
Ship cyber security plan

The PERIMETROS cyber security assessment (CSA) of the ship is the foundation for developing the cyber security plan (CSP). The plan PERIMETROS develops will address all the issues identified in the relevant assessment (e.g. cyber, physical and personnel issues) by establishing appropriate security controls designed to minimise the likelihood of a breach of security and the consequences of potential risks. Wherever appropriate, the CSP is intended to build upon the existing ship security plan and will most likely be an annex to it. The measures aimed at reducing the risk of unauthorised access to the ship should therefore also give a degree of protection to its operational technology cyber-physical systems. The PERIMETROS CSP will perform the same function for the issues identified in the CSA, also taking into consideration the impact of measures set out in the security plan for the ship and its systems. When developing the CSP, we adopt a holistic approach covering all people, process, physical and technological aspects of the ship. From a cyber security perspective, the PERIMETROS CSP will contain:

  1. The cyber security principles that set the minimum baseline for security and drive the continuous improvement of the ship security posture;

  2. The organisation structure for cyber security across the ship organisation and ashore;

  3. The policies that set out the security-related business rules derived from the ship security plan (SSP);

  4. The processes that are derived from the security policies and provide guidance on their consistent implementation throughout the lifecycle and use of the ship assets;

  5. The procedures that comprise the detailed work instructions relating to repeatable and consistent mechanisms for the implementation and operational delivery of the processes.

With a large proportion of security breaches caused by people and poor processes, it is essential that the personnel, process and physical aspects directly related to the technological systems for which cyber security measures are required are also considered, and that appropriate measures are put in place. For example, sensitive ship systems will have to be protected from unauthorised access or modification as follows:

  1. Physical – the system and its components may be located in a restricted access area, to which only those personnel who have been authorised for access are permitted unsupervised access, and a log of all authorised personnel is kept and regularly updated;

  2. Personnel – personnel with privileged (administrative, engineering or technical support) access to the systems are subject to pre-employment screening and periodic background checks;

  3. Process – processes are in place to ensure that all access to the systems is monitored and logged, and that personnel accessing controlled spaces or sensitive systems who were not subjected to the screening and background checks are supervised by a person who is authorised to access the systems;

  4. Technical – measures are in place to check any removable media or portable devices that will be connected to the system for malware (for example, software updates on USB memory sticks or diagnostic software on laptops or tablet devices). Access to system consoles, displays, etc. is password protected.

The measures required in each of the aspects will also depend on the level of resilience that the ship may call upon. Regular training and assessment should be established for all those who are granted 'authorised' status for access to systems and subsystems to ensure that appropriate cyber hygiene is carried out when accessing systems for whatever reason. The completed CSP for the ship should be protected from unauthorised access or disclosure and should form an annex of the SSP.

Review of the CSP

PERIMETROS will review the CSP at least annually to verify that it remains fit for purpose. Where necessary, the CSP will be updated to reflect any identified gaps, shortcomings or organizational changes, or changes which have arisen for political, economic, social, technological, legal or environmental reasons and which have an impact on the ship or ship assets. The CSP will contain a suitable mechanism for performing ad-hoc risk reviews to identify and assess the impact of any changes on ship assets and to update the ship CSA.

Monitoring and auditing of the CSP

PERIMETROS will monitor and audit the CSP across the lifecycle of all ship assets. This monitoring or auditing will be in addition to any actions that may result from an incident or breach. Example areas that we are assessing are:

  • The implementation of all security policies, processes and procedures affecting the ship assets, including the handling or storage arrangements implemented for security-sensitive and sensitive information;

  • The compliance of its supply chain with the security policies, processes and procedures specified in the CSP, as a minimum on a risk-based sampling approach; and

  • The management of security controls that operate throughout the operational lifecycle of the ship assets.
