U.S. ARF Maritime Cybersecurity Resources



To address maritime cyber risk [1], the IMO issued MSC-FAL.1/Circ.3 [2], Guidelines for managing cyber risk, and in June 2017 adopted Resolution MSC.428(98) [3], which requires that a Cyber Risk Management Plan (CRMP) be added to vessel SMS documents by January 1, 2021. This guidance is based on BIMCO's The Guidelines on Cyber Security Onboard Ships [4] and the IMO International Safety Management (ISM) Code [5].


Department of Defense (DoD)

Navigating DoD cybersecurity policies is complicated, if it is even possible.



A New Hope

There is a new framework which aims to drastically simplify the task of navigating cybersecurity compliance for DoD-related projects as they apply to the ARF.

U.S. Coast Guard (USCG)


National Science Foundation (NSF)


White House

Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, May 12, 2021, directs the National Institute of Standards and Technology (NIST) to publish guidelines on vendors’ source code testing.

“Section 4(r) Within 60 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in consultation with the Secretary of Defense acting through the Director of the NSA, shall publish guidelines recommending minimum standards for vendors’ testing of their software source code, including identifying recommended types of manual or automated testing (such as code review tools, static and dynamic analysis, software composition tools, and penetration testing).”


Framework

The Trusted CI framework provides a pragmatic, modern approach to implementing a Cybersecurity Plan.

NIST


CIS controls


Cybersecurity Maturity Model Certification (CMMC)

OUSD(A&S), working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and industry, developed the Cybersecurity Maturity Model Certification (CMMC) [7] framework.

CMMC Level 1


News feeds

  • Threatpost - https://threatpost.com/feed
  • Let's Encrypt - Free SSL/TLS Certificates - https://letsencrypt.org/feed.xml
  • Naked Security - https://nakedsecurity.sophos.com/feed
  • Deeplinks - https://www.eff.org/rss/updates.xml
  • CISA Alerts - https://www.us-cert.gov/ncas/alerts.xml
  • CISA Current Activity - https://www.us-cert.gov/ncas/current-activity.xml
  • CISA Tips - https://www.us-cert.gov/ncas/tips.xml
  • The Hacker News - https://feeds.feedburner.com/TheHackersNews
  • Dark Reading - http://www.darkreading.com/rss/all.xml

Further reading:

  • Cybersecurity 101: Basic Terminology You Need to Know - https://arcticwolf.com/resources/blog/cybersecurity-101-basic-terminology-you-need-to-know
  • The Security Operations Maturity Assessment - https://arcticwolf.com/resources/blog/the-security-operations-maturity-assessment



Cybersecurity Awareness


Security Information and Event Management (SIEM) [15]

Security information and event management (SIEM) is a field within computer security in which software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware. Vendors sell SIEM as software, as appliances, or as managed services; these products are also used to log security data and generate reports for compliance purposes. The term and the initialism SIEM were coined by Mark Nicolett and Amrit Williams of Gartner in 2005. [15]

Areas of Security Monitoring [16]

Each service area below is listed with its service function description and example solutions.

Systems Health Monitoring
  Function: Automation of service availability, capacity, and integrity.
  Solution examples:
  • https://www.zabbix.com/
  • https://www.nagios.org/

Network Traffic Analyzer
  Function: Automation of north-south and east-west network traffic pattern analysis, audit trails and anomaly detection.
  Solution examples:
  • https://zeek.org/
  • https://securityonionsolutions.com/

Intrusion Detection System (IDS)
  Function: A device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system.
  Solution examples:
  • https://suricata-ids.org/
  • https://securityonionsolutions.com/

File Integrity Monitoring (FIM)
  Function: An internal control or process that validates the integrity of operating system and application software files by comparing the current file state against a known, good baseline.
  Solution examples:
  • https://en.wikipedia.org/wiki/File_integrity_monitoring
  • Virus Scanning

Log Analysis
  Function: Automated and consolidated collection of system logs, with analysis and detection of anomalous security or systems health events.
  Solution examples:
  • https://www.elastic.co/logstash
  • https://www.rsyslog.com/

Regulatory Compliance
  Function: Automated detection of regulatory non-compliance events.
  Solution examples:
  • https://documentation.wazuh.com/current/index.html

Vulnerability Scanning
  Function: Automated detection of known security vulnerabilities through active probing and penetration testing.
  Solution examples:
  • https://en.wikipedia.org/wiki/Kali_Linux
  • https://www.tenable.com/products/nessus

Patch Management and Validation
  Function: Automated management of validated and current patch levels for production software and hardware firmware. Verification of patch status for each configuration item / asset.
  Solution examples:
  • https://en.wikipedia.org/wiki/Windows_Server_Update_Services
  • https://support.apple.com/en-us/HT209069
  • APT / YUM / NPM / PIP

Authentication Event Logging
  Function: Automated logging of all user-based and host-based authentication events.

Data Visualization and Analysis
  Function: User interface for quickly querying and visualizing large amounts of data from multiple sources.
  Solution examples:
  • https://securityonionsolutions.com/
  • https://www.elastic.co/what-is/elk-stack
  • https://www.splunk.com/
  • https://www.elastic.co/kibana

Configuration Management / Infrastructure as Code
  Function: Automated integration of system configuration definition, implementation, and documentation. Repeatable, modular, scalable deployment for cyberinfrastructure.
  Solution examples:
  • https://www.ansible.com/
  • https://puppet.com/
  • https://www.chef.io/

Asset Management
  Function: Physical, virtual and digital asset management, with data collection automated as far as possible.
  Solution examples:
  • https://snipeitapp.com/
  • https://documentation.wazuh.com/current/index.html

Identity Management (IdM)
  Function: Source-of-truth identity management database and authentication services.
  Solution examples:
  • https://incommon.org/software/comanage/
  • https://incommon.org/academy/grouper/
  • http://cilogin.org/
  • https://openid.net/what-is-openid/
  • OpenLDAP
  • Microsoft Active Directory

Reading Material

Notable Software Solutions

This site does not promote any vendor products. The following are highlighted based only on familiarity with their feature sets.

Wazuh

Wazuh is a free and open source platform for threat detection, security monitoring, incident response and regulatory compliance. It can be used to monitor endpoints, cloud services and containers, and to aggregate and analyze data from external sources.

Security Onion

Security Onion is a free and open Linux distribution for threat hunting, enterprise security monitoring, and log management. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Services

Run your own for free, or outsource hosting and support.

Zabbix

Zabbix is enterprise-level software designed for real-time monitoring of millions of metrics collected from tens of thousands of servers, virtual machines and network devices. Zabbix is Open Source and comes at no cost.

Asset Management


Identity Management

TBD


About U.S. ARF

Please see more about UNOLS and the U.S. ARF.

Cyberinfrastructure Working Group (CIWG)

The CIWG is a team of loosely federated participants from UNOLS member institutions whose focus is on the shared governance

Satellite Network Advisory Group (SatNAG)

SatNAG is a team of technical experts whose mission is:

To steward the objective, effective and efficient use of ship to shore network resources and optimize positive customer experiences for the UNOLS fleet.


Cloning These Docs

git clone https://satnag.unols.org/scm/git/cybersec/arf-cybersec
cd arf-cybersec

Point your browser to site/index.html


Terminology

  • ARF - Academic Research Fleet
  • ARF’s designated risk acceptor(s) - TBD
  • ARF incident response teams - TBD
  • ARF Network - A general term for any ARF Vessel or Institutional Owned / Operated Network segments.
  • CISO - Chief Information Security Officer
  • CIWG - The U.S. ARF Cyberinfrastructure Working Group provides fleetwide oversight for cyberinfrastructure and cybersecurity related issues.
  • Cyber Security Plan - A formal set of documentation, policies and procedures focused on delivering defined desired outcomes in regards to all aspects of cybersecurity.
  • Cyber Security Policy - A set of policy documents which define permitted, prohibited and required activities in regards to cybersecurity.
  • Cyber Security Program - Those activities which take place to implement a Cybersecurity Plan.
  • Cyber Security Strategy - TBD
  • IP - Intellectual Property
  • IP - Internet Protocol
  • IT - Information Technology
  • NSF - National Science Foundation
  • OmniSOC - A security operations center (SOC) that provides trusted and actionable intelligence to higher education institutions.
  • OT - Operational Technology; a subset of IT dedicated to integrated feedback and control systems, typically operated and maintained by the crew onboard research vessels. OT systems may or may not be connected to internal networks or the Internet. (Necessary for the safe operation of a vessel; permanently installed on the vessel.)
  • Red Phone IR Service - A short-duration, burst-capacity service of skilled cybersecurity staff available to aid in Incident Response once per year for one incident, up to 25 person-hours at no additional charge; it may be leveraged thereafter on a fee-per-hour basis.
  • ResearchSOC - The NSF-funded ResearchSOC helps make scientific computing resilient to cyberattacks and capable of supporting trustworthy, productive research through the operational cybersecurity services, training, and information sharing necessary to a community as unique and variable as research and education (R&E).
  • SatNAG - Satellite Network Advisory Group, a team of technical SMEs who consult on technical decision making for the ARF, initially focused specifically on Satellite Network Communications.
  • SIEM - Security Information and Event Management: Proactive, automated, security event monitoring and reporting.
  • SME - Subject Matter Expert
  • SOC - Security Operations Center
  • vCISO - Virtual CISO; a partial-FTE CISO who acts as the organizational CISO.
  • Virtual Security Team - A full operational security team made up of partial-FTE engineers and/or analysts.
  • VIS - Vulnerability Identification Service

Privacy Policy

This website does not collect or use personal information for user tracking or advertising purposes.
Browser client IP address information is collected and retained for a period in the server logs for administrative and cybersecurity purposes.
Cookies and browser session storage are used on this site to improve user experience and facilitate the functionality of this website.

TODO