DNVGL.com

How to make your company and ships more cyber-resilient

DNV GL has been addressing cyber security together with our clients for years. Even though we see the risk increasing every year, we believe that many companies and their assets are not prepared. This technical news summarizes some common-sense recommendations on how to make your company – and your ships – more cyber-resilient.

Tecnical Regulatory News No9 - cybersecurity

Cyber security is a complex subject and, sadly, cannot be fixed simply by purchasing a “magic box”. Neither can it be qualified in one single index or grade of security/risk. For illustrational purposes, cyber security can be divided into three categories: People, Technology and Processes. Each  category is equally important and needs to be addressed on a continuous basis for your company to be(come) safer. Indeed, trying to solve the problem by working with only one or two of the categories will be much more expensive than working with all three of them for the same level of security/safety improvement. With that said, some attention to one or more of the categories is a lot better than no attention. 

1) People

People make mistakes, and in many of the cases where hackers have breached company defence mechanisms, employees or colleagues are the point of entry. What we often see when we are asked to help our customers assess and test their cyber security is that the impact from small mistakes made by crew or employees is bigger than our customers are aware of. The everyday actions of employees and not just some remote criminal hackers present one of the greatest risks to your organization and your customers. 

The commitment of your people to protect your organization is a critical component of a strong cyber resilience. In other words, focus on the human aspects of your organization – on developing a positive security culture and attitudes, evident in the actions ashore and on board, and which is practiced by walk-the-talk management. Hence, when working with cyber security in your company, raising cyber security awareness among your staff is probably the most effective prevention.  

2) Technology

Technology is becoming increasingly complex, also for the maritime industry. Today’s vessels are no longer composed of several stand-alone control systems. Rather, the systems are all connected, dependent on each other and constantly online. Changes to requirements and continuous software upgrades are contributing to making the security of technology more difficult (and expensive). Still, it is of great importance that the technology side of things is also included in your cyber security strategy (keywords: network segregation, hardening, anti-virus, software patching, etc.).

Most companies today have a good overview of their assets, and they have processes in place for maintaining their systems, but how much attention do you pay to your systems’ cyber risks? 

3) Processes

The link between people and technology is processes. IMO has given ship owners and managers until 1 January 2021 to incorporate cyber risk management into their Safety Management System (SMS) or else ships risk being detained by port state control. 

On a general basis, we observe that processes are not in place, or what is in place is not enough to give proper guidance in the day-to-day operation or, worse, in case of cyber security events. 

Developing procedures to cover cyber security in addition to those already in place for operations, maintenance and safety would seem like yet another paper mill, but it is vital for you company’s safety. We advise you to keep the procedures straightforward with uncomplicated language and make people understand why they are necessary. Furthermore, we recommend you integrate cyber security-related policies, processes and procedures into the present SMS and Planned Maintenance System on vessels, rather than creating independent documents and tools.

10 simple steps to become more cyber-resilient

  1. Think before you click on links and attachments. 
  2. Protect your passwords.
  3. Make sure external drives and USBs are clean.    
  4. Be aware when third parties enter your location, systems or data.
  5. Never connect personal items to the ship/company-critical systems. 
  6. Never use external Wi-Fi for company emails or downloads unless protected by VPN.
  7. Learn how to install and use two-step authentications.    
  8. Plan for the unknown – learn how to back up and restore.
  9. Always report errors and mistakes.        
  10. Educate yourself on cyber risks and how it affects your workplace, colleagues and you personally.  

Our main concern, as seen from a class perspective, is the lack of awareness when it comes to putting these three elements together. For example, you will not have good safety if you focus solely on making the technology bulletproof and your crew then finds the processes hard to follow or even inadequate. 

Recommendations

DNV GL has summarized all these best practices in a video which is freely available for you on our website The video has been produced together with the insurance company GARD and is a great means to enhance awareness and build best practices on board and ashore. We recommend all companies to use the video and supporting materials in their efforts to prevent any cyber-related incidents in future.

References

Contact

Email us at cybersecurity.maritime@dnvgl.com

 

2018. gada 3. maijs

Practical advice for IMO DCS data collection starting 1 january 2019

Both EU MRV (Monitoring, Reporting and Verification) and IMO DCS (Data Collection System) requirements are mandatory, and are the first step in a process to collect and analyse CO2 emission data for the shipping industry. EU MRV data collection already started from 1 January 2018, while IMO DCS data collection on fuel consumption to comply with the IMO DCS regulations starts 1 January 2019. This statutory news provides practical advice on IMO DCS compliance.

  • Maritime
2018. gada 21. marts

Ballast water management and port state control – checklist for preparation of PSC inspections

The international Ballast Water Management Convention (BWMC) came into force on 8 September 2017. In Paris MoU alone, the Port State Control (PSC) issued more than 70 deficiencies regarding BWM in the last four months of 2017; worldwide more than 160 deficiencies were identified up to March 2018. This PSC news provides you with an overview of the main categories of deficiencies raised during the first seven months of BWMC entering into force and provides a checklist for preparation of PSC inspections regarding BWM systems, their operation and maintenance.

  • Maritime
2018. gada 20. februāris

Shaft alignment and propeller shaft aft bearing performance – recent trends call for action

Recent experience reflects concerns on propeller shaft aft bearing performance on some oil lubricated installations, e.g. ships with single stern tube bearing, during turning conditions involving hard-over steering angles in the upper speed range (MCR). This also coincides with evolving trends comprising of larger and heavier propellers operating at a lower RPM and different types of stern tube lubricants. This technical news aims to elaborate the basic logic, criteria and recommendations associated with propeller shaft aft bearing performance.

  • Maritime
2018. gada 24. janvāris

Cold conditions call for extraordinary measures for ships, equipment and crew

Canada and other areas close to the Arctic are currently experiencing extremely low temperatures, and owners calling at ports in these areas are obliged to prepare accordingly. This includes paying particular attention to safety and navigation-related equipment which may be damaged or impeded from working properly under such conditions. This PSC news summarizes the most important measures to be assessed for cold climate navigation.

  • Maritime
View all