any suspected security risks, including user rights and activities Inform and get support from the system vendor for any security vulnerability and incident in the system It is not realistic to expect every vessel to have access to IT and cyber security expertise; however, most people today have some level of IT knowledge and security awareness through using their private computers. It is very much about awareness. For example, no crew member will install a computer game in the automation computer if he or she understands that this could increase the risk of a total blackout during a hurricane. Making sure a maintenance computer has an updated virus scanner before connecting it to the control network is a simple step but it must be remembered and may require a few minutes delay. It is not realistic to expect every vessel to have access to IT and cyber security expertise. Different industries have debated whether cyber security in the technical network is the responsibility of IT or automation experts. With more awareness in the maritime industry, ABB also expects this to become a hot topic. Who is responsible: the chief engineer, the bridge or someone else? There is no simple answer yet; it will be an interesting discussion. Cyber security 5

4 Overview of ABB Remote Access Platform (RAP) ABB Network Database Server Service Center Applications Server Communication Server Server Engineer SSH (S)FTP HTTP(S) SMTP Proprietary Internet (Satellite) Communication Outbound ONLY Port 443 SSL Encrypted Certificate Authentication Polling Vessel 1 Vessel 2 Vessel 3 Virtual Service Engineer (VSE) Designing robust products ABB s philosophy regarding security in product design and deployment is called SD3+C. This abbreviation reflects four key concepts: Secure by Design Secure by Default Secure in Deployment Communication ABB follows the Secure by Design principle when making a new product. This means carrying out the architecture with an understanding of security issues, and coding software in a way that minimizes the risk of bugs being introduced by hostile hackers. Conducting a threat analysis highlights the parts of the product that need special attention. Secure by Default implies that the product has an acceptable out of the box security level. Active engineering work will be necessary to enable features that are not always needed because using all additional functionality in a product increases vulnerability. Secure in Deployment indicates that the commissioning of equipment was done with security knowhow, that proper documentation was provided, and that functionality supporting operational needs is in place to maintain a high level of security. Communication is essential to security. Accepting that any system can have flaws is the most important step in a continuous improvement process; this is the only way to ensure a high level of security for ABB solutions. 6 generations 1 13

7 5 ABB s Security Fingerprint analysis Layers of Defense Cyber Security Risk Profile 24 25 26 1 2 3 4 Physical Security Procedures and Policies Firewalls and Architecture Computer Policies Account Management Security Updates Antivirus Solutions Protect Against Security Treats High risk 20 22 21 19 23 5 6 8 9 Procedures and Protocols Group Security Policies Computer Settings Low Risk 18 10 Control System 17 12 11 16 15 14 13 Offering secure remote access ABB offers secure access into a remote system. The well-proven solution is called Remote Access Platform (RAP) and is, for example, used in the Remote Diagnostic Service (RDS) that links a number of vessels to the ABB service support center. A sketch of the RAP is given in Figure 4. The core of this solution consists of an encrypted connection between the ABB Service Center through the open Internet and into the customer s technical network. In the customer network, software called Virtual Service Engineer ensures that only registered clients are allowed to access only predetermined parts of the system. This ensures that only ABB Service engineers have access to a vessel. The advantage is huge; complex problems with drives or switchboards can be solved directly without the need for an engineer to travel to a vessel. This saves both time and money for the customer without compromising cyber security. Providing security services ABB is a global company with long experience in security. ABB Marine and Cranes can access this experience through the wider company s resources worldwide. It can also offer direct service consultancy. The ABB Cyber Security Fingerprint identifies strengths and weaknesses for defending against a cyber attack within a vessel s control systems. It does this by gathering data from system configurations and key personnel and comparing this against best practices using ABB s proprietary analysis tool. The resulting analysis provides detailed recommendations for reducing cyber security vulnerabilities while helping to develop a focused and sustainable security strategy for control systems. The ABB Cyber Security Fingerprint reduces security risks by exposing gaps that could endanger employees, assets and uptime. ABB s approach compares customer security policies and settings to industry standards to establish a benchmark and ensure customer control systems have multiple layers of protection. Based on Security Fingerprint analysis, owner-operators can use ABB services to implement or improve the cyber security of a vessel or fleet. Some services available are: security policy for a vessel/fleet software patch update anti-virus update system hardening user management and network configuration Cyber security threats are real and growing. However, with a coordinated approach between owner-operators of marine vessels and vendors like ABB, the risks to business and stakeholders can be minimized. Security needs to be addressed not only as a one-off activity but should also be an ongoing process during the life of vessels, automation products, and systems. A security policy for vessel operation and security solutions and support from vendors will help achieve these security goals. Kai Hansen Technology Manager, ABB Vessel Information and Control Center of Excellence, Norway kai.hansen@no.abb.com Akilur Rahman Global head of Cross-BU Strategic Initiatives, ABB India akilur.rahman@in.abb.com Cybersecurity 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback