ABS 221-2016 GUIDANCE NOTES ON THE APPLICATION OF CYBERSECURITY PRINCIPLES TO MARINE AND OFFSHORE OPERATIONS VOLUME 1 CYBERSECURITY.pdf

1、 Guidance Notes on the Application of Cyber Safety Principles to Marine and Offshore Operations GUIDANCE NOTES ON THE APPLICATION OF CYBERSECURITY PRINCIPLES TO MARINE AND OFFSHORE OPERATIONS VOLUME 1: CYBERSECURITY FEBRUARY 2016 American Bureau of Shipping Incorporated by Act of Legislature of the

2、State of New York 1862 Copyright 2016 American Bureau of Shipping ABS Plaza 16855 Northchase Drive Houston, TX 77060 USA Foreword Foreword ABS recognizes that automation methods and increasingly, autonomy have penetrated nearly all aspects of shipboard and platform systems. Because these systems con

3、trol multiple aspects of asset, ship or platform operations, they become integral parts of system and operational safety. ABS supports our community by compiling best practices, deriving new methods, and developing the standard for marine and offshore cybersecurity in a commitment to safety and secu

4、rity of life and property and preservation of the environment. This document is Volume 1 of the ABS CyberSafety series. It provides best practices for cybersecurity, as a foundational element of overall safety and security within and across the marine and offshore communities. The best practices are

5、 meant to provide insights for operations, maintenance and support of cyber-enabled systems, to better assure safety and security in those systems. These Guidance Notes become effective on the first day of the month of publication. Users are advised to check periodically on the ABS website www.eagle

6、.org to verify that this version of these Guidance Notes is the most current. We welcome your feedback. Comments or suggestions can be sent electronically by email to rsdeagle.org. ii ABSGUIDANCE NOTES ON THE APPLICATION OF CYBERSECURITY PRINCIPLES TO MARINE White House Cyberspace Policy Review, May

7、 2009. Source: https:/niccs.us-cert.gov/glossary) Information Technology (IT): Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception

8、 of data or information. (From: NIST SP 800-53 Rev 4 (glossary). Source: http:/nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf0 Operational Technology (OT): An information system used to control industrial processes such as manufacturing, product handling, production, and distribu

9、tion. Industrial control systems include supervisory control and data acquisition (SCADA) systems used to control geographically dispersed assets, as well as distributed control systems (DCSs) and smaller control systems using programmable logic controllers to control localized processes. (Adapted f

10、rom: NIST SP 800-53 Rev 4. Source: http:/nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf Smart Asset: Marine and offshore assets built with significant degrees of automated control of vessel or platform operations, system management and monitoring, and data communications. Automat

11、ion provides labor-saving capabilities; augments human strength; augments human decision-making and error-checking processes; provides operational situational awareness; enables multiple simultaneous system control and management; and provides for controlled data storage. A Smart Asset may possess a

12、utomated or autonomous processes that operate without routine human intervention. 2 ABSGUIDANCE NOTES ON THE APPLICATION OF CYBERSECURITY PRINCIPLES TO MARINE even so, the listed practices are primarily based on lessons learned by implementers that have paved the way in cybersecurity program develop

13、ment and can arguably enable a practitioner to stand up a functional cybersecurity program more rapidly and logically than would be possible without this or similar guidance These Guidance Notes are organized as best practices and recommendations for each of the Capabilities shown in the preceding c

14、ybersecurity program graphics. The Basic Capability list deemed to be essential to a nascent program is provided first, followed by the Developed Capability list. 4.1 Basic Capability 1. Exercise Best Practices 2. Build the Security Organization 3. Provision for Employee Awareness and Training 4. Pe

15、rform Risk Assessment 5. Provide Perimeter Defense 6. Prepare for Incident Response and Recovery 7. Provide Physical Security 8. Execute Access Management 9. Ensure Asset Management 4.2 Developed Capability 10. Perform Policy Management 11. Provide Standards and Governance 12. Provide and Guide Cybe

16、rsecurity Hygiene 13. Gather and Use Threat Intelligence 14. Perform Vulnerability Assessment 15. Perform Risk Management 16. Provide Data Protection 17. Protect Operational Technology (OT) 18. Perform System and Security Continuous Monitoring (SCM) 19. Plan for Disaster Recovery (DR) 20. Provide Un

17、ified Identity Management 21. Perform System, Software and Application Test 22. Perform System and Application Patch and Configuration Management 23. Execute Change Control as an Enterprise Process Each Capability section contains a series of identified recommendations and best practices that minima

18、lly satisfy the Capability, a short discussion of the section, and a list of references that are useful for further reading and understanding. 6 ABSGUIDANCE NOTES ON THE APPLICATION OF CYBERSECURITY PRINCIPLES TO MARINE for security contract management; and, for system output analysis and use. It al

19、so should also consider a look forward for employees and their skills by anticipating the changes in threat and risk environments, skills needed in the future, and career development enhancers that keep security personnel fresh, interested, and intellectually stimulated. An important part of buildin

20、g the organization and the personnel is placing of expectations. Capability assessments for the organization, with status reports and plans for development, help keep personnel involved as the organization builds capabilities and matures. 2.1 References i) United States National Institute of Standar

21、ds and Technology (NIST) National Initiative for Cybersecurity Education (NICE), http:/csrc.nist.gov/nice/ ii) European Union Agency for Network and Information Security (ENISA), Training Material for SMEs, https:/www.enisa.europa.eu/publications/archive/training-material-SMEs iii) Health Informatio

22、n Trust Alliance (HITRUST), “Building an Information Security Organization,” https:/ iv) United States National Institute of Standards and Technology (NIST), Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, SP 800-84, Sep 2006. http:/csrc.nist.gov/publications/nistpubs/8

23、00-84/SP800-84.pdf 3 Provision for Employee Awareness and Training a) The organization has an acceptable use policy that spells out to relevant personnel the permitted uses for information technology, operational technology, and organizational data and assets. b) The organization has enforcement mec

24、hanisms in place to confirm that acceptable use policies are trained, acknowledged, monitored and enforced throughout the enterprise. c) The organization conducts periodic cybersecurity awareness training so that all personnel understand organizational policies, procedures, and safeguards needed to

25、minimize threats. User (employee, contractor, consultant, or visitor) training for anyone who accesses organizational assets is essential in order to enable employees to handle threats and risks, contemplated and unforeseen. Initial and refresher training programs that periodically review the in-pla

26、ce cybersecurity policies and prescriptions or proscriptions are critical for employees and contractors. The mechanics of this training should be considered as well. Many training systems require particular provisioning or licensing on end-user machines. This can be an impediment or disincentive for

27、 occasional users (e.g., outside contractors) to access or use the training. 8 ABSGUIDANCE NOTES ON THE APPLICATION OF CYBERSECURITY PRINCIPLES TO MARINE Notification lists for those personnel needed to understand the incident, or to take part in the response to it; Communications plan for internal

28、personnel that provides continued operations while dispelling fear; Communications plan for external agencies and personnel to maintain the organizational perspective; Control plan for hazards that may affect personnel or systems; Control plan for hazards that may spill from the organizations bounda

29、ries into the surrounding environment (i.e., affect neighbors or otherwise foment liability); and Recovery plan for establishing a known set of conditions, consolidating those conditions for safety of personnel, systems, ship/platform/facility, and environment, and moving back to full operational ca

30、pabilities. b) The organization conducts periodic and cyber incident drills that rehearse actions and reactions employed to recognize, control, and recover from a cybersecurity event that affects critical systems, data, and functions. The company or agency can plan for how to control and recover fro

31、m threats based on its knowledge of the organization structure, employee capabilities, the organizations remediation capabilities, its current risk position and threats, and its deployed boundary defenses,. It is vital that this be a collaborative, inclusive activity that involves all parties concer

32、ned with operations and operational characteristics of the company. Lessons learned from ones own efforts, and from experiences of others, are important multipliers for achieving better, faster results. The communications plans for both internal and external personnel and contacts are worked out in

33、advance so as to avoid on-the-fly decisions, mistakes, and omissions when pressured by crisis conditions. Crisis control plans must target safety for personnel and systems, protect against environmental or surrounding organizational harms, and provide a basis for reporting to compliance organization

34、s. 6.1 References i) European Union Agency for Network and Information Security (ENISA), Good Practice Guide for Incident Management, https:/www.enisa.europa.eu/activities/cert/support/incident-management/files/good-practice-guide-for-incident-management/at_download/fullReport ii) United States Nati

35、onal Institute of Standards and Technology (NIST), Computer Security Incident Handling Guide, SP 800-61 Rev 2, Aug 2012. http:/nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf iii) United States National Cybersecurity Center of Excellence (NCCoE), “Data Integrity: Reducing the Impa

36、ct of an Attack,” Draft, 23 Nov 2015. https:/nccoe.nist.gov/sites/default/files/nccoe/NCCoE_Data_Integrity_Project_Description.pdf iv) United States National Institute of Standards and Technology (NIST), Guide to Integrating Forensic Techniques Into Incident Response, SP 800-86, Aug 2006. http:/csrc

37、.nist.gov/publications/nistpubs/800-86/SP800-86.pdf ABSGUIDANCE NOTES ON THE APPLICATION OF CYBERSECURITY PRINCIPLES TO MARINE and (2) non-trivial and cryptologically strong. d) The organization has considered risks associated with computationally-enabled physical security equipment so that inadvert

38、ent login failures and/or lockouts, loss of power, reboot events, and the like will not impact safety-critical operations. e) The organization safeguards its systems and device infrastructure with physical security and other means to limit access to critical equipment or safety-related equipment to

39、authorized personnel, with appropriate accesses and means, only. f) The organization regularly tests physical and environmental control and security sensors, devices, systems, appliances and applications, in accordance with both manufacturer and owner direction or guidance, to keep these systems in

40、peak, known operational states. Physical security for marine ships and platforms is a well-established area, but the addition of information technology (IT) and operational technology (OT) systems can change the needs in unexpected ways. Owners and operators must keep in mind that cyber-enabled safe

41、ty and security equipment can be attacked and suborned/disabled, as can other IT and OT systems. Data systems, computational equipment, and data storage must be safeguarded from all but authorized access, no matter the location, and safeguards must include physical blocking/locking devices and appli

42、ances, as well as spaces for such equipment and systems. 7.1 References i) Cisco: “Network Security Policy: Best Practices White Paper,” Oct 2005. http:/ ii) Kane, Douglas R. and Paul Viollis, checklists adapted from Silent Safety: Best Practices for Protecting the Affluent, American Institute of CP

43、As (AICPA). http:/www.aicpa.org/publications/personalfinancialplanning/downloadabledocuments/checklist_operational%20security.pdf iii) United States Department of Transportation, Maritime Administration. Maritime Security for Vessel Personnel with Specific Security Duties, Model Course MTSA 04-01, D

44、ec 2004. http:/www.marad.dot.gov/wp-content/uploads/pdf/MTSA_VPSSD_MODEL_COURSE_MTSA_04-01.pdf iv) International Maritime Organization (IMO). Guide to Maritime Security and the ISPS Code, 2012 Edition. http:/www.imo.org/en/Publications/Documents/Newsletters%20and%20Mailers/Mailers/IA116E.pdf#search=

45、ISPS 8 Execute Access Management a) The organization screens personnel for security issues prior to onboarding. b) The organization allows no group login credentials, and shared credentials/sharing of credentials are prohibited. c) The organization requires two-factor authentication to access sensit

46、ive resources or assets, or to access networked assets remotely. 12 ABSGUIDANCE NOTES ON THE APPLICATION OF CYBERSECURITY PRINCIPLES TO MARINE it is also critical to understanding and controlling risk within the organization. 9.1 References i) United States National Cybersecurity Center of Excellenc

47、e (NCCoE), IT Asset Management, SP 1800-5, Practice Guide for Financial Services, Oct 2015, https:/nccoe.nist.gov/projects/use_cases/financial_services_sector/it_asset_management 14 ABSGUIDANCE NOTES ON THE APPLICATION OF CYBERSECURITY PRINCIPLES TO MARINE portable device data protections; data-in-m

48、otion (i.e., transmission security) protections; data-at-rest (i.e., stored data) protections; and training for organizational personnel on handling of data in both logical and physical forms. Classification of data is important to help people understand the priorities and protections accorded to da

49、ta, and the relative importance associated with the data property that belongs to the company. Successful classification efforts are key to data loss prevention (DLP) efforts, which, when implemented, will change habits and culture in favor of data protection in the enterprise. Third-party partners and customers, contractors, and consultants must be considere