Cyber: Marine Risk and Potential Impact
A briefing by Bernard Twomey and Jonathan Earthy
Lloyd’s Register Electrotechnical
Working together for a safer world

Cyber Loss
• Much publicity of the threat to the marine sector from malicious attack of systems and organisations via information technology
• Threat is real, and loss is related to the use and misuse of systems that have software as a significant component
• Today’s presentation is about the consequences of insufficient maturity in the marine sector using this technology
• We hope to inform a discussion on how the marine insurance industry could address these risks.

Overview
• Examples
• Components & Lifecycle
• Issues
• Causes
• Effects
• Mitigations
• Conclusions

[Image: Latest ship control centre]

User understanding
• Princess reported on Thursday that 240 injured passengers were treated onboard, and 94 transferred to local hospitals. Five people remain hospitalized, and all are expected to fully recover.
• How much is my claim worth? It is impossible to say for certain how much your physical and/or psychological injury is worth before obtaining specific information about your situation. We expect that some permanent claims will be worth in excess of one million dollars ($1,000,000) and, of course, a jury will be free to award any damage amount which they deem appropriate. Further, if Princess Cruises is found to be grossly negligent, they may be sued for punitive damages.

Unexpected behaviour
"The sea trials year is also partly platform characterisation," … "You can read all the operations statements until you're blue in the face but actually when you find out…'oh, we didn't know it'd behave that way and that's very interesting and we can use that', there's a voyage of discovery in operating the platform."
Quote from Lieutenant Commander Julian Lowe, MEO, HMS Daring regarding Sea Trials programme
www.defencemanagement.com, Tuesday, December 15, 2009
• Is this desirable or not?

Unsafe requirements
• IMCA Safety Flash 18/08 December 2008
• Failure of Pipe Handling System Causes 8 Injuries and 4 Fatalities
• The primary causes of the incident were found to be:
  • Sudden release of the two quadruple joints was caused by a failure in conceptual design of the control system software. The program relevant to the JLT initialising instruction was pre-loaded in the erasable programmable read-only memory (EPROM) of the programmable logic controller (PLC) with the instruction to open all clamps.
• Members are recommended to investigate the possibility that this could happen to the PLC-based control systems on equipment on their vessels.

Insufficient testing
• Aberdeen harbour ships collision, 26th Feb 2011.
• The SBS Typhoon collided with VOS Scout head-on and forced her into the Ocean Searcher
• SBD marine managing director Nigel Taylor said the accident happened as a result of a glitch in fitting new, high-tech equipment:
• “We were in the process of installing a new dynamic positioning system.
• “We were doing checks on the system and had to have the engine running. There was a fault in the software. The controls were fully manned at the time, as were the other two vessels. Damage was caused to the bow of our vessel but all three vessels remained water tight.”

System upgrade
• Technical risk
• Financial risk
• Environmental risk
• Risk to reputation

“Upgrade of reliquefaction plant software, pre system configuration status audit not carried out to establish a firm base line. Pre works backups not made, import procedures not fully documented and associated risks not advised to the ships staff”.

Cyber security
“Followed Stuxnet attack, retaliation with Shamoon virus attacking Saudi Aramco, 30,000 workstations impacted, 10-day network disruption. Iran captures alive a US’s CIA-operated stealth drone RQ-170 Sentinel, probably using GPS spoofing.”
• Nation states, malicious or mistaken insiders, opportunistic criminals and hackers are all sources of cyber-attacks against companies.
• Trying to protect against actors coming from different perspectives is difficult.
• Companies can’t secure everything equally; they need to focus on what infrastructure and information is critical and what is not, instead of a one-size-fits-all approach.

Components of a software intensive system - basics
[Diagram labels: Maintenance interface; Interfaces to networks and other systems; User interface; Software and data; Programmable electronics; Input devices; Output devices; Asset information; Documentation]
After ISO 17894

Components of a software intensive system – controlled systems

Components of a software intensive system - protocols
• Enterprise networks are not secured against all actors
• Connection between enterprise network and industrial network creates a direct pathway from Internet (all actors present) to the industrial critical elements
• Increasing awareness of the insecure state of the industrial network leads to increasing frequency of intrusion intention
[Diagram labels: Internet protocol; Unsecured protocol]

Components of a software intensive system – programs and data
Data or programs used to configure the application. Typically fixed for a particular vessel. Potentially changeable by the supplier under advice of the ship builder or ships technical staff or by a trained technical expert. Special access controls and tools required.
All must be under configuration management
Defined ship, or defined application data
Programmable Electronic System
Application Programs
Set points, hysteresis, etc. Changeable by shifts staff. Need to consider consequence / impact and give appropriate controls. Can some parameters be don’t care?
Tuneable parameters
Data used to configure the underlying software and only changed as part of a change to the underlying software (under the control of the supplier)
Support tools
Ladder Logic, C, C++, Visual Basic etc.
Core Processing
Micro code
Static data
Program code
The initial state of the parameter needs to be defined. A mechanism is required for change.
Typically defined by the processor card. Generally not visible or changeable by user or application supplier. BIOS is slightly different and could be identified separately from the processor card.
Typically supplier’s underpinning product, not accessible by users.
Under supplier control

Lifecycle and responsibilities
[Diagram labels: newbuilding; identify need; breaking; refit; disposal; owner / operator; define concept; modification; in-service support; planning & management; define requirements; specify functions; design; validation; shipbuilder / systems integrator; verification; supplier; construction; acceptance testing; installation and commissioning testing]
ISO 17894

Issues related to IT/Cyber systems
• Supply - no alternatives to software
• Systems are complex and complicated
• Systems are dynamic, flexible and reconfigurable
• Maintenance – versions, testing, reporting, recording
• Use – distrust, reliance on automation, information, manual modes
• Competence - lack of knowledge: ships staff, maintenance, management
• Data – configuration, control, asset, communication, sharing
• Management – support, remote access, service contract, configuration, spares, obsolescence
• Regulatory requirements (systems required by)
• System architecture – integration, strategy, defence, networks, segregation, etc.

Cause of problems
• Poor requirements
• Inadequate integrity
• Installation
• Update/maintenance
• Malicious attack
• Corruption
• (Mis)use (usability)
• Insufficient/inappropriate training

Effects in the marine context
• Loss of control (failure of high integrity systems, ship and platform)
• Reduced reliability or availability of any system
• Impact on safety (degraded/unknown margin of safety?)
• High cost of ownership (poor ROI/productivity, high downtime, offhire time for repair)
• Loss of data (both accidental and malicious)
• Damage to ship systems
• Incorrect reporting of regulatory information
• Increased number of incidents (ship, cargo and environment)

Mitigations/preventions
• Awareness of this technology
• Security (link to ISM and ISPS, assess operational readiness level vs. cyber risks)
• IT service management (configuration management, support, backup)
• Training (risks, recognition, response, resilience)
• Network design (resilience, safety)
• Usability (trust, transparency, doing it right as the easiest thing)
• Maintenance/through life (relates to ITSM and CM)

Conclusion
• Cyber loss is real, here to stay and will grow
• Not only a result of malicious attack, lack of awareness is just as bad
• Learn how to see the issue of software intensive systems (make software visible)
• Needs to be managed
• Need better statistics for frequency and impact
• Loss prevention as well as estimation.

Bernard Twomey, Head of Electrotechnical Systems
Marine Technical Policy
M +44 (0) 7785 394432
E Bernard.Twomey@lr.org

Jonathan Earthy, Human Factors Coordinator
Marine Technology & Engineering Services
M +44 (0) 7825 386784
E Jonathan.Earthy@lr.org

Lloyd’s Register EMEA, Global Technology Centre
Mountbatten House, 1 Grosvenor Square, Southampton SO15 2JU, UK

Lloyd’s Register and variants of it are trading names of Lloyd’s Register Group Limited, its subsidiaries and affiliates. Copyright © Lloyd’s Register Marine. 2014. A member of the Lloyd’s Register group.

On-going Works at LR GTC Singapore
• Cyber-risk consulting package
  1. Identify criticality of assets that have software-elements: breakdown to connection / control / monitor / protocol / programming language / equipment models (criticality in business) HAZID / HAZOP
  2. Identify consequence if losing control or data related to those assets
  3. Build network-based models of all those assets with known vulnerabilities and pathways, and known weaknesses of defense mechanisms / tools in place (similar to “drawing or P&ID” of a platform)
  4. Identify human factors / trust-dependency contractors related to each identified assets/components
  5. Perform Simulation of all sorts of scenarios of failure pathways and calculate the probability of losing control or data for each type of actors (or combination of a set of actors – chain event simulation)
  6. Rank the Cyber-Risk Operational Readiness Level (1 to 5)
  7. Recommendation to risk-mitigation or risk-reduction of the maximum amount of risks with a certain investment on defense mechanisms / tools / mitigation.
  • LR is at project planning stage to work with partners on #3 and #5
• Software security-reliability risk-assessment models
  • Developing the generic models for use at whole development lifecycle of software-intensive systems
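
The network-based pathway model and failure-pathway simulation of steps 3 and 5, applied to the enterprise-to-industrial pathway from the protocols slide, as an added example (not Lloyd's Register's model and not part of the original briefing). The zone names, link-failure probabilities and actor entry points are constructed assumptions chosen only to show the calculation.

```python
import random

# Constructed model: nodes are zones/assets; each link carries an ASSUMED
# probability that the defence on that link fails for one attempt.
FLAT = {
    ("internet", "enterprise"): 0.30,
    ("enterprise", "industrial"): 0.50,   # direct enterprise-to-industrial link
    ("industrial", "plc"): 0.80,          # unsecured industrial protocol
    ("enterprise", "maintenance"): 0.20,  # maintenance interface
    ("maintenance", "plc"): 0.50,
}
# Same ship with the enterprise/industrial boundary segregated (assumed 0.05).
SEGREGATED = {**FLAT, ("enterprise", "industrial"): 0.05}

# Assumed entry point for each actor type.
ENTRY = {"external": "internet", "insider": "enterprise"}


def reachable(open_links, start, target):
    """Depth-first search over the links whose defence failed in this trial."""
    seen, stack = {start}, [start]
    while stack:
        node = stack.pop()
        if node == target:
            return True
        for src, dst in open_links:
            if src == node and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return False


def loss_probability(model, actor, target="plc", trials=20000, seed=1):
    """Monte Carlo estimate of P(actor reaches the controlled asset)."""
    rng = random.Random(seed)  # fixed seed so runs are repeatable
    hits = 0
    for _ in range(trials):
        open_links = [link for link, p in model.items() if rng.random() < p]
        hits += reachable(open_links, ENTRY[actor], target)
    return hits / trials


if __name__ == "__main__":
    for name, model in (("flat", FLAT), ("segregated", SEGREGATED)):
        for actor in ENTRY:
            print(f"{name:10s} {actor:8s} {loss_probability(model, actor):.3f}")
```

With these constructed numbers, segregating the one enterprise-to-industrial link cuts the estimated loss-of-control probability for both actor types by roughly a factor of three, while the maintenance-interface path remains and sets the floor.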