MASS UK Industry Conduct Principles and Code of Practice 2022 (V6)
• Negatively affect the reputation and credibility of organisations and individuals.
• Take control of a system or asset
• Access other people's accounts
• Conduct industrial espionage
• Initiate government instability prior to an overthrow

5.7.2 A Cybercriminal could be an individual working alone or a group of people acting together, such as:
• An organised crime gang
• A competitor organisation
• A foreign government (or a department of one)

5.7.3 The list of potential Cybercrimes is huge, but commonly used methods include:
• Targeting disgruntled former employees, current employees and contractors
• Phishing emails attempting to gain access to credentials
• Social engineering
• Loss or theft of equipment, and rogue USB devices
• Password guessing through brute-force attack
• Unchanged default credentials and weak passwords on web, application or network devices (particularly IoT devices)
• System and application vulnerabilities (outdated and poorly patched software)
• SQL injection through entry fields of websites/browsers
• Cross-site scripting (XSS)
• Passwords or data lacking strong cyphers or encryption
• Distributed denial of service (DDoS) botnets

5.8 THREAT/ATTACK VECTORS
5.8.1 Cybercriminals will investigate a target and determine which threat/attack vector to employ depending on their findings.

Figure 5-1 Typical threat/attack vectors (Courtesy of Threat Vector Security)

5.9 CYBER SECURITY
5.9.1 Cyber security is a process used to control and protect an organisation's computer systems, networks and data from, and reduce the risk of, Cyberattack.
5.9.2 Cyber security's core function is to protect the devices we use (smartphones, laptops, tablets, computers, networks and routers), data and the services we access, both online and at work, from theft, damage or unauthorised access.
5.9.3 The traditional approach to cyber security focuses on the protection of data and controlling access to the components of the IT system. Advanced technology such as "smart" equipment and the Internet of Things (IoT) has changed how IT is integrated into systems and how it is deployed and operated. These new systems, which are complicated, connected and can generate large amounts of data, now demand a much more comprehensive cyber security approach. It is no longer sufficient for a cyber security system to consider just the IT system; it must also take account of the operational technology (OT) system. This is generally referred to as IT/OT convergence.

5.10 IT/OT CONVERGENCE
5.10.1 IT/OT convergence is the integration of information technology (IT) systems with operational technology (OT) systems. IT systems are used for data-centric computing; OT systems monitor events, processes and devices, and make adjustments in enterprise and industrial operations.

5.11 THE DIFFERENCE BETWEEN IT AND OT
5.11.1 Traditional IT cyber security protects the IT system and the data held in it, but OT cyber security protects the complete system (vessel, people and environment).
5.11.2 The traditional, IT-based definition of cyber security can be stated as: "Technologies, processes, and practices designed to prevent malware from doing damage or harm to networks, computers, programs, or data."
5.11.3 But modern, distributed, interconnected remote systems demand a more comprehensive and robust OT-based cyber security system, which can be defined as:
• "Technologies, processes, and practices designed to prevent the intended or unintended use of a cyber technology system to do damage to the cyber technology (networks, computers, programs, data) and vessel, or harm to people and environment."
5.11.4 To achieve this level of protection we need to be able to verify the satisfactory performance of the OT cyber security system by:
• Ensuring correct, safe, efficient and reliable operation through software quality engineering.
• Preventing malicious and non-malicious threats through the cyber security system.
5.11.5 Functional testing will help assess a system against "known" errors or threats, but makes no allowance for as-yet unknown events. Using a maturity model provides ongoing monitoring, assessment and improvement of a cyber security system and will help defend against these unknown events.