ABS 250-2016 GUIDANCE NOTES ON THE APPLICATION OF CYBERSECURITY PRINCIPLES TO MARINE AND OFFSHORE OPERATIONS ABS CyberSafety VOLUME 1.pdf

Guidance Notes on the Application of Cyber Safety Principles to Marine and Offshore Operations
ABS CyberSafety™ Volume 1

GUIDANCE NOTES ON THE APPLICATION OF CYBERSECURITY PRINCIPLES TO MARINE AND OFFSHORE OPERATIONS
ABS CyberSafety™ VOLUME 1
SEPTEMBER 2016

American Bureau of Shipping
Incorporated by Act of Legislature of the State of New York 1862
© 2016 American Bureau of Shipping. All rights reserved.
ABS Plaza, 16855 Northchase Drive, Houston, TX 77060 USA

Foreword

ABS recognizes that automation methods and, increasingly, autonomy have penetrated nearly all aspects of shipboard and platform systems. Because these systems control multiple aspects of asset, ship or platform operations, they become integral parts of system and operational safety. ABS supports our community by compiling best practices, deriving new methods, and developing the standard for marine and offshore cybersecurity in a commitment to safety and security of life and property and preservation of the environment.

This document is Volume 1 of the ABS CyberSafety series. It provides best practices for cybersecurity, as a foundational element of overall safety and security within and across the marine and offshore communities. The best practices are meant to provide insights for operations, maintenance and support of cyber-enabled systems.

These Guidance Notes have been updated to align with Volume 2 of this series, ABS Guide for Cybersecurity Implementation for the Marine and Offshore Operations (ABS CyberSafety Volume 2). It has been expanded to reflect the full set of 37 Capabilities that define competencies for the ABS CyberSafety environment.

These Guidance Notes become effective on the first day of the month of publication. Users are advised to check periodically on the ABS website www.eagle.org to verify that this version of these Guidance Notes is the most current.

We welcome your feedback. Comments or suggestions can be sent electronically by email to rsd@eagle.org.

White House Cyberspace Policy Review, May 2009. Source: https://niccs.us-cert.gov/glossary)

Information Technology (IT): Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. (From: NIST SP 800-53 Rev 4 (glossary). Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf)

Operational Technology (OT): An information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems include supervisory control and data acquisition (SCADA) systems used to control geographically dispersed assets, as well as distributed control systems (DCSs) and smaller control systems using programmable logic controllers to control localized processes. (Adapted from: NIST SP 800-53 Rev 4. Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf)

Smart Asset: Marine and offshore assets built with significant degrees of automated control of vessel or platform operations, system management and monitoring, and data communications. Automation provides labor-saving capabilities; augments human strength; augments human decision-making and error-checking processes; provides operational situational awareness; enables multiple simultaneous system control and management; and provides for controlled data storage. A Smart Asset may possess automated or autonomous processes that operate without routine human intervention.

it is the training and documentation of processes and procedures that help insure against these categories of errors. For natural disasters, we plan for business continuity, designing resilience into systems, processes and assets.

The first step to improved cybersecurity is knowledge of the approaches developed and implemented by other practitioners in the field who have gained and shared valuable experiences and lessons learned. This document contains practical information that has been researched and vetted for application to the marine and offshore industries. It is a collection of best practices deemed to be useful both to novice specialists just beginning to establish cybersecurity programs, and to seasoned experts who want to review the best practices of others in order to continue improving their cybersecurity programs and implementations.

3 Best Practices (1 September 2016)

ABS CyberSafety is the ABS process for adding cybersecurity rigor to both the operational systems aboard ships and platforms, and to the linked business systems that support their missions. The best practices in these Guidance Notes will help the reader understand how to frame and prioritize cybersecurity work efforts in going about building rigor, security and safety into systems.

This volume concentrates on the establishment of Basic and Developed Capabilities that fully enable a cybersecurity work effort. In this context, a Capability is broad in that it includes people, systems, data, and processes. A Company builds these Capabilities incrementally based on security needs, staff competencies, available acquisition resources, and organizational maturity in cybersecurity. Capabilities built according to this method become the Company's support framework for security controls, policies and procedures. The program laid out in this way becomes an overlay that can be used with any compliance framework's security controls, or it can be a measurable compliance set in its own right. The arrangement of the Capabilities is consciously structured to provide supportability and life cycle management inside the personnel structures built and maintained by the Company, for both cybersecurity and system safety.

Section 2, Figure 1 illustrates the most basic Capabilities that are required to build a cyber-safe program to support cyber-secure systems. At the core of the program are the baseline controls and tasks: the information technology fundamentals commonly employed to support a business or operational (shipboard, offshore or port facility) system. Surrounding this baseline are Capabilities needed to shape an environment that is ready to sustain a robust cybersecurity program.

even so, the listed practices are primarily based on lessons learned by implementers that have paved the way in cybersecurity program development and can arguably enable a practitioner to stand up a functional cybersecurity program more rapidly and logically than would be possible without this or similar guidance.

These Guidance Notes are organized as best practices and recommendations for each of the Capabilities shown in the preceding cybersecurity program graphics. The Basic Capability list deemed to be essential to a nascent program is provided first, followed by the Developed Capability list.

4.1 Basic Capability
1. Exercise Best Practices
2. Build the Security Organization
3. Provision for Employee Awareness and Training
4. Perform Risk Assessment
5. Provide Perimeter Defense
6. Prepare for Incident Response and Recovery
7. Provide Physical Security
8. Execute Access Management
9. Maintain Asset Management

for security contract management; and, for system output analysis and use. It should also consider a look forward for employees and their skills by anticipating the changes in threat and risk environments, skills needed in the future, and career development enhancers that keep security personnel fresh, interested, and intellectually stimulated. An important part of building the organization and the personnel is the placing of expectations. Capability assessments for the Company, with status reports and plans for development, help keep personnel involved as the organization builds capabilities and matures.

2.1 References
i) United States National Institute of Standards and Technology (NIST), National Initiative for Cybersecurity Education (NICE), http://csrc.nist.gov/nice/
ii) European Union Agency for Network and Information Security (ENISA), Training Material for SMEs, https://www.enisa.europa.eu/publications/archive/training-material-SMEs
iii) Health Information Trust Alliance (HITRUST), "Building an Information Security Organization," https://
iv) United States National Institute of Standards and Technology (NIST), Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, SP 800-84, Sep 2006. http://csrc.nist.gov/publications/nistpubs/800-84/SP800-84.pdf

3 Provision for Employee Awareness and Training
a) The organization has an acceptable use policy that spells out to relevant personnel the permitted uses for information technology, operational technology, and organizational data and assets.
b) The organization has enforcement mechanisms in place to confirm that acceptable use policies are trained, acknowledged, monitored and enforced throughout the enterprise.
c) The organization conducts periodic cybersecurity awareness training so that all personnel understand organizational policies, procedures, and safeguards needed to minimize threats.

User (employee, contractor, consultant, or visitor) training for anyone who accesses Company assets is essential in order to enable employees to handle threats and risks, contemplated and unforeseen. Initial and refresher training programs that periodically review the in-place cybersecurity policies and prescriptions or proscriptions are critical for employees and contractors. The mechanics of this training should be considered as well. Many training systems require particular provisioning or licensing on end-user machines. This can be an impediment or disincentive for occasional users (e.g., outside contractors) to access or use the training.

Notification lists for those personnel needed to understand the incident, or to take part in the response to it;
Communications plan for internal personnel that provides continued operations while dispelling fear;
Communications plan for external agencies and personnel to maintain the organizational perspective;
Control plan for hazards that may affect personnel or systems;
Control plan for hazards that may spill from the Company's boundaries into the surrounding environment (i.e., affect neighbors or otherwise foment liability); and
Recovery plan for establishing a known set of conditions, consolidating those conditions for safety of personnel, systems, ship/platform/facility, and environment, and moving back to full operational capabilities.
b) The organization conducts periodic cyber incident drills that rehearse actions and reactions employed to recognize, control, and recover from a cybersecurity event that affects critical systems, data, and functions.

The company or agency can plan for how to control and recover from threats based on its knowledge of the Company structure, employee capabilities, the Company's remediation capabilities, its current risk position and threats, and its deployed boundary defenses. It is vital that this be a collaborative, inclusive activity that involves all parties concerned with operations and operational characteristics of the company. Lessons learned from one's own efforts, and from experiences of others, are important multipliers for achieving better, faster results. The communications plans for both internal and external personnel and contacts are worked out in advance so as to avoid on-the-fly decisions, mistakes, and omissions when pressured by crisis conditions. Crisis control plans must target safety for personnel and systems, protect against environmental or surrounding organizational harms, and provide a basis for reporting to compliance organizations.

6.1 References
i) European Union Agency for Network and Information Security (ENISA), Good Practice Guide for Incident Management. https://www.enisa.europa.eu/activities/cert/support/incident-management/files/good-practice-guide-for-incident-management/at_download/fullReport
ii) United States National Institute of Standards and Technology (NIST), Computer Security Incident Handling Guide, SP 800-61 Rev 2, Aug 2012. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
iii) United States National Cybersecurity Center of Excellence (NCCoE), "Data Integrity: Reducing the Impact of an Attack," Draft, 23 Nov 2015. https://nccoe.nist.gov/sites/default/files/nccoe/NCCoE_Data_Integrity_Project_Description.pdf
iv) United States National Institute of Standards and Technology (NIST), Guide to Integrating Forensic Techniques Into Incident Response, SP 800-86, Aug 2006. http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf

and (2) non-trivial and cryptologically strong.
d) The organization has considered risks associated with computationally-enabled physical security equipment so that inadvertent login failures and/or lockouts, loss of power, reboot events, and the like will not impact safety-critical operations.
e) The organization safeguards its systems and device infrastructure with physical security and other means to limit access to critical equipment or safety-related equipment to authorized personnel, with appropriate accesses and means, only.
f) The organization regularly tests physical and environmental control and security sensors, devices, systems, appliances and applications, in accordance with both manufacturer and owner direction or guidance, to keep these systems in peak, known operational states.

Physical security for marine ships and platforms is a well-established area, but the addition of information technology (IT) and operational technology (OT) systems can change the needs in unexpected ways. Owners and operators must keep in mind that cyber-enabled safety and security equipment can be attacked and suborned/disabled, as can other IT and OT systems. Data systems, computational equipment, and data storage must be safeguarded from all but authorized access, no matter the location, and safeguards must include physical blocking/locking devices and appliances, as well as spaces for such equipment and systems.

7.1 References
i) Cisco: "Network Security Policy: Best Practices White Paper," Oct 2005. http://
ii) Kane, Douglas R. and Paul Viollis, checklists adapted from Silent Safety: Best Practices for Protecting the Affluent