Proceedings Of The Marine

WIN 2015

Proceedings magazine is a communication tool for the Coast Guard's Marine Safety & Security Council. Each quarterly magazine focuses on a specific theme of interest to the marine industry.

Issue link: https://uscgproceedings.epubxp.com/i/436751

Page 39 of 94

37 Winter 2014 – 2015 Proceedings www.uscg.mil/proceedings

As testing software, such as communication protocols, in an entirely random way would be quite ineffective, state-of-the-art fuzzers combine techniques such as grammar rules that specify which parts of a protocol to fuzz, and various strategies for generating packets in an efficient way, systematically simulating invalid communication.[12]

Vendors often use remote login to provide support and use penetration testing to evaluate security and to determine whether there is proper network segregation. Appropriate segregation is key to properly seal off the control network from less critical networks, such as an office network. Network segregation is deemed insufficient if one can reach a probe installed in the critical part of the network from the other side of a segregation point. Vendors also evaluate general ICS robustness by load testing and network "storm" simulation, where switches, devices, or controllers are flooded with network traffic to test how capable they are of handling the overload.

Maintaining the proper user rights is also paramount to limit unauthorized access to critical networks and control systems. For example, system personnel should forbid all types of access unless explicitly granted. They should also check for weak passwords, authorization bypassing, privilege escalation, and login locking.[13]

Moving Ahead

Today, an integrated approach for handling software and software updates is essential for successful vessel operations. Combining HIL testing and cybersecurity testing will increase maritime and offshore industry safety and security. As threats to cybersecurity are increasing and appear from unexpected new angles, we believe that an up-to-date methodology is required to secure safe operations at sea. To maintain cybersecurity, it is beneficial to integrate testing into the change management cycle and establish a test strategy for all configuration changes and upgrades.
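The user-rights checks listed above (deny all access unless explicitly granted, authorization bypassing, login locking) can be seen together in one small access-control layer. This is an added illustration, not code from the article or from Marine Cybernetics; the roles, actions, lockout threshold and the sample account are constructed.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass

MAX_FAILED = 5       # failed attempts before login locking applies (constructed policy value)
LOCK_SECONDS = 900   # how long the account stays locked (constructed policy value)
# Explicit allow-list of (role, action) pairs; anything not listed is denied.
ACL = {("operator", "view_status"), ("engineer", "view_status"), ("engineer", "update_config")}

def hash_password(password, salt):
    # PBKDF2 stands in for whatever password storage the real system uses
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    roles: frozenset
    failed: int = 0
    locked_until: float = 0.0

class AccessControl:
    def __init__(self, accounts, now=time.time):
        self.accounts = {a.username: a for a in accounts}
        self.sessions = {}   # token -> username; an entry exists only after a successful login
        self.now = now       # injectable clock so the lockout can be exercised offline

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None or self.now() < acct.locked_until:
            return None      # unknown or locked account: same answer, no enumeration hint
        if hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failed = 0
            token = os.urandom(16).hex()
            self.sessions[token] = username
            return token
        acct.failed += 1
        if acct.failed >= MAX_FAILED:
            acct.locked_until = self.now() + LOCK_SECONDS   # login locking
        return None

    def authorize(self, request):
        # Only a server-issued session token proves authentication; a client-supplied
        # "authenticated" flag is ignored, so tampered or direct internal requests fail here.
        user = self.sessions.get(request.get("token"))
        if user is None:
            return False
        roles = self.accounts[user].roles
        return any((r, request.get("action")) in ACL for r in roles)   # deny by default
```

A request that claims to be authenticated but carries no server-issued token is refused, an operator token cannot reach an engineer-only action, and after MAX_FAILED wrong passwords even the correct password is rejected until the lock expires.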
About the authors:

Mr. Mate J. Csorba is an electrical engineer, with a Ph.D. in telematics from the Norwegian University of Science and Technology, awarded for his research on optimization employing swarm intelligence. His professional background is in telecommunications, and he has worked for the Test Competence Centre of Ericsson, prior to joining Marine Cybernetics, where his focus is on communication systems.

Mr. Nicolai Husteli has worked with simulation technology for more than 13 years. He began his career at the Norwegian Marine Technology Research Institute as a research engineer. He joined Marine Cybernetics in 2006 and has been leading the development of the company's software platform for HIL testing. He has been the Marine Cybernetics chief technical officer since 2012 and has an M.S. in marine technology from the Norwegian University of Science and Technology.

Mr. Stig O. Johnsen is senior researcher at SINTEF, Norway.

Endnotes:

1. R. Røisli (2006). HMS og IKT-sikkerhet i integrerte operasjoner (in Norwegian). Proceedings of a Ptil seminar 29.11.2006, Norway.
2. J. Wagstaff (2014). All at sea: global shipping fleet exposed to hacking threat. Reuters.com.
3. Y. Dyryavyy (2014). Preparing for Cyber Battleships – Electronic Chart Display and Information System Security. NCC Group.
4. M. Balduzzi, K. Wilhoit, A. Pasta. Hey Captain, Where's Your Ship? Attacking Vessel Tracking Systems for Fun and Profit. 11th Annual HITB Security Conference in Asia, October 2013, Kuala Lumpur, Malaysia.
5. Recommended guidelines for Information Security Baseline Requirements for Process Control, Safety and Support ICT Systems, Norwegian Oil and Gas Association, Jun 2006, revised Jan 2009.
6. Norwegian Oil and Gas Association recommended guidelines for Information Security Baseline Requirements for Process Control, Safety and Support ICT Systems.
7. ISBR #1 – avg. score 1.9; ISBR #5 – avg. score 1.5; ISBR #7 – avg. score 1.9.
8. The In Amenas attack, Statoil ASA investigation report. Available at http://statoil.com.
9. The Norwegian National Security Authority (NSM). Rapport om sikkerhetstilstanden 2014.
10. Korn, M. "In the Loop," Proceedings of the Marine Safety & Security Council, the Coast Guard Journal of Safety & Security at Sea, Winter 2013-2014.
11. The Crisis Intervention and Operability analysis method. Available at www.criop.sintef.no.
12. Sutton, M., A. Greene, and P. Amini. Fuzzing: Brute Force Vulnerability Discovery. Addison-Wesley, 2007.
13. Authorization bypassing: Bad actors or others may try to "skip" authentication or logon pages by directly accessing an internal page that is supposed to be available only after authentication has been performed. It is also possible to bypass authentication measures by tampering with requests and tricking the application into thinking that the user is already authenticated. Privilege escalation is an attack against a system to access system resources that are normally protected. Login locking is used to prevent brute-force, password-guessing attacks.
