Practice of Cyber Security Management System on Cargo Ship
October 2018
Trends
Crew Welfare
Administrative
Management, Decision-Assisting, Monitor, Alarm, Control, Decision-Making
Interconnectivity: Ship-Shore, Ship-Ship, Inner
Recommendation
KPI
OCIMF: TMSA3, VIQ7 Tanker
de facto standard
OCIMF Requirements
Tanker
RightShip Requirements
Bulk Carrier
Summary of Requirements
IMO/OCIMF/Rightship
Manual/Policy
Procedure/Process
Instruction/Record
[Figure: Plan / Do / Check / Action cycle, with labels Stakeholder, Planning, Operation, Improvement]
Six Steps
[Figure labels: Needs & Expectations, Measure, Develop policy, Improve, Specify Scope, Risk Assessment, Risk Treatment, Risk Control, Security, Prepare SOA, Operate]
Result: Management Files
NO. | File | Description
6 | Procedure for corrective action and preventive action | Rev. Add content of cyber security
7 | Procedure for carrying out internal audits | Rev. Add content of cyber security
15 | Ship cybersecurity risk assessment report | New Assessment Report (each ship)
4 level Management System Files
1st level: Programmatic documents / manuals
2nd level: Procedure / Provision
3rd level: Instruction / Specification
4th level: Records, Report / Plan
Finding 1: Network status onboard
Data
IT: Email system, Administrative system, Crew welfare system, Planned Maintenance System
OT: ECDIS, Integrated control, Monitor and alarm, CCTV
Communication
IT/OT Mingle
More direct, integrated, efficient
Risk
Keypoints
No formal released cybersecurity management system
Construction & delivery management not perfect
Rely on builder & supplier
Security and malware prevention management is not perfect
No rules for access control and upgrade maintenance
Keypoints
OT network segment measures not perfect
Undistinguished privileges and
Lack external source limitation of remote access
OT computer lack of virus protection
Keypoints
Responsibilities not clear, especially between shipboard and shore-side, rely on the established convenience
Physical Access
Remote Access
Necessary to be approved
Physical measure
Lock up with signature seal (dated) or physical lock
Proposal 7: Contingency Preparedness
Asset Inventory + Responsible
Require builders to cooperate in developing the asset inventory at delivery
Each asset (network equipment, IT computer, OT computer, etc.) specifies a user and a maintainer.
Contingency plan for each ship: different symptoms, such as software failure, hardware failure, and virus infection, are each given their own disposal plan
The basic strategy, step by step, is to control the situation, attempt self-restoration, switch to emergency mode, and then request shore-based support
Proposal 8: Awareness Promotion
Security Manual
Publicity cartoon/animation/movie/film
Screen saver
…
Our Plan & Goal
Set up a cybersecurity lab, to carry out systematic research.
Develop guidelines about cyber security, such as resilience management
Tel: (8627)85423516
E-mail: zbchen@ccs.org.cn
Welcome to contact us