“Whether in machinery, navigation or communication systems, programmable control systems are a longstanding and essential part of ships and offshore units, but the increasing integration and connectivity of these systems represents an ever-larger target for cyber-security threats,” said Knut Ørbeck-Nilssen, CEO of DNV GL – Maritime. “As all programmable components are theoretically vulnerable to cyber security threats we have set out, with the new Cyber secure class notations, to offer owners and operators a framework to improve and demonstrate their cyber resilience.”
The Cyber secure class notations have three different qualifiers: Basic, Advanced and +. Basic is primarily intended for ships in operation, while Advanced has been designed to be applied throughout the newbuilding process, with requirements for asset owners and operators, system integrators (e.g. yards), and equipment manufacturers. The Basic and Advanced qualifiers cover a number of essential systems, including propulsion, steering, navigation, and power generation. The third qualifier, +, is intended for systems that are not part of the default scope of Basic/Advanced. This gives owners and operators the flexibility to identify the threats, assess, and secure extra systems which are of particular importance to their operations.
The Cyber secure class notations build on DNV GL’s Recommended Practice (DNVGL-RP-0496) on cyber security and extends to the cyber security assessment of control system components type approval program DNVGL-CP-0231, with which makers can now demonstrate the security of their systems through an independent verification process.
DNV GL has also developed a wide range of services in close collaboration with several major ship owners aimed at enhancing the cyber security of their assets. Through its Maritime Academy, DNV GL offers both classroom training and e-learning modules aimed at developing customised working cyber risk management methodologies and increasing the awareness for cyber security related issues among crews and shore staff. DNV GL also helps customers measure the awareness level of crews and shore staff via penetration testing, which is offered not only on the technical level (penetration testing of business networks, computers and onboard machines) but also at the human level. Using social engineering techniques DNV GL can design friendly phishing campaigns, helping customers understand the awareness levels within their company and fine-tune the level and frequency of cyber awareness training.
In addition, DNV GL recently worked with the P&I Club Gard on a video to build awareness and competence among crews and others. It focuses on daily tasks and routines, and aims to de-mystify the cyber security issue as well as providing concrete recommendations on how to prevent cyber incidents. The video can be found here: dnvgl.com/csvideo.