Cybersecurity in the maritime and offshore industry

Transcription

1 Cybersecurity in the maritime and offshore industry Where do we stand today - and what is the pathway going forward? Tor E. Svensen, CEO Maritime 24 March DNV GL 24 March 2015 SAFER, SMARTER, GREENER

2 Why cybersecurity is a cause for concern Ships are interconnected Today, most ship systems are interconnected and part of a common network New integrated & networked solutions provide targets for cyber threats. Cyber attacks are a reality Hackers are capable of manipulating or destroying ship data It s a fact: the maritime industry is already under attack. Legislators need to develop guidance on managing the risk A lot can be done already to increase cybersecurity Software dependent control systems growing Almost all onboard systems are software driven Increasing reliance upon software driven systems in operations Complex integration of systems leaves room for errors What about control of software updates? 2

3 Cybersecurity a weak spot An increasing number of incidents are caused by software-related issues. To ensure total system integrity is a safety related issue Cybersecurity is an additional risk of criminals exploiting already existing vulnerabilities The risk of malfunction or breakdown due to software error or system integration issues, is still bigger than risks from cyber-attacks 3

4 Software drives our ships and rigs 4

5 Current standards ISO 27001/2: targeted at general information security ISA/IEC (under development): targeted at industrial automation and control systems ENISA (European Network and Information Security Agency) wrote the ANALYSIS OF CYBER SECURITY ASPECTS IN THE MARITIME SECTOR in 2011 The Norwegian Oil and Gas Association published Recommended guidelines for information security baseline requirements DNV GL s Integrated Software Dependent Systems (ISDS) Standard 5

6 What is the ISDS standard? ISDS was originally developed by DNV GL for the offshore industry ISDS helps ensure that integrated and stand-alone control-systems perform reliably ISDS requirements are requirements on the development process rather than on the finished product If implemented, you are already managing some of the risks associated with cyber-attacks. 6

7 What could be a possible pathway? Define a Cyber Security Baseline (in the form of a Guideline) Ask operators to submit a self-assessment Require a third-party compliance audit and technical verification Support the use of voluntary standards such as Class Notations for cybersecurity Introduce mandatory testing and systems verification 7

8 What contribution can Class make? We believe it is in the best self-interest of the maritime industry to include cybersecurity requirements into the class specifications. DNV GL has provided comments to USCG on Guidance on Maritime Cybersecurity Standards DNV GL is involved in the ISA/IEC standardization work If regulating authorities define cybersecurity requirements, DNV GL will be active in establishing: regulations, rules, class notations, recommended practices, guidelines DNV GL offers dedicated consultancy and third-party services, testing against own, national and international standards 8

9 Example: Hardware-in-Loop (HIL) testing 10

10 Summary Key issue is ensuring the integrity and reliability of software dependent systems controlling most functions on the ship Cybersecurity is an additional threat A robust regulatory framework on cybersecurity would help to increase awareness develop guidance on risk management establish risk assessments as common practice We favor a risk-based approach third-party assessments, audits, testing and verification If you have already taken care of software integrity, data protection and risk assessment, you are in a good position to improve on cybersecurity and face future legislation 11

11 Thank you! SAFER, SMARTER, GREENER 12