The growing threat of maritime cyber incidents, together with their speed of propagation and their impact, makes it necessary to define and implement good cyber incident management practices that include specific processes, resources and procedures.
In this article, I present a methodology based on five processes that can be adapted to the requirements of the maritime sector, including ships:
- Preparation
- Detection and analysis
- Containment
- Resolution and recovery
- Post-incident activities
The adoption of this methodology for the management of maritime cyber incidents would allow the organization to:
- Respond systematically to cyber incidents.
- Adopt appropriate response measures for every cyber incident.
- Facilitate business continuity in case of cyber security incidents, so that impacts to the organization are minimized.
- Identify and allocate adequate budgets for the management of cyber incidents.
- Use the information and knowledge obtained in the management of cyber incidents to establish metrics and better manage future cyber incidents.
Fig. 1. Management of Maritime Cyber Incidents
This methodology could be applied by shipping companies, organizations designated for ISM code security management and on ships.
Given the limited number of crew members specialized in information systems on ships, it is understood that they would be supported by personnel ashore and by organizations specialized in cybersecurity, such as cyber incident response teams (CERTs) and security operations centres (SOCs).
The proposed methodology is aligned with the NIST computer security incident management guide SP800-61 and section 4 of the BIMCO guide on cybersecurity onboard ships related to the development of contingency plans.
In this article, when the word “organization” is used, it should be understood as the company responsible for the implementation and operation of the ISM code as defined in regulation 1 of that code.
1. Preparation
Preparedness activities should include both the establishment of a cyber incident response capacity and prevention.
Develop management procedures
Cyber incidents can originate and materialize in very different ways. Cyber incident management policies and procedures should be developed to manage the types of cyber incidents with the highest probability of occurrence or greater foreseeable impact on the organization.
Preparing to handle incidents
Provisions should be made for:
- Personnel (team, individual persons) for the management of cyber incidents: managers, technicians, responsibilities, contacts.
- System and network documentation: inventory of assets, diagrams, procedures and configuration files.
- Baseline reports of the normal activity of networks and systems, used to detect abnormal activity.
- CERTs on which the organization can rely for response capacity.
2. Detection and analysis
The activities to perform include the detection of warning signs and precursors of cyber incidents and their analysis, classification, prioritization and notification, ending with the documentation of cyber incidents once they have been resolved.
The signs of a cyber incident can be of two types:
- Indicator signs: signs that a cyber incident has occurred or may be occurring, e.g. a sensor alert warning of a buffer overflow on a server, an antivirus report of an infected system, the complete outage of a server, slow and generalized access to services or systems, etc.
- Precursor signs: signs that cyber incidents may occur in the future, e.g. scanning of network ports, announcement of exploits that can take advantage of vulnerabilities existing in the organization, threats of attack directed at the organization announced by hackers, etc.
The detection of indicator signs should trigger the response actions planned by the organization.
The detection of precursor signs should initiate the implementation of controls and preventive actions.
Some sources of precursor and indicator signs that the organization should consider are:
- Software alerts: intrusion detection (IDS) and intrusion prevention (IPS) systems, antivirus, service monitoring systems.
- Logs of operating systems, network devices and applications.
- Public information: new vulnerabilities and exploits, websites and mailing lists of professionals where cyber incident experiences are shared in different organizations.
- Personnel: people from the organization and other organizations reporting on the materialization of possible cyber incidents.
- CERT / SOC: organizations or agencies providing information and support for cyber incident response.
In order to detect changes that may be indicators or precursors of cyber incidents, it is necessary to know the profile and activity of the organization's networks and systems and to establish the characteristics of their normal activity.
For this purpose, it is recommended to set up one or more IT systems in the organization where the log files of its different ICT devices, such as firewalls, communications devices, servers and intrusion detection or prevention systems, can be consolidated and correlated.
In the case of ships, log information would be kept on the ship itself, where it could be correlated and the ship's cybersecurity officer and shore specialists automatically alerted in case of potential cyber incidents.
Once a cyber incident is detected, it is classified into one of the types of cyber incidents contemplated in the management procedures. If the cyber incident cannot be classified, the treatment will be carried out using a generic cyber incident management procedure.
The characteristics of the cyber incident, number and type of resources affected and its criticality will determine the impact to the organization and to the safe operation of the ship. The level of impact will determine the order of priority in the management of cyber incidents in case more than one occurs simultaneously.
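As an added example (not code from the article), the following Python sketch applies the detection, classification and prioritization steps described above to constructed log lines consolidated from a ship's firewall, antivirus and service monitor: a burst of denied connections to many ports is reported as a precursor sign, an antivirus infection report and a server outage as indicator signs, and the findings are ranked using an assumed asset inventory with an assumed impact level per system.

```python
import re
from collections import defaultdict
# Constructed asset inventory (the "inventory of assets" kept during preparation):
# IP -> (name, impact level 1..3). Impact levels are assumed: 3 = bridge navigation systems.
INVENTORY = {
    "10.0.1.20": ("ecdis01", 3),
    "10.0.1.21": ("gnss01", 3),
    "10.0.2.10": ("fileserver01", 2),
}
PORT_SCAN_THRESHOLD = 5  # distinct denied ports from one source to one target

# Constructed consolidated log lines from a firewall (fw01), antivirus (av01) and monitor (mon01).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 fw01 DENY src=203.0.113.9 dst=10.0.2.10 dport=21",
    "2024-05-01T10:00:01 fw01 DENY src=203.0.113.9 dst=10.0.2.10 dport=22",
    "2024-05-01T10:00:02 fw01 DENY src=203.0.113.9 dst=10.0.2.10 dport=23",
    "2024-05-01T10:00:02 fw01 DENY src=203.0.113.9 dst=10.0.2.10 dport=80",
    "2024-05-01T10:00:03 fw01 DENY src=203.0.113.9 dst=10.0.2.10 dport=443",
    "2024-05-01T10:00:03 fw01 DENY src=203.0.113.9 dst=10.0.2.10 dport=445",
    "2024-05-01T10:00:09 fw01 DENY src=10.0.3.5 dst=10.0.1.20 dport=22",
    "2024-05-01T10:05:00 av01 INFECTED host=10.0.1.20 file=chart_update.exe",
    "2024-05-01T10:06:00 mon01 DOWN host=10.0.1.21 reason=no_heartbeat",
]
FW_RE = re.compile(r"DENY src=(\S+) dst=(\S+) dport=(\d+)")
AV_RE = re.compile(r"av\S* INFECTED host=(\S+)")
MON_RE = re.compile(r"mon\S* DOWN host=(\S+)")

def asset(ip):
    """Resolve an IP through the inventory; unknown hosts get the lowest impact level."""
    return INVENTORY.get(ip, (ip, 1))

def analyze(lines):
    """Tag findings as precursor or indicator signs and rank them by impact."""
    findings, denied_ports = [], defaultdict(set)
    for line in lines:
        if m := FW_RE.search(line):
            denied_ports[(m.group(1), m.group(2))].add(int(m.group(3)))
        elif m := AV_RE.search(line):
            findings.append(("indicator", "antivirus reports infected system", m.group(1)))
        elif m := MON_RE.search(line):
            findings.append(("indicator", "server outage", m.group(1)))
    # Many distinct ports denied from one source to one target: port scan (precursor sign).
    for (src, dst), ports in denied_ports.items():
        if len(ports) >= PORT_SCAN_THRESHOLD:
            findings.append(("precursor", f"port scan from {src}", dst))
    ranked = [{"type": t, "sign": s, "asset": asset(ip)[0], "impact": asset(ip)[1]}
              for t, s, ip in findings]
    # Indicators (an incident occurring now) come before precursors; then highest impact first.
    ranked.sort(key=lambda f: (f["type"] != "indicator", -f["impact"]))
    return ranked
```

A single denied connection (the line from 10.0.3.5) stays below the scan threshold and produces no finding, which is the kind of tuning a baseline of normal activity should inform.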
3. Containment
Cyber incident containment strategies vary depending on the type of cyber incident and its foreseeable impact on the organization.
On ships, in the case of cyber-incidents confirmed by specialized personnel ashore, the designated cybersecurity officer on the vessel would be advised to take the necessary actions.
It may be necessary to perform actions such as disabling services, or shutting down or disconnecting systems and equipment from the network in a controlled manner, before the impact spreads to the rest of the organization or, in the case of ships, to other systems of the ship.
Actions can be performed more quickly and effectively if the procedures for containing the different types of cyber incidents have been previously determined.
The organization should analyze the foreseeable impacts for each type of cyber incident and define containment strategies based on the level of risk considered acceptable. In the case of ships the impact will depend on the systems affected, degree of functionality affected and the current conditions of navigation of the ship.
Evidence of cyber incidents should be collected for forensic analysis purposes and as potential evidence if legal action is required. Evidence can be acquired from information systems (files, disk images, equipment, etc.) and from other sources considered relevant for cyber incident analysis or for the initiation of legal procedures, such as the manual and procedures of the SMS security management system.
In the case of ships the collection and preservation of evidence may be more complex given the lack of specialized personnel on board. In this case, the recommendations of designated personnel ashore and specialized companies should be followed.
The appropriate training of ship officers in the management of cyber incidents could be essential for the effective management of the cyber incident and the preservation of evidence.
4. Resolution and recovery
Once the cyber incident has been contained, it is necessary to verify whether components associated with the cyber incident must be eliminated or cleaned, and then to recover normal operation in the organization or on the ship.
In the resolution activities, the elimination of harmful malware components associated with the cyber incident is carried out as well as other activities necessary to solve the cyber incident or to prevent future occurrences.
Common resolution activities may include installing security patches and changing firewall rules or access lists on network devices.
Recovery activities can include actions such as recovering complete systems, restoring back-ups, replacing affected components with clean versions, installing software updates, changing passwords or tightening the network perimeter by reviewing firewall configurations.
In the case of ships the resolution and recovery of systems could be done following the procedures onboard and the instructions of specialized personnel ashore, although this support may be limited.
In case systems cannot be recovered, it may be necessary to navigate with the affected systems disconnected. If ECDIS and GNSS systems are affected, traditional navigation techniques will have to be used.
5. Post-incident activities
Once the cyber incident has been closed, it is necessary to review it and draw lessons learned.
The organization should carry out a review analyzing the characteristics of the cyber incident, its impacts and the actions performed for detection, analysis, containment and recovery.
It is recommended to complete a document with these data, including the origin of the cyber incident and the person who detected it, the services and systems affected, the start and closure dates and times, the personnel involved in managing the cyber incident and the actions taken for its resolution.
Periodically, the activities carried out should be analyzed and possible improvements or changes made in order to better manage future cyber incidents.
It is recommended to collect and analyze metrics on the types and frequency of cyber incidents, their impacts (financial, legal obligations, reputation with third parties, operational), resolution methods, the cost of resolving cyber incidents and the corrective or preventive actions performed.
The cyber incident may be notified to other organizations such as CERTs, subcontractors, manufacturers or other organizations in the industry that may be affected by the cyber incident.
Given the growing threat of maritime cyber incidents that may affect shipping companies and ships, it is of paramount importance to define and implement processes and procedures for their detection and management.
The adoption of a methodology for the management of maritime cyber incidents that includes processes and procedures would allow a systematic response to cyber incidents and the adoption of agile and effective response measures.
The involvement and participation of personnel ashore and on ships in the definition and management of cyber incident management procedures is important.
Given the high level of expertise required to define and implement effective cybersecurity controls, shipping companies should consider the support of specialized companies such as cybersecurity organizations providing CERT and SOC services.
- NIST SP 800-61: Computer security incident handling guide: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
- NIST SP 800-83: Guide to malware incident prevention and handling: http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf
- ISO 27035: Information security incident management: http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=44379
- ISO 27002 section 16: Information security incident management: http://www.iso.org/iso/catalogue_detail?csnumber=54533
- CERTs: https://www.first.org/members/teams/