In view of the sudden spread of a new ransomware variant, that affected maritime owners and operators, forcing them to shutter operations, ABS suggests that such cases illustrate what can happen to systems, when technology use outruns system understanding and presents the ABS CyberSafety® program, an enabling factor for enterprise security.
The automation systems on ships and offshore assets today are often single-purpose components. These automation systems bring features and functions that multiply human effort, but sometimes at the cost of vulnerabilities to specific errors, failure modes or intrusions. Automation systems can be information technology (IT), operational technology (OT) or the converged IT-OT cyber-physical systems, which are becoming more common in control system implementations.
There are several major efforts required to keep systems safe and increase the likelihood that they perform as expected for our enterprises. These are bare minimum requirements for today’s security:
- Architecture is required for company or organizational processes. It’s important to know systems and their interfaces, to understand the interoperability requirements among systems and to appreciate where protective features should be incorporated in architecture.
- Incident response and recovery capabilities, based on system understanding and positive system control, are required to stimulate and manage response to malfunctions, errors or intrusions. Asset inventory and systems performance monitoring is critical to detect abnormalities and respond appropriately.
- Software management of change program addresses hardware systems, the software running on them and how that software is managed through configuration, testing, patching, maintenance and lifecycle. The management of change program is that conscious effort required to track the software versions, their test results, their master copies (for recovery) and their upkeep through the system life.
These three factors all provide inputs to the organizational work expected for risk assessment. As recently reinforced by IMO in the report of their Maritime Security Committee (MSC) 98, cybersecurity risk will be required as a part of conventional risk management conducted for maritime assets.
That risk assessment process will include cyber-enabled systems and the potential hazards and impacts of certain conditions. Suddenly there is a new sense of apprehension for potential risks to people, systems, the ship or platform, and to the environment, all emerging from our automated systems.
In response of these, the ABS CyberSafety® program encourages and expects security behaviors and functions as principal enabling factors for enterprise security, helping shipowners to:
- Establish a control systems management organization to document and understand company or installation systems;
- Develop a Functional Description Document (FDD) to combine system documentation, architectures, networking implementations, failure mode analyses and test results into a comprehensive collection to assist with operator training and system understanding;
- Develop and implement an Incident Response and Recovery capability, including the procedures and processes needed for the management organization to use the FDD to guide incident control and recovery efforts;
- Develop and implement an effective Software Management of Change process to track and manage assets and software; and
- Put into place a Cybersecurity Management System (CMS) that allows the company to understand their current posture and their prioritized actions to address risk factors or risk conditions.
ABS CyberSafety crews perform assessments against critical function checklists and provide action-oriented reports, thus enabling organizations to implement risk-based cybersecurity as part of their normal operational risk management processes. It’s very clear that there is no ‘magic bullet’ against cybersecurity risks, but proper organization, operation and engineering can make the difference.