Merriam-Webster defines a silver bullet as something that acts as a magical weapon; especially – one that instantly solves a long-standing problem.
The problem
A modern vessel’s bridge systems, such as DP, vessel
And this harm is already happening. The first such case was reported by the US Coast Guard in 2015, when offshore oil workers brought infected laptops and USB drives on board a MODU. The unintentionally uploaded malware disrupted computer networks by directly downloading infected files of pornography and illegal music. The malware disabled the signals between the dynamic positioning and thrusters, resulting in the MODU drifting off the well site.
Malware introduced to the network is not the only threat. A poorly designed secure access protocol can be just as harmful as malware. In another recent incident, a crew member attempting to access an on board well control simulation environment inadvertently logged on to the live system. The secure access protocol did not prevent him from accessing the live system. The result was a complete and unexpected shutdown of the active online well control system.
Though malware is not the only threat, it is the most well-known and common of the threat delivery methods. Things as basic as bad password management procedures can also be major threats to cybersecurity on any computer-based system. While external threats must be considered, these cases highlight the fact that local human factors can be equally damaging.
An IT systems-based approach that ignores human factors leaves the ICS open to harm from the service technician or employee that accesses a local service-related open port or system HMI on the bridge. Cybersecurity for ICS must be a comprehensive end-to-end process that considers all threat possibilities. Much like the basic principles of software quality engineering, effective cybersecurity for ICS should focus first on prevention rather than relying solely on detection.
Antivirus or malware detection software isn’t enough. In many cases, such tools do not exist for the ICS platform. Frequently, the available resources on ICS attached systems, e.g. the CPU or flash memory, are too small to host the necessary tools. With an ICS, even if you are able to detect the threat, it may be too late to avoid damaging consequences. In most cases, you can’t stop operations to deal with it, and once launched, the damage that can be done within the ICS is far greater than that which can be done in a typical IT system.
This means PREVENTING the malware from gaining access to your systems is the primary risk mitigation. Prevention is chiefly a system management process and human factors issue.
Effective cybersecurity is achieved through the implementation of comprehensive organizational and operational behavior policies and procedures.
The best place to start is the US Department of Homeland Security roadmap for prevention of cybersecurity threats as described in the Cybersecurity Capability Maturity Model for the Oil & Natural Gas Subsector (ONG-C2M2).
A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline. Model content typically exemplifies best practices and may incorporate standards or other codes of practice of the discipline. This maturity model thus provides a benchmark against which an organization can evaluate the current cybersecurity capability level of its practices, processes, and methods and set goals and priorities for improvement.
The ONG-C2M2 model identifies ten domains for evaluation. Each domain is a logical grouping of cybersecurity practices, and the practices in each domain are grouped by objective. The model also provides specific metrics to evaluate organizational maturity for each objective in the model. The ten domains are:
- Risk Management
- Asset, Change, and Configuration Management
- Identity and Access Management
- Threat and Vulnerability Management
- Situational Awareness
- Information Sharing and Communications
- Event and Incident Response, Continuity of Operations
- Supply Chain and External Dependencies Management
- Workforce Management
- Cybersecurity Program Management
In summary, there is no silver bullet for cybersecurity. There is no malware detection software, network box or firewall that can be installed to prevent the introduction of threats. This is
Athens Group Services systems engineering-based cybersecurity services are built around quality processes, not just the equipment, giving us the knowledge and experience necessary to mitigate the human factors risks. We integrate with your teams to understand each stakeholder’s requirements and tailor your solution to provide meaningful outcomes, improvement opportunities, and tools you can use.