What are the best options for securing remote connections on ship and offshore systems? Which operational technology on board is most vulnerable to cyber-attacks? DNV GL has published a Recommended Practice (RP) on “Cyber Security Resilience Management” to help the industry address potential cyber hazards. Developed in cooperation with customers, the RP provides guidance on risk assessment, general improvements to cyber security, and the verification of security improvements and management systems.
“With ships and mobile offshore units becoming increasingly reliant on software-dependent systems, cyber security is an important operational and safety issue for the maritime world,” said Knut Ørbeck-Nilssen, CEO of DNV GL – Maritime, in his presentation at the DNV GL press conference at the SMM trade fair in Hamburg today.
The RP covers some of the most common threats to maritime assets, such as vulnerabilities in the electronic chart display and information system (ECDIS), the manipulation of AIS tracking data, as well as jamming and spoofing of GPS and other satellite-based tracking systems.
The Recommended Practice differentiates between unintentional infections and targeted threats. Unintentional infections include incidents such as software infections through malware as well as weaknesses in software, which can be caused by the misconfiguration of equipment and software, or faulty software designs. Targeted threats include external cyber-attacks by hackers, who can infiltrate systems through phishing, social engineering, or by exploiting weaknesses in control systems. This category also looks at the possibility of cyber-attacks by disgruntled employees and their ability to circumvent physical access controls.
To help the industry prepare for compliance with internationally recognized standards, the RP provides guidance on how to apply ISO/IEC-27001 and ISA-99/IEC-62443. ISA-99/IEC 62443 is the recognized standard for the security of industrial control systems in the operational technology (OT) domain of organizations. Certification to the ISO/IEC-27001 standard demonstrates that a company has a process-driven approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving its information security management system. DNV GL offers certification to ISO/IEC-27001, as well as to the ISO-22301 standard for business continuity management, which demonstrates a business's preparedness for a major incident or disaster.
In addition to the RP, DNV GL has developed a wide range of services, in close collaboration with several major ship owners, aimed at enhancing the cyber security of their assets. DNV GL’s Maritime Academy offers e-learning modules aimed at increasing awareness of cyber security related issues among crews and shore staff. “Studies have found that the human element still accounts for 90 per cent of all cyber security breaches; this means that regular trainings and awareness campaigns are central to any cyber security initiative,” said Knut Ørbeck-Nilssen.