Cyber safety and cyber security are clearly significant concerns for shipowners and operators who must rely on the equipment that is installed on their vessels being cyber-secure.
Some class societies already offer assessment schemes for equipment manufacturers and one of them, ABS, issued a new version, dubbed Volume 7, of its ABS CyberSafety for Equipment Manufacturers guide in October and held a related webinar last week (20 November).
For me, the obvious question is whether there is any evidence that equipment from a certified provider is less vulnerable than that from a non-certified provider, so I asked that question during the Q&A. Paul Walters, who was the guide’s principal author and is ABS’ subject matter expert on software quality and operational technology cybersecurity, said that, as yet, there is no evidence to demonstrate that.
At first hearing, that worried me. But on reflection it may be because – as with safety-related equipment and attitudes – it is impossible to know of incidents that they have prevented. Nonetheless, ABS has “confidence in them that they will do a more thorough job” because their policies, procedures and much else besides have been checked for cyber security concerns, supplemented by annual follow-up checks.
The webinar was aimed at equipment manufacturers and another attendee was concerned that different class societies have different requirements for cyber safety and that “conforming to all will be difficult”. This is something that is being discussed within the International Association of Classification Societies (IACS), replied Demetri Stroubakis, global market lead for equipment and materials at ABS, but no outcomes from those discussions are yet in effect and no timetable for their conclusion has been disclosed, he said.
It is worth recalling that, as ShipInsight reported in September, IACS has been looking at cyber security themes since 2015 and launched a set of proposals in 2018. These are currently being reviewed in a project led by ABS but with a key part of it – to develop a new set of recommendations – managed by India’s IRClass, which currently holds IACS’ chairmanship. Speaking during London International Shipping Week in September, IRClass managing director Suresh Sinha said that this part of the project would be finished by the end of this year and I have asked the class society for a report on progress.
One detail from Mr Sinha’s LISW presentation that may disappoint last week’s webinar questioner is that the final recommendations will not be issued as an IACS Unified Requirement, which suggests that manufacturers will still have to meet a variety of requirements to satisfy all class societies.
Mr Stroubakis said that cyber vulnerabilities in equipment present “a major threat to the safe and reliable operation” of an owner’s asset. “There have already been incidents where drilling units were shut down … or vessel central services – including steering and main propulsion – failed to operate properly. So mitigating such threats is gaining increasing attention from the industry stakeholders.”
To combat these threats, operators “need to fully understand inherent equipment design vulnerabilities” as part of their “baseline assessment to implement successful cyber security strategies,” he stressed. And “this is not just a one-time event. [It is] an ongoing process that has to deal with changes throughout the life cycle of the asset.” Addressing this requires “a collaborative process with the OEM,” Mr Walters suggested.
A key part of ABS’ risk assessment for equipment is what it calls its Functions, Connections and Identities (FCI) Risk Model, which it launched in June last year. During the webinar Mr Walters explained that the ‘functions’ it refers to are those that an OEM programs into a system that must be protected. Its ‘connections’ are the physical and logical connections that should be controlled by the OEM and the shipowner. ‘Identities’ can be either machines or humans that access networks and their control systems. After a vessel has been delivered, “the OEM has control over the functions, some control over the connections and little control over the identities,” he said.
ABS’ CyberSafety guide “recognises these constraints” and advises that the OEM should issue a vulnerability report “so that the owner can maintain a rigorous cyber security posture.” He drew a parallel with the well-known ‘fire triangle’ of oxygen, heat and fuel: if any one of them is removed, a fire will be extinguished. In the same way, removing the risk to any of those three parameters “will mitigate the risk of a cyber issue.”
That sounds too easy and if that was all that was necessary, it would be easy. “Cyber security is a journey of continuous improvement,” said Mr Stroubakis during the Q&A. “Starting is the hardest step; with every step after that, it’s easier.” He was echoing a similar point made by Mr Walters during the webinar: “This is a continuous process as new threats will evolve and need to be addressed by both the owner and OEM.”
• Are you an OEM with experience of addressing cyber security? Are you an owner concerned about cyber threats coming via equipment vulnerabilities? How are you tackling those threats? Where do you turn to for advice? Email me now with your comments.