DNV GL © SAFER, SMARTER, GREENER
DNV GL Cyber Security Seminar
Cyber Security Threats for the Maritime Industry – Are you prepared?
Maritime Cyber Security Seminar
Maritime & Offshore trends – Growing complexity creates new challenges
Software & Automation
Interconnectivity
Crew size
The number of reported incidents is increasing, even with a lack of transparency
– GPS jamming and spoofing
– VSAT hacking using common login
– Loss of fuel control and ballast water valves due to ECDIS update
– PMS system shore and vessel attack
– Pirate attack supported by cyber attack
– Loss of main switchboard due to ransomware
– AIS spoofing
– Hacking of cargo tracking system for smuggling purposes
– Hackers took “full control” of navigation systems for 10 h
– ECDIS ransomware and chart spoofing
– Malware allows full access to vessel systems
– NotPetya caused Maersk up to USD 300m loss
Latest ‘War story’: Ransomware on cruise ship migrated to control systems
1. Retrofitting existing ship to make it a “Smartship”; Implementation of new data streams
– Remote support (IT, engines, machinery)
– E-mail and internet use
– ECDIS chart updates
– Planned Maintenance system
– Software updates
2. Ransomware affecting OT systems
3. Daily requests for Bitcoins…
Cyber risk issues are present and migrating to the operational technology world
[Figure: Attacks on industrial control systems, by year 2013–2016, annotated “+110%”. Legend: Operational technology (OT), Information technology (IT)]
Source: AV-TEST Institute, Germany & IBM Managed Security Services
OT: Operational Technology such as Industrial Control Systems, SCADA, PLCs, Sensors
SCADA: Supervisory Control and Data Acquisition (Operator control and monitoring systems)
The “next” future holds more… with further increase of the attack surfaces
Digital wearables for crew
Enhancing passenger experience
Regulatory developments
Cyber security regulations are evolving… i.e. IMO Resolution MSC.428(98)
AFFIRMS that … safety management system should take into account cyber risk management in accordance with the ... ISM Code.
Where to start: MSC-FAL.1/Circ.3
– IT and OT systems
– Identify – Protect – Detect – Respond – Recover
– referring to international best practices
However, not addressing:
– how to assess the risk,
– prescriptive or goal-based safety requirements,
– requirements for incidents management
Impact: Cyber risks should be addressed in safety management systems no later than the first annual verification of DoC after 1 January 2021. This is a non-mandatory requirement.
Outcome: MSC 98 adopted the recommendatory MSC-FAL.1/Circ.3 superseding the interim guidelines
EU, USCG and regional regulatory requirements are being introduced
Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (May 2016) – Applicable for ports but not vessels
Regulation (EU) 2016/679 - General Data Protection Regulation (GDPR) (April 2016) - Applicable for vessels from May 2018
USCG develops requirements and guidelines:
– USCG Cyber Strategy (June 2015)
– Maritime Bulk Liquids Transfer Cybersecurity Framework Profile (Nov 2016)
– Draft of Cybersecurity Framework Profile for Offshore Operations (May 2017)
– Draft of Passenger Operations Cybersecurity Framework Profile (July 2016)
– Draft navigation and vessel inspection circular no. 05-17 (July 2017). Subj: Guidelines for addressing cyber risks at Maritime Transportation Security Act (MTSA) regulated facilities
– Require cyber security incident reporting since Dec 2016 (CG-5P Policy Letter 08-16)
Best Practices for Cyber Security On-board Ships (Oct 2016)
Recommendations on maritime cyber security (Jan 2017)
IT-Sicherheitsgesetz (June 2015) – includes ports but not ships
Code of Practice - Cyber Security for Ports and Port Systems (June 2016)
Code of Practice - Cyber Security for Ships (Sep 2017)
Norwegian Maritime Authorities’ report “Digital vulnerabilities in the maritime sector” by DNV GL (Oct 2015)
Data Processing and Cybersecurity Notification Obligation Act (Jan 2016)
– Applicable for ports and vessels (Dutch Flag)
….
Insurance companies and shipping organisations are examples of further stakeholder developments
The cyber security exclusion clause in insurance (Clause 380) is being challenged:
Owners expect complete insurance coverage
Underwriters need to properly manage their risks
Rating by charterers through:
Tanker Management and Self Assessment (TMSA) No. 3
and
Inspection and Assessment Report For Dry Cargo Ships (FOD06) 11
How DNV GL supports building Cyber Resilience
All three pillars of cyber security need to be addressed to ensure holistic cyber resilience
People
– Training & Awareness
– Professional skills & qualifications
– Emergency drills
– Authorizations & authentication
– Physical Security
Process
– Management Systems
– Governance Frameworks
– Policies & procedures
– Vendor/Third party contracts-follow up
– Audit regimes
Technology
– System design
– Hardening of connections
– Software configuration
– Encryption protocols
– Jamming & spoofing
– Detection & monitoring
How to build Cyber Security resilience?
[Figure: axes “Cyber Security Maturity” (Reactive to Predictive & Proactive) and “Cyber Security Improvement Roll-out”; phases: Assess, Improve, Verify]
Elements shown:
– Security Testing (e.g. pentesting)
– Annual or n-year Inspections / Audits
– Risk assessment
– ISMS Gap analysis
– ISMS Certification
– Corrective actions / Roll-out of Cyber Security Management System
– Cyber Secure Class Notation / Letter of Compliance to DNVGL-RP-0496
– Verification of corrective actions
Industry has responded with Cyber Security guidance… and DNV GL has followed up with additional support
DNV GL Cyber Secure Class Notation
DNVGL-RU-SHIP Pt.6 Ch.5 Sec.21
Cyber secure class notation
The additional class notation Cyber secure sets requirements for cyber security on the vessel, intended to protect the safety of the vessel, crew and passengers.
For the Basic and Advanced options, specified systems shall be addressed, including propulsion, steering, navigation, power generation and others. Requirements are based on internationally recognized standards.
Option + is intended for system(s) not specified for Basic and Advanced.
Cyber secure(Basic): Minimum security level
Primarily intended for sailing vessels where security will be implemented in procedures and existing systems
Cyber secure(Advanced): Higher security level
Primarily intended for new builds, where security will be integrated into the design of the vessel
Cyber secure(+): Security level based on risk assessment
Target system(s) can be freely selected to address different needs. Can be combined with Basic and Advanced
Steps in building Cyber Security Resilience
Our advisory support
DNV GL supports you with advisory support in improving all three cyber security resilience pillars through assessment, improvement and verification
Our advisory support for building Cyber Security resilience and, e.g., preparing for the Cyber Secure Class Notation typically starts with Cyber Security Gap Analyses
Cyber Secure Class Notation Support
Technical Design (based on requirements from IEC 62443-3-3), including:
– Identification and authentication
– Use control
– Systems integrity
– Data confidentiality
– Restricted data flow
– Timely response to events
– Resource availability
Management System (based on requirements from IEC 62443-2-1), including e.g.:
– Organizing for security
– Staff training and security awareness
– System inventory, major devices, segmentation and physical location
– Physical and environmental security
– Network segmentation
– Access control: Account administration and Authentication
– Incident planning and response
– Business continuity plan
…and continues with four other elements required to achieve compliance with the Cyber Secure Class Notation
Cyber Secure Class Notation Support
– High Level Risk Assessment
– Identification of zones and conduits
– Definition of Security Target Levels (SL-T)
– Support building of Cyber Security Management System (CSMS)
Penetration testing of OT systems
OT penetration testing:
− Deep system and domain knowledge necessary
− Tailored configurations and bespoke protocols
− Often fragile and safety critical systems
Vulnerability spot-checking of most critical IT/OT systems using white/grey box testing
Penetration testing of IT systems
Seeking vulnerabilities in the data centre…
Symphony of the Seas Celebrity Edge
“Using the proposed methodology, we can address cyber security threats together with the vendors, and that is something we were never able to do before. This is the first time in this industry that we can achieve this level of communication and collaboration from the yard and the vendors to effectively resolve cyber-security-related questions and issues during newbuilding, and do this as an integrated team.”
Will Perez, Cyber Security Director for Royal Caribbean Cruises
Supplier
System integrator
Owner
Independent verifier
Cyber Security verification project of RCL mega cruise ships
Newbuilding
Resources available
www.dnvgl.com
The trademarks DNV GL®, DNV®, the Horizon Graphic and Det Norske Veritas®
are the properties of companies in the Det Norske Veritas group. All rights reserved.
Thank you very much for your attention!
Peter Nyegaard Hoffmann, Head of Section
DNV GL Maritime Advisory North [email protected]
+47 99 64 90 47
Jarle Blomhoff, Team Leader
DNV GL Maritime Advisory West [email protected]
+49 175 727 8992
Mate Csorba, Global Service Line Leader
DNV GL Digital [email protected]
+47 486 03 646
Olav Haugehåtveit, Senior Engineer
DNV GL Maritime, Control [email protected]
+47 905 87 032
Kay Erik Stokke, Business development
DNV GL Maritime Advisory North [email protected]
+47 950 88 158