Abstract
Over the past decades, Cyber Security has received increasing attention and affects end-users, system administrators, system owners, and governments. The frequency with which Cyber Security incidents and vulnerabilities reach the international media keeps increasing. Recently, the Log4J vulnerability kept (and still keeps) the Cyber Security community in its grip. Despite available Cyber Security approaches to identify and evaluate risks, select security measures, and governance structures to stay in control (e.g. ISO-2700x), high-impact incidents still occur. The majority of these Cyber Security frameworks are aimed at a traditional Information Technology (IT) environment, such as typical business IT infrastructures and business users.
What about maritime/naval platform infrastructures, where new technologies are interconnected with traditional maritime/naval Operational Technology (OT) infrastructures? These mixed infrastructures of (legacy) OT technology and new IT technology will be susceptible to (technologically savvy) Cyber Security incidents. Threat actors such as criminal organizations, and even state (sponsored) actors, are increasingly interested in OT and maritime platforms. However, due to the specific OT characteristics, the operational use of these maritime/naval platforms, and the safety-driven regulations, traditional approaches are not usable. Specific regulations and standards are emerging (e.g. IMO, DNV and IEC-62443). However, the operational use of the maritime/naval platform still raises challenges in selecting and implementing security measures, and secondly the governance of Cyber Security across the entire lifecycle (from cradle to grave) raises challenges.
This paper describes the approach followed by RH Marine to integrate and implement Cyber Security successfully within maritime/naval infrastructures and applications. Firstly, the paper explains the fundamental difference between IT and OT by means of the Confidentiality, Integrity, and Availability (CIA) triad. The approach followed to balance Safety and Security is described. Furthermore, there is a plethora of standards and regulations enumerating security measures, while the applicable standards, regulations, and customer requirements vary across different maritime/naval platforms.
The paper describes how these differing standards, regulations, and customer requirements can be supported with a Cyber Security architecture that defines security services supporting multiple security measures/standards. Based on the TOGAF architecture approach, the Cyber Security architecture consists of Architectural Building Blocks (ABBs) that support different standards and remain extensible to support new developments. Interrelations between e.g. network infrastructure, remote access, and big data are identified within the architecture. This approach, and the resulting Cyber Security architecture, enabled RH Marine to lay down a strong foundation that is applied in current projects to take Cyber assurance to the next level. The paper presents the first results of applying the Cyber Security architecture within the definition, implementation, and evaluation of maritime/naval platforms.
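The abstract describes an architecture in which Architectural Building Blocks provide security services, and each applicable standard or customer requirement is satisfied by one or more of those services, with the CIA priorities differing between IT and OT. The following Python model, added here as an illustration and not RH Marine's code or any real catalogue, shows how such a mapping can be checked: which requirements a chosen set of building blocks covers, which blocks share a service (the interrelations the architecture identifies), and how remaining gaps are ranked by an OT (availability first) or IT (confidentiality first) priority. The building blocks, service names, the CIA property assigned to each service, and the clause identifiers are all constructed placeholders, not clauses of IEC-62443, IMO or DNV documents.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class BuildingBlock:
    """An Architectural Building Block (ABB): a component that provides named security services."""
    name: str
    services: frozenset[str]


# Constructed ABB catalogue for this example (not an actual product catalogue).
ABBS: list[BuildingBlock] = [
    BuildingBlock("Network segmentation", frozenset({"zone-boundary-filtering", "traffic-monitoring"})),
    BuildingBlock("Remote access gateway", frozenset({"remote-access-authn", "session-logging"})),
    BuildingBlock("Central logging", frozenset({"session-logging", "traffic-monitoring", "log-retention"})),
    BuildingBlock("Patch and backup", frozenset({"patch-management", "backup-restore"})),
]

# Assumed CIA property each service mainly protects: C, I or A.
SERVICE_PROPERTY: dict[str, str] = {
    "zone-boundary-filtering": "I", "traffic-monitoring": "I", "remote-access-authn": "C",
    "session-logging": "I", "log-retention": "I", "patch-management": "I",
    "backup-restore": "A", "key-storage-hsm": "C",
}

# CIA ordering per environment: OT favours availability, IT favours confidentiality.
PRIORITY: dict[str, str] = {"OT": "AIC", "IT": "CIA"}

# Requirement catalogues: standard -> clause id -> services that satisfy it.
# Clause ids are PLACEHOLDERS and do not correspond to real clause numbers.
STANDARDS: dict[str, dict[str, set[str]]] = {
    "IEC-62443": {
        "PLACEHOLDER-ZONE-1": {"zone-boundary-filtering"},
        "PLACEHOLDER-RA-1": {"remote-access-authn", "session-logging"},
        "PLACEHOLDER-MON-1": {"traffic-monitoring", "log-retention"},
    },
    "IMO": {
        "PLACEHOLDER-RECOVER-1": {"backup-restore"},
        "PLACEHOLDER-DETECT-1": {"traffic-monitoring"},
    },
    "Customer": {
        # Constructed customer-specific requirement that no ABB above provides.
        "CUST-HSM-1": {"key-storage-hsm"},
    },
}


def provided_services(blocks: list[BuildingBlock]) -> set[str]:
    """Union of all services offered by the selected building blocks."""
    return set().union(*(b.services for b in blocks))


def blocks_for_service(blocks: list[BuildingBlock], service: str) -> list[str]:
    """Names of every block that provides a service; shows interrelations between blocks."""
    return [b.name for b in blocks if service in b.services]


def coverage(blocks: list[BuildingBlock], standard_names: list[str]) -> dict[tuple[str, str], set[str]]:
    """Map (standard, clause) -> missing services for every clause the blocks do not fully cover.

    An empty result means the selected blocks satisfy all listed standards.
    """
    have = provided_services(blocks)
    gaps: dict[tuple[str, str], set[str]] = {}
    for std in standard_names:
        for clause, needed in STANDARDS[std].items():
            missing = needed - have
            if missing:
                gaps[(std, clause)] = missing
    return gaps


def prioritise_gaps(gaps: dict[tuple[str, str], set[str]], environment: str) -> list[tuple[str, str]]:
    """Order gaps by the CIA property of the most urgent missing service for the given environment."""
    order = PRIORITY[environment]

    def rank(item: tuple[tuple[str, str], set[str]]) -> int:
        _, missing = item
        return min(order.index(SERVICE_PROPERTY[s]) for s in missing)

    return [clause for clause, _ in sorted(gaps.items(), key=rank)]


if __name__ == "__main__":
    # Example: a platform that has to satisfy all three catalogues but omits two blocks.
    reduced = [b for b in ABBS if b.name not in ("Central logging", "Patch and backup")]
    for clause, missing in coverage(reduced, list(STANDARDS)).items():
        print(f"gap {clause}: missing {sorted(missing)}")
    print("OT order:", prioritise_gaps(coverage(reduced, list(STANDARDS)), "OT"))
    print("shared traffic-monitoring:", blocks_for_service(ABBS, "traffic-monitoring"))
```

Removing Central logging does not break traffic monitoring, because Network segmentation still provides it, but log retention is lost; the gap report makes that dependency visible, and the same gap list sorts differently for an OT platform than for an IT environment.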