This week the world saw the sudden spread of a new ransomware variant, called by some ‘Petya’ and by others ‘NotPetya’. It affected maritime owners and operators, forcing them to shutter operations to control the corruption in their systems.
The automation systems on our ships and offshore assets today are often single-purpose components. These automation systems bring features and functions that multiply human effort, but sometimes at the cost of vulnerabilities to specific errors, failure modes or intrusions. Automation systems can be information technology (IT), operational technology (OT) or the converged IT-OT cyber-physical systems, which are becoming more common in control system implementations.
This ransomware event – no matter the name – illustrates what can happen to systems when technology use outruns system understanding. There are several major efforts required to keep systems safe and increase the likelihood that they perform as expected for our enterprises. These are bare minimum requirements for today’s security.
These three factors all provide inputs to the organizational work expected for risk assessment. As recently reinforced by the International Maritime Organization (IMO) in the report of their Maritime Security Committee (MSC) 98, cybersecurity risk will be required as a part of conventional risk management conducted for maritime assets.
That risk assessment process will include cyber-enabled systems and the potential hazards and impacts of certain conditions. Imagine if ransomware hit the ship control console (helm) when the ship is maneuvering through the port’s ship channel. Imagine if malware infected the computers connected to the automated devices controlling a drilling platform’s blowout preventer functions, deep down on the seafloor. Suddenly there is a new sense of apprehension for potential risks to people, systems, the ship or platform, and to the environment, all emerging from our automated systems.
The ABS CyberSafety® program encourages and expects security behaviors and functions as principal enabling factors for enterprise security. The minimum requirements listed above must be supplemented by security practices within the company to ensure sustainability – that is, security past today. With ABS CyberSafety assessment and program implementation, we assist owners and operators to:
a. Establish a control systems management organization to document and understand company or installation systems;
b. Develop a Functional Description Document (FDD) to combine system documentation, architectures, networking implementations, failure mode analyses and test results into a comprehensive collection to assist with operator training and system understanding;
c. Develop and implement an Incident Response and Recovery capability, including the procedures and processes needed for the management organization to use the FDD to guide incident control and recovery efforts;
d. Develop and implement an effective Software Management of Change process to track and manage assets and software; and
e. Put into place a Cybersecurity Management System (CMS) that allows the company to understand their current posture and their prioritized actions to address risk factors or risk conditions.
ABS CyberSafety crews perform assessments against critical function checklists and provide action-oriented reports, thus enabling organizations to implement risk-based cybersecurity as part of their normal operational risk management processes. It’s very clear that there is no ‘magic bullet’ against cybersecurity risks, but proper organization, operation and engineering can make the difference. The ABS CyberSafety program is good engineering and good practices brought to the fore.
John Jorgensen is the Director of Cybersecurity and Software at ABS.