sami & imca maritime cyber security workshop development of cyber security guidelines aron...
TRANSCRIPT
SAMI & IMCA MARITIME CYBER SECURITY WORKSHOP
Development of cyber security guidelines
Aron Sorensen, Chief Marine Technical Officer
2
BIMCO at a glance
• Founded in 1905 - 2,300 members in
around 130 countries
• Membership – includes shipowners,
operators, managers, brokers and agents
• Developing industry standards, and
providing quality technical information,
advice and education
• Advocating the oppinion of our members at
IMO, ISO, IALA, IHO etc.
WWW.BIMCO.ORG
3
Today’s Cyber presentation
• Background for industry guidelines• What to consider and what not to do • Risk based guidelines
4
BIMCO’s work
• In 2013, the BIMCO Executive Committee highlighted the importance of cyber security
• 2013 – 2014 Information gathering• with the view to deal with cyber security needs
and challenges in the maritime sector
• In March 2014, cyber security added to the agenda of the Marine Committee and the Security Committee• Decided to develop industry guidance on cyber
security for ships
5
Risks on board ships
Insiders introducing malware by storage devices etc.
Outdated software
Remote attacks by criminals
Lack of software and system monitoring
Lack of access-control for computers and networks
Unprotected or badly designed hardware and networks
6
Ships are vulnerable to cyber attacks
• Ships chartered to 3rd party operators• The Shipowner does not have control over the IT
systems required by the charterer• Historically ships have been offline
• Today cyber security cannot be “controlled” through avoidance of connectivity
• Critical data pertaining to cargo is passed through numerous land-side entities• Penetration of just one entity can result in any data
element being compromised• A high reliability on IT systems related to safety
• ECDIS and satellite receivers make a ship susceptible to either penetration or jamming
7
Attacking a ship will not stop word trade
• A ship is an independent unit and a cyber attack may compromise safety of that ship, the marine environment and to some extent, the business continuity of the owner
• To a large extent the crew will use the same contingency plans as for any other emergency if the ship is compromised
8
Agility needed
• Cyber attacks techniques develop constantly so mitigating measurers will also have to change constantly
• IMO regulation would be too slow
• Type approval of software is not the way forward, as it is a static process
• We see industry best management practice as the way to cope with cyber security
9
Special attention
• Cyber security should be carefully considered:• When taking over a new building
and buying used tonnage • In connection with on-board
software maintenance• When dealing with an always
open on-line connection
10
It starts during construction of the ship
• Producer should have a QA system for software lifecycle activities, which specifies cyber-security considerations
• Ships networks should be configured to have controlled and uncontrolled networks
11
Risk based approach needed
• Some organisations, ships and systems may be more at risk than others, depending on the type and value of data stored
• To manage risks, ships’ personnel and owners should understand the probability for an event to occur and the resulting impact
12
The Industry Guidelines on Cyber Security on board Ships
• The guidance to ship owners and operators includes how to:• minimize the risk of a cyber-attack
through user access management• protect on board systems• develop contingency plans and• manage incidents if they do occur
13
Cyber mitigatio
n
Technical
Training and awareness
Remoteness
Procedures
14
IMO process started
• At MSC 94 (November 2014), USA and Canada recommended development of voluntary guidelines for ports, ships, and other parts of maritime transportation system • BIMCO informed that we were working on guidance for
shipowners and crew on operational aspects of cyber security on-board ships
• Update paper by BIMCO, ICS, INTERTANKO and INTERCARGO submitted to MSC 95 (June 2015)• Includes the scope of the industry guidance on cyber
security for ships• Intention to present the finalized guidelines to MSC 96
15
Related work
• Working with CIRM since 2013 on a draft industry standard for Maintenance and update of programmable electronic systems
• The cyber work and the CIRM work are interrelated and coordination is essential
• Industry stakeholders should develop, manage and update computer-based systems onboard ships in a secure way
16
Conclusions
• Awareness needed in the industry • Ships are exposed to cyber-threats calling for a risk
based approach • Industry Guidance will be submitted to MSC 96• Cyber crime is developing all the time and we need
to keep up• Cyber security considerations should start at the
software production stage and cyber robustness considerations should be made when the ship is constructed
Questions?