ABS 251-2016 GUIDE FOR CYBERSECURITY IMPLEMENTATION FOR THE MARINE AND OFFSHORE INDUSTRIES ABS CyberSafety VOLUME 2.pdf

1、 Guide for Cybersecurity Implementation for the Marine and Offshore Industries ABS CyberSafetyTMVolume 2 GUIDE FOR CYBERSECURITY IMPLEMENTATION FOR THE MARINE AND OFFSHORE INDUSTRIES ABS CyberSafetyTMVOLUME 2 SEPTEMBER 2016 American Bureau of Shipping Incorporated by Act of Legislature of the State

2、of New York 1862 2016 American Bureau of Shipping. All rights reserved. ABS Plaza 16855 Northchase Drive Houston, TX 77060 USA Foreword Foreword In the maritime world, safety and security are closely linked. The mission of ABS is to serve the public interest as well as the needs of our members and c

3、lients by promoting the security of life and property, and preserving the natural environment. For over 150 years, ABS has devoted its energies to promoting safe and efficient commerce by sea through the development and application of industry consensus standards. Initially, the emphasis was on safe

4、ty, and ABS applied its technology and knowledge to maintain safety through prevention of accidents caused by the forces of nature and human error. While the science of those causes is very complex and is continually being improved, they are amenable to analysis, understanding and prediction. Throug

5、h the dedication and diligence of everyone in the maritime industries, the safety record of shipping has steadily improved through the years. Cybersecurity introduces an additional element into the safety equation: security against deliberate actions intended to cause harm. Security has always been

6、a concern with naval ships, and the military routinely exercise precautions to maintain the security of their ships and offshore assets. Commercial vessels routinely employ special security measures under certain circumstances to prevent theft, piracy, smuggling or stowaways. Those crimes are usuall

7、y economically motivated, where destruction is not the goal. Acts of terror are usually politically motivated, and ships and offshore assets are prime targets because of their mobility and high potential for causing extensive damage to life, property, the environment, and the transportation and econ

8、omic infrastructure. The maritime community has come to the realization that ships and offshore assets must be made less vulnerable to security threats, both at sea and while in port. Perpetrators of such acts have moved toward cyber-attacks for similar purposes. Exposure to these threats has become

9、 pervasive due to the exponential growth of automation methods and increasingly, autonomy that has penetrated nearly all aspects of shipboard and offshore asset systems. Because these systems control multiple aspects of asset, ship or platform operations, they become integral parts of system and ope

10、rational safety. ABS supports the marine and offshore communities by developing the standard for marine and offshore cybersecurity, developing new methods and leading industry with best practices in a commitment to safety and security of life and property and preservation of the environment. Cyberse

11、curity refers to the security of information networks and control systems and the equipment and systems that communicate, store and act on data. Cybersecurity encompasses systems, ships and offshore assets, but includes third parties subcontractors, technicians, suppliers and external components suc

12、h as sensors and analytic systems that interface with networks and data systems. This includes human interaction of crews and other Company personnel, customers and potential threat players. In such a dynamic system, cybersecurity is an evolving set of capabilities inside the Company, developing and

13、 adapting as technology and threats evolve. Volume 1 of the ABS CyberSafety series provides best practices as a foundational element of overall safety and security within and across the marine and offshore communities. Cybersafety encompasses a number of elements including basic cyber systems operat

14、ions, system and system of systems requirements to enhance safety as well as cyber security in the interest of enhanced safety. This document is Volume 2 of the ABS CyberSafety series. It provides criteria for the assessment of corporate systems and asset readiness to prevent cyber events that may c

15、ompromise the safety and security of the data, systems and assets. ABS offers the optional CS series (CS1, CS2, and CS3) Class notation to ships and offshore assets that comply with ABS requirements contained in this Guide. The notation is available for all classed vessels complying with the IMO Int

16、ernational Safety Management (ISM) Code. While the notation is not required as a condition for ABS Class, ABS believes that the ABS CyberSafety Class notation is a useful indication of the due diligence applied by owners to better prepare for cybersecurity concerns affecting ships, offshore assets a

17、nd their associated shoreside facilities. The maritime cybersecurity area is evolving rapidly, and the International Maritime Organization (IMO), the International Association of Classification Societies (IACS), governmental authorities, and ABS are expected to add to the resources available to prep

18、are Owners of ships and/or offshore assets for the new security environment. ii ABSGUIDE FOR CYBERSECURITY IMPLEMENTATION FOR THE MARINE operational technology (OT) control systems; and their system interfaces and software on ships, offshore assets and the management systems of the associated shores

19、ide facilities. This Guide emphasizes implementation and verification of organizational processes and business rules (i.e., controls) through review and audit methods, and technical verification of system protective mechanisms and technical controls through system testing. Criteria for the hardware

20、and software integrity of computer-based control systems are given in other ABS Rules and Guides, such as the ABS Rules for Building and Classing Steel Vessels (Steel Vessel Rules), the ABS Guidance Notes on Failure Mode and Effects Analysis (FMEA) for Classification, the ABS Guide for Integrated So

21、ftware Quality Management (ISQM), and other applicable national and international standards. 3 Application and Scope 3.1 Application This Guide is intended for use by companies operating all types of ships and offshore assets. The Guides requirements are stated in general terms in order to apply to

22、a wide variety of ships and offshore assets and their operating Companies. The term “ships” includes passenger ships, cargo ships, mobile offshore units, and high speed craft. This Guide may also be used for fixed or floating offshore production assets. If requested by the owner, ABS will verify and

23、 certify the Cybersecurity program of any ship or vessel and its associated shoreside facilities in accordance with this Guide. In general, this Guide is intended to apply to vessels and their operating Company. A vessel may be certified without certifying the Company or its facilities so long as ap

24、propriate boundaries are defined and verified in accordance with this Guide. 3.3 Scope The requirements herein are applicable to standalone or integrated computer-based information technology and operational technology systems. Such systems may be installed on a ship, offshore unit, or land based Co

25、mpany facilities. Compliance with the procedures and criteria given in this Guide may result in issuance of a: CyberSafety Management System Certificate (CMSC) and Notation CS1, CS2, CS3, to an ABS classed ship or offshore asset upon request. Ships and offshore assets not classed by ABS can be issue

26、d a “Statement of Fact” when they are in conformance with the requirements of this Guide. Certificate of Cyber Compliance (CCC) for the Companys examined Facility; ABSGUIDE FOR CYBERSECURITY IMPLEMENTATION FOR THE MARINE that without operator alerts they cannot be accidentally or malevolently affect

27、ed in ways that impact human, system or environmental safety; and that OT is sustained and maintained across its lifecycle with proper care and diligent attention to keep both controls and their systems safe. Additional functions of the connected equipment are not included in the Notation unless det

28、ailed in the verification plan. 5 Certification 5.1 General Companies seeking certification to this Guide must, as a condition of certification, conform to the requirements of the ISM Code as relevant to the selected scope of their organizational management system. The scope of certification chosen

29、by the Company may include vessels, offshore assets, and/or the Companys facilities in combination(s) chosen by the Company. Vessel selection considers all vessels in the fleet but centers on the vessels considered highest priority by the Company. At least one vessel of each selected type is to be p

30、resented as a sample to be maintained at certification within the same scope of certification as required by the Company. The Company must provide evidence of verifiable similarity1among ships and offshore assets of specific types if any survey or test operations are to be abbreviated on the basis o

31、f identical installations or commonality across ships and offshore assets. Ships and offshore assets certified to the requirements of this Guide are, as a prerequisite, to be Classed by ABS or another International Association of Classification Societies (IACS) member to confirm CyberSafety builds o

32、n existing safe, monitored and managed assets. In the case of critical equipment or systems requested for specific review under the terms of this Guide, those systems must be Classed by ABS or another IACS member prior to consideration, for the same reasons as for ships and offshore assets Class req

33、uirements. Vessels shall be assessed on an annual basis, when there are major cyber-enabled, safety-related networked system configuration changes2, or with multi-year Class survey events when no major system configurations are changed. Annual Surveys are to be made within three months before or aft

34、er each anniversary date of the crediting of the previous Special Periodical Survey or original construction date. Surveys/Audits for Certification to this Guide will be harmonized with extant ABS Classification, Statutory and HQSE-En survey/audit cycles to the extent possible. A Companys Facility t

35、hat is assessed by ABS and found to meet the requirements specified in this Guide may be issued a corresponding Certificate of CyberSafety Compliance (CCC). Vessels operating under the Companys Cybersecurity Management System that are assessed by ABS and found to meet the requirements specified in t

36、his Guide may be issued a CyberSafety Management System Certificate (CMSC) as findings of the assessment, and corresponding private notation in the ABS Record3. The Notations and their meanings are listed below in Subsection 1/7. All certificates are subject to periodic and intermediate verification

37、s conducted at each certified location. All certifications are nontransferable. Assessments are based upon a sampling process. The absence of recorded nonconformities does not mean that none exist. Nothing contained herein or in any certificate, notation, or 1Similarity includes not just type design

38、 (unit 1, unit 2, of a series), but also similarity of control system construction and implementation. Programmable Logic Controllers (PLCs) used in specific systems must be shown as sufficiently similar across units with a ship type that understanding of control systems is possible through document

39、ation of those systems. 2Examples of changes sufficient to force reassessment of cyber-enabled, safety-related networked systems include major-version-number operating system or firmware changes in either OT or IT; control system changeouts in safety-critical systems; or combined configuration chang

40、es between or among two or more systems that control safety-critical systems. Other examples also apply. 3As stated in 1/3.3, non-ABS-classed vessels will be issued a Statement of Fact in place of the CMSC and Notation. 2 ABSGUIDE FOR CYBERSECURITY IMPLEMENTATION FOR THE MARINE a change in ownership

41、 or management will necessarily indicate a change in Company capability to support secure and effective operations in vessel or asset systems. 5.11 Limitation of Liability ABS shall not be liable or responsible in any respect for any inaccuracy or omission in this Guide or any other publication or d

42、ocument issued by ABS related to this Guide. Every owner, builder, or operator must understand their systems in order to tailor the application of security controls and requirements, filling gaps in their security where needed by specific situations. This Guide is not meant to address every possible

43、 contingency, but rather provide a means by which owner/builder/operator may execute a security program that may, in operations, reveal needs for tailored or unique security controls. 4 ABSGUIDE FOR CYBERSECURITY IMPLEMENTATION FOR THE MARINE Organization ISO 9001:2015, ISO 14001:2015, ISO 50001:201

44、1, and OHSAS 18001:2007. For Government-owned vessels in non-commercial service, the Naval Administration is to be considered the Company. Company Information Security Officer (CISO). The individual responsible for information systems, control systems and data security within the Companys enterprise

45、. Continual Improvement. Recurring process of enhancing the management system in order to achieve improvements in overall performance. Control System. Set of devices that manages, commands, directs or regulates the behavior of other devices or systems according to user inputs, settings or configurat

46、ions. Correction. Action to eliminate a detected non-conformity. Corrective Action. Action to eliminate the cause of a detected nonconformity or other undesirable situation. Cyber-Enabled System. Computerized or programmable system built to provide significant degrees of automation in operational fu

47、nction, system monitoring and management, or data communications. Cybersecurity Management System. An organizational tool for the identification, prioritization, execution and monitoring of the Companys cybersecurity policies, processes and procedures CyberSafety Management System Certificate (CMSC)

48、. Certificate of compliance provided for a vessels successful assessment of capabilities and practices required for CyberSafety under this Guide, complementing the Notation provided on the vessels ABS Record. 6 ABSGUIDE FOR CYBERSECURITY IMPLEMENTATION FOR THE MARINE represents how important the fun

49、ction is to the operation of the overall system. Internal Audit. Systematic, independent, and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the management system audit criteria set by the Company are fulfilled Interested Parties. Person or group, inside or outside the workplace, concerned with or affected by the performance of the Company. ISM. International Management Code for the Safe Operation of Ships and for Pollution Prevention as adopted by the formal body that determines these safety rul