Attention of Developing The Plan - ESTABLISH CONTINGENCY PLANS

CHAPTER 7 ESTABLISH CONTINGENCY PLANS

7.1 Attention of Developing The Plan

CHAPTER 7 ESTABLISH CONTINGENCY PLANS

7.1 Attention of Developing The Plan

7.1.1 When developing contingency plans for implementation onboard ships, it is important to understand the significance of any cyber incident, particularly for IT and OT systems and prioritise response actions accordingly.

7.1.2 Any cyber incident should be assessed in accordance with the CIA model (see chapter 5) to estimate the impact on operations, assets etc. In most cases, a loss of IT systems on board, including a data breach of confidential information, will be a business continuity issue and should not have any impact on the safe operation of the ship. In the event of a cyber incident affecting IT systems only, the priority may be the immediate implementation of an investigation and recovery plan.

7.1.3 The loss of OT systems may have a significant and immediate impact on the safe operation of the ship. Should a cyber incident result in the loss or malfunctioning of OT systems, it will be essential that effective actions are taken to ensure the immediate safety of the crew, ship and protection of the marine environment. In general, appropriate contingency plans for cyber incidents, including the loss of critical systems and the need to use alternative modes of operation, should be addressed by appropriate operational and emergency procedures included in the safety management system. Some of the existing procedures in the ship's safety management system will already cover such cyber incidents.

7.1.4 The safety management system will already include procedures for reporting accidents or hazardous situations and define levels of communication and authority for decision making. Where appropriate, such procedures should be amended to reflect communication and authority in the event of a cyber incident.

7.1.5 The following is a non-exhaustive list of the actions in response to the type of cyber incidents, which should be addressed in contingency plans on board:

(a) loss of availability of electronic navigational equipment or loss of integrity of navigation related data;

(b) loss of availability or integrity of external data sources, including but not limited to GNSS

(c) loss of essential connectivity with the shore, including but not limited to the availability of Global Maritime Distress and Safety System (GMDSS) communications

(d) loss of availability of industrial control systems, including propulsion, auxiliary systems and other critical systems, as well as loss of integrity of data management and control

(e) the event of a ransomware or denial or service incident.

7.1.6 It is important that onboard personnel understand that the loss of OT systems due to a cyber incident must be treated like any other equipment failure. Furthermore, it is important to ensure that a loss of equipment or reliable information due to a cyber incident does not make existing emergency plans and procedures redundant. It is crucial that contingency plans, and related information, are available in a non-electronic form as some types of cyber incidents can include the deletion of data and shutdown of communication links.

7.1.7 There may be occasions when responding to a cyber incident may be beyond the competencies on board or at head office due to the complexity or severity of such incidents. In these cases, external expert assistance may be required (for example post event forensic analysis and clean-up).

CHAPTER 8 RESPOND TO AND RECOVER FROM CYBER SECURITY INCIDENTS

8.1 General

CHAPTER 8 RESPOND TO AND RECOVER FROM CYBER SECURITY INCIDENTS

8.1 General

It is important to understand that cyber incidents may not disappear by themselves. If for example the ECDIS has been infected with malware, starting up the back-up ECDIS may cause another cyber incident. It is, therefore, recommended to plan how to carry out the cleaning and restoring of infected systems.

Knowledge about previous identified cyber incidents should be used to improve the response plans of all ships in the company's fleet and an information strategy for such incidents may be considered.

8.2 Effective Response

8.2.1 A team, which may include a combination of onboard and shore-based personnel and/or external experts, should be established to take the appropriate action to restore the IT and/or OT systems so that the ship can resume normal operations. The team should be capable of performing all aspects of the response.

8.2.2 An effective response should at least consist of the following steps:

(a) Initial assessment: To ensure an appropriate response, it is essential that the response team find out:

(i) how the incident occurred;

(ii) which IT and/or OT systems were affected and how;

(iii) the extent to which the commercial and/or operational data is affected;

(iv) to what extent any threat to IT and OT remains.

(b) Recover systems and data: Following an initial assessment of the cyber incident, IT and OT systems and data should be cleaned, recovered and restored, so far as is possible, to an operational condition by removing threats from the system and restoring software. The content of a recovery plan is covered in 8. 3.

(c) Investigate the incident: To understand the causes and consequences of a cyber incident, an investigation should be undertaken by the company, with support from an external expert, if appropriate. The information from an investigation will play a significant role in preventing a potential recurrence. Investigations into cyber incidents are covered in 8.4.

(d) Prevent a re-occurrence: Considering the outcome of the investigation mentioned above, actions to address any inadequacies in technical and/or procedural protection measures should be considered, in accordance with the company procedures for implementation of corrective action.

8.2.3 When a cyber incident is complex, for example if IT and/or OT systems cannot be returned to normal operation, it may be necessary to initiate the recovery plan alongside onboard contingency plans. When this is the case, the response team should be able to provide advice to the ship on:

(a) whether IT or OT systems should be shut down or kept running to protect data

(b) whether certain ship communication links with the shore should be shut down

CHAPTER 8

RESPOND TO AND RECOVER FROM CYBER SECURITY INCIDENTS 8.3 Recovery Plan

(d) the extent to which the incident has compromised IT or OT systems beyond the capabilities of existing recovery plans.

8.3 Recovery Plan

8.3.1 Recovery plans should be available in hard copy on board and ashore. The purpose of the plan is to support the recovery of systems and data necessary to restore IT and OT to an operational state. To ensure the safety of onboard personnel, the operation and navigation of the ship should be prioritised in the plan. The recovery plan should be understood by personnel responsible for cyber security. The detail and complexity of a recovery plan will depend on the type of ship and the IT, OT and other systems installed on board.

8.3.2 As explained in section 6.2, a data recovery capability is a valuable technical protection measure. Data recovery capabilities are normally in the form of software backup for IT data. The availability of a software backup, either on board or ashore, should enable recovery of IT to an operational condition following a cyber incident.

8.3.3 Recovery of OT may be more complex especially if there are no backup systems available and recovery may involve assistance from ashore. Details of where this assistance is available and by whom, should be part of the recovery plan, for example by proceeding to a port to obtain assistance from a service engineer.

8.3.4 If qualified personnel are available on board, more extensive diagnostic and recovery actions may be performed.

Otherwise, the recovery plan will be limited to obtaining quick access to technical support.

8.4 Investigating Cyber Incidents

8.4.1 Investigating a cyber incident can provide valuable information about the way in which a vulnerability was exploited. Companies should, wherever possible, investigate cyber incidents affecting IT and OT on board in accordance with company procedures. A detailed investigation may require external expert support.

8.4.2 The information from an investigation can be used to improve the technical and procedural protection measures on board and ashore. It will also provide the wider maritime industry with a better understanding of maritime cyber risks. Any investigation should result in¹⁷:

(a) a better understanding of the potential cyber risks facing the maritime industry both on board and ashore;

(b) identification of lessons learned, including improvements in training to increase awareness;

8.5 Losses Arising From a Cyber Incident

8.5.1 Insurance issue

For insurers, the term “cyber” includes many different aspects and it is important to distinguish between them and their effects on insurance cover. Also, it is important to note that according to the general understanding of insurers, there is

17 Based on CREST, Cyber Security Incident Response Guide, Version 1.

CHAPTER 8 RESPOND TO AND RECOVER FROM CYBER SECURITY INCIDENTS

8.5 Losses Arising From a Cyber Incident

no systemic risk to ships arising from a cyber incident and the impact of an incident is expected to be most likely confined to a single ship.

Companies will be aware that specific non-marine insurance cover may be available to cover data loss and the resulting fines and penalties resulting from equipment failure.

Companies should be able to demonstrate that they are acting with reasonable care in their approach to managing cyber risk and protecting the ship from any damage that may arise from a cyber incident.

8.5.2 Cover for property damage

Generally, in many markets offering marine property insurance, the policy may cover loss or damage to the ship and its equipment caused by a shipping incident such as grounding, collision, fire or flood, even when the underlying cause of the incident is a cyber incident. It may be noted that currently in some markets exclusion clauses for cyber attacks exist.

If the marine policy contains an exclusion clause for cyber attacks, the loss or damage will not be covered.

Companies are recommended to check with their insurers / brokers in advance whether their policy covers claims caused by cyber incidents and/or by cyber attacks.

Guidelines for the market have been published, in which marine insurers are recommended to ask questions about company cyber security awareness and non-technical procedures. Companies should, therefore, expect a request for non-technical information regarding their approach to cyber security from insurers.

The limited data on the frequency, severity of loss or probability of physical damage resulting from a cyber incident, represents a challenge and means that standard pricing is not available.

8.5.3 Cover for liability

It is recommended to contact the P&I (Protection and Indemnity) Club for detailed information about cover provided to shipowners and charterers in respect of liability to third parties (and related expenses) arising from the operation of ships.

An incident caused, for example by malfunction of a ship's navigation or mechanical systems because of a criminal act or accidental cyber attack, does not in itself give rise to any exclusion of normal P&I cover.

It should be noted that many losses, which could arise from a cyber incident are not in the nature of third-party liabilities arising from the operation of the ship. For example, financial loss caused by ransomware, or costs of rebuilding scrambled data would not be identified in the coverage.

Normal cover, in respect of liabilities, is subject to a war risk exclusion and cyber incidents in the context of a war or terror risk, will not normally be covered.

CHAPTER 9 AUDIT 9.1 Type of Audit

CHAPTER 9 AUDIT

9.1 Type of Audit

The types of audit for registeration and maintenance of class notation "Cyber-S" are specified in the following 9.1.1 to 9.1.3:

9.1.1 Initial Audit (refer to 9.3)

9.1.2 Renewal Audit (hereinafter referred to as “Periodical Audit”)

9.1.3 Annual Audit (hereinafter referred to as “Periodical Audit”)

9.1.4 Occasional Audit

9.2 Timing of Audits

Audits are to be carried out in accordance with the following requirements given in 9.2.1 and 9.2.2.

9.2.1 Initial audits are to be carried out at the time an application for registration of "Cyber-S" notation is made.

9.2.2 Periodical audits are to be carried out in (a) through (c) below.

However, periodical audits may be omitted for ships where cyber security measures of the ship are effectively implemented, managed and maintained in accordance with requirements set out in other guidelines or standards, etc.

considered as equivalent by the Society.

(a) Renewal Audits are to be carried out within 3 months prior to the due date of Special Surv ey as specified in 1.6.4 of Part I of the Rules for Steel Ship.

(b) Annual Audits are to be carried out at the intervals specified in 1.6.5(a) of Part I of the Rules for Steel Ships

(c) Occasional Audits are to be carried out at a timing when any of (i) to (iii) mentioned below takes place but does not fall within the schedules of Renewal Audits or Annual Audits.

(i) In case where any computer based system has been damaged, repaired or renewed.

(ii) In case where any computer based system is modified or altered.

(iii) In case where considered necessary by the Society.

9.3 Initial Audit

An owner who intends to apply "Cyber-S" notation is to conduct a meeting upon building contract in which a tripartite agreement is to be made amongst owner, builder and class that the owner is to define the scope of computer based systems to which the Guidelines applies and provide information necessary for the inventory by the time of the defined date in the contract.

9.3.1 Drawing and data

CHAPTER 9 AUDIT 9.4 Renewal Audit

Before the integrator designs detailed sytems and networks, following plans and documents are to be submitted to the Society for approval, if applicable.

(a) Inventory of onboard systems as specified in 4.2.

(b) Onboard networks (refer to Annex 2).

(d) Company plans and procedures for cyber risk management as specified in 2.2.

(e) The results of identifing threats and vulnerabilities as specified in Chapter 3 and Chapter 4.

(f) Risk assessment report as specified in Chapter 5.

(g) Protection and detection measures as specified in Chapter 6.

(h) Established contingency plans as specified in Chapter 7.

(i) Recovery plan as specified in Chapter 8.

Upon approval of the above drawings and documents by the Society, the integrator is to develop the following plans and documents which are to be submittes for approval by the Society.

(j) Cyber security testing plans

The timing and the method of testings on cyber security features should be planned and implemented.

(g) Documents governing remote access (control procedures etc.), where the ship has remote access capabilities.

9.3.2 Testing after installation onboard

(a) The attending auditor confirms on board the ship that the measures to control the identified risks submitted by the integrator has been fully and effectively implemented onboard.

(b) Security tests is to be carried out with the attendance of the auditor. If it is difficult for the auditors to attend the security tests, they can be replaced by submission of test reports issued by a testi ng company with sufficient capabilities and experiences.

9.3.3 Documents to be maintained onboard

At the completion of an initial audit, the drawing and data specified in 9.3.1 should be maintained and properly managed onboard.

9.4 Renewal Audit

Following documents are to be submitted to the Society by the owner for renewal audits.

CHAPTER 9 AUDIT 9.5 Annual Audit

9.4.1 Results of security tests specified in 9.3.1(j)

9.4.2 Documents which indicates that the documents specified in 9.3.1 are properly maintained and managed

9.5 Annual Audit

Following documents are to be submitted to the Society by the owner for annual audits.

9.5.1 Documentation which indicates that the documents specified in 9.3.1 are properly maintained and maintained

9.6 Occasional Audits

Where an occasional audit is found necessary, the owner or the management company is to submit documents required by the Society for the examination.

ANNEX 1 TARGET SYSTEMS, EQUIPMENT AND TECHNOLOGIES A1.1 Communication Systems

ANNEX 1 TARGET SYSTEMS, EQUIPMENT AND TECHNOLOGIES

This annex provides a summary of potentially vulnerable systems and data onboard ships to assist companies with assessing their cyber risk exposure. Vulnerable systems, equipment and technologies may include:

A1.1 Communication Systems

A1.1.1 Integrated communication systems

A1.1.2 Satellite communication equipment

A1.1.3 Voice Over Internet Protocols (VOIP) equipment

A1.1.4 Wireless networks (WLANs)

A1.1.5 Public address and general alarm systems.

A1.2 Bridge Systems

A1.2.1 Integrated navigation system

A1.2.2 Positioning systems (GPS, etc.)

A1.2.3 Electronic Chart Display Information System (ECDIS)

A1.2.4 Dynamic Positioning (DP) systems

A1.2.5 Systems that interface with electronic navigation systems and propulsion/manoeuvring systems

A1.2.6 Automatic Identification System (AIS)

A1.2.7 Global Maritime Distress and Safety System (GMDSS)

A1.2.8 Radar equipment

A1.2.9 Voyage Data Recorders (VDRs)

A1.2.10 Other monitoring and data collection systems.

A1.3 Propulsion and Machinery Management and Power Control Systems

A1.3.1 Engine governor

A1.3.2 Power management

ANNEX 1 TARGET SYSTEMS, EQUIPMENT AND TECHNOLOGIES A1.4 Access Control Systems

A1.3.3 Integrated control system

A1.3.4 Alarm system

A1.3.5 Emergency response system.

A1.4 Access Control Systems

A1.4.1 Surveillance systems such as CCTV network

A1.4.2 Bridge Navigational Watch Alarm System (BNWAS)

A1.4.3 Shipboard Security Alarm Systems (SSAS)

A1.4.4 Electronic “personnel-on-board” systems.

A1.5 Cargo Management Systems

A1.5.1 Cargo Control Room (CCR) and its equipment

A1.5.2 Level indication system

A1.5.3 Valve remote control system

A1.5.4 Ballast water systems

A1.5.5 Water ingress alarm system.

A1.6 Passenger Servicing and Management Systems

A1.6.1 Property Management System (PMS)

A1.6.2 Electronic health records

A1.6.3 Financial related systems

A1.6.4 Ship passenger/seafarer boarding access systems

A1.6.5 Infrastructure support systems like domain naming system (DNS) and user authentication/authorisation systems.

A1.7 Passenger-Facing Networks

A1.7.1 Passenger Wi-Fi or LAN internet access

ANNEX 1 TARGET SYSTEMS, EQUIPMENT AND TECHNOLOGIES A1.8 Core infrastructure systems

A1.7.2 Guest entertainment systems

A1.7.3 Passenger Wi-Fi or Local Area Network (LAN) internet access, for example where onboard personnel can connect their own devices¹⁸.

A1.7.4 Guest entertainment systems.

A1.8 Core infrastructure systems

A1.8.1 Security gateways

A1.8.2 Routers

A1.8.3 Switches

A1.8.4 Firewalls

A1.8.5 Virtual Private Network(s) (VPN)

A1.8.6 Virtual LAN(s) (VLAN)

A1.8.7 Intrusion prevention systems

A1.8.8 Security event logging systems.

A1.9 Administrative and Crew Welfare Systems

A1.9.1 Administrative systems

A1.9.2 Crew Wi-Fi or LAN internet access, for example where onboard personnel can connect their own devices.

18 This is not considered as Bring Your Own Device (BYOD). Devices are not used to access protected information.

They can only be used for an individual’s personal, non-company, use.

ANNEX 2 ONBOARD NETWORKS A2.1 Physical Layout

ANNEX 2 ONBOARD NETWORKS

A secure network depends on the IT/OT set up onboard the ship, and the effectiveness of the company policy based on the outcome of the risk assessment. Control of entry points and physical network control on an existing ship may be limited because cyber security had not been considered during the ship's construction. It is recommended that network layout and network control should be planned for all new buildings.

Direct communication between an uncontrolled and a controlled network should be prevented. Furthermore, several protection measures should be added:

(a) implement network separation and/or traffic management

(b) manage encryption protocols to ensure correct level of privacy and commercial communication

In general, only equipment or systems that need to communicate with each other over the network should be able to do so. The overriding principle should be that the networking of equipment or systems is determined by operational need.

A2.1 Physical Layout

The physical layout of the network should be carefully considered. It is important to consider the physical location of essential network devices, including servers, switches, firewalls and cabling. This will help restrict access and maintain the physical security of the network installation and control of entry points to the network.

A2.2 Network Management

Any network design will need to include an infrastructure for administering and managing the network. This may include installing network management software on dedicated workstations and servers providing file sharing, email and other services to the network.

A2.3 Network Segmentation

Onboard networks should normally accommodate the following:

(a) necessary communication between OT equipment

(b) configuration and monitoring of OT equipment

(d) recreational internet access for crew and/or passengers.

ANNEX 2 ONBOARD NETWORKS A2.4 Monitoring Data Activity

Effective network segmentation is a key aspect of “defence in depth”. OT, IT and public networks should be separated or segmented by appropriate protection measures. The protection measures used may include, but are not limited to an appropriate combination of the following:

(a) a perimeter firewall between the onboard network and the internet

在文檔中 CR CLASSIFICATION SOCIETY GUIDELINES FOR CYBER SECURITY ONBOARD SHIPS (頁 41-0)