A new cyber security component has been incorporated into the third edition of Tanker Management and Self Assessment: A Best Practice Guide (TMSA3), released by the Oil Companies International Maritime Forum in 2017. The cyber security component is directly addressed in two of the performance elements: management of change (element 7) and marine security (element 13).
For each element in TMSA3, tanker operators should carry out a self-assessment and rate themselves (their safety management systems, operations and practices) against the key performance indicators (KPIs) defined in TMSA3. We want to support you in implementing the new cyber security component and help you to provide documentation of compliance, whether that be achieving the minimum expected level or going above and beyond and achieving level 4.
To support the implementation of the new cyber security component found in TMSA3 (requirements 7 and 13), we have identified potential phases that can be followed and tailored to your specific needs. These start from the achievement of the minimum expected level (level 1) and can ultimately bring the company to the full achievement of the management of changes and marine security objectives, which are identified as level 4 by TMSA3.
What we offer
Cyber security procedures definition
We will you with a number of supporting documents. These are generic documents based on good industry practice. As part of a one-day workshop, we will show you how to tailor these to suit the operational model of your business. Should additional support be required after the workshop, this can be discussed and a pricing agreement reached.
An example risk assessment will be provided, showing how to assess the threats and apply mitigating controls. This would be a standard template showing the approach to and methodology for conducting a risk assessment. Standard assets will be pre-populated, which would have to be tailored to suit your business model. After instruction provided by the consultants, you would need to populate the compensating controls within the template to mitigate the identified risks.
Cyber security procedures audit
We can undertake an audit of cyber security procedures based at your HQ. The audit would be undertaken by an ISO 27001-qualified auditor, and the scope of the audit will be agreed with you and will be based on a selection of agreed controls, as opposed to every control. This will ensure that the audit be completed in one day.
The main aim of our onboard audit is to determine the effectiveness of the ship’s security measures, policies, procedures and preparedness for cyber-related incidents. The audit will determine whether controls, processes and procedures conform to the requirements of the TMSA3 standard, whether the policies and procedures are effectively implemented and maintained, and if they perform as expected.
Vulnerability assessment will be delivered on computer based systems (navigation, cargo control, power management, communication, etc.), ship networks and any automation on board the selected vessel(s). If a specific goal is identified you, penetration testing can also be performed. Penetration testing is the attempt to actively exploit weaknesses in the environment from the perspective of an attacker with direct access to the network being tested.
Why choose LR?
We provide independent assurance and expert advice to companies operating high-risk, capital intensive assets in the marine, energy and transportation sectors, and we have a unique insight into ship and cyber security. We know both the operational technology systems that drive performance and the information technology platforms. We understand the changing regulations being faced by the industry and we know how to deliver a cost-effective solution while reducing our clients’ vulnerability to cyber threats. Our work helps to ensure that your assets and processes are secure, safe, sustainable and compliant with the regulations.
Complete your details below to download our TMSA brochure
What we think
LR's experts regularly share their research and insights.