
CHAPTER 1 GENERAL

1.1 Introduction

Ships are increasingly using systems that rely on digitisation, digitalisation, integration, and automation, which call for cyber risk management on board. As technology continues to develop, information technology (IT) and operational technology (OT) onboard ships are being networked together and more frequently connected to the internet.

This brings the greater risk of unauthorised access or malicious attacks to ships' systems and networks. Risks may also occur from personnel accessing systems on board, for example by introducing malware via removable media.

In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management System (SMS). The Resolution stated that an approved SMS should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code. It further encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 2021. The same year, IMO developed guidelines [1] that provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. As also highlighted in the IMO guidelines, effective cyber risk management should start at the senior management level.

Senior management should embed a culture of cyber risk awareness into all levels and departments of an organization and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.

1.1.1 MSC.428(98)

Recognizing the urgent need to raise awareness on cyber risk threats and vulnerabilities to support safe and secure shipping, which is operationally resilient to cyber risks.

Encourages Administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company's Document of Compliance after 1 January 2021.

1.1.2 ISM (International Safety Management) Code 1.2.2

Safety management objectives of the Company should, inter alia […] assess all identified risks to its ships, personnel and the environment and establish appropriate safeguards.

1.1.3 ISPS (International Ship and Port Facility Security) Code Part B, 8.3

A Ship Security Assessment (SSA) should address the important elements including radio and telecommunication systems, as well as computer systems and networks, on board or within the ship.

1.1.4 MSC-FAL.1/Circ.3 on Guidelines on maritime cyber risk management

(a) Stakeholders should take the necessary steps to safeguard shipping from current and emerging threats and vulnerabilities related to digitization, integration and automation of processes and systems in shipping.

(b) Risk management is fundamental to safe and secure shipping operations. Risk management has traditionally been focused on operations in the physical domain, but greater reliance on digitization, integration, automation and network-based systems has created an increasing need for cyber risk management in the shipping industry.

[1] MSC-FAL.1/Circ.3 on Guidelines on maritime cyber risk management.


(c) Effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels of an organisation and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms.

(d) Vulnerabilities created by accessing, interconnecting or networking numerous systems can lead to cyber risks which should be addressed. Vulnerable systems could include, but are not limited to, the systems listed in 3.2.

1.1.5 More guidance on how to incorporate cyber risk management into the company's SMS can be found in Annex 3 of the Guidelines.

1.2 Application

The Guidelines on Cyber Security Onboard Ships (hereinafter referred to as the Guidelines) are intended to offer guidance to shipowners and operators on procedures and actions to maintain the security of cyber systems in the company and onboard the ships. In addition, the Guidelines are intended to help IT and industrial automation control system professionals to join their efforts towards building and maintaining cyber security resilience of the total set of the assets and processes employed to conduct the company's business.

The Guidelines are not intended to provide a basis for, and should not be interpreted as, calling for external auditing or vetting the individual company's and ship's approach to cyber risk management.

1.2.1 Approaches to cyber security will be company- and ship-specific, but should be guided by appropriate standards and the requirements of relevant national, international and flag state regulations. The Guidelines provide a risk-based approach to identifying and responding to cyber threats. Following a risk-based approach, the decision of what is critical and high priority is left to the discretion of the organisation. An important aspect is that relevant personnel should have training in identifying the typical modus operandi of cyber attacks.

1.2.2 Different members of the management team might have different exposure and levels of responsibility towards cyber security. Depending on needs and organisation size, the level of engagement may range from high-level management oversight with basic capabilities to comprehensive, highly technical and in-depth measures. Assessment, protection and improvement activities can be scaled accordingly.

1.2.3 Class notation

For ships complying with the requirements of the Guidelines, the class notation Cyber-S will be assigned to the ship.

Any suffix and description may be added in curly brackets after the notation, e.g. "Cyber-S{...}".

1.3 Best Practices for Implementation of Cyber Risk Management

1.3.1 The approach to cyber risk management described herein provides a foundation for better understanding and managing cyber risks, thus enabling a risk management approach to address cyber threats and vulnerabilities. For detailed guidance on cyber risk management, users of the Guidelines should also refer to Member Governments' and Flag Administrations' requirements, as well as relevant international and industry standards and best practices.

1.3.2 Additional guidance and standards may include, but are not limited to:

(a) NIST framework

United States National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The framework aims to help understand, manage and express cyber security risks both internally and externally, for example within a ship's organisation. It can help to identify and prioritise actions for reducing cyber security risks. It is also a tool for aligning policy, business and technological approaches to manage the risks.

(b) CIS Controls

The Center for Internet Security (CIS) Controls consist of 20 key actions, called Critical Security Controls (CSC), that organizations should take to block or mitigate known attacks. The controls are designed so that primarily automated means can be used to implement, enforce and monitor them. The security controls give no-nonsense, actionable recommendations for cyber security, written in language that's easily understood by IT personnel.

(c) ISO/IEC 27001, CNS 27001

Standard on Information technology – Security techniques – Information security management systems – Requirements. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO 27001 certification involves 114 controls which together aim at a secure architecture combining preventive and detective controls, and which encompass procedural, physical, technical and, most importantly, personnel controls.

(d) IACS Rec. No. 166

Recommendation on Cyber Resilience, which consolidates IACS' previous 12 Recommendations related to cyber resilience (Nos. 153 to 164) and applies to the use of computer-based systems which provide control, alarm, monitoring, safety or internal communication functions, and provides:

(1) guidance for mitigating the risk related to events affecting onboard computer-based systems, and (2) goals for design and construction, functional requirements, technical requirements and verification testing.

1.3.3 Reference should be made to the most current version of any guidance or standards utilized.

1.4 Definition

1.4.1 Access control is selective limiting of the ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains or to control system components and functions.

1.4.2 Back door is a secret method of bypassing normal authentication and verification when accessing a system. A back door is sometimes created by hidden parts of the system itself or established by separate software.

1.4.3 Bring your own device (BYOD) allows employees to bring personally owned devices (laptops, tablets and smartphones) to the ship and to use those devices to access privileged information and applications for business use.

1.4.4 Cyber attack is any type of offensive manoeuvre that targets IT and OT systems, computer networks, and/or personal computer devices attempting to compromise, destroy or access company and ship systems and data.

1.4.5 Cyber incident is an occurrence, which actually or potentially results in adverse consequences to an onboard system, network and computer or the information that they process, store or transmit, and which may require a response action to mitigate the consequences.

1.4.6 Cyber risk management means the process of identifying, analysing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring or mitigating it to an acceptable level, taking into consideration the costs and benefits of actions taken by stakeholders.


1.4.7 Cyber system is any combination of facilities, equipment, personnel, procedures and communications integrated to provide cyber services; examples include business systems, control systems and access control systems.

1.4.8 Defence in breadth is a planned, systematic set of activities that seek to identify, manage, and reduce exploitable vulnerabilities in IT and OT systems, networks and equipment at every stage of the system, network, or sub-component life cycle. Onboard ships this approach will generally focus on network design, system integration, operations and maintenance.

1.4.9 Defence in depth is an approach which uses layers of independent technical and procedural protection measures to protect IT and OT on board.

1.4.10 Executable software consists of encoded instructions that direct a computer to perform specified tasks.

1.4.11 Firewall is a logical or physical break designed to prevent unauthorised access to IT infrastructure and information.

1.4.12 Firmware is software embedded in electronic devices that provides control, monitoring and data manipulation of engineered products and systems. It is normally self-contained and not accessible to user manipulation.

1.4.13 Flaw is unintended functionality in software.

1.4.14 Intrusion Detection System (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.

1.4.15 Intrusion Prevention Systems (IPSs), also known as Intrusion Detection and Prevention Systems (IDPSs), are network security appliances that monitor network and/or system activities for malicious activity.

1.4.16 Information technology (IT) is the use of computers to store, retrieve, transmit, and manipulate data, or information, including all hardware, software and peripheral equipment.

1.4.17 Local Area Network (LAN) is a computer network that interconnects computers within a limited area such as a home, ship or office building, using network media.

1.4.18 Malware is a generic term for a variety of malicious software which can infect computer systems and impact on their performance.

1.4.19 Operational technology (OT) includes devices, sensors, software and associated networking that monitor and control onboard systems.

1.4.20 Patches are software designed to update software or supporting data to improve the software or address security vulnerabilities and other bugs in operating systems or applications.

1.4.21 Phishing refers to the process of deceiving recipients into sharing sensitive information with a third-party.

1.4.22 Principle of least privilege refers to restricting the privileges of a user account to only those that are essential to performing its intended function.


1.4.23 Producer is the entity that manufactures the shipboard equipment and associated software.

1.4.24 Recovery refers to the activities after an incident to restore essential services and operations in the short and medium term and fully restore all capabilities in the longer term.

1.4.25 Removable media is a collective term for all methods of storing and transferring data between computers. This includes laptops, USB memory sticks, CDs, DVDs and diskettes.

1.4.26 Risk assessment is the process which collects information and assigns values to risks for informing priorities, developing or comparing courses of action, and informing decision making.

1.4.27 Risk management is the process of identifying, analysing, assessing and communicating risk and accepting, avoiding, transferring or controlling it to an acceptable level considering associated costs and benefits of any actions taken.

1.4.28 Sandbox is an isolated environment, in which a program may be executed without affecting the underlying system (computer or operating system) and any other applications. A sandbox is often used when executing untrusted software.

1.4.29 Service provider is a company or person who provides and performs software maintenance.

1.4.30 Social engineering is a method used to gain access to systems by tricking a human into revealing confidential information.

1.4.31 Software whitelisting means specifying the software which may be present and active on an IT or OT system.

1.4.32 Virtual Local Area Network (VLAN) is the logical grouping of network nodes. A virtual LAN allows geographically dispersed network nodes to communicate as if they were physically on the same network.

1.4.33 Virtual Private Network (VPN) enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network, thereby benefiting from the functionality, security and management policies of the private network.

1.4.34 Virus is a hidden, self-replicating section of computer software that maliciously infects and manipulates the operation of a computer program or system.

1.4.35 Wi-Fi is all short-range communications that use some type of electromagnetic spectrum to send and/or receive information without wires.

CHAPTER 2 CYBER SECURITY AND SAFETY MANAGEMENT