【国外标准】 Standard Guide for Cybersecurity and Cyberattack Mitigation

5.1 To maintain the integrity of potentially vulnerable information systems while the vessel is at sea or in port, strategies and procedures can be used by every company, organization, and ship. Mitigating potential cyberattack events will allow for a better economic environment through secure consumer, employee, and corporate data. Informational infrastructure between ships, platforms, and onshore facilities are more interconnected today than a decade ago. The long-term health and economic viability of ship owners and operators depend on establishing and maintaining security that can measured and monitored.5.2 With the increase in cyberattacks in recent decades, maritime-based companies and governments have cited a need to update and train their workforce to mitigate the loss of data or intellectual theft from onboard systems.5.2.1 Vulnerable onboard systems can include, but are not limited to:5.2.1.1 Cargo management systems;5.2.1.2 Bridge systems;5.2.1.3 Propulsion and machinery management and power control systems;5.2.1.4 Access control systems;5.2.1.5 Passenger servicing and management systems;5.2.1.6 Passenger facing public networks;5.2.1.7 Administrative and crew welfare systems;5.2.1.8 Communications systems;5.2.1.9 Distributed computing devices that support an internet of things (IoT)-enabled ship; and5.2.1.10 Onboard sensors that facilitate wheelhouse automation, alerting, and IoT transmission.5.2.2 Many of these systems are critical to mariners while at sea. If any of said systems failed or were compromised while at sea because of a cyberattack, then the ship and its security could be compromised.5.3 By adopting these practices, mariners and shoreside employees at all levels of the organization should be able to identify potential threats or risk factors, as well as the abnormal indications that show a cyberattack underway.5.4 Cyberattacks can occur in multiple forms including, but not limited to, the following practices:5.4.1 Social engineering,5.4.2 Phishing,5.4.3 Waterholing,5.4.4 Ransomware,5.4.5 Scanning,5.4.6 Spear-phishing,5.4.7 Deploying botnets, and5.4.8 Subverting the supply chain.5.5 These suggested strategies extend to all individuals of a corporation, government, or organization. By adopting a basic and developed capability to defend from cyberattacks, mariners can continue proper practices out at sea while feeling confident that safety critical systems, business-critical data, personal data, and records are safe.5.6 In the event of system error, or in the case of cyberattack or infection, any files required to rebuild or repair a personal computer (PC)-based onboard system shall be on the ship already rather than from off-board sources using satellite communications systems. Most vessels currently do not have operating system disks on board, let alone proprietary software, drivers, or patches. This connectivity constraint and lack of multiple failsafe outputs also provide a single point of failure and vulnerability. In the future, system software and firmware may be kept current with over-the-air updates, which shall be encrypted.5.7 There are cross-system considerations that shall be considered for cyber-enabled ships. They may include such factors as:5.7.1 Human-system interfaces;5.7.2 Software availability, versions, and licensing;5.7.3 Network and communications, including remote access methods;5.7.4 Data trustworthiness and availability (that is, data assurance);5.7.5 Diagnostic and evaluation equipment that may be required to diagnose system problems;5.7.6 Cybersecurity, especially as it applies to safety critical and ship critical systems; and5.7.7 Onboard sensors and IoT infrastructure that provide data for ship operations and command decisions.5.8 By adopting these practices, companies and governments will notice the benefits of better cybersecurity. Some benefits may include, but are not limited to:5.8.1 Better business performance;5.8.2 Increased bandwidth efficiency provided by modern satellite communications;5.8.3 Better crew performance during drills or operations;5.8.4 Reinforcing a healthy safety and security awareness culture onboard seagoing vessels;5.8.5 Enhanced quality of life for ship crews;5.8.6 Better adherence to increasingly stringent regulations and the preservation of electronic records and logs;5.8.7 Tighter security controls and access to objective evidence using biometrics, such as fingerprinting and a company/government (that is, TWIC) issued personal identification card; and5.8.8 Resilient systems that can minimize the impact of cyber disruptions.1.1 This guide addresses the company or government organizational need to mitigate the likelihood of cyberattacks and reduce the extent of potential cyberattacks, which can leave sensitive personal data, corporate information, and critical infrastructure vulnerable to attackers.1.2 These recommendations are meant to serve as a guideline for corporate and government organizations to adopt for the protection of sensitive personal information and corporate data against hackers.1.3 Cybersecurity and cyberattacks are not limited to the maritime industry. With greater advancement in computer and information technology (IT), cyberattacks have increased in frequency and intensity over the past decade. These advancements provide hackers with more significant tools to attack vulnerable data and communication infrastructures. Cyberattacks have become an international issue to all governments and companies that interact with each other.1.4 Cybersecurity and the safety of cyber-enabled systems are among the most prevailing issues concerning the maritime industry as well as the global economy. Cyberattacks could affect the flow of trade or goods, but operator errors in complex, automated systems may also cause disruptions that may be mitigated with proper policies and personnel training.1.5 This guide is meant to provide strategies for protecting sensitive data onboard vessels and offshore operations.1.6 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.1.7 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.