1. Introduction of IACS Activities related to Maritime Cyber Systems / Cyber Security
George Reilly
IACS Cyber Systems Panel Chairman
Joint Working Group / Cyber Systems Chairman

2. IMO and Goals of MSC.1 Circ.1526 - Review
Introduction of IACS Activities related to Maritime Cyber Systems / Cyber Security
Contents:
IMO and Goals of MSC.1 Circ Review
IACS in Industry with a Non-Cyber Mind-Set
Activities of the Cyber Systems Panel
Activities of the Joint Working Group (JWG/CS)
Incorporating Cyber Systems/Security into the process
Contents:
IMO MSC.1 Circ.1526 Goals + Review
Challenges for Industry with a non-Cyber Mind-set
Activities of the Cyber Systems Panel
Activities of the Joint Working Group (JWG/CS)
The wider context of Cyber Systems and Safety
Cyber Security in the Class process
Collaborating with the industry

3. The Goal of Cyber Risk Management
Support Safe and Secure Shipping
which is
Operationally Resilient to Cyber Risks
(MSC.1 Circ1526)

4. Risk potential circumstance or event, (JWG/CS)
Maritime Cyber Risk = Measure of the extent a technology asset is threatened by
potential circumstance or event, (JWG/CS)
which may
result in operational, safety or security failures (E22)
as a consequence of
information or systems being corrupted, lost or compromised (E22)

5. Stakeholders → take the necessary steps to
safeguard shipping
from threats & vulnerabilities
Actual IMO Words: Stakeholders should take the necessary steps to safeguard shipping from current and emerging threats and vulnerabilities related to, digitalization, integration and automation of processes
Everybody has their part to play.
(E22)
digitization, integration & automation of
processes and systems

6. Risk management is fundamental
. . . to safe and secure shipping operations traditionally been focused on operations in the physical domain
. . . cyber risk management
(JWG/CS)
greater reliance on:
. . created an increasing need for
digitization
Integration
automation and
network-based systems
(Cyber Systems Panel MCSR10+12, E22)

7. Predicated on the goal of supporting safe and secure shipping which is
Integrated Implementation
Predicated on the goal of supporting safe and secure shipping which is
operationally resilient to cyber risks; these Guidelines provide recommendations that can be incorporated into existing risk management processes
The Guidelines are complementary to the safety and security management practices established by this Organization
We too want it to be part of our system and uniform application with other processes as far as possible
Complimentary to existing IACS processes
(Cyber Systems Panel)

8. Information technology use of data as information
Distinctive IT vs OT
Information technology
use of data as information
Operational technology systems
data to control or monitor physical processes
information and data exchange within and between these systems
(Cyber Systems Panel MCSR 4, 7, 11, 12)

9. Technologies Gains & Risks
the technologies - provide efficiency gains and present risks - to critical systems and processes
risks may result from vulnerabilities arising from
- inadequate operation,
- integration (Cyber Systems Panel MCSR10)
- maintenance (Cyber Systems Panel MCSR1+11)
- design (Cyber Systems Panel MCSR8)
- intentional and unintentional cyberthreats
(Cyber Systems Panel MCSR7)
You gained – you cover the downside.

10. IACS and Cyber Systems Challenges in an Industry with a non-Cyber tradition

12. .ppt IACS
Failures0in circuits1may0not appear0to1create significant maritime0safety or1environmental threats

13. We transferred the power
However the potential for significant damage by maritime activity has increased dramatically due to advances in technology and ever larger vessels. The means for controlling almost all vessels has become increasingly dependent on electronics and programmable systems. The consequence is that the larger potential for damage has been accompanied by a dependence on the performance and reliability of the programmable systems. The electronics and software did not create the problem but WE have transferred a great deal of responsibility to them.

14. Naval / Structural Mechanical Electrical
We started with the classic and the comprehendible - and still has primacy
Mechanical was more complex but reduced dependence on the weather and improved productivity (But still not as well regarded).
Electrical bought improvements in safety

15. Those in the industry have remained comfortable with the knowledge and experience that they already had. But they were also driven by the benefits that developments in this little understood area had to offer.

16. WWW Electrical / Electrical Electronic 10010100101110 10011011000101
WWW
Electrical /
Electronic
Electrical
Electronics bought more sophisticated control to supplement and/or replace some of the operators skills.
This technology was not visible in its operation and while it was adopted and implemented it was not generally understood and not given the respect to match the critical importance that was being transferred to it.
Finally - The ability to interconnect previously isolated systems introduced the opportunity for more benefits, but they were also introducing more dependence and complexities to a subject that was already poorly understood by the maritime industry.

17. The parts that have been introduced over the past 5 to 10 years have not been so visible
Those in the industry understand the principles of Naval Architecture, Structures and Machinery very well.
Even as we have become aware of this gap in our understanding it has not been possible to get most participants to appreciate it long enough to acknowledge its significance.
It is similar to an optical illusion where people can see the alternative image, but we are too busy or distracted to let ourselves be persuaded of the new reality – UNTIL NOW

18. We want to get back to a more comfortable time
The Maritime industry would prefer this Cyber issue would simply pass and go away

19. To better understand the problem
To deal with the problem everybody needs let go of an outdated mental model to accept the reality
The apparent ‘GAP’ is not small and it is not empty . . .

20. The apparent ‘GAP’ is not small
… and it is not empty
WWW
It contains:
- navigational aids,
- collections of data,
protective devices,
communication protocols,
drivers,
equipment control,
internet connections

21. It also contains ‘System Knowledge’
It also contains ‘System Knowledge’ and is filled with multiple layers of sophisticated engineering that need to be understood and addressed in the same way that other branches of engineering are.
PID controller
Nyquist Stability Criterion
Network Storm
e x =1+ 𝑥² 1! + 𝑥² 2! + 𝑥³ 3! +…
Von Mises
RS232
Fourier Series
Data Validation
Stuxnet
Kalman Filter
Software Lifecycle
𝑓 𝑥 = 𝑎 0 + 𝑛=1 ∞ 𝑎 𝑛 cos 𝑛𝜋𝑥 𝐿 + 𝑏 𝑛 sin 𝑛𝜋𝑥 𝐿
IEC 61508

22. However, the Maritime industry must now also face the problems that have come to affect all industries around the world.
With the WWW comes the maritime industry quickly and at a time of Cyber Security issues and growing awareness

23. Context and Activities of the Cyber Systems Panel
Planning a Way Ahead
Engineering Organizations
Need to support Human
IACS Recognition of Cyber
The steps underway

24. Planning a Way Ahead It is important to know the realities of:
ourselves – and our responsibilities
our industry – and its responsibilities
the world in which we operate
In order to establish where we need to be and what steps we need to take to get there
We need a practical effective and ongoing process

25. Engineering Organizations
IACS Members are Engineering organizations
Operate internationally
Regulate ship design
Verify construction
Verify components in the supply chain
Follow-up during regular Surveys
Widely recognized by port and flag states
Automatically incorporating Cyber into the process – though it will need to adapt

26. Need to support Human
IACS Members are Engineering organizations that appreciate the need for the process to support the ‘Human’:
Satisfies end user
Reduces degrees of freedom
System interfaces that minimise unplanned functions

27. IACS Recognition of Cyber
IACS Members are Engineering organizations
Recognized Cyber Systems with a full Panel
Coordinating with industry
Initially developing recommendations:
For widest consultation with industry
To create awareness prior to regulation
To populate a framework for applying risk
To create no more burden than necessary

28. IACS - The Steps Underway
Initially a set of 12 basic subjects
To be developed in 4 phases
Initially non-mandatory Recommendations
Industry advised of availability in order to encourage feedback
At end of 12th document, decisions on how the 12 topics would be reformatted and combined to address risk levels
Practical application process implemented and validated

29. A B C D 12 Maritime Cyber System Recommendations
(MCSR 1 to 12) Four Phases A, B, C & D
MCSR 1 Procedure for Software Maintenance
MCSR 2 Manual Backup
MCSR 3 Contingency Post Failure A
MCSR 4 Network Architecture
MCSR 5 Data Assurance
MCSR 6 Physical Security B
Initiated in Phases in order to allow early release for comment to a wider industry.
These are the initial recommendations. There will eventually be more.
MCSR 7 Network Security
MCSR 8 Vessels’ System Design
MCSR 9 Programmable System Equipment Inventory C
MCSR 10 Integration
MCSR 11 Remote Update / Access
MCSR 12 Communications and Interfaces D

30. Maritime Cyber System Recommendations

31. Activities with the Joint Working Group (JWG/CS)
Primary aim of the Industry Joint Working Group is to facilitate active cooperation and communication amongst industry groups that have an interest in the production, use and operation of cyber systems.
The experience of the JWG members will assist as direction and strategy are developed by providing a practical and expert input.
The IACS Cyber Systems Panel will also benefit from the availability of the JWG expertise and will be able to assist in the review of early drafts of recommendations and requirements as the are developed.

32. IACS Cyber System Panel To develop requirements
Relationship between Panel and JWG/CS
IACS Cyber System Panel
Formed 1 July 2016
All 12 Class Societies
Ongoing
Communicate with IMO & EU
Industry
To develop requirements
Industry Joint Working Group / Cyber Systems
1st meet 10 Nov 2016
2nd JWG/CS risk assessment
3rd meet JWG/CS +
Industry forum

33. Relationship between Panel and JWG/CS

34. Activities with the Joint Working Group (JWG/CS)
One of the first activities of the JWG is to participate in a Risk Assessment to consider aspects such as:
- criticality focus and priorities,
- threat focus and priorities
Industry risk framework goals and resulting requirements
Suggested security levels (e.g. security level 1,2, 3 and 4) and mapping into IACS and other standards work
The risk assessments are being led by Professor Paul Dorey who also undertook a similar role in the UK Energy Sector covering generation and distribution for both Gas and Electricity.
Prof. Dorey is retained by Inmarsat and it is planned that Risk Assessment work with the JWG will be the subject of a White Paper later this year.

35. Coordination of Implementation
Port
Authorities
Owners
Insurers
Shipbuilders
Cargo owners
Flag States
Manufacturers
Communications

36. contacts: ABCyberChair@Eagle.org
Thank you!
contacts: