Maritime cyber risk management - Intertanko

Maritime cyber risk management

Maritime Safety Division

Javier Yasnikouski
Head, Maritime Security
Sub-Division for Maritime Security and Facilitation
Maritime Safety Division

Page 2

IMO – the International Maritime Organization

IMO mission:

Safe, secure and efficient shipping on clean oceans

Page 3

IMO – the International Maritime Organization

• Specialized UN agency
• Headquarters in UK since 1958
• Annual budget £30+ million
• Secretariat – 265 staff, more than 50 nationalities

Page 4

IMO – the International Maritime Organization

Panama            £5.22m   17.33%
Liberia           £3.00m    9.98%
Marshall Is.      £2.41m    7.17%
Singapore         £1.62m    8.01%
Bahamas           £1.31m    4.35%
UK                £1.30m    4.29%
Malta             £1.29m    4.27%
China             £1.20m    3.98%
Hong Kong, China  £1.04m    3.46%
Greece            £1.01m    3.38%

Ten largest contributors to IMO in 2015. Assessed contributions are based on a flat base rate with additional components based on ability to pay and merchant fleet tonnage.

Page 5

IMO – Global coverage

o 171 Member States, three associate members
o IGOs and NGOs participate as observers

Page 6

IMO – Structure

Assembly: 171 Member Governments
Council: 40 Member Governments

Committees: Facilitation; Technical Cooperation; Legal; Maritime Safety; Marine Environment Protection

Sub-Committees:
SHIP DESIGN AND CONSTRUCTION (SDC)
SHIP SYSTEMS AND EQUIPMENT (SSE)
NAVIGATION, COMMUNICATION AND SEARCH AND RESCUE (NCSR)
CARRIAGE OF CARGOES AND CONTAINERS (CCC)
POLLUTION PREVENTION AND RESPONSE (PPR)
IMPLEMENTATION OF IMO INSTRUMENTS (III)
HUMAN ELEMENT, TRAINING AND WATCHKEEPING (HTW)

Page 7

IMO – Progress of measures at IMO

Casualty / Review / Technology → Proposal to IMO → Discuss, agree to refer on → Draft text → Adoption or approval

Proposals for new, or amendments to existing, mandatory instruments - a compelling need for such amendments should be demonstrated by the proponent(s), and an analysis of the implications of such amendments, particularly those with far-reaching implications and consequential proposals for other amendments, having regard to the costs to the maritime industry, the legislative and administrative burdens involved and benefits which would accrue therefrom, should be provided…

Page 8

IMO – Instruments

• Some 50 IMO Conventions and Protocols

• Hundreds of codes, guidelines and recommendations

• Almost every aspect of shipping covered:

§ Design
§ Construction
§ Equipment
§ Maintenance
§ Crew

Page 9

IMO – World Maritime Day

The theme was chosen to focus on the critical link between shipping and global society and to raise awareness of the relevance of the role of IMO as the global regulatory body for international shipping.

29 September 2016

Page 10

Maritime cyber risk management

The Maritime Safety Committee, at its ninety-sixth session (11 to 20 May 2016), considered the urgent need to raise awareness on cyber risk threats and vulnerabilities and approved Interim guidelines on maritime cyber risk management (MSC.1/Circ.1526).

The Guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities and include functional elements that support effective cyber risk management.

Page 11

Maritime cyber risk management

These Guidelines are primarily intended for all organizations in the shipping industry, and are designed to encourage safety and security management practices in the cyber domain.

For details and guidance related to the development and implementation of specific risk management processes, users of these guidelines should refer to specific Member Governments' and flag Administrations' requirements, as well as relevant international and industry standards and best practices.

Page 12

Maritime cyber risk management

Additional guidance and standards may include:

Ø The Guidelines on Cyber Security on board Ships by BIMCO, CLIA, ICS, INTERCARGO and INTERTANKO.

Ø ISO/IEC 27001 standard on Information technology – Security techniques – Information security management systems – Requirements. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

Ø United States National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Security (the NIST Framework).

Page 13

Risk management

Ø Risk management is fundamental to safe and secure shipping operations.

Ø Traditionally focused on operations in the physical domain.

Ø Greater reliance on digitization, integration, automation and network-based systems has created an increasing need for cyber risk management in the shipping industry, not only on board ships but also ashore.

Page 14

Maritime cyber risk management

Maritime cyber risk refers to a measure of the extent to which a technology asset is threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.

Cyber risk management means the process of identifying, analysing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring or mitigating it to an acceptable level, considering the costs and benefits of actions taken to stakeholders.

The overall goal of maritime cyber risk management is to support safe and secure shipping, which is operationally resilient to cyber risks.

Page 15

Maritime cyber risk management

To address the rapidly evolving technologies and changing threats, these Guidelines recommend a risk management approach to cyber risks that is resilient and evolves as a natural extension of existing safety and security management practices established by this Organization.

Page 16

Maritime cyber risk management

The International Ship and Port Facility Security (ISPS) Code is a mandatory instrument adopted under SOLAS chapter XI-2 on Special Measures to enhance maritime security.

It is the IMO's main legislative framework to address maritime security related matters.

It contains detailed security-related requirements for Governments, port authorities and shipping companies, and is divided into two sections: a mandatory Part A, and a series of guidelines on how to meet the requirements of Part A in a non-mandatory Part B.

Page 17

Maritime cyber risk management

The International Safety Management (ISM) Code is a mandatory instrument adopted under SOLAS chapter IX Management for the safe operation of ships.

The purpose of this Code is to provide an international standard for the safe management and operation of ships and for pollution prevention.

The Code establishes safety-management objectives and requires a safety management system (SMS) to be established by "the Company", which is defined as the shipowner or any person, such as the manager or bareboat charterer, who has assumed responsibility for operating the ship.

Page 18

Maritime cyber risk management

Cyber technologies have become essential to the operation and management of numerous systems critical to the safety and security of shipping and protection of the marine environment.

The vulnerabilities created by accessing, interconnecting or networking these systems can lead to cyber risks which should be addressed.

Page 19

Maritime cyber risk management

Information Technology Systems: use of data as information

Operational Technology Systems: use of data to control or monitor physical processes

Page 20

Maritime cyber risk management

Vulnerable systems onboard ships could include:

• Bridge systems;
• Cargo handling and management systems;
• Propulsion and machinery management and power control systems;
• Access control systems;
• Passenger servicing and management systems;
• Passenger facing public networks;
• Administrative and crew welfare systems; and
• Communication systems.

Page 21

Maritime cyber risk management

Vulnerabilities can result from inadequacies in operation, design, integration and/or maintenance of cyber systems, as well as lapses in cyber discipline (e.g. inappropriate use of removable media such as a memory stick).

Vulnerabilities in operational and/or information technologies can be exposed or exploited, either directly (e.g. weak passwords leading to unauthorized access) or indirectly (e.g. the absence of network segregation).

This can have implications for security and the confidentiality, integrity and availability of information, but also for safety, particularly where critical systems are compromised (e.g. bridge navigation or main propulsion systems).

Page 22

Maritime cyber risk management

Cyber threats could be presented by:

• malicious actions (e.g. hacking or introduction of malware); or

• the unintended consequences of benign actions (e.g. software maintenance or user permissions).

Effective cyber risk management should consider both kinds of threat.

Page 23

Maritime cyber risk management

Who is involved?

Everybody should be involved (crew members, passengers, shipping companies, etc.). However, effective cyber risk management should start at the senior management level.

A culture of cyber risk awareness and discipline should be embedded into all levels of an organization. The level of awareness and preparedness should be appropriate to roles and responsibilities in the cyber risk management system.

A holistic and flexible cyber risk management regime should be in continuous operation and constantly evaluated through effective feedback mechanisms.

Page 24

Maritime cyber risk management

Functional elements to support effective cyber risk management:

Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.

Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber event and ensure continuity of shipping operations.

Detect: Develop and implement activities necessary to detect a cyber event in a timely manner.

Page 25

Maritime cyber risk management

Functional elements to support effective cyber risk management:

Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber event.

Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber event.
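As an added worked example (not from the IMO deck or MSC.1/Circ.1526), the following Python register applies the risk management process defined on slide 14 (identify, analyse, assess, then accept / avoid / transfer / mitigate, weighing cost against benefit) to the kinds of systems, IT/OT distinction and threat types listed on slides 19, 20 and 22, and feeds the Identify and Protect elements above. The 1–5 likelihood and impact scales, the acceptable-risk threshold, the loss-per-point figure, the control costs and every register entry are constructed, illustrative values, not figures from the Guidelines.

```python
"""Minimal maritime cyber risk register (added example; all values constructed)."""
from dataclasses import dataclass
from enum import Enum


class Domain(Enum):
    IT = "information technology"   # data used as information (slide 19)
    OT = "operational technology"   # data used to control or monitor physical processes


class Threat(Enum):
    MALICIOUS = "malicious action"      # e.g. malware, unauthorized access (slide 22)
    BENIGN = "unintended consequence"   # e.g. software maintenance, user permissions


@dataclass(frozen=True)
class Risk:
    asset: str
    domain: Domain
    threat: Threat
    vulnerability: str
    likelihood: int        # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int            # 1 (negligible) .. 5 (loss of a safety-critical function)
    control: str           # candidate mitigation
    residual: int          # assumed risk score if the control is applied
    control_cost: float    # assumed cost of the control, arbitrary currency units
    transferable: bool = False   # whether the loss is insurable (assumption)

    @property
    def score(self) -> int:
        """Inherent risk: likelihood multiplied by impact, range 1..25."""
        return self.likelihood * self.impact


ACCEPTABLE = 6            # assumed acceptable-risk threshold on the 1..25 scale
SAFETY_CRITICAL = 5       # impact level treated as a safety issue, not only a security one
LOSS_PER_POINT = 5000.0   # assumed expected loss per point of risk score


def treat(risk: Risk) -> str:
    """Choose accept / mitigate / transfer / avoid for one register entry."""
    if risk.score <= ACCEPTABLE:
        return "accept"                     # already within tolerance
    benefit = (risk.score - risk.residual) * LOSS_PER_POINT
    if risk.residual <= ACCEPTABLE and risk.control_cost <= benefit:
        return "mitigate"                   # control is effective and worth its cost
    if risk.transferable and risk.impact < SAFETY_CRITICAL:
        return "transfer"                   # financial exposure only; safety risk is never transferred here
    return "avoid"                          # remove the exposure, e.g. do not connect the system


def assess(register: list[Risk]) -> dict[str, str]:
    """Map each asset in the register to its chosen treatment."""
    return {r.asset: treat(r) for r in register}


def sample_register() -> list[Risk]:
    """Constructed entries; system names follow slide 20, all numbers are illustrative."""
    return [
        Risk("Bridge ECDIS", Domain.OT, Threat.MALICIOUS,
             "chart updates loaded from unchecked removable media",
             likelihood=3, impact=5, control="removable media policy and scanning station",
             residual=5, control_cost=20_000),
        Risk("Passenger-facing public network", Domain.IT, Threat.MALICIOUS,
             "no segregation from the administrative network",
             likelihood=4, impact=2, control="network segregation and firewalling",
             residual=4, control_cost=60_000, transferable=True),
        Risk("Crew welfare system", Domain.IT, Threat.BENIGN,
             "unscheduled software maintenance during a port call",
             likelihood=2, impact=2, control="change control procedure",
             residual=2, control_cost=1_000),
        Risk("Engine remote monitoring link", Domain.OT, Threat.MALICIOUS,
             "vendor remote access protected only by a shared password",
             likelihood=3, impact=5, control="per-user credentials and session approval",
             residual=8, control_cost=10_000),
    ]


if __name__ == "__main__":
    for risk in sample_register():
        print(f"{risk.asset:34} {risk.domain.name} score={risk.score:2d} -> {treat(risk)}")
```

The decision rules are deliberately simple: a risk is accepted only when it is already within tolerance, mitigated only when the control both brings it within tolerance and costs no more than the loss it removes, and transferred only when no safety-critical impact is involved; everything else is avoided, which for the engine monitoring entry means not exposing the link until a better control is found. A real program would also record the Detect, Respond and Recover measures for each entry and re-run the assessment as part of the feedback loop the deck calls for.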

Page 26

Maritime cyber risk management

Data/Information: intercepted; modified/corrupted; deleted/destroyed

Systems: modified/corrupted; availability partially/fully affected

Take appropriate actions to secure your systems and data
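The slide lists "modified/corrupted" and "deleted/destroyed" as outcomes for both data and systems; one concrete way to meet the Detect element for those two outcomes is an integrity baseline. The following Python example is added here and is not from the IMO deck: it records SHA-256 digests of a configuration tree on a ship system while it is known-good and later reports what was modified, deleted or added. The directory layout, file names and contents in `demo()` are constructed sample data; interception of data in transit is outside what a file baseline can see.

```python
"""File-integrity baseline and verification (added example; sample data constructed)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large chart or log files are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree against a stored baseline and classify every difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "deleted": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small config tree, then simulate three changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ecdis").mkdir()
        (root / "ecdis" / "routes.cfg").write_text("route=ROTTERDAM-SINGAPORE\n")
        (root / "ecdis" / "chart-updates.cfg").write_text("source=approved_distributor\n")
        (root / "engine-monitor.cfg").write_text("remote_access=off\n")
        baseline = build_baseline(root)          # taken while the system is known-good

        # Events after baselining (all constructed for the example):
        (root / "engine-monitor.cfg").write_text("remote_access=on\n")   # modified/corrupted
        (root / "ecdis" / "chart-updates.cfg").unlink()                  # deleted/destroyed
        (root / "ecdis" / "unexpected.bin").write_bytes(b"\x00\x01")     # unplanned addition

        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

In practice the baseline would be stored off the monitored system (or signed), regenerated only through change control, and the verification run on a schedule so that a change is noticed in a timely manner rather than at the next port inspection.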

Page 27

What’s going on

Facilitation

• Implementation of Maritime Single Windows

• Electronic certificates

E-navigation

• PNT resilience

• Ship reporting

• VDEs

Review of the GMDSS

ECDIS implementation

Page 28

4 Albert Embankment, London SE1 7SR, United Kingdom

Tel: +44 (0)20 7735 7611
Fax: +44 (0)20 7587 3210
Email: [email protected]

International Maritime Organization

twitter.com/imohq facebook.com/imohq youtube.com/imohq flickr.com/photos/imo-un/collections

www.imo.org
