Standard Guide for Cybersecurity and Cyberattack Mitigation

SIGNIFICANCE AND USE
5.1 To maintain the integrity of potentially vulnerable information systems while the vessel is at sea or in port, strategies and procedures can be used by every company, organization, and ship. Mitigating potential cyberattack events will allow for a better economic environment through secure consumer, employee, and corporate data. Informational infrastructure between ships, platforms, and onshore facilities is more interconnected today than a decade ago. The long-term health and economic viability of ship owners and operators depend on establishing and maintaining security that can be measured and monitored.
5.2 With the increase in cyberattacks in recent decades, maritime-based companies and governments have cited a need to update and train their workforce to mitigate the loss of data or intellectual theft from onboard systems.  
5.2.1 Vulnerable onboard systems can include, but are not limited to:
5.2.1.1 Cargo management systems;
5.2.1.2 Bridge systems;
5.2.1.3 Propulsion and machinery management and power control systems;
5.2.1.4 Access control systems;
5.2.1.5 Passenger servicing and management systems;
5.2.1.6 Passenger facing public networks;
5.2.1.7 Administrative and crew welfare systems;
5.2.1.8 Communications systems;
5.2.1.9 Distributed computing devices that support an internet of things (IoT)-enabled ship; and
5.2.1.10 Onboard sensors that facilitate wheelhouse automation, alerting, and IoT transmission.  
5.2.2 Many of these systems are critical to mariners while at sea. If any of said systems failed or were compromised while at sea because of a cyberattack, then the ship and its security could be compromised.  
5.3 By adopting these practices, mariners and shoreside employees at all levels of the organization should be able to identify potential threats or risk factors, as well as the abnormal indications that show a cyberattack underway.  
5.4 Cyberattacks can occur in multiple forms including, but not limited to, the foll...
SCOPE
1.1 This guide addresses the company or government organizational need to mitigate the likelihood of cyberattacks and reduce the extent of potential cyberattacks, which can leave sensitive personal data, corporate information, and critical infrastructure vulnerable to attackers.  
1.2 These recommendations are meant to serve as a guideline for corporate and government organizations to adopt for the protection of sensitive personal information and corporate data against hackers.  
1.3 Cybersecurity and cyberattacks are not limited to the maritime industry. With greater advancement in computer and information technology (IT), cyberattacks have increased in frequency and intensity over the past decade. These advancements provide hackers with more significant tools to attack vulnerable data and communication infrastructures. Cyberattacks have become an international issue to all governments and companies that interact with each other.  
1.4 Cybersecurity and the safety of cyber-enabled systems are among the most prevailing issues concerning the maritime industry as well as the global economy. Cyberattacks could affect the flow of trade or goods, but operator errors in complex, automated systems may also cause disruptions that may be mitigated with proper policies and personnel training.  
1.5 This guide is meant to provide strategies for protecting sensitive data onboard vessels and offshore operations.  
1.6 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.  
1.7 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides ...

General Information

Status: Published
Publication Date: 30-Nov-2017
Effective Date: 01-Dec-2017

Overview

ASTM F3286-17 - Standard Guide for Cybersecurity and Cyberattack Mitigation provides essential recommendations for organizations in the maritime industry to address and reduce the risks associated with cyberattacks. Developed by ASTM International, this guide supports both corporate and government entities in maintaining the security and integrity of critical information systems present on vessels and related maritime infrastructure. The increasing interconnectedness and technological advancement of shipboard and onshore systems have created new vulnerabilities that require standardized strategies for protection, event mitigation, and personnel training.

By implementing the practices outlined in ASTM F3286-17, maritime organizations can safeguard sensitive data, comply with regulatory mandates, and sustain operational efficiency. This standard emphasizes the importance of a robust cybersecurity framework to support safe and reliable maritime operations in today’s digital ecosystem.

Key Topics

  • Risk Assessment & Management: Establishes the need for systematic identification, analysis, and prioritization of cyber risks affecting shipboard and onshore information systems.
  • Vulnerability Awareness: Addresses the increasing threats to maritime-specific systems such as cargo management, bridge, propulsion, machinery control, crew welfare, and IoT devices.
  • Access Controls: Recommends implementing role-based access, limiting system and data access to only those individuals with a defined operational need.
  • Incident Detection & Reporting: Guides organizations in defining procedures for detecting abnormal activities, and outlines effective reporting procedures according to the scale of cyber incidents.
  • Training and Awareness: Emphasizes comprehensive workforce training for mariners and shoreside staff to recognize, prevent, and respond to cyber threats and attacks.
  • Cybersecurity Policies: Stresses the importance of clear cybersecurity policies, including information security management systems (ISMS), use of personal devices, and regular software updates.
  • Partnerships and Information Sharing: Encourages collaboration with national and international agencies and adoption of initiatives like the Department of Homeland Security’s Automated Indicator Sharing (AIS) to enhance threat intelligence.

Applications

ASTM F3286-17 is particularly relevant for entities engaged in maritime operations and logistics, including:

  • Ship owners and operators: Implementing solutions for data protection and resilience of both IT and operational technology (OT) systems onboard.
  • Port authorities and offshore platforms: Integrating cybersecurity into infrastructure to protect critical operations and sensitive data during port and maritime activities.
  • Maritime regulatory bodies: Using these guidelines to establish and audit minimum cybersecurity practices, ensuring compliance with evolving global regulations.
  • Crew and personnel management: Applying targeted training programs to reduce human error, increase cyber awareness, and bolster a culture of continuous vigilance against cyber threats.
  • Third-party vendors and suppliers: Ensuring secure practices in remote access, software upgrades, and integration of equipment on maritime networks.

These applications deliver practical value by enabling maritime organizations to:

  • Minimize disruptions from cyber incidents,
  • Protect business-critical and safety-critical systems,
  • Enhance compliance with cybersecurity regulations,
  • Safeguard sensitive corporate and personal information,
  • Build organizational resilience and maintain operational continuity.

Related Standards

Organizations seeking to implement or benchmark best practices based on ASTM F3286-17 may also consider the following related standards and guidelines:

  • NIST SP 800-82: Guide to Industrial Control Systems (ICS) Security
  • NIST Cybersecurity Framework: Framework for Improving Critical Infrastructure Cybersecurity
  • BIMCO Guidelines: Guidelines on Cyber Security Onboard Ships
  • IMO Interim Guidelines: Maritime Cyber Risk Management
  • ABS Guidance Notes: Application of Cybersecurity Principles to Marine and Offshore Operations
  • USCG Cyber Strategy and related policies for reporting and managing maritime cyber incidents

ASTM F3286-17 plays a significant role in enhancing the cybersecurity posture of the global maritime industry, ensuring safe and secure operations across vessels, ports, and offshore platforms worldwide.

Document

ASTM F3286-17 - Standard Guide for Cybersecurity and Cyberattack Mitigation, English language (8 pages)


Frequently Asked Questions


ASTM F3286-17 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

ASTM F3286-17 has the following relationship with other standards: it has inter-standard links to ASTM D8320-21. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.


Standards Content (Sample)

This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.

Designation: F3286 − 17 (An American National Standard)

Standard Guide for Cybersecurity and Cyberattack Mitigation

This standard is issued under the fixed designation F3286; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.
1. Scope

1.1 This guide addresses the company or government organizational need to mitigate the likelihood of cyberattacks and reduce the extent of potential cyberattacks, which can leave sensitive personal data, corporate information, and critical infrastructure vulnerable to attackers.

1.2 These recommendations are meant to serve as a guideline for corporate and government organizations to adopt for the protection of sensitive personal information and corporate data against hackers.

1.3 Cybersecurity and cyberattacks are not limited to the maritime industry. With greater advancement in computer and information technology (IT), cyberattacks have increased in frequency and intensity over the past decade. These advancements provide hackers with more significant tools to attack vulnerable data and communication infrastructures. Cyberattacks have become an international issue to all governments and companies that interact with each other.

1.4 Cybersecurity and the safety of cyber-enabled systems are among the most prevailing issues concerning the maritime industry as well as the global economy. Cyberattacks could affect the flow of trade or goods, but operator errors in complex, automated systems may also cause disruptions that may be mitigated with proper policies and personnel training.

1.5 This guide is meant to provide strategies for protecting sensitive data onboard vessels and offshore operations.

1.6 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.

1.7 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.

2. Referenced Documents

2.1 Federal Standards:
46 CFR 140.910 Equipment

3. Terminology

3.1 Definitions:

3.1.1 access control, n—practice of selective limiting of the ability and means to communicate with or otherwise interact with a system, use system resources to handle information, gain knowledge of the information the system contains, or control system components and functions.

3.1.2 application programming interface, API, n—set of routines, protocols, and tools for building software and applications.

3.1.3 botnet, n—number of internet-connected computers communicating with other similar machines in which components located on networked computers communicate and coordinate their actions by command and control or by passing messages to one another.

3.1.4 capability, n—ability to execute a specified course of action.

3.1.5 communications, n—means for a vessel to communicate with another ship or an onshore facility.

3.1.6 compression, n—reduction in the number of bits needed to store or transmit data.

3.1.7 cybersafety, n—guidelines and standards for computerized, automated, and autonomous systems that ensure those systems are designed, built, operated, and maintained so as to allow only predictable, repeatable behaviors, especially in those areas of operation or maintenance that can affect human, system, enterprise, or environmental safety.

3.1.8 cybersecurity, n—activity or process, ability or capability, or state whereby information and communication systems and the information contained therein are protected from and defended against damage, unauthorized use or modification, or exploitation.

This guide is under the jurisdiction of ASTM Committee F25 on Ships and Marine Technology and is the direct responsibility of Subcommittee F25.05 on Computer Applications. Current edition approved Dec. 1, 2017. Published January 2018. DOI: 10.1520/F3286-17.

Available from U.S. Government Printing Office, Superintendent of Documents, 732 N. Capitol St., NW, Washington, DC 20401-0001, http://www.access.gpo.gov.

Copyright © ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States
3.1.9 data assurance, n—perception or an assessment of data's fitness and integrity to serve its purpose in a given context.

3.1.10 data, n—quantities, characters, or symbols on which operations are performed by a computer being stored and transmitted in the form of electrical signals and recorded on magnetic, optical, or mechanical recording media.

3.1.11 detection processes, n—methods of detecting intrusions into computers and networks.

3.1.12 encryption, n—conversion of electronic data into another form called ciphertext, which cannot be easily understood by anyone except authorized parties.

3.1.13 exposure, n—measure of a system at risk that is available for inadvertent or malicious access.

3.1.14 firewall, n—logical or physical break designed to prevent unauthorized access to information technology (IT) infrastructure and information.

3.1.15 file transfer protocol, FTP, n—standard network protocol used to transfer computer files between a client and server on a computer network.

3.1.16 flaw, n—unintended opening or access point in any software.

3.1.17 human system, n—interaction and contact between a human user and a computer system.

3.1.18 hypertext transfer protocol, HTTP, n—primary technology protocol on the web that allows linking and browsing.

3.1.19 hypertext transfer protocol over secure socket layer, HTTPS, n—protocol to transfer encrypted data over the web.

3.1.20 information technology, IT, n—equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.

3.1.21 internet of things, IoT, n—internetworking of physical devices, such as vessels, vehicles, buildings and other items embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data.

3.1.22 information security management system, ISMS, n—set of policies with information security management or IT-related risks.

3.1.23 local area network, LAN, n—computer network that interconnects computers within a particular area and does not connect to the internet; this applies to onboard ship networks.

3.1.24 machinery control systems, MCS, n—IT systems that report operating parameters or control operation of equipment, which commonly use programmable logic controllers (for example, fuel tank level indicators or throttle control systems).

3.1.25 network, n—infrastructure that allows computers to exchange data by wireless or cable network interactions.

3.1.26 operational technology, OT, n—information system used to control industrial processes such as manufacturing, product handling, production, and distribution.

3.1.26.1 Discussion—Industrial control systems include supervisory control and data acquisition (SCADA) systems used to control geographically dispersed assets, as well as distributed control systems (DCSs) and smaller control systems using programmable logic controllers to control localized processes.

3.1.27 original equipment manufacturer, OEM, n—company that makes parts or subsystems that are used in another company's end product.

3.1.28 phishing, v—sending e-mails to a large number of potential targets asking for particular pieces of sensitive or confidential information.

3.1.28.1 Discussion—Such an e-mail may also request that an individual visits a fake website using a hyperlink included in the e-mail.

3.1.29 programmable logic controller, PLC, n—digital computer used for automation of industrial electromechanical processes.

3.1.30 ransomware, n—malware that encrypts data on systems until the distributor decrypts the information.

3.1.31 remote desktop protocol, RDP, n—proprietary protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection.

3.1.32 resilience, n—characteristics that enable a system to resist disruption and adapt to minimize the impact of disruptions.

3.1.33 risk, n—potential or threat of undesired consequences occurring to personnel, assets, or the environment as a result of vulnerabilities in systems, staff, or assets.

3.1.34 risk assessment, n—process that collects information and assigns values to risks for informing priorities, developing or comparing courses of action, and informing decision making.

3.1.35 risk management, n—process of identifying, analyzing, assessing, and communicating risk and accepting, avoiding, transferring, or controlling it to an acceptable level considering associated costs and benefits of any actions taken.

3.1.36 router, n—device that forwards data from one network to another network regardless of physical location.

3.1.37 scanning, v—procedure for identifying active hosts or potential points of exploit or both on a network, either for the purpose of attacking them or network security assessment.

3.1.38 sensitive information, n—any digital data that can be classified as private or corporate not meant for public access.

3.1.39 social engineering, n—nontechnical technique used by potential cyberattackers to manipulate insider individuals into breaking security procedures, typically, but not exclusively, through interaction via social media.

3.1.40 social media, n—computer-mediated online tools that allow people, companies, and other organizations, including nonprofit organizations and governments, to create, share, or exchange information, career interests, ideas, and pictures/videos in virtual communities and networks.
F3286 − 17
3.1.41 software, n—intellectual creation that represents the ments and need to know. For good practice, human and
real world as data and uses logic, that, when translated into machine access to sensitive information should be kept to a
electronically readable code and run on a computer, processes minimum level. Access needs for third parties (for example,
the data, allowing the requirements placed on the software to maintenance personnel, consultants, service engineers, and any
be realized in the real world. non-crew personnel) should be addressed in company or
government policies and procedures, or both.
3.1.42 Subchapter M, n—U.S. Coast Guard (USCG) regu-
lations that legally define rules for the inspection, standards,
4.4 Companies and governments may use cybersecurity
and safety policies of towing vessels.
training programs to educate the shoreside employees and
mariners of the organization. Training programs and materials
3.1.43 transportation worker identification credential,
should provide useful tools and strategies to:
TWIC, n—provides a tamper-resistant biometric credential to
4.4.1 Reduce or prevent human errors in automated systems
maritime workers requiring unescorted access to secure areas
of port facilities, outer continental shelf facilities, and vessels regulated under the Maritime Transportation Security Act of 2002 (MTSA) and all USCG credentialed merchant mariners.

3.1.44 water holing, v—establishing a fake website or compromising a genuine site to exploit visitors.

3.1.45 wide area network, WAN, n—network that can cross regional, national, or international boundaries.

3.1.46 wi-fi, n—all short-range communications that use electromagnetic spectrum to send and receive information without wires.

4. Summary of Guide

4.1 The maritime industry is globalized. Shipping occurs across the world, transporting goods to different nations and continents. Technology integration onboard seagoing ships and vessels has increased the quality and reliability of communications, data recording, navigation, and record keeping. Wherever ships and marine craft go, there is a potential for cyber-enabled systems to impact ship operations and crew safety. At times, these impacts can emerge from human error or deliberate actions.

4.2 Commercial pressures and demands for efficiency and speed, as well as more control over shipboard systems, create the need for integrated systems that may be subject to misuse, abuse, or illicit access. Table 1 provides an overview of the motivation and impacts of a cyberattack.

TABLE 1 Impacts of Cyberattack^A

Group | Motivation | Objective
--- | --- | ---
Activists (including disgruntled employees) | Reputational damage; disruption of operations; media attention | Destruction of data; publication of sensitive data
Criminals | Financial gain; commercial espionage; industrial espionage | Selling stolen data; ransoming stolen data; ransoming system operability; arranging fraudulent transportation of cargo
Opportunists | The challenge; financial gain | Getting through cyber security defenses
States, state-sponsored organizations, terrorists | Political gain; espionage | Gaining knowledge; disruption to economies and critical national infrastructure

^A Courtesy of BIMCO, Guidelines on Cyber Security Onboard Ships, February 2016.

4.3 Companies and governments that operate or own seagoing vessels should adopt measures and practices that will shape personnel and system access according to job require-

operations that could affect safety, correct system function, or ship data; and

4.4.2 Identify when a cybersecurity event occurs and how to stop or prevent one from happening.

4.5 Any implemented training program should apply to all members, shoreside employees, and mariners of a government or company operating seagoing vessels. Training programs should begin at the top of an organization and work through to the bottom, thus following a hierarchical approach and response to cyber-system events and their impacts on the company, ship, or organization.

4.6 Training programs should focus on and follow a general procedure including the following steps:
4.6.1 Risk identification,
4.6.2 Risk detection,
4.6.3 Protection of personnel and vulnerable or critical infrastructure,
4.6.4 Mitigate effects of cyberattack,
4.6.5 Recover stolen or lost data, and
4.6.6 Restoration of systems to fully operational status.

4.7 Ship systems have become increasingly integrated with navigation, communications, recordkeeping, logistical data, corporate data, personal data, and ship-operating systems. These systems may be running on the same information infrastructure. With this interconnectedness come complexities and interdependencies that can result in unexpected vulnerabilities. Even systems that use air gaps for security, such as machinery control systems, may be vulnerable to errors and attacks because of contamination with malware or malicious
code from diagnostic equipment. Vulnerabilities that present openings to outside connections can become weaknesses. So, it is vital for organizations to understand the origins of system vulnerabilities and likely means of attack.

4.8 As technology advances, IT systems require greater attention and resources to sustain and maintain them for continued operations and system reliability. Many older IT systems, especially in the maritime industry, use outdated technology that can endanger the confidentiality, integrity, and availability of data, therefore creating previously undetected cyber risks and vulnerabilities.

4.9 In the United States, recent cybersecurity legislation passed by Congress and authorized by the President has begun to address the rapidly growing concerns for cybersecurity and points towards the development of new technologies for government agencies and private industry in the years ahead.

4.10 Governmental regulations, such as Subchapter M, 46 CFR 140.910, now permit and encourage the use of electronic records in addition to or in lieu of manual logging. The move to electronic recordkeeping and the sensitivity of the information these records contain impose new challenges to the secure access of the information, the sharing of the information with inspectors and auditors, the media on which this information is securely stored and backed up, and the methods required to access the information in a secure manner.

5. Significance and Use

5.1 To maintain the integrity of potentially vulnerable information systems while the vessel is at sea or in port, strategies and procedures can be used by every company, organization, and ship. Mitigating potential cyberattack events will allow for a better economic environment through secure consumer, employee, and corporate data. Informational infrastructure between ships, platforms, and onshore facilities is more interconnected today than a decade ago. The long-term health and economic viability of ship owners and operators depend on establishing and maintaining security that can be measured and monitored.

5.2 With the increase in cyberattacks in recent decades, maritime-based companies and governments have cited a need to update and train their workforce to mitigate the loss of data or intellectual theft from onboard systems.

5.2.1 Vulnerable onboard systems can include, but are not limited to:
5.2.1.1 Cargo management systems;
5.2.1.2 Bridge systems;
5.2.1.3 Propulsion and machinery management and power control systems;
5.2.1.4 Access control systems;
5.2.1.5 Passenger servicing and management systems;
5.2.1.6 Passenger facing pu

5.2.2 Many of these systems are critical to mariners while at sea. If any of said systems failed or were compromised while at sea because of a cyberattack, then the ship and its security could be compromised.

5.3 By adopting these practices, mariners and shoreside employees at all levels of the organization should be able to identify potential threats or risk factors, as well as the abnormal indications that show a cyberattack underway.

5.4 Cyberattacks can occur in multiple forms including, but not limited to, the following practices:
5.4.1 Social engineering,
5.4.2 Phishing,
5.4.3 Waterholing,
5.4.4 Ransomware,
5.4.5 Scanning,
5.4.6 Spear-phishing,
5.4.7 Deploying botnets, and
5.4.8 Subverting the supply chain.

5.5 These suggested strategies extend to all individuals of a corporation, government, or organization. By adopting a basic and developed capability to defend from cyberattacks, mariners can continue proper practices out at sea while feeling confident that safety critical systems, business-critical data, personal data, and records are safe.

5.6 In the event of system error, or in the case of cyberattack or infection, any files required to rebuild or repair a personal computer (PC)-based onboard system shall be on the ship already rather than from off-board sources using satellite communications systems. Most vessels currently do not have operating system disks onboard, let alone proprietary software, drivers, or patches. This connectivity constraint and lack of multiple failsafe outputs also provide a single point of failure and vulnerability. In the future, system software and firmware may be kept current with over-the-air updates, which shall be encrypted.

5.7 There are cross-system considerations that shall be considered for cyber-enabled ships. They may include such factors as:
5.7.1 Human-system interfaces;
5.7.2 Software availability, versions, and licensing;
5.7.3 Network and communications, including remote access methods;
5.7.4 Data trustworthiness and availability (that is, data assurance);
5.7.5 Diagnostic and evaluation equipment that may be required to diagnose system problems;
5.7.6 Cybersecurity, especially as it applies to safety critical and ship critical systems; and
5.7.7 Onboard sensors and IoT infrastructure that provide data for ship operations and command decisions.
...
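The requirement in 5.6 can be made checkable. As an added example that is not part of the standard, shore IT publishes a MAC-protected manifest of the files needed to rebuild a PC-based onboard system, and the ship verifies that each listed file is present and unmodified before it is needed, rather than discovering gaps while downloading over satellite (the MAC supplies the integrity that encryption of an update alone does not). File paths, contents and the shared key below are constructed placeholders.

```python
"""Verify an onboard recovery inventory against a MAC-protected manifest.

Added example (not from the standard). Demonstrates the 5.6 requirement
that files needed to rebuild a PC-based onboard system are already on the
ship and intact, rather than fetched over satellite during an incident.
"""
import hashlib
import hmac
import json

# Constructed sample inventory: path -> file contents as they exist onboard.
# Names and contents are placeholders, not real vendor artefacts.
SAMPLE_FILES = {
    "os/install.iso": b"constructed operating system installer image",
    "drivers/bridge_nic.sys": b"constructed network driver",
    "patches/cumulative-2017-03.msu": b"constructed cumulative patch",
}
MANIFEST_KEY = b"constructed-shared-key"  # hypothetical key shared with shore IT


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, key: bytes) -> dict:
    """Shore side: list required files with their hashes and MAC the list,
    so that a tampered manifest cannot silently drop a required file."""
    entries = {path: sha256_hex(data) for path, data in files.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def check_inventory(manifest: dict, onboard: dict, key: bytes):
    """Ship side: return (ok, missing, corrupted).

    ok is False when the manifest MAC fails (nothing else is trusted then),
    when any listed file is absent, or when a present file's hash differs.
    """
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, [], []
    missing = [p for p in manifest["entries"] if p not in onboard]
    corrupted = [p for p, h in manifest["entries"].items()
                 if p in onboard and sha256_hex(onboard[p]) != h]
    return (not missing and not corrupted), missing, corrupted


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES, MANIFEST_KEY)
    print(check_inventory(manifest, SAMPLE_FILES, MANIFEST_KEY))  # (True, [], [])
```

Run the check on a schedule and before any planned maintenance so a missing or altered file is flagged while the vessel can still obtain a replacement in port.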
