How to achieve type approval for cyber security
With the maritime industry implementing measures to increase ship and system security, DNV GL and Naval Dome are taking a closer look at how vendors can achieve type approval.
Cyber security is a major concern for vessels at sea today. The impact of unauthorized, and even authorized, access to ships’ systems can be catastrophic, potentially resulting in reputational, financial and environmental damage, robbery, piracy or simply malicious interference. These are all distinct risks for an unprotected vessel.
Consider potential cyber risks
Not all threats, of course, may be immediately obvious. While an attack on the main propulsion system that causes the vessel to drift without control will be picked up immediately, navigation and positioning systems can be manipulated to show misleading information, inadvertently guiding the ship into trouble.
As the industry slowly approaches truly autonomous shipping, increased reliance on automated systems heightens concerns about security. Vital systems need to be accessible by authorized personnel but protected against any interference. For this reason, type approval processes for systems designed to protect potentially vulnerable components and systems need to consider how the risks of access, both authorized and unauthorized, can be alleviated.
In its type approval process DNV GL identifies four different security level capabilities in line with the IEC 62443 standard. Security Level (SL) 1, the most basic one, provides protection against casual or coincidental violations. Levels 2 to 4 cover increasingly strict protection levels against intentional violation, depending on sophistication of means and the likely level of resources, motivation and skills of potential offenders. Security Level 4 protects against a highly motivated, highly sophisticated attack.
Maritime cyber security specialist Naval Dome has been working with DNV GL, with both organizations sharing knowledge and expertise to improve security requirements for the maritime industry in general and Naval Dome’s own systems in particular. One of the problems identified was that technicians and manufacturers were able to access on-board systems without the knowledge and approval of the crew, which meant they could potentially infect the systems unintentionally.
Therefore, a two-step authorization process was needed, and new algorithms had to be developed to prevent remote access that has not been authorized by a vessel’s senior leadership team. To protect the system, it is imperative to verify that the person trying to gain access has the necessary authorization and that every action this person takes is recorded in a secure log to mitigate the risk of an internal attack.
Asaf Shefi, CTO at Naval Dome, explains: “To protect a vessel’s critical systems against an attack that might be delivered unknowingly by authorized personnel, such as a crew member or technician, the cyber protection must be done from within the OEM system. This is the only way to ensure that the critical systems on board are cyber-secured and cannot be manipulated by an attacker. All other protective solutions acting from outside the OEM system are vulnerable to internal attacks.”
One of DNV GL’s original type approval requirements was that once security logs were saved to disk, they could no longer be changed. However, Naval Dome and DNV GL found that this was not necessarily the most secure way of keeping this data safe. Naval Dome therefore devised a new cloud-based solution in which files and logs can be encrypted and saved for 15 years.
The type approval process
The type approval process starts with an assessment of the equipment and its documentation, including installation and operation manuals, applying DNV GL’s stringent and challenging evaluation principles. This often results in revisions before the next phase, product evaluation and test procedure, can begin.
This first phase can be quite a challenge for vendors. Documentation typically requires revision, which can mean it has to go back and forth a number of times until both parties are satisfied with the outcome. This phase also requires vendors to draft test procedure documents which are then sent to the classification society for revision and approval.
Once all of these files have been assessed and revised as necessary, the process moves on to physical testing. If the vendor opts to have systems tested at DNV GL facilities, the vendor will set up the equipment and test protocols before the testing is carried out. In the case of Naval Dome, software was set up on an ECDIS system at the DNV GL facility in Trondheim. However, vendors also have the option to have independent third-party testing performed by DNV GL experts at their own premises.
DNV GL’s test procedures are based on marinized versions of the international standards ISA/IEC 62443-4-2 and IEC 61162-460 which comprise seven chapters and cover increasingly stringent levels of security requirements. The tests ensure that cyber security equipment is sufficiently robust to prevent penetration attempts while also assessing aspects such as encryption strength. The process covers:
- Human user identification and authentication
- Unique identification and authentication
- Multifactor authentication for all interfaces
- Access privileges
- Software process and device identification and authentication
- User control and functionality
- System integrity
- Data confidentiality
- Restriction to data flows
- Response time to cyber events
- Network/system segmentation
- Monitoring of events
- Resource availability
- The cyber security software must allow the protected application to run without interference
“The tests are important as they can reveal outdated encryption algorithms which the vendor would need to update,” says Dr Mate J Csorba, Global Service Line Leader at DNV GL Digital Solutions.
The tests include remote access, ensuring that ship systems are accessible to vendors’ technicians and authorized on-board staff, but that protocols are in place to prevent malicious access.
“What we are assessing is the security capability of the product. We check the capability and integrity of features such as firewalling and the configuration of the system,” says Csorba.
Depending on the level of security a system is being type-approved for, the number of requirements in each of the seven chapters will differ. The higher the level, the stricter and greater the number of requirements.
The Naval Dome system proved highly effective in DNV GL’s one-week type approval tests. The testing covered the security of the operational system protected by the Naval Dome solution as well as potential interference with vessel systems. “During testing it was not possible to hack, or take control of, vessel systems, and ultimately the ship. The two-step authorization process as well as network and Wi-Fi access security were tested without being able to compromise the protected marine system,” said Shefi.
According to DNV GL, few ships are sailing with adequate security systems. “If all ships were sailing with SL1, that would be better than having no security at all, but sadly they are not,” says Csorba.
Without adequate protection, systems on existing vessels are exposed to threats every time data is transferred from shore to ship, or even when crews or technicians do something as straightforward and routine as updating software, including charts and notices to mariners, directly from a CD, a USB drive or technician’s device.
Systems on older ships can be upgraded but will be difficult to bring fully up to date without retrofitting new systems. DNV GL believes that at least SL3 should be specified for newbuilds. According to the definition, SL3 provides “protection against intentional violation using sophisticated means, extended resources, IACS specific skills and moderate motivation”.
To achieve this level of cyber security protection ‒ or the optimum SL4, which offers similar safeguards to those under SL3 with the addition of high offender motivation ‒ equipment vendors need to fully understand the international standards and participate in appropriate workshops with the type approval organization. These help the vendor gain a full understanding of the type approval regulations and requirements, and help the approval authority understand the equipment. Then both parties can jointly determine the security level the vendor or supplier should achieve.
DNV GL and Naval Dome, currently the only specialists capable of offering an SL4 cyber security solution, were able to demonstrate how relatively simple it is to attack live ship systems. The demonstrations have shown that in the absence of adequate cyber protection, the reported ship position can be shifted and the radar display misled. Similarly, the testing experts were able to turn machinery on and off or disable it, and to override fuel control, steering and ballast systems. These penetration tests allowed Naval Dome to develop a cyber security product that can protect against all kinds of attacks and meet the SL4 standards.
DNV GL was one of the first classification societies to recognize the growing threat resulting from increased digitalization in shipping and other industries. Its cyber security type approval was introduced in 2017, with the cyber security class notation “Cyber Secure” added the following year.
The Cyber Secure notation has three qualifiers: Cyber Secure (Basic), corresponding to SL1 and intended primarily for existing ships; Cyber Secure (Advanced) for newbuilds, which corresponds to SL3 with specific adaptations for maritime systems; and Cyber Secure (+), which covers additional systems not included in the scope of the other two qualifiers but which can be combined with either of them.
Cyber Secure notations by default cover ten systems: propulsion, steering, watertight integrity, fire safety, ballast, thrusters (other than main propulsion), auxiliary systems, communications, navigation and power generation. Other systems can be addressed under the “+” qualifier subject to risk assessments. Under all parts of the notation, a cyber security management system is required for every ship.