1、Designation: F3286 17Standard Guide forCybersecurity and Cyberattack Mitigation1This standard is issued under the fixed designation F3286; the number immediately following the designation indicates the year oforiginal adoption or, in the case of revision, the year of last revision. A number in paren
2、theses indicates the year of last reapproval. Asuperscript epsilon () indicates an editorial change since the last revision or reapproval.1. Scope1.1 This guide addresses the company or government orga-nizational need to mitigate the likelihood of cyberattacks andreduce the extent of potential cyber
3、attacks, which can leavesensitive personal data, corporate information, and criticalinfrastructure vulnerable to attackers.1.2 These recommendations are meant to serve as a guide-line for corporate and government organizations to adopt forthe protection of sensitive personal information and corporat
4、edata against hackers.1.3 Cybersecurity and cyberattacks are not limited to themaritime industry. With greater advancement in computer andinformation technology (IT), cyberattacks have increased infrequency and intensity over the past decade. These advance-ments provide hackers with more significant
5、 tools to attackvulnerable data and communication infrastructures. Cyberat-tacks have become an international issue to all governmentsand companies that interact with each other.1.4 Cybersecurity and the safety of cyber-enabled systemsare among the most prevailing issues concerning the maritimeindus
6、try as well as the global economy. Cyberattacks couldaffect the flow of trade or goods, but operator errors incomplex, automated systems may also cause disruptions thatmay be mitigated with proper policies and personnel training.1.5 This guide is meant to provide strategies for protectingsensitive d
7、ata onboard vessels and offshore operations.1.6 This standard does not purport to address all of thesafety concerns, if any, associated with its use. It is theresponsibility of the user of this standard to establish appro-priate safety, health, and environmental practices and deter-mine the applicab
8、ility of regulatory limitations prior to use.1.7 This international standard was developed in accor-dance with internationally recognized principles on standard-ization established in the Decision on Principles for theDevelopment of International Standards, Guides and Recom-mendations issued by the
9、World Trade Organization TechnicalBarriers to Trade (TBT) Committee.2. Referenced Documents2.1 Federal Standards:246 CFR 140.910 Equipment3. Terminology3.1 Definitions:3.1.1 access control, npractice of selective limiting of theability and means to communicate with or otherwise interactwith a system
10、, use system resources to handle information,gain knowledge of the information the system contains, orcontrol system components and functions.3.1.2 application programming interface, API, nset ofroutines, protocols, and tools for building software and appli-cations.3.1.3 botnet, nnumber of internet-
11、connected computerscommunicating with other similar machines in which compo-nents located on networked computers communicate andcoordinate their actions by command and control or by passingmessages to one another.3.1.4 capability, nability to execute a specified course ofaction.3.1.5 communications,
12、 nmeans for a vessel to communi-cate with another ship or an onshore facility.3.1.6 compression, nreduction in the number of bitsneeded to store or transmit data.3.1.7 cybersafety, nguidelines and standards forcomputerized, automated, and autonomous systems that ensurethose systems are designed, bui
13、lt, operated, and maintained soas to allow only predictable, repeatable behaviors, especially inthose areas of operation or maintenance that can affect human,system, enterprise, or environmental safety.3.1.8 cybersecurity, nactivity or process, ability orcapability, or state whereby information and
14、communicationsystems and the information contained therein are protectedfrom and defended against damage, unauthorized use ormodification, or exploitation.1This guide is under the jurisdiction of ASTM Committee F25 on Ships andMarine Technology and is the direct responsibility of Subcommittee F25.05
15、 onComputer Applications.Current edition approved Dec. 1, 2017. Published January 2018. DOI: 10.1520/F3286-17.2Available from U.S. Government Printing Office, Superintendent ofDocuments, 732 N. Capitol St., NW, Washington, DC 20401-0001, http:/www.access.gpo.gov.Copyright ASTM International, 100 Bar
16、r Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United StatesThis international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for theDevelopment of International Standards, Guides and Recomm
17、endations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.13.1.9 data assurance, nperception or an assessment ofdatas fitness and integrity to serve its purpose in a givencontext.3.1.10 data, nquantities, characters, or symbols on whichoperations are performed by a
18、 computer being stored andtransmitted in the form of electrical signals and recorded onmagnetic, optical, or mechanical recording media.3.1.11 detection processes, nmethods of detecting intru-sions into computers and networks.3.1.12 encryption, nconversion of electronic data intoanother form called
19、ciphertext, which cannot be easily under-stood by anyone except authorized parties.3.1.13 exposure, nmeasure of a system at risk that isavailable for inadvertent or malicious access.3.1.14 firewall, nlogical or physical break designed toprevent unauthorized access to information technology (IT)infra
20、structure and information.3.1.15 file transfer protocol, FTP, nstandard networkprotocol used to transfer computer files between a client andserver on a computer network.3.1.16 flaw, nunintended opening or access point in anysoftware.3.1.17 human system, ninteraction and contact between ahuman user a
21、nd a computer system.3.1.18 hypertext transfer protocol, HTTP, nprimary tech-nology protocol on the web that allows linking and browsing.3.1.19 hypertext transfer protocol over secure socket layer,HTTPS, nprotocol to transfer to encrypted data over the web.3.1.20 information technology, IT, nequipme
22、nt or inter-connected system or subsystem of equipment that is used in theautomatic acquisition, storage, manipulation, management,movement, control, display, switching, interchange,transmission, or reception of data or information.3.1.21 internet of things, IoT, ninternetworking of physi-cal device
23、s, such as vessels, vehicles, buildings and other itemsembedded with electronics, software, sensors, actuators, andnetwork connectivity that enable these objects to collect andexchange data.3.1.22 information security management system, ISMS,nset of policies with information security management orIT
24、-related risks.3.1.23 local area network, LAN, ncomputer network thatinterconnects computers within a particular area and does notconnect to the internet; this applies to onboard ship networks.3.1.24 machinery control systems, MCS, nIT systems thatreport operating parameters or control operation of
25、equipment,which commonly use programmable logic controllers (forexample, fuel tank level indicators or throttle control systems).3.1.25 network, ninfrastructure that allows computers toexchange data by wireless or cable wireless network interac-tions.3.1.26 operational technology, OT, ninformation s
26、ystemused to control industrial processes such as manufacturing,product handling, production, and distribution.3.1.26.1 DiscussionIndustrial control systems include su-pervisory control and data acquisition (SCADA) systems usedto control geographically dispersed assets, as well as distrib-uted contr
27、ol systems (DCSs) and smaller control systems usingprogrammable logic controllers to control localized processes.3.1.27 original equipment manufacturer, OEM,ncompany that makes parts or subsystems that are used inanother companys end product.3.1.28 phishing, vsending e-mails to a large number ofpote
28、ntial targets asking for particular pieces of sensitive orconfidential information.3.1.28.1 DiscussionSuch an e-mail may also request thatan individual visits a fake website using a hyperlink includedin the e-mail.3.1.29 programmable logic controller, PLC, ndigital com-puter used for automation of i
29、ndustrial electromechanicalprocesses.3.1.30 ransomware, nmalware that encrypts data on sys-tems until the distributor decrypts the information.3.1.31 remote desktop protocol, RDP, nproprietary proto-col developed by Microsoft that provides a user with agraphical interface to connect to another compu
30、ter over anetwork connection.3.1.32 resilience, ncharacteristics that enable a system toresist disruption and adapt to minimize the impact of disrup-tions.3.1.33 risk, npotential or threat of undesired conse-quences occurring to personnel, assets, or the environment as aresult of vulnerabilities in
31、systems, staff, or assets.3.1.34 risk assessment, nprocess that collects informationand assigns values to risks for informing priorities, developingor comparing courses of action, and informing decision mak-ing.3.1.35 risk management, nprocess of identifying,analyzing, assessing, and communicating r
32、isk and accepting,avoiding, transferring, or controlling it to an acceptable levelconsidering associated costs and benefits of any actions taken.3.1.36 router, ndevice that forwards data from one net-work to another network regardless of physical location.3.1.37 scanning, vprocedure for identifying
33、active hostsor potential points of exploit or both on a network, either forthe purpose of attacking them or network security assessment.3.1.38 sensitive information, nany digital data that can beclassified as private or corporate not meant for public access.3.1.39 social engineering, nnontechnical t
34、echnique usedby potential cyberattackers to manipulate insider individualsinto breaking security procedures, typically, but notexclusively, through interaction via social media.3.1.40 social media, ncomputer-mediated online toolsthat allow people, companies, and other organizations, includ-ing nonpr
35、ofit organizations and governments, to create, share,or exchange information, career interests, ideas, and pictures/videos in virtual communities and networks.F3286 1723.1.41 software, nintellectual creation that represents thereal world as data and uses logic, that, when translated intoelectronical
36、ly readable code and run on a computer, processesthe data, allowing the requirements placed on the software tobe realized in the real world.3.1.42 Subchapter M, nU.S. Coast Guard (USCG) regu-lations that legally define rules for the inspection, standards,and safety policies of towing vessels.3.1.43
37、transportation worker identification credential,TWIC, nprovides a tamper-resistant biometric credential tomaritime workers requiring unescorted access to secure areasof port facilities, outer continental shelf facilities, and vesselsregulated under the Maritime Transportation Security Act of2002 (MT
38、SA) and all USCG credentialed merchant mariners.3.1.44 water holing, vestablishing a fake website or com-promising a genuine site to exploit visitors.3.1.45 wide area network, WAN, nnetwork that can crossregional, national, or international boundaries.3.1.46 wi-fi, nall short-range communications th
39、at useelectromagnetic spectrum to send and receive informationwithout wires.4. Summary of Guide4.1 The maritime industry is globalized. Shipping occursacross the world, transporting goods to different nations andcontinents. Technology integration onboard seagoing ships andvessels has increased the q
40、uality and reliability ofcommunications, data recording, navigation, and record keep-ing. Wherever ships and marine craft go, there is a potential forcyber-enabled systems to impact ship operations and crewsafety.At times, these impacts can emerge from human error ordeliberate actions.4.2 Commercial
41、 pressures and demands for efficiency andspeed, as well as more control over shipboard systems, createthe need for integrated systems that may be subject to misuse,abuse, or illicit access. Table 1 provides an overview of themotivation and impacts of a cyberattack.4.3 Companies and governments that
42、operate or own sea-going vessels should adopt measures and practices that willshape personnel and system access according to job require-ments and need to know. For good practice, human andmachine access to sensitive information should be kept to aminimum level. Access needs for third parties (for e
43、xample,maintenance personnel, consultants, service engineers, and anynon-crew personnel) should be addressed in company orgovernment policies and procedures, or both.4.4 Companies and governments may use cybersecuritytraining programs to educate the shoreside employees andmariners of the organizatio
44、n. Training programs and materialsshould provide useful tools and strategies to:4.4.1 Reduce or prevent human errors in automated systemsoperations that could affect safety, correct system function, orship data; and4.4.2 Identify when a cybersecurity event occurs and how tostop or prevent one from h
45、appening.4.5 Any implemented training program should apply to allmembers, shoreside employees, and mariners of a governmentor company operating seagoing vessels. Training programsshould begin at the top of an organization and work through tothe bottom thus following a hierarchical approach and respo
46、nseto cyber-system events and their impacts on the company, ship,or organization.4.6 Training programs should focus on and follow a generalprocedure including the following steps:4.6.1 Risk identification,4.6.2 Risk detection,4.6.3 Protection of personnel and vulnerable or criticalinfrastructure,4.6
47、.4 Mitigate effects of cyberattack,4.6.5 Recover stolen or lost data, and4.6.6 Restoration of systems to fully operational status.4.7 Ship systems have become increasingly integrated withnavigation, communications, recordkeeping, logistical data,corporate data, personal data, and ship-operating syst
48、ems.These systems may be running on the same informationinfrastructure. With this interconnectedness comes complexi-ties and interdependencies that can result in unexpected vul-nerabilities. Even systems that use air gaps for security, such asmachinery control systems, may be vulnerable to errors an
49、dattacks because of contamination with malware or maliciousTABLE 1 Impacts of CyberattackAGroup Motivation ObjectiveActivists (including disgruntled employees) Reputational damageDisruption of operationsDestruction of dataPublication of sensitive dataMedia attentionCriminals Financial gainCommercial espionageIndustrial espionageSelling stolen dataRansoming stolen dataRansoming system operabilityArranging fraudulent transportation of cargoOpportunists The challenge Getting through cyber security defensesFinancial gainStatesState-Sponsore
