COP_2023_V7_pages

More documents

Recommendations

Info

Figure 5-2 - Proactive model to ensure future protection (Courtesy of the Athens Group) RECOVER: capabilities after a cybersecurity event and continually improve plans for resilience IDENTIFY: understand and manage risk to systems, assets, data and capabilities Recover Identify RESPOND: quickly to a detected event Respond Detect DETECT: cybersecurity events early using appropriate means Protect PROTECT: critical services against cybersecurity threats with appropriate safeguards 5.11.6 As technology advances OT systems will become networked such as in MASS/USV vessel control systems where the operator may be located in a remote control centre (RCC) but the vessel could be hundreds of miles away. 5.12 WHAT IS A ROBUST CYBER SECURITY SYSTEM? 5.12.1 As previously stated, a robust cyber security system must address potential issues across the complete system and should include policies and procedures which: n Address both IT and OT components of the system n Defines roles and responsibilities n Defines who requires what access to various parts of the system n Defines personnel access control policy n Defines security protocols such as password control, lifespan and renewals n Defines actions to be taken if a breach results from a Cyberattack n Defines actions to be taken if a Cyberattack occurs without breach n Defines the actions to be taken to ensure that the systems remain protected against newly created cyber threats. 5.12.2 A robust cyber security system should begin at the equipment design and planning stage. Many modern systems contain components provided by many different OEM’s. In many cases the IT and communications equipment is added after the system is built. This approach could introduce potential for a Cyberattack, if the integration of this equipment is not fully understood. Even if the equipment is integrated, commissioned and operates successfully, when an upgrade or a software patch is applied to improve and enhance performance what effect will that have on another manufacturer’s equipment? Cyber access point could be unintentionally created leaving the system vulnerable to attack from criminals. How many times have official Microsoft upgrades caused unexpected issues with Windows? If the system is, initially, designed with products specifically selected to integrate together then any later upgrades are less likely to cause problems. 42 MASS UK Industry Conduct Principles and Code of Practice Version 7
THREAT/ATTACK VECTOR RISK MANAGEMENT MATRIX Owners and operators of MASS should produce a Risk Management Matrix to cover all threat and attack vectors. An example matrix is shown is at Table 5-1 following. Table 5-1 Personnel Domain Sub Domain Threat/Attack Vector Mitigation procedure Lack of understanding of cyber threats Unsuitable security history Malware Ongoing training and education Vetting during hiring process/Security Clearance? Ongoing training and education Keyloggers Ongoing training and education Social Engineering - Phishing Ongoing training and education Social Engineering - Spam Ongoing training and education Employees Access level Password control Software access control procedure IT procedures - robust passwords, not written down Change regularly, protect, do not reveal Regular penetration test to check staff awareness Training, Access control, Key Cards Personnel Physical security Security zones relevant to function IT procedures - robust passwords, not written down Screen locks, signing out of machine if left Working from home with company equipment Mobile devices Third Party Could include maintenance, cleaners, visitors, clients Disgruntled Staff Access Control Security history Training, Access control, Key Cards Vetting of contracting company staff Accompany at all times while on premises Record of On/Off premises Interview to resolve, monitor and observe Vetting during hiring Equal, fair, open, and non-discriminatory policies Limit access to sensitive areas and software MASS UK Industry Conduct Principles and Code of Practice Version 7 43
Page 1 and 2: BEING A RESPONSIBLE INDUSTRY Mariti
Page 3 and 4: Contents FOREWORD 1 Background 4 2
Page 5 and 6: 1.9 The intent is to ensure equival
Page 7 and 8: 5 CONTRIBUTING ORGANISATIONS 5.1 Th
Page 9 and 10: 1 Scope 1.1 SUMMARY 1.1.1 This is a
Page 11 and 12: 5 Environment 5.1 ENVIRONMENTAL MAN
Page 13 and 14: Assuranc INDUSTRY PRINCIPLE 4 - CUS
Page 15 and 16: 11 Regulatory and Legislative Compl
Page 17 and 18: 1 Terms and Terminology In this Cod
Page 19 and 20: “Coxswain” refers to any person
Page 21 and 22: Definitions for Level of Control (L
Page 23 and 24: 2 Application This Code applies to
Page 25 and 26: 2.6 CARRIAGE OF ADDITIONAL EQUIPMEN
Page 27 and 28: 3.4 SHIP TYPE 3.4.1 MASS will have
Page 29 and 30: 3.7.5 For trials activities, as opp
Page 31 and 32: Schedule: Dates / times Location Ac
Page 33 and 34: 4 MASS Shoreside Interface Guidance
Page 35 and 36: 4.6.2 There are in the South Coast
Page 37 and 38: 5 Cyber Security Considerations for
Page 39 and 40: n 60% of fraud goes through mobile
Page 41: 5.9 CYBER SECURITY 5.9.1 Cyber secu
Page 45 and 46: Table 5-1 Vessel CREWED Domain Sub
Page 47 and 48: 2. NIST Cyber security Framework NI
Page 49 and 50: ecommends communication processes f
Page 51 and 52: equires vendors or third-parties in
Page 53 and 54: 5.14 CYBER GLOSSARY “Access contr
Page 55 and 56: 6 Safety Management 6.1 OBJECTIVE T
Page 57 and 58: 6.5.6 The Operator should ensure th
Page 59 and 60: 6.10.2 The Operator should pay due
Page 61 and 62: n Loss of Control of MASS for a cri
Page 63 and 64: 6.17.2 The ISM Code regulates and r
Page 65 and 66: Data to be recorded - General Princ
Page 67 and 68: 7.2 INTERNATIONAL DEFINITION OF AUT
Page 69 and 70: 8 Ship Design and Manufacturing Sta
Page 71 and 72: 8.7 ELECTRICAL SYSTEMS 8.7.1 The el
Page 73 and 74: RNMB Hussar engaged in operational
Page 75 and 76: 9 Navigation Lights, Shapes and Sou
Page 77 and 78: Table 9-2: Sound Appliances Overall
Page 79 and 80: 10.3.7 It may be necessary to exert
Page 81 and 82: 10.6.3 The level at which these may
Page 83 and 84: tide tables and atlases, and the la
Page 85 and 86: 10.10.4 Where applicable and deemed
Page 87 and 88: 10.15.4 The performance of Sense an
Page 89 and 90: n If fitted with a satellite instal
Page 91 and 92: 12 Remote Control Centre - Operatio
Page 93 and 94:
PHASE 2. MISSION PLANNING Task Pre-
Page 95 and 96:
12.5 ROLES AND RESPONSIBILITIES WIT
Page 97 and 98:
- Assist in USV pilotage and berthi
Page 99 and 100:
12.8.2 When designing the RCC, the
Page 101 and 102:
12.12.3 Human factors, including ma
Page 103 and 104:
13.4 SENSOR TESTS 13.4.1 Any sensor
Page 105 and 106:
14 Operator Standards of Training,
Page 107 and 108:
on an operator. In addition, where
Page 109 and 110:
n Management of records, reports, a
Page 111 and 112:
14.13 OPERATIONAL DEVELOPMENT 14.13
Page 113 and 114:
14.15.2 Operation Assessed. Once al
Page 115 and 116:
Competence Knowledge & Skills Contr
Page 117 and 118:
SECTION 2 - OPERATIONAL LEVEL Stand
Page 119 and 120:
Function: Safety and Security at th
Page 121 and 122:
Function: MASS Manoeuvring at the M
Page 123 and 124:
ANNEX B TO CHAPTER 14 The blank pro
Page 125 and 126:
Table 15-1: Identification Requirem
Page 127 and 128:
Table 15-2: Certification Considera
Page 129 and 130:
16.2.3 Marine casualties (accidents
Page 131 and 132:
16.5.2 The concept of the confident
Page 133 and 134:
17 Security 17.1 OBJECTIVE The obje
Page 135 and 136:
17.5 MASS SECURITY PLAN 17.5.1 The
Page 137 and 138:
17.9 VERIFICATION AND CERTIFICATION
Page 139 and 140:
18.5 AIR POLLUTION 18.5.1 All engin
Page 141 and 142:
19.2.6 For MASS engaged on internat
Page 143 and 144:
19.6.3 Documentation: n When carryi
Page 145 and 146:
19.9 DANGEROUS GOODS CLASSES 19.9.1
Page 147 and 148:
20.4.2 The duty is qualified by wha
Page 149 and 150:
21.4.4 MASS owners should exercise
Page 151 and 152:
MGO Marine Gas Oil MIA Marine Indus
show all

COP_2023_V7_pages

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?