Cybersecurity Drill


Cybersecurity drills provide a way to test every element of an incident detection and response strategy. CYGNUS has a deep understanding of modern cyber threats and extensive experience with vessels and the maritime industry; scenario creation is part of our day-to-day work for internal training, assessment and recruiting.

As in other aspects of maritime safety, cyber drills can reveal weaknesses that would otherwise stay unseen, and they are vital to improving response performance during real incidents.

High Level Plan

  1. Preparation: This stage starts with defining the scope, requirements and goals of the drill to be executed. It may involve meetings between our engineers and the customer departments involved.
  2. Composition of a detailed scenario of a cyber incident affecting the vessel or office, together with response and mitigation steps (inspired by the SANS framework for Incident Response). The scenario involves both ship (if applicable) and shore, and describes the optimal ship/shore communication (where applicable): the information exchanged and the response steps taken on each side.
  3. Scenario execution with CYGNUS contributing as an external member of the customer’s CSIRT (Computer Security Incident Response Team).

Proposed Framework

The gold standard for both simulating and performing actual incident response is the SANS Institute Incident Response Plan.

The above framework is roughly the same as NIST’s framework, which is also featured in BIMCO’s Guidelines for Cybersecurity Onboard Ships, with the difference that it includes a final Lessons Learned stage. This final step is essential to gradually improve the response plan with knowledge acquired during incidents or drills.

Framework’s Steps

1. Preparation

Review and codify an organizational security policy, perform a risk assessment, identify sensitive assets, define which critical security incidents the team should focus on, and build a Computer Security Incident Response Team (CSIRT).

2. Identification

Monitor IT systems and detect deviations from normal operations, and see if they represent actual security incidents. When an incident is discovered, collect additional evidence, establish its type and severity, and document everything.

3. Containment

Perform short-term containment, for example by isolating the network segment that is under attack. Then focus on long-term containment, which involves temporary fixes to allow systems to be used in production while clean systems are rebuilt.

4. Eradication

Remove malware from all affected systems, identify the root cause of the attack, and take action to prevent similar attacks in the future.

5. Recovery

Bring affected production systems back online carefully, to prevent additional attacks. Test, verify and monitor affected systems to ensure they are back to normal activity.

6. Lessons learned

No later than two weeks from the end of the incident, perform a retrospective of the incident. Prepare complete documentation of the incident, investigate it further, understand what was done to contain it, and determine whether anything in the incident response process could be improved.
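A drill is only useful if the timeline it produces can be reviewed afterwards. The following added example (not CYGNUS's own tooling, and not part of the SANS material) is a small Python drill log that records each of the six phases above, refuses to skip or reorder phases, measures how long each phase took, and flags a retrospective held later than the two-week limit stated for the Lessons Learned step. The scenario events, timestamps and notes are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# The six SANS incident response phases, in the order a drill must pass through them.
PHASES = ["preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned"]

# Retrospective must happen no later than two weeks after the incident ends (recovery).
LESSONS_LEARNED_DEADLINE = timedelta(days=14)


@dataclass
class DrillRecord:
    """Timeline of one drill scenario: one entry per completed phase."""
    scenario: str
    entries: List[Tuple[str, datetime, str]] = field(default_factory=list)

    def next_phase(self) -> Optional[str]:
        """Phase the drill is expected to complete next, or None when finished."""
        i = len(self.entries)
        return PHASES[i] if i < len(PHASES) else None

    def complete(self, phase: str, when_iso: str, note: str) -> None:
        """Record a completed phase. Rejects skipped/repeated phases and time going backwards."""
        expected = self.next_phase()
        if phase != expected:
            raise ValueError(f"expected phase {expected!r}, got {phase!r}")
        when = datetime.fromisoformat(when_iso)
        if self.entries and when < self.entries[-1][1]:
            raise ValueError("phase timestamps must not go backwards")
        self.entries.append((phase, when, note))

    def phase_durations(self) -> Dict[str, timedelta]:
        """Time spent in each phase, measured until the next phase was completed."""
        durations: Dict[str, timedelta] = {}
        for (phase, start, _), (_, end, _) in zip(self.entries, self.entries[1:]):
            durations[phase] = end - start
        return durations

    def retrospective_delay(self) -> Optional[timedelta]:
        """Delay between end of recovery and the lessons-learned retrospective."""
        times = {phase: when for phase, when, _ in self.entries}
        if "recovery" not in times or "lessons_learned" not in times:
            return None
        return times["lessons_learned"] - times["recovery"]

    def retrospective_overdue(self) -> bool:
        """True when the retrospective came more than two weeks after recovery."""
        delay = self.retrospective_delay()
        return delay is not None and delay > LESSONS_LEARNED_DEADLINE

    def report(self) -> str:
        """Human-readable timeline for the retrospective."""
        lines = [f"Drill: {self.scenario}"]
        for phase, when, note in self.entries:
            lines.append(f"  {when:%Y-%m-%d %H:%M}  {phase:<16} {note}")
        for phase, duration in self.phase_durations().items():
            lines.append(f"  {phase:<16} took {duration}")
        if self.retrospective_overdue():
            lines.append("  WARNING: retrospective held later than two weeks after recovery")
        return "\n".join(lines)


def build_sample_drill() -> DrillRecord:
    """Constructed drill timeline (hypothetical scenario, not a real incident)."""
    drill = DrillRecord("Constructed: ransomware on a vessel office LAN")
    drill.complete("preparation", "2024-03-04T09:00", "CSIRT roster and asset list confirmed")
    drill.complete("identification", "2024-03-04T10:00", "Alert on unusual file-share activity; severity high")
    drill.complete("containment", "2024-03-04T11:00", "Office network segment isolated; ship notified")
    drill.complete("eradication", "2024-03-05T09:00", "Affected hosts rebuilt; root cause documented")
    drill.complete("recovery", "2024-03-06T09:00", "Systems restored, verified and under monitoring")
    # Retrospective 18 days after recovery: outside the two-week limit, so the report warns.
    drill.complete("lessons_learned", "2024-03-24T09:00", "Retrospective held")
    return drill


if __name__ == "__main__":
    print(build_sample_drill().report())
```

Running the script prints the timeline, the time spent in each phase, and the warning, which is the kind of evidence a post-drill review needs in order to judge where the response was slow.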