Det Norske Veritas - Germanischer Lloyd

DNVGL  Cyber security resilience management for ships and mobile offshore units in operation
 N DNVGL-RP-0496

Annotation

In this RP cyber security threats to onshore and vessel systems are considered within the following categories:

— Unintentional infections / non-targeted threats:

— Software infections stemming from malicious malware or ransomware: Spreading via unsuspecting and insufficiently trained users in combination with unsecured internet access or insufficiently protected use of portable storage devices like USB sticks, the infection thrives through automated replications aimed at infecting as many systems as possible. These non-targeted threats typically exploit known vulnerabilities in standard systems and networks.

— Unintentional weaknesses in software: Typically stemming from misconfiguration of equipment and software as well as from software design or updates containing undetected weaknesses due to insufficient verification and validation of the software.

— Intended / targeted threats:

— External attackers: Hackers, “hacktivists” as well as criminal attackers, employing a wide range of attack techniques and malicious software infections. These include phishing, social engineering, and exploitation of weaknesses in control systems, user authentication or lack of network segregation.

— Insider threats: Originating from disgruntled employees or from employees that intend to sell or otherwise misuse data or system access. Their ability to circumvent physical access controls and their in depth knowledge of the systems makes them particularly difficult to defend against.

To counter this wide range of threats, a comprehensive response is required, with Cyber Security responsibilities to be shared by different participants of the value chain: Owners of the vessel or offshore assets, users of the different systems, respective suppliers as well as ship managers and the operators themselves. Within these organisations: