‘Security by Design’ looks at the adoption of integrated technologies, which increases the need for cyber resilience in order to reduce operational risks.
Smart cruise ships embrace technology as a tool to enhance the guest experience and to improve the ships’ operational efficiencies. For example, to improve ship operations, new marine technologies are used to monitor and intelligently leverage integrated sensor data to predict future maintenance needs.
As marine operational technology (OT) and industrial control systems (ICSs) become increasingly software intensive and connected to onshore systems and third parties, their exposure to cyber threats on board ships has increased. This requires a rethink of how to adapt to and adequately deal with cyber threats to these marine systems.
In parallel, the potential for a cyber disruption is an increasing risk to cruise operators, shipbuilding yards and marine cyber-physical system vendors.
All of the stakeholders involved in the delivery of a modern cruise ship now need to consider cyber security threats during the newbuilding of complex vessels. Suitable cyber security methods are now readily available and have recently been adapted to the maritime domain to manage cyber risks, DNV GL said.
Information security standards, such as ISO 27001, help the industry to secure business information systems, and more standards, such as IEC 62443, are emerging to help secure the cyber-physical systems. Yet, little guidance can be found on how to achieve cyber security during complex vessel design and construction.
The methodology presented by DNV GL aims to help improve the effectiveness of an integrated team of owner, operator, yard and vendors, by providing guidance on how to approach threat management for IT and OT integrated systems, alongside the design, construction, testing and commissioning of complex vessels. The class society presented the cyber security risk reduction approach using examples of applications on a recent cruise ship newbuilding.
This paper focuses on the key aspects of the applied methodology as an extension to the usual newbuilding processes. Two potential cyber attacks were illustrated, using scenarios based on threat modelling of cyber security gaps that may be found in newbuilding verification projects.
DNV GL then demonstrated how to detect and address these gaps during the newbuilding process using a combination of process model standard requirements for cyber-physical systems and threat assessment techniques.
Standard protection barriers to the attack scenarios were mapped and the impact of applying the techniques was illustrated via graphical representations.
Finally, examples of remediation actions by the owner/operator, yard and cyber-physical system vendors, who all play an active role in the effective cyber security risk reduction and mitigating efforts, were highlighted.
The two scenarios, one intentional and the second unintentional, illustrate the cyber threat management approach and risk reduction effects of the proposed methodology:
1) Intentional: “passenger attacker”, equipped with a considerable amount of affordable gear and attack scripts that are publicly available. With the occupancy capacity of modern cruise vessels (around 7,000 passengers and crew), there is a non-negligible risk that a small percentage of the people on board have hacker skills of one level or another. The first scenario thus starts with a passenger tampering with a passenger-facing crew terminal, hoping to install malware.
2) Unintentional: During a maintenance operation, a service engineer connects an infected laptop to the marine automation monitoring systems. Once connected, the laptop causes malware to propagate rapidly from the marine automation networks to other normally isolated networks if there aren’t enough security barriers, such as network segregation, in place.
The use of security weakness detection principles during newbuilding projects extends the standard quality assurance models where typical verification and validation actions ensure the correct implementation of the cyber systems on board the vessel; that is, the system performs the functions it was required and designed to do.
However, cyber security is not a function or one system you can point to; rather, it is an emergent property of the integrated system, which can only be achieved through a controlled manufacturing process, much like product quality, which is measured at the output of different stages. The security of an integrated system can be perceived during operations.
It is generally understood in systems engineering that the quality of a product is an indication of the quality of the process through which the system is manufactured. Therefore, it is necessary to first break down the manufacturing process of the integrated systems (both IT and OT) into phases. This enables the identification of any weaknesses in the newbuilding processes on which the emergence of cyber security relies.
The detection of technical and process weaknesses is based on the evaluation of the application of best practices prescribed in the Independent Software Dependent System (ISDS) and DNVGL-RP-0496. This is done through verification assessments (e.g., document reviews, checking for artefacts that can confirm the expected use of a best practice, or testimonials from the project team to corroborate the application of a practice).
For example, to check that design best practices are used, we look for the existence of segregation principles, design philosophies and internal company guidelines containing the cyber security principles required to be followed by the company’s engineering development and commissioning teams.
A full version of this report can be downloaded from DNV GL’s website.