DNV GL Cyber Security Seminar - Blue Maritime Cluster

Page 1: DNV GL Cyber Security Seminar - Blue Maritime Cluster

DNV GL © SAFER, SMARTER, GREENER

DNV GL Cyber Security Seminar

Cyber Security Threats for the Maritime Industry – Are you prepared?

Maritime Cyber Security Seminar

Page 2:

Maritime & Offshore trends – Growing complexity creates new challenges

– Software & Automation
– Interconnectivity
– Crew size

Page 3:

Reported incidents are increasing, even with lack of transparency

– GPS jamming and spoofing
– VSAT hacking using common login
– Loss of fuel control and ballast water valves due to ECDIS update
– PMS system shore and vessel attack
– Pirate attack supported by cyber attack
– Loss of main switchboard due to ransomware
– AIS spoofing
– Hacking of cargo tracking system for smuggling purposes
– Hackers took “full control” of navigation systems for 10 h
– ECDIS ransomware and chart spoofing
– Malware allows full access to vessel systems
– NotPetya caused Maersk up to USD 300m loss

Page 4:

Latest ‘War story’: Ransomware on cruise ship migrated to control systems

1. Retrofitting existing ship to make it a “Smartship”; implementation of new data streams

– Remote support (IT, engines, machinery)
– E-mail and internet use
– ECDIS chart updates
– Planned Maintenance system
– Software updates

2. Ransomware affecting OT systems

3. Daily requests for Bitcoins…

Page 5:

Cyber risk issues are present and migrating to the operational technology world

[Figure: “Attacks on industrial control systems”, 2013–2016, annotated +110%. Legend: Operational technology (OT), Information technology (IT).]

Source: AV-TEST Institute, Germany & IBM Managed Security Services

OT: Operational Technology such as Industrial Control Systems, SCADA, PLCs, Sensors

SCADA: Supervisory Control and Data Acquisition (Operator control and monitoring systems)

Page 6:

The “next” future holds more… with further increase of the attack surfaces

– Digital wearables for crew
– Enhancing passenger experience

Page 7:

Regulatory developments

Page 8:

Cyber security regulations are evolving… i.e. IMO Resolution MSC.428(98)

AFFIRMS that … safety management system should take into account cyber risk management in accordance with the ... ISM Code.

Where to start: MSC-FAL.1/Circ.3

– IT and OT systems
– Identify – Protect – Detect – Respond – Recover
– referring to international best practices

However, not addressing:

– how to assess the risk,
– prescriptive or goal-based safety requirements,
– requirements for incident management

Impact: Cyber risks should be addressed in safety management systems no later than the first annual verification of DoC after 1 January 2021. This is a non-mandatory requirement.

Outcome: MSC 98 adopted the recommendatory MSC-FAL.1/Circ.3 superseding the interim guidelines

Page 9:

EU, USCG and regional regulatory requirements are being introduced

Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (May 2016) – Applicable for ports but not vessels

Regulation (EU) 2016/679 - General Data Protection Regulation (GDPR) (April 2016) - Applicable for vessels from May 2018

USCG develops requirements and guidelines:

– USCG Cyber Strategy (June 2015)
– Maritime Bulk Liquids Transfer Cybersecurity Framework Profile (Nov 2016)
– Draft of Cybersecurity Framework Profile for Offshore Operations (May 2017)
– Draft of Passenger Operations Cybersecurity Framework Profile (July 2016)
– Draft navigation and vessel inspection circular no. 05-17 (July 2017) Subj: Guidelines for addressing cyber risks at maritime transportation security act (MTSA) regulated facilities
– Require cyber security incident reporting since (Dec 2016) CG-5P Policy Letter 08-16

Best Practices for Cyber Security On-board Ships (Oct 2016)

Recommendations on maritime cyber security (Jan 2017)

IT-Sicherheitsgesetz (June 2015) – includes ports but not ships

Code of Practice - Cyber Security for Ports and Port Systems (June 2016)

Code of Practice - Cyber Security for Ships (Sep 2017)

Norwegian Maritime Authorities’ report “Digital vulnerabilities in the maritime sector” by DNV GL (Oct 2015)

Data Processing and Cybersecurity Notification Obligation Act (Jan 2016)

– Applicable for ports and vessels (Dutch Flag)

….

Page 10:

Insurance companies and shipping organisations are examples of further stakeholder developments

The cyber security exclusion clause in insurance (Clause 380) is being challenged:

– Owners expect complete insurance coverage
– Underwriters need to properly manage their risks

Rating by charterers through:

Tanker Management and Self Assessment (TMSA) No. 3

and

Inspection and Assessment Report For Dry Cargo Ships (FOD06) 11

Page 11:

How DNV GL supports building Cyber Resilience

Page 12:

All three pillars of cyber security need to be addressed to ensure holistic cyber resilience

People

– Training & Awareness
– Professional skills & qualifications
– Emergency drills
– Authorizations & authentication
– Physical Security

Process

– Management Systems
– Governance Frameworks
– Policies & procedures
– Vendor/Third party contracts-follow up
– Audit regimes

Technology

– System design
– Hardening of connections
– Software configuration
– Encryption protocols
– Jamming & spoofing
– Detection & monitoring

Page 13:

How to build Cyber Security resilience?

[Diagram: Cyber Security Maturity, from Reactive to Predictive & Proactive, against Cyber Security Improvement Roll-out. Phases: Assess, Improve, Verify.]

– Security Testing (e.g. pentesting)
– Annual or n-year Inspections / Audits
– Risk assessment
– ISMS Gap analysis
– ISMS Certification
– Corrective actions / Roll-out of Cyber Security Management System
– Cyber Secure Class Notation / Letter of Compliance to DNVGL-RP-0496
– Verification of corrective actions

Page 14:

Industry has responded with Cyber Security guidance… and DNV GL has followed up with additional support

Page 15:

DNV GL Cyber Secure Class Notation

DNVGL-RU-SHIP Pt.6 Ch.5 Sec.21

Page 16:

Cyber secure class notation

The additional class notation Cyber secure sets requirements for cyber security on the vessel, intended to protect the safety of the vessel, crew and passengers.

For the Basic and Advanced options, specified systems shall be addressed, including propulsion, steering, navigation, power generation and others. Requirements are based on internationally recognized standards.

Option + is intended for system(s) not specified for Basic and Advanced.

– Cyber secure(Basic): Minimum security level. Primarily intended for sailing vessels where security will be implemented in procedures and existing systems.
– Cyber secure(Advanced): Higher security level. Primarily intended for new builds, where security will be integrated into the design of the vessel.
– Cyber secure(+): Security level based on risk assessment. Target system(s) can be freely selected to address different needs. Can be combined with Basic and Advanced.

Page 17:

Steps in building Cyber Security Resilience

Our advisory support

Page 18:

DNV GL supports you with advisory support in improving all three cyber security resilience pillars through assessment, improvement and verification

Page 19:

Our advisory support for building cyber security resilience and, e.g., preparing for the Cyber Secure Class Notation typically starts with Cyber Security Gap Analyses

Cyber Secure Class Notation Support

Technical Design

Based on requirements from IEC 62443-3-3, including:

– Identification and authentication
– Use control
– Systems integrity
– Data confidentiality
– Restricted data flow
– Timely response to events
– Resource availability

Management System

Based on requirements from IEC 62443-2-1, including e.g.:

– Organizing for security
– Staff training and security awareness
– System inventory, major devices, segmentation and physical location
– Physical and environmental security
– Network segmentation
– Access control: Account administration and Authentication
– Incident planning and response
– Business continuity plan

Page 20:

…and continues with four other elements required to achieve compliance with the Cyber Secure Class Notation

Cyber Secure Class Notation Support

– High Level Risk Assessment
– Identification of zones and conduits
– Definition of Security Target Levels (SL-T)
– Support building of Cyber Security Management System (CSMS)

Page 21:

Penetration testing of OT systems

OT penetration testing:

– Deep system and domain knowledge necessary
– Tailored configurations and bespoke protocols
– Often fragile and safety critical systems

Vulnerability spot-checking of most critical IT/OT systems using white/grey box testing

Page 22:

Penetration testing of IT systems

Seeking vulnerabilities in the data centre…

Page 23:

Cyber Security verification project of RCL mega cruise ships

Newbuilding: Symphony of the Seas, Celebrity Edge

“Using the proposed methodology, we can address cyber security threats together with the vendors, and that is something we were never able to do before. This is the first time in this industry that we can achieve this level of communication and collaboration from the yard and the vendors to effectively resolve cyber-security-related questions and issues during newbuilding, and do this as an integrated team.”
Will Perez, Cyber Security Director for Royal Caribbean Cruises

– Supplier
– System integrator
– Owner
– Independent verifier

Page 24:

Resources available

Page 25:

Thank you very much for your attention!

Peter Nyegaard Hoffmann, Head of Section, DNV GL Maritime Advisory North
+47 99 64 90 47

Jarle Blomhoff, Team Leader, DNV GL Maritime Advisory West
+49 175 727 8992

Mate Csorba, Global Service Line Leader, DNV GL Digital
+47 486 03 646

Olav Haugehåtveit, Senior Engineer, DNV GL Maritime, Control
+47 905 87 032

Kay Erik Stokke, Business development, DNV GL Maritime Advisory North
+47 950 88 158

www.dnvgl.com

The trademarks DNV GL®, DNV®, the Horizon Graphic and Det Norske Veritas® are the properties of companies in the Det Norske Veritas group. All rights reserved.