Working together for a safer world
Cyber and digital transformation Cyber secure: strategies to keep your people, assets and business safe and secure.
Cyber shipping has arrived, and is set to change the industry. At Lloyd’s Register (LR), we’re helping clients around the world to assess the technology, decide on the level of digitisation that’s right for them, then deploy data streaming and other cyber systems safely, effectively and profitably. The cyber security landscape is constantly changing, as new threats and countermeasures emerge, and the regulatory framework is adjusted to reflect current and future needs. Our services are evolving in line with developments, to ensure our provision remains consistently relevant, robust and up to date.
Contents
Introduction
Partnership and experience
Cyber security readiness
Cyber secured
Threat ready
Our cyber security services
Our wider capability
THE CONNECTED MARITIME WORLD
Introduction
In an increasingly connected world, cyber enablement opens up huge opportunities for owners and operators to improve performance and efficiency, but it also brings increased risks to security.
While the importance of security in information technology (IT) is generally well understood, and most businesses already have safeguards in place, security in operational technology (OT) is less well known, and the boundaries are blurring. The hardware and software that control your processes, systems and equipment can be highly vulnerable to cyber attacks.
We help you to maximise the benefits and manage the risks presented by connectivity. Our cyber security services are designed to help you assess your cyber security readiness, identify possible threats and quantify their potential impact, providing you with trustworthy and independent advice and assurance.
CASE STUDY: SHAPING REGULATION
By the end of 2018, vessels trading in US waters could be subject to new cyber security regulations currently being developed by the United States Coast Guard (USCG). The framework is likely to be NIST-800, a set of computer security policies, procedures and guidelines created for the US Federal Government by the National Institute of Standards and Technology (NIST). Our approach aligns with this framework, so you can be confident that our advice is both technically sound and future-proof.
CYBER SECURE
HOW DO I KEEP MY PEOPLE, ASSETS AND BUSINESS SECURE?
Consultancy services
From guidance and training to vulnerability and impact assessment, we can help you develop a cyber security strategy that will work for your business now and in the future.
INTRODUCTION
PARTNERSHIP AND EXPERIENCE
CYBER SECURITY READINESS
CYBER SECURED
THREAT READY
OUR CYBER SECURITY SERVICES
OUR WIDER CAPABILITY
Partnership and experience
Developing your cyber security strategy.
We’re guiding the way and creating awareness right across the maritime industry. There is no global regulation in the maritime sector governing cyber security at present – but it’s on its way. We’re building our cyber security services on an easy to use, flexible and sustainable model that provides clarity and allows us to evolve in line with emerging threat patterns and the changing regulatory environment. From guidance and training to vulnerability and impact assessment, we can help you develop a cyber security strategy that will work for your business now and in the future.
And because we recognise the importance of having the best capabilities, we’ve chosen to work with QinetiQ, a leading multinational defence technology company based in the UK. Through this unique partnership, we can bring you the benefits of QinetiQ’s world-leading cyber security skills, knowledge and experience, which complement our own expertise in marine and offshore risk management and unique collaboration with regard to maritime cyber security risks.
Did you know?
• 2011: Pirates suspected of exploiting cyber weaknesses for use in targeting vulnerable shipments.
• 2012: Foreign military compromises “multiple systems” onboard commercial ship contracted by U.S. TRANSCOM.
• 2012: Over 120 ships, including major Asian Coast Guard vessels, experience malicious jamming of GPS signals.
• 2013: European authorities announce drug smugglers hacked cargo tracking systems in major European port to avoid detection.
• 2014: A major U.S. port facility suffered a system disruption which shut down multiple ship-to-shore cranes for several hours.
• 2014: Spear-phishing campaign against major Asian Shipping company.
INTERPOL 2014 cybercrime incidents (www.interpol.int)
Cyber security readiness
Are you ready?
Across the maritime industry, there’s still huge variation in levels of awareness of, and preparedness for, the increasing role of cyber technologies. Understanding your level of cyber readiness is the essential first step to identifying, mitigating and managing this risk. We understand that you need to provide a consistent, reliable and competitive service to your customers. This means minimising costly downtime, maintenance and repairs. Technology can play a key role here, too, allowing remote diagnostics and prognostics, reducing unplanned maintenance, and enabling the most efficient and effective maintenance regimes.
In our experience, many in the industry are still not realising this potential. With regulation on its way, cyber security will soon be a must-have. So, we can conduct a readiness review to quantify your existing cyber capabilities, and help you develop strategies to maximise the benefits. Uniquely, we take a ‘whole asset’ approach, looking at all your connected equipment, systems and software, both individually and in terms of their interactions with, and potential impact on, each other. We can also review the levels of cyber security readiness within your offices, and identify awareness and technical training needs for your people.
This assessment also allows us to identify the residual risks – those that cannot be reduced or avoided at present, and must therefore be understood, accepted or insured against. This assessment may help you assure your stakeholders, since you can show due diligence in identifying and evaluating the potential risks.
Cyber secured
How do you make cyber security business as usual?
We also understand that cyber security is essential to your business, but something you probably don’t want to think about every day – and certainly not something you want to impact on or complicate your day-to-day operations. We’ll work with you to develop a cyber risk management plan specifically tailored to your business and operational needs. Our aim is to embed cyber security seamlessly within your organisation, so it works effectively yet remains completely unobtrusive.
We believe that the greatest security vulnerabilities come from people: indeed, our experience shows that 90% of cyber security incidents can be traced back to human error or intent. Good security outcomes are underpinned by positive security behaviours, so we can also provide comprehensive training for you and your staff to raise overall awareness of cyber risks and ensure that the appropriate behaviours, awareness, attitudes and technical skills are embedded within your business.
Threat ready
How do you prepare for and respond to cyber security risks?
Even with the best cyber security strategy in place, at some point you may suffer a breach. Every connected system, the links within your asset and the communication systems that connect them to you are vulnerable. Both from outside your organisation and within, you may suffer a cyber security breach that could present immediate commercial, safety, environmental, technical and reputational risks. We’re here to help you understand your risks and take the necessary steps to defend against them.
We can undertake a detailed technical assessment of your entire asset, identifying theoretical cyber threats and vulnerabilities, and carry out practical interventions, such as penetration testing and ethical hacking, to ascertain the real, practical risks to your business. This combined desk-based and practical work approach provides a robust, objective and fully quantifiable basis for developing your cyber security strategy.
We’ll help you prepare for the eventuality of something going wrong and work with you to produce robust incident response plans that can be deployed quickly and effectively. And it is vital that you and your staff know what to do in the early stages of a cyber security threat. We can provide immersive training using a simulated cyber attack, giving you critical ‘first aid’ skills to help you to limit the potential damage and protect your people, assets and business.
And if something does go wrong, we’re on standby to help you limit the risks and get you operational as soon as possible. We’re developing an emergency response service to help you in the event of a cyber security breach, giving you the experienced, fast and effective support you’ll need.
LR CSecERS
As well as helping our clients to meet their current challenges, we’re shaping our future cyber security provision by developing a range of new services including our cyber security emergency response service: LR CSecERS.
Our cyber security services
Consistently relevant, robust and up to date.
We believe the best way to secure the future for our clients and our industry is to take responsibility and shape it ourselves. Through our Global Technology Centres and our collaboration with QinetiQ, we have developed a unique, world-class approach to providing cyber security services. We’re at the forefront of developing new services, technologies and thinking to balance these demanding ideals with robustness and commercial reality.
Awareness training
Our awareness training gives staff in security-critical roles a solid grounding in the principles of cyber security, highlighting the human factors that can create and mitigate vulnerabilities. As well as highlighting practical measures, this training helps to create a culture of security awareness and promote security-focused behaviours within the organisation. Over the past three years, our cyber security awareness courses have been attended by almost 2,500 delegates, with over 90% rating them good or excellent.
Readiness-to-comply review
This is designed to help shipowners and operators gain awareness of proposed regulations and standards, and understand their likely impact on operations and business. Following a formal review of your existing procedures, your business’s position and your crew’s levels of cyber security knowledge and readiness, we’ll prepare a report with recommendations and actions. This will help you develop, prioritise and implement appropriate safeguards for your critical infrastructure, ensuring you’re fully prepared in the event of a cyber attack.
Gap analysis
A follow-up to the readiness-to-comply review, this will help you advance beyond the Protect level, and introduce the Detect, Respond and Recover functions, in accordance with the NIST Framework and LR guidelines.
If you suffer a cyber security breach, it may present immediate commercial, safety, environmental, technical and reputational risks. Knowing what to do and how to respond will be fundamental to minimising the impact. So we work with you to produce robust incident response plans that can be deployed quickly and effectively. We’re also developing an emergency response service to support you in the event of a cyber security breach and help you limit its effects.
Cyber security roadmap
Bringing together your readiness-to-comply review and gap analysis, the cyber security roadmap provides a basis for developing your future cyber security capabilities, and achieving the maximum return on investment through improved business performance.
Tailored management plan
Cyber security is a continuous process, not a one-time, fit-and-forget solution. To help you make it part of business as usual, we’ll help you develop a high-level cyber security management plan, designed to prevent, mitigate and minimise your vulnerabilities, and take your ‘high potentials’ and attitude to risk into account. This plan will assist with your day-to-day cyber security procedures, and provide an objective basis for investment.
Cyber security health check
This is a broad-based service for maritime and offshore, government, law enforcement and defence clients. Working with our cyber security specialists, you’ll examine key questions, including:
• How quickly could a hacker access your sensitive information or mission-critical systems?
• How well could you withstand a sustained cyber attack?
• What damage could a system compromise cause to your operations, regulatory compliance and reputation?
The health check includes penetration testing and ethical hacking of corporate systems, applications and networks, using the same tools and techniques as your real adversaries to simulate both internal and external attacks.
Cyber security specification development
When ordering a new asset, you want to be confident that it will be cyber secure both now, and in the future. In line with this we can work with you to develop a cyber security specification. This specification is used by your equipment manufacturer or ship builder to ensure that they know which components, equipment or systems to procure and how to incorporate them safely from the start of your project.
Adding value at every stage.
Our wider capability
One constant, wherever and whenever you need us.
LR’s network of 300 national and regional offices, spread across six operating areas, puts our customers around the world first, giving you access to our advice and expert service delivery from Åalesund to Zhoushan.
And wherever you are, you can be confident that our entire team of over 8,000 specialists is never more than a phone call or email away.
[Map: Marine & Offshore operational areas. Lloyd’s Register’s six operating areas (map key): North Asia, South Asia & Middle East, South Europe, North Europe, UK&I, Americas]
LR Quality Assurance (LRQA)
Lloyd’s Register Quality Assurance, LRQA, are the leading choice for the control and prevention of cybercrime and supporting businesses to achieve a tangible business solution through assessment and certification, improving performance and removing risk.
[Diagram labels: Assessment; Certification; ISO 31000; ISO 20000; ISO 22301; ISO 27001; ISO 37001; D.Lgs 196/2003; D.Lgs 231/01; Business Continuity; Disaster Recovery; Incident Handling]
Innovation
We are conducting world-class research and development into design, construction and operation for the next 20 years and beyond. If you are developing novel technology, we can qualify its compliance and performance, helping you attract investment, prove your business case and find a route to market.
Design
At the design stage, our appraisal services and software give you confidence that your asset will comply with all class and statutory requirements. And we can work with you to optimise your design so it achieves the best possible performance and return on investment.
Build and commissioning
At the build and commissioning stage, we help you ensure that assets are delivered to meet all contractual requirements.
Operation
In-service, we help you keep your assets compliant, safe and performing reliably, helping you deliver business as usual and minimise downtime.
Life extension
We can help you best manage the operational life of your assets. By assessing their condition, we provide you and your clients with assurance of their integrity. We can also work with you to extend the life of your assets.
Decommissioning and recycling
At the end of your asset’s life, our services help you comply with recycling requirements and provide added confidence in a safe and sustainable decommissioning process.
And we help you make the right decisions when investing in designs and technologies.
And we can help you implement the latest technologies, and understand what return on investment to expect, so that you can increase performance and be more competitive in the market.
In line with your business needs, we can identify any remedial work or renovations that are required.
Crisis Management, Risk Management, Cyber Security, Vulnerability Assessment, Penetration Test
With our experts on your team, you have a solution for every challenge. To find your nearest office, visit www.lr.org. Send your questions to cyber.security@lr.org.
info.lr.org/cybersecure
March 2017 Lloyd’s Register and variants of it are trading names of Lloyd’s Register Group Limited, its subsidiaries and affiliates. Copyright © Lloyd’s Register Group Limited. 2017. A member of the Lloyd’s Register group. MO-Cyber-cyber-secure-brochure-v1.0-20170301
In collaboration with