Ben Densham, Chief Technology Officer at Nettitude, critiques compliance-driven policy and offers a more strategic approach with LR and Nettitude’s Cyber Security ShipRight Procedures.
With the IMO cyber security deadline fast approaching, the issue of security is high on the agenda for owners and operators across marine and offshore. Nearly four years on from the issuance of IMO’s Guidelines for Maritime Security Management, the deadline is upon us. From 1 January 2021, administrations will be looking to owners and operators to demonstrate, in their Documents of Compliance, that action has been taken to implement the necessary cyber security measures.
While these remain ‘strong recommendations’ at present, there’s no doubt that Flag Authorities have got behind the proposals, with most looking for some evidence of adoption: not just in terms of developing an initial plan, but in demonstrating that those plans are executed, that risks are being addressed and that wider cyber risk strategies are evolving.
Strategy, security or compliance?
To my mind, this ‘strategy’ point is the most important. Here at Nettitude, we consult across the industry spectrum – in marine and offshore, critical national infrastructure, financial services and others – to help clients mitigate cyber risk. While there are certainly differences in levels of regulation, the precise nature of the threats and so on in each industry, the one constant is the need to plan ahead.
Cyber-attacks are continually growing in number and sophistication, while the push towards digital transformation is increasing the attack surface as organisations become ever more connected. In this fast-paced arena, keeping an eye on the future and having an effective, long-term strategy is critical to protecting your operations.
We should also be thinking about security in broader terms. Compliance with cyber regulations is critical for any regulated organisation, but it won’t always mean the business is protected from the multiplicity of emerging threats. And what happens when regulations are unclear or, as is the case in marine and offshore, are more recommendations than obligations?
While it’s certainly important to demonstrate adherence to IMO’s 2021 guidance in the shorter term, the focus should be on developing cyber resiliency across the organisation. In this way, by bringing information security, business continuity and operational resilience together, organisations can ensure relevant protections and policies are in place to continually adapt to the dynamic threats they face. In short, security is more effective when it’s an ongoing state of being, rather than a ‘point in time’ paper assessment.
The challenges of securing cutting edge and legacy
The marine and offshore sector is a great case in point. Vessels and assets being designed and built today will have operating lives of 30-40 years, and are increasingly sophisticated, connected (and autonomous). While we have a clear idea of the type of attacks these vessels will face in the near term, it’s impossible to predict, with any level of certainty, what they’ll face in a decade or two’s time. Neither can we accurately anticipate what rules and regulations will be issued to address these emerging threats. It makes sense, then, to develop an agile and flexible cyber resiliency strategy that’s capable of addressing both today’s threats and whatever comes next.
But asset owners and operators aren’t starting from a blank sheet of paper. We have multiple generations of vessels operating today. While the level of threat will be significantly lower for these less-digital assets, there will be risks – particularly as assets are modified and go for refit. So it’s important to look back as well, and take appropriate remedial action as required.
The impact of Cyber Security ShipRight Procedures
All of this is easier said than done, of course. Cyber risk management is a complex field. Simply understanding the threat profile of your vessels, assets and wider corporate environment is a challenging task in itself. To offer support, Nettitude and Lloyd’s Register have created Cyber Security ShipRight Procedures, part of our wider ShipRight Procedures, with the aim of simplifying the process and providing the assurance the industry needs.
Launched in 2019, and updated in 2020, our Cyber Security ShipRight Procedures are designed to support organisations across the marine and offshore ecosystem – owners and operators, component and equipment manufacturers, shipbuilders and shipyards.
Focusing on two key areas, these comprehensive assessments aim to provide effective cyber risk management in design and construction, and during the in-service phase, to:
• Ensure technical designs and architecture proposals for new builds and refits consider maritime cyber security requirements at an early stage.
• Address the real risks relating to cyber and increasing connectivity.
• Allow assessments to be evidence-based, demonstrating outcomes that are reached.
• Be as pragmatic as possible for end clients working on upgrades or refits, particularly in legacy environments where equipment is built to last decades in remote scenarios.
• Include an audit process aligned to ISO 19011 and based around passive audit techniques.
Built around the controls that need to be evidenced in order to meet Class Descriptive Note (DN) requirements, our in-service assessments measure the cyber security maturity of an asset’s on-board processes and controls. Four maturity levels are distinguished: Established confirms a minimum good standard; Enhanced confirms that security best practices are being followed; Accomplished highlights an ability to manage high-level threats; Optimised identifies very mature environments where cyber threats are high (for example, in naval or autonomous vessel scenarios).
It is important to note that the design and construction assessments demonstrate designed capability. Vessels may not then operate at these levels (as assessed under the in-service procedures); rather, this shows they have the potential to do so. Ultimately, this is all about providing a true assessment of cyber security capability to inform both operational and strategic decision-making.
An unconventional approach
In contrast to more traditional assessments, our Cyber Security ShipRight Procedures aim to avoid being too prescriptive. With safety the key priority, for example, it’s not practical to have individual secure password logins to certain bridge control systems, as these must remain accessible at all times. Our approach, therefore, is to measure our assessments on outcomes rather than on whether a particular technical control is implemented. As long as crews can demonstrate an understanding of the risk and how it is being managed in another way, that is good enough.
Similarly, if vessels are already following established industry standards from organisations such as NIST or ISO, these can be incorporated into our assessments, thereby avoiding operators having to double up on regulations or reinvent the wheel.
Securing marine and offshore today and tomorrow
Cyber risk management in general, and Cyber Security ShipRight Procedures in particular, are not limited to owners and operators. Here at Nettitude, we are having an increasing number of conversations with equipment vendors, shipbuilders and shipyards around this issue. Indeed, a growing number of yards are specifying an LR Cyber Security ShipRight certification when selecting equipment vendors – both to understand the levels of security within components, and to offer clients the assurance that security is built in, rather than bolted on, to their new asset.
Ultimately, cyber security is a journey, and we recognise that different operators, manufacturers and shipbuilders have different security objectives, are at different levels of maturity and, of course, have different levels of cyber risk management expertise within their organisations. Here at Nettitude, we are able to meet our clients wherever they are on this journey – whether we are providing services to help hit those regulatory goals, or providing ShipRight Procedures as the catalyst for wider and longer-term strategic assurance.