Risks and emergencies

Preparing against the cyber threat

cyber_security_elearning

Cyber security is typically considered a technical issue. But reality shows that the human element is a key parameter that needs to be considered. Awareness is in the focus of every requirement of the industry.

Over the past years there is a continuous increase of interest in Shipping companies to becoming more cyber resilient, while many stakeholders are producing guidelines and requirements. Last year, TMSA3 brought the first clear requirement on Cyber Security (commercial), pushing tanker managers to improve significantly and in practice. Now, as per IMO requirements, all vessels need to be prepared for Cyber Security by January 2021. This is the first statutory requirement that will push all commercial vessels to become more cyber resilient.

But, what is the reason everyone started talking about Cyber Security. The truth is that the maritime industry came a bit late on the train, while other industries have been dealing with cyber risk for many years now. Nowadays, with vessels becoming more and more connected and relying on automation, safety and efficiency are improved but we need to pay attention to the cyber risk. You may get more information by watching our webinar.
And dealing with cyber risk is complex but not a superhuman task. DNV GL has issued the Recommended Practice RP-0496 to aid managers and owners with untangling this knot. Based on real feedback from actual projects with vessels and offices, we have developed a thorough document describing the steps towards improving cyber resilience. DNV GL Maritime advisory offer a wide range of services on Cyber Security (more info here).

A basic part of our recommended practice is the 3-pillars approach. A solid construct of Cyber Security relies on 3 pillars:

  • Technology: Software and hardware that act as barrier or mitigate the cyber threat. Usually covered by the IT department.
  • Processes: All the policies and procedures that define who should do what and when. For example, the crew needs to know what to do when they identify a problem with ECDIS.
  • People: The end-user is critical for the entire operation, as the human element can always affect the level of cyber security significantly.

It is evident, that having in place one or two of the above pillars and missing the third is a large gap. For example, having the best technological solution on-board, and a very extensive and solid management system in place, will not help if the crew operating vessel have no idea what the cyber threats are and how to protect themselves and the vessel. Another important element is to identify the critical systems on-board the vessels, which may be split in two categories, namely IT (Information Technology) and OT (Operation Technology). The latter, OT systems, are all the machinery systems that rely on software to operate, e.g. ECDIS, GPS, Data logger, Remote control.

At the moment, these pose the red flag of the industry when it comes to Cyber Security. Mainly for the below reasons:

  • IT systems were typically covered by IT departments, but not OT.
  • The risk assessment and cyber security enhancement requires expertise from a blend of departments, namely IT, Technical, Crew, HSQE.
  • Currently, many vendors do not provide certified cyber secure solutions.
This requires many non-IT people to acquire new knowledge on the cyber risks so as to aid in this cross-departmental effort. Based on DNV GL experience, agreeing with the guidelines and requirements from all stakeholders (OCIMF, BIMCO, IMO), crew and office personnel awareness is one of the most critical items, and one of the largest gaps currently in the industry. Both commercial and statutory requirements focus on general awareness of the entire workforce of a company.

To meet this exact need DNV GL Maritime Academy is offering following training solutions both aimed at the marine personnel who wants to improve their understanding of Cyber Risk (and both complying with TMSA 3 element 13 and 13.2.4 KPI/best practice):

On top of above DNV GL Advisory has also developed a customized training solution, that within one day covers all the employees in three to four 1 hour sessions, leading to a company wide certificate on general awareness of cyber security.

For more information please contact your DNV GL Maritime Academy.