Page 1

Learning from mistakes - A risk-based management concept for ship operation (Aus Fehlern lernen - Ein risikobasiertes Managementkonzept für den Schiffsbetrieb)

VHT seminar "Cyber risks in shipping" (Cyber-Risiken in der Schifffahrt), 7 November 2017

DNV GL MARITIME ADVISORY

SVANTE EINARSSON – SENIOR CYBER SECURITY PROJECT ENGINEER

DNV GL © 2017

Page 2

Safety in shipping today heavily depends on cyber systems

Information Technology (IT) – on-shore organisation, IT networks:

• E-mail
• Administration, accounts, crew lists, …
• Planned maintenance
• Spares management and requisitioning
• Electronic manuals
• Electronic certificates
• Permits to work
• Charter party, notice of readiness, bill of lading, …

At risk: mainly finance and reputation

Operation Technology (OT) – PLCs, SCADA, on-board measurement and control:

• ECDIS
• GPS
• Remote support for engines
• Data loggers
• Engine & cargo control
• Dynamic positioning, …

At risk: life, property and environment + all of the above

Page 3

Cyber security may not be at the top of every fleet manager's agenda, but it is likely to climb as issues migrate to the OT world

[Chart: Attacks on industrial control systems, 2013 to 2016, +110%; series: Information technology (IT), Operational technology (OT)]

Sources: AV-TEST Institute, Germany; IBM Managed Security Services – 2016 report "Attacks Targeting Industrial Control Systems (ICS) Up 110 Percent"

Page 4

WannaCry: Largest ransomware attack to date

"The latest count is over 200,000 victims in at least 150 countries" – Rob Wainwright, Europol Executive Director

Known affected organisations:

• Spain – Telefonica, power firm Iberdrola, utility provider Gas Natural and more large firms
• USA – FedEx
• France – Renault
• Germany – Deutsche Bahn
• Jakarta – two hospitals
• Russian Interior Ministry
• Britain's National Health Service, Nissan car plant

Page 5

Large sums of money are at stake!

Page 6

NotPetya: Heavily impacting maritime industry players

"Big hack at Maersk puts Rotterdam's container terminal flat" – David Bremmer and Leon van Heel, AD, NL

• Arrived via an update to an accounting system in Ukraine (ME Doc)
• Spread like a worm from an infected machine
• Exploited a Windows SMB vulnerability (aka EternalBlue); the fix from Microsoft was released on March 14th (MS17-010)
• Spreads into the local network using exploits like EternalBlue and tools like PsExec and WMIC
• Encrypts MFT (Master File Tree) tables for NTFS partitions
• Overwrites the MBR (Master Boot Record) with a custom bootloader
• Shows a ransom note demanding USD 300, same bitcoin wallet
• Prevents victims from booting their computer
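The slide above names PsExec and WMIC as the tools NotPetya used to spread inside the local network; the findings slides later in the deck report that on board "security products generate alarms, but there is no central collection or review of events". As an added example (not from the DNV GL slides or the RP), the Python script below shows what such a central review would look for: two lateral-movement rules run over constructed log lines modelled on Windows System event 7045 (service installed) and Sysmon event 1 (process created). The key=value line format, host names and user names are assumptions made for the example.

```python
"""Flag the lateral-movement traces of a NotPetya-style worm in endpoint logs.

Added example, not part of the DNV GL slides. The two rules cover the two
spreading tools the slide names: PsExec (which installs a service called
PSEXESVC on the target) and WMIC (remote commands run as children of the
WMI provider host, WmiPrvSE.exe). Log lines are constructed here in a
simplified key=value form; real collectors would feed Windows System 7045
and Sysmon event 1 records in their own schema.
"""
import re
from dataclasses import dataclass

# Constructed sample: one PsExec service install, one WMI-spawned shell,
# one benign interactive logon and one benign (vendor) service install.
SAMPLE_LOG = """\
2017-06-27T10:31:05Z host=EPM-PC eventid=7045 service_name=PSEXESVC image_path=%SystemRoot%\\PSEXESVC.exe account=LocalSystem
2017-06-27T10:31:07Z host=ALARM-SRV eventid=1 image=C:\\Windows\\System32\\cmd.exe parent_image=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe user=SHIP\\svc_admin
2017-06-27T10:32:00Z host=ECDIS-01 eventid=1 image=C:\\Windows\\explorer.exe parent_image=C:\\Windows\\System32\\userinit.exe user=SHIP\\officer
2017-06-27T10:35:12Z host=EPM-PC eventid=7045 service_name=EngineMonitor image_path="C:\\Program Files\\EPM\\epmsvc.exe" account=LocalSystem
"""

# key=value pairs; a value may be quoted to allow spaces (e.g. a file path).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    rule: str
    detail: str


def parse_line(line):
    """Split a constructed log line into (timestamp, {key: value})."""
    timestamp, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return timestamp, fields


def psexec_service_install(ts, f):
    """System event 7045 naming the PSEXESVC service: PsExec (or a clone that
    keeps the same service name) has been pushed to this host."""
    if f.get("eventid") == "7045" and f.get("service_name", "").upper() == "PSEXESVC":
        return Finding(ts, f["host"], "psexec_service_install", f.get("image_path", ""))
    return None


def wmi_spawned_shell(ts, f):
    """Sysmon event 1 where WmiPrvSE.exe is the parent of a command interpreter:
    the footprint of a command executed remotely through WMI/WMIC."""
    shells = {"cmd.exe", "powershell.exe"}
    parent = f.get("parent_image", "").lower()
    child = f.get("image", "").lower().rsplit("\\", 1)[-1]
    if f.get("eventid") == "1" and parent.endswith("\\wmiprvse.exe") and child in shells:
        return Finding(ts, f["host"], "wmi_spawned_shell", f"{child} by {f.get('user', '?')}")
    return None


RULES = (psexec_service_install, wmi_spawned_shell)


def detect(log_text):
    """Run every rule over every non-empty line; findings come back in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_line(line)
        for rule in RULES:
            hit = rule(ts, fields)
            if hit:
                findings.append(hit)
    return findings


def affected_hosts(findings):
    """Distinct hosts with at least one finding, sorted for the incident report."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host:10} {f.rule:24} {f.detail}")
```

On the constructed sample the script flags EPM-PC (PsExec service install) and ALARM-SRV (shell spawned by WmiPrvSE.exe) and ignores the two benign lines.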

Page 7

Trends

Cyber security threats are progressing and becoming a part of our daily business

Some examples from DNV GL on-board inspections and work with clients:

– Infected ECDIS chart updates caused the ECDIS systems of 2 bulk carriers to shut down
– Ransomware on the master's PC leading to loss of the main switchboard and loss of vessel operation for 3 days
– During routine maintenance, a crew member received an e-mail made to look like it came from the shore-side ship manager, asking for system passwords 'for confirmation'
– A shipping company suffered a cyber attack in the office directed at the shore-based server, with corrupted data on the vessel as a consequence

Timeline:

– 2010: Drilling rig infected with malware – 19 days of shutdown, affecting even the blow-out preventer control system
– 2011: Pirate cyber attack – suspected of exploiting cyber weaknesses to target vulnerable shipments, exploiting the Automated Information System (AIS)
– 2012: GPS jamming/spoofing – over 120 ships, including major Asian Coast Guard vessels, experienced malicious jamming of GPS signals
– 2013: Hacking of cargo tracking system – drug smugglers hacked cargo tracking systems in a major European port to avoid detection and get access to goods
– 2014: U.S. port hacker attack – shutdown of multiple ship-to-shore cranes for several hours
– 2015-16: Significant amount of reported attacks – more than 50 cyber security attacks detected in Norwegian energy and oil & gas in 2015
– 2017++: Ransomware explodes – "WannaCry" virus affecting more than 200,000 users in at least 150 countries; NotPetya seriously impacting the maritime industry

Also noted on the timeline: ransomware attacks on container ships.

Page 8

IMO – present requirements

Cyber security brought into ISM/ISPS audits

– ISM Code 1.2.1: The objectives of the Code are to ensure safety at sea, prevention of human injury or loss of life, and avoidance of damage to the environment, in particular to the marine environment, and to property.

– ISM Code 1.2.2: Safety management objectives of the Company should, inter alia:

1. provide for safe practices in ship operation and a safe working environment;
2. assess all identified risks to its ships, personnel and the environment and establish appropriate safeguards; and
3. continuously improve safety management skills of personnel ashore and aboard ships, including preparing for emergencies related both to safety and environmental protection.

– ISM Code 1.2.3: The safety management system should ensure:

1. compliance with mandatory rules and regulations; and
2. that applicable codes, guidelines and standards recommended by the Organization, Administrations, classification societies and maritime industry organizations are taken into account.

Conclusion: If cyber risks exist, the ISM and ISPS Codes contain mandatory requirements.

Page 9

Cyber security regulations evolving

Impact:

– MSC 98 agreed that there is an urgent need to raise awareness on cyber risk threats and vulnerabilities
– An important part of achieving this would be to consider cyber risk as part of existing safety management systems (ISPS and ISM Codes)
– MSC 98 adopted resolution MSC.428(98) on Maritime cyber risk management in management systems
– MSC 98 adopted the recommendatory MSC-FAL.1/Circ.3, superseding the interim guidelines

Outcome:

– The guidelines are not mandatory, but Member Governments are encouraged to ensure that cyber risks are appropriately addressed in safety management systems, no later than the first annual verification of the company's Document of Compliance after 1 January 2021.
– Cyber risks should be addressed in safety management systems no later than the first annual verification of the DoC after 1 January 2021. This is a non-mandatory requirement.

Page 10

IMO proposal for new Strategic Plan

Assembly session of IMO, Nov 27th – Dec 6th 2017

Submission of "Strategy, Planning and Reform" with a proposal for a new Strategic Plan for the six-year period 2018 to 2023.

In the submission paper A 30/7 on page 8, para. 28 it is stated/proposed how IMO should handle cyber risks in the strategic direction SD 5:

"Shipping operations are increasingly dependent on electronics and digital technologies and as such are exposed to cyber risks. The Organization will continue to monitor the issue and encourage a cooperative approach among Member States and stakeholders."

Page 11

The weakest link – Threats and vulnerabilities

Page 12

Threats can be intended or accidental

Two axes: intentional / unintentional and targeted / untargeted. Examples placed on the matrix:

• Malware
• Built-in software weaknesses
• Spear-phishing
• Disgruntled employee
• Escaped proof-of-concept, runaway pentest
• Falling victim to social engineering
• Ransomware
• Backdoors
• User error
• Social media

Page 13

Social engineering

Page 14

Just the other day, DNV GL received a major phishing attack

Note the seemingly valid @dnvgl.com sender!

Page 15

Fake websites

Page 16

Three pillars of cyber security

Holistic approach for maritime cyber security assessments

People:
• Training & awareness
• Professional skills & qualifications
• Emergency drills
• Authorizations & authentication
• Physical security

Process:
• Management systems
• Governance frameworks
• Policies & procedures
• Vendor/third-party contracts follow-up
• Audit regimes

Technology:
• System design
• Hardening of connections
• Software configuration
• Encryption protocols
• Jamming & spoofing
• Detection & monitoring

Page 17

Network security

Example findings on container, tanker & offshore production units

Are firewalls used according to policy?

• Firewall mounted in the engine performance monitoring cabinet, but not connected

Page 18

Physical security and access control

Example findings (continued) – checking access control

• No password change policy, passwords pre-set by shore IT
  – Passwords printed on paper and posted on the wall

Page 19

Physical security and access control

Example findings (continued) – checking access control

Page 20

Physical security and access control

Example findings (continued) – checking access control

• Unnecessary Administrator access on the engine performance monitoring PC
• No automatic lock-out, and users stay logged in to workstations, because reporting tasks are so time-consuming that they cannot be handled by a single person
• Lack of physical security: all equipment in scope is accessible
• Weak passwords, e.g. "123"

Page 21

Network security

Example findings (continued) – network security checks

• Personal use of the company network
  – E-mail (bypassing corporate filtering), browsing and social networking on on-board PCs
• 4 base functions of the on-board firewall disabled, including event logging; broadcast storm protection disabled in switches
• Limited alarm and event logging
  – Security products generate alarms, but there is no central collection or review of events
• Lack of Windows patching & hardening
  – Windows updated only during major upgrades, i.e. up to 3 years outdated
  – Windows installations configured with standard settings
  – Default credentials on networking gear, e.g. switches, routers
• 15 anti-virus alarms in a week on a sample PC on board

Page 22

Network security

Example findings (continued) – network security checks

• Anti-virus installed on all hosts; however, no scheduled scans (last scan in 2014)
• No monitoring/alarming of network load within the network panel of the alarm server HMI
• Alarm servers running unused/unnecessary services
• Adequate malware protection not installed on HMI PCs (alarm monitoring and engine performance monitoring)
• Alarm overflow: after a certain number, no further alarms can be received
• OS security patches ~twice a year (except the ship's firewall)
• Unencrypted e-mail communication

Page 23

Policies and procedures

Example findings (continued) – checks on policies and procedures

• No defined policies to be followed by associated vendors/service personnel
  – Service provider technician uses own USB stick to print reports from on-board PCs
• Dedicated USB stick for updating ECDIS; however, physically not secured and no malware scanning
• Single USB stick policy
  – Single USB stick used to transfer loading condition data to shore via the bridge
  – SD card used between camera and on-board workstations
  – Gradually the whole business network on board became infected

Page 24

Policies and procedures

Example findings (continued) – checks on policies and procedures

• All data and configuration backups stored in a single cabinet on board
• All backup HDDs stored in a single rack (together with all IT servers) and not transferred to shore
• IT dept. responsible for communication networks, but the Master is responsible on the vessel
  – No incident response policy defined; the Master would contact the IT dept.
• AIS kept on in piracy area despite policy to switch it off; no policy regarding sharing geo-tagged photos

Page 25

The DNV GL approach – How to manage cyber risks!

Page 26

DNV-OS-D203 – Integrated Software Dependent Systems

When welding is introduced to a structure, how is this process controlled? (In → Out)

Page 27

When cyber-physical systems are introduced to newbuild projects, then what? (In → Out, In → Out)

Page 28

SW lifecycle management model DNV-OS-D203 (ISDS)

Four roles: Owner, System integrator, Supplier, Independent verifier

Three confidence levels: CL1, CL2, CL3

Lifecycle of five phases (11 process areas, 119 activities), with milestones M1 to M5:

A. Basic Engineering
B. Engineering
C. Construction
D. Acceptance
E. Operation

Page 29

ISDS process areas addressing system emergent properties

1. Requirements Engineering
2. Design
3. Implementation
4. Acquisition
5. Integration
6. Verification and Validation
7. Reliability, Availability, Maintainability and Safety
8. Project Management
9. Configuration Management
10. Process and Quality Assurance
11. Risk Management

(Matrix columns: Basic Engineering, Engineering, Construction, Acceptance, Operation)

The ISDS ranking focuses only on the applicable activities that are not already in place (credit is given for already defined activities).

The ISDS projects focus only on the applicable activities that are not already in place (credit is given for already defined activities).

Page 30

End to end from onshore to offshore

Basic Engineering → Engineering → Construction → Acceptance → Operation

Closing the gaps at each major milestone

Closing the ISDS gaps demonstrates vessel reliability

Page 31

Cost of rework in a fixed-price project is not apparent to the buyer, but delay is!

Project phases: Requirements → Design → Code → Software test → FAT (2 mo.) → Commissioning (6 mo.) → Operation (7 mo. delay)

– Rework of defects: typically internal to the supplier
– Rework requires time
– Latent critical defects (HIL)
– Start of reliable operation

Assumptions for the business case:

– Defect detection and rework follows a Rayleigh distribution (David Card, "Managing Software Quality with Defects", Crosstalk, March 2003)
– The Rayleigh distribution is approximated with a triangular distribution
– 7 months delay before operations due to necessary rework on defects, based on the latest DNV GL study

Page 32

DNVGL-RP-0496

Page 33

RP: 14 iterations with customers from all segments

– Cross-industry and cross-discipline workgroup
– A number of representative external stakeholders used as reference group
– Learning from live cyber security projects
– 1000 comments received and addressed from internal and external cyber security experts
– First-impression feedback from customers confirms that the RP is relevant, practical and needed

Page 34

Customer feedback – Cyber Security DNVGL-RP-0496

"Generally very good approach and description of the requirements" – Gov. agency

"This RP makes a lot of sense" – Shipping manager

"We embrace this approach, thumbs up for the initiative" – Shipping manager

"This RP is absolutely useful in bridging the gap between the IT & OT* worlds" – Shipping manager

"Good overview of the recommended process with supporting tables, examples, checklists etc. Overall well done!" – Shipping manager

"This RP is a comprehensive document that provides a good approach to Cyber Security for ICS*" – Shipping manager

"Looks really good, best CS guideline out there" – Cruise company

"Outstanding guidance that can be easily understood and embraced by most organizations" – Flag state

*OT: Operational Technology (Automation, Sensors, Industrial Control Systems (ICS))

Page 35

Understanding cyber security threats/risks

Threat agents

Threat agents come in many flavours

Page 36

Cyber organised crime* (source: EC-Council)

– Boss
  – Underboss: Trojan provider and manager of Trojan command and control
    – Campaign manager (three shown), each with an affiliation network and a stolen data reseller
– Attackers
– Crimeware toolkit owners
– Trojan distribution in legitimate websites

*more organised than some governmental agencies…

Page 37

Saudi Aramco case: the hackers were never identified or caught (that we know of)

Who's interested in a Saudi Aramco breach (9.5 million barrels per day production…)?

Social engineering: gaining an understanding of emotional triggers

Mid-2012, one of the computer technicians on Saudi Aramco's information technology team opened a scam e-mail and clicked on a bad link. The hackers were in.

Supply a specifically designed Trojan toolkit

On the morning of Wednesday, Aug. 15, 2012, files began to disappear and computers started shutting down. No more Internet, corporate e-mail or office phones. Lengthy, lucrative deals needing signatures had to be faxed one page at a time… The company temporarily stopped selling oil to domestic gas tank trucks, and after 17 days Saudi Aramco relented and started giving oil away for free to keep it flowing within Saudi Arabia… Representatives flew directly to computer factory floors in Southeast Asia to purchase every computer hard drive being manufactured (50,000 hard drives)… Everyone who bought a computer or hard drive from September 2012 to January 2013 had to pay a slightly higher price for their hard drive…

Page 38

Understanding cyber security threats/risks

Nuts & bolts of a threat scenario:

• Threat agents
• Motivation
• Capability
• Physical infrastructure
• Opportunity (overlap of capability and knowledge of physical infrastructure)

Page 39

DNVGL-RP-0496: Comprehensive, in-depth approach

1. Identify critical systems (2.3.1) – IT / OT, system type
2. Determine consequence (2.3.2) – Appendix E
3. Determine likelihood (2.3.3) – Appendix F
4. Determine cyber security risks (2.3.4)
5. Compare current safeguards with target (2.3.5) – Table 2-7
6. Establishing the prioritised action plan

Page 40

Understanding cyber security threats/risks

Identify critical systems – rank risks (prioritisation)

Table 2-4 Example rating of 'ease of access' (likelihood), DNVGL-RP-0496 – Cyber security resilience management for ships and mobile offshore units in operation
(X = criterion applies, - = criterion does not apply, n/a = no effect on ease of access, a merged cell in the original)

Remote connection | Physically accessible | Connected and/or integrated | Requiring software updates | Ease of access
X | - | - | - | Medium
X | - | - | X | High
X | - | X | n/a | High
X | X | n/a | n/a | High
- | - | X | n/a | Medium
- | X | - | n/a | Medium
- | X | X | n/a | Medium
X | X | X | n/a | High
- | - | - | X | Medium
- | - | - | - | Low

Page 41

Determine consequences of successful attacks

Page 42

Determine cyber security risks

Page 43

Compare current safeguards with target

Assessment results define the target safeguards based on IEC 62443-3-3 and BSI GS (BSI – German Federal Office for Information Security)

Page 44

How to combine it all – Final remarks

Page 45

What to do during the lifecycle of a cyber-enabled vessel?

Cyber security maturity axis: from reactive to predictive & proactive

• Security testing (e.g. pentesting)
• Annual or n-year inspections / audits
• Risk assessment
• ISMS gap analysis
• ISMS certification
• Corrective actions / roll-out of cyber security management system
• Verification of corrective actions
• Cyber security improvement roll-out
• Letter of Compliance to DNVGL-RP-0496

Page 46

Conclusion

Page 47

Thank you for your attention

Download the RP free of charge from www.dnvgl.com/rpcs

DNV GL MARITIME [email protected] +49(0)40-361-493610