MARINE & OFFSHORE CYBERSECURITY
We provide independent assurance and threat led maritime cybersecurity services to marine and offshore organizations around the globe, leveraging our unique insight created by the combined knowledge of industry-based cyber research.
The marine and offshore industries are becoming more connected, more dependent on advanced technology and more digitally aware. Most marine and offshore companies are steering their future strategies towards “digital transformation”, but statistics confirm that the threat of unauthorized data access and maritime cyber-attacks is serious and growing – and systems or data hacking can directly impact a company’s ability to control its critical systems.
Marine and offshore cyber threats are simply the new risk battleground in industries where safety and security have always been paramount.
Why do Marine and Offshore Organisations Need to Pay Attention to Cybersecurity?
Today’s Marine and Offshore companies are facing a range of cybersecurity-driven challenges. These include:
- Reliance on digital communication, automation and interconnected technologies. This leaves infrastructure vulnerable to cyberattack.
- Complexity of the M+O ecosystem. Multiple stakeholders, industry bodies, administrations and regulators at an international, national and sector-specific level add additional challenges around compliance with cybersecurity best practices.
- Potential for legal liability around vessel delays and subsequent cargo, supplier or passenger claims. M+O companies must ensure that cybersecurity processes do not impede them in meeting strict timelines.
- A lack of industry awareness around cyberthreats. A lack of awareness and staff training remains an issue in the M+O industries, making them susceptible to targeted phishing attacks. These attacks are increasingly being seen in the sector.
Facing this complex cyber threat landscape requires a shift in mindset.
Threat Led Approach
Cybersecurity is the single largest growing threat to organizations globally, as the expansion of threat surfaces through interconnected technologies and automation significantly increases exposure and risk.
Additionally, the cybersecurity landscape is rapidly changing; the insights gained as little as five years ago are of less and less value as threat actors adjust their approaches in response to advances by security professionals and technical defenders. Through a dedicated Research & Innovation team, LRQA Nettitude look at how Marine and Offshore organizations can create a scalable cybersecurity strategy.
Threat Briefings
Cyber Security Concerns in Key Ships Systems
8 Cyber Threats facing the Marine and Offshore Sector
Cyber Impacts for Cruise Ships and Super Yachts
GPS Cybersecurity Threats and Impacts
Security Considerations for Remote Access Solutions on-board Ships
How targeted Phishing Emails are Impacting the Shipping Sector
Cyber Risks in Ships Communications Systems
Cyber Briefing:Threat Case Studies
Why LRQA Nettitude?
LRQA Nettitude is perfectly placed to act as a trusted partner for Marine and Offshore organizations as they build a robust cybersecurity strategy. LRQA Nettitude provide a complete suite of maritime cybersecurity services to help clients identify, protect, detect, respond and recover from cyber threats in the Marine and Offshore industries.
We know both the marine and offshore specific operational technology systems that drive performance and the information technology platforms.
We understand the threat landscape and the changing regulations faced by the Marine and Offshore industries and we know how to deliver a cost-effective solution while reducing our clients’ vulnerability to cyber threats.
Our work helps to ensure that marine and offshore organizations’ assets and processes are secure, safe, sustainable and compliant with the applicable regulations.
IMO Resolution on Cyber Security (Operational level)
The International Maritime Organization (IMO) in 2017 released a resolution and guidance around cyber risks.
- 1. Resolution (Mandatory) Maritime Cyber Risk Management in Safety Management System (Resolution MSC.428(98))
- 2. Guidelines (Recommended) on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3)
The Maritime Safety Committee adopted the resolution MSC.428(98) (Maritime Cyber Risk Management in Safety Management Systems) in June 2017. This resolution:
- AFFIRMS that an approved safety management system should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code, and,
- ENCOURAGES administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the company’s Document of Compliance (DOC) after 1 January 2021.
The ISM Code covers many areas that are impacted by cyber capabilities such as roles & responsibility, risk assessments and management, training, awareness and the implementation of relevant procedures to ensure cyber safety is maintained.
LRQA Nettitude’s consultants have extensive experience across all areas of cyber security including IT/OT architecture, cyber event preparation, technical security controls, assurance/penetration testing.
LRQA Nettitude can assist ship operators to be best prepared for the DOC and SMC audits that will be required post January 2021.
LRQA Nettitude also work closely with ship owners to ensure that operators are preparing at the right pace and priority and with shipyards and marine technology vendors (IT and OT) to ensure that new vessels are built with cyber security considerations included from the outset in the designs, build and commissioning.
Cybersecurity For Marine & Offshore
LR and LRQA Nettitude have developed a comprehensive suite of products and services for the marine and offshore market. These are not just designed for Class or for the IMO/ISM Code resolution, but also for organisations to consider holistically the impact and remediation/detection capabilities needed for their whole company, suppliers and cloud services.
Where To Start – The Cyber Journey
Where do I start? Cyber can very quickly descend into technical language and conversations that are hard to relate back to the business. Impacts and threats can be imagined or blow out of proportion. However, it’s important to do something and the best starting point is to understand the risk – the real risk – your organisation is facing.
The diagram below shows how you can start with a simply risk assessment that can be used to progress to more strategic plans and capabilities.
Class services
LRQA Nettitude is part of one of the world’s largest and most respected classification societies and can guide you through a non-prescriptive, fully integrated, risk-based approach, assuring the security of cyber-enabled ships from concept to operation.
The following technical guidance has been developed by LRQA Nettitude to allow clients to adopt cyber technology safely and securely:
LR Cybersecurity Framework (CSF) – defining a best practice cyber framework for the Marine and Offshore industries, aligned to recognised standards.
LR ShipRight Procedures – defining cyber requirements for a vessel to be in Class both at design/build stages and in operational use.
Type Approvals – defining requirements for HW and SW components deployed onboard a vessel.
Compliance-Based Services
As well as preparing for the IMO operational requirements to be met through the ISM Code and implemented Safety management System, LRQA Nettitude also help organisation adopt best practice industry standards.
As advised by BIMCO, to successfully defend against attacks, a marine business should understand which events could happen, what the consequences of those events would be, and how they can be detected. This summarises LRQA Nettitude’s approach well.
LRQA Nettitude provides marine and offshore organizations around the world with security services for managing corporate governance, risk management and compliance with sector-specific regulatory requirements like BIMCO, TMSA, IMO, IACS, US Coastguard, UK DfT as well as NIST, ISO and PCI DSS.
We provide these services for applications within all areas including passenger and cruise vessels, LNG, bulk carriers, tankers, mega yachts, military systems and fixed and mobile offshore assets.
Professional Services
From guidance and training to vulnerability and risk assessments, LRQA Nettitude can help you develop a cybersecurity strategy that will work for your business now and in the future.
Given the cost and the reputation risks associated with a cyber-attack, estimated to be £11.7 million (USD15.4 million) per company according to a 2017 World Economic Forum study, there is no doubting the importance of taking a strategic approach to cybersecurity. After all, a resilient marine or offshore organization is one that gains intelligence on the evolving cyber threats to inform decisions and plans, beyond compliance.
This is how LRQA Nettitude can help:
- Penetration Testing – an in-depth assessment of a system, application, network or environment, demonstrating the impact of ‘exploiting’ existing vulnerabilities, including information and operating technologies.
- Vulnerability Scans – to identify lower hanging vulnerabilities and poorly configured systems.
- Risk Assessments (including Threat Modelling) – for the identification and management of cyber risks.
- Crisis Management Simulation – to define and simulate real-world attack scenarios using the same tactics, techniques, and procedures as a genuine threat actor.
- Crisis Management Simulation – to define and simulate real-world attack scenarios using the same tactics, techniques, and procedures as a genuine threat actor.
- Training – to raise employee awareness and prevent an attack from being successful.
- Additionally, in many organisations, cybersecurity risk management has evolved from a periodic, static compliance assessment to a dynamic real‐time continuous monitoring and assessment of IT and OT systems. This is what LRQA Nettitude can offer as Managed Security Services.
Effective Cybersecurity Strategy At The Organisational Level
Developing an effective, relevant and pragmatic approach to the threats faced from cyber incidents starts with strategic intent and direction. Ensuring that the risks are understood and that the right operational capabilities and actions are taken is key. Ensuring a governance process that manages changes and provides the right level of assurance is essential. Appropriate coverage of ships, shore, fixed and mobile assets, and 3rd parties as well as future buildings, regulations, and Class and national requirements must be part of this holistic approach.
LRQA Nettitude has developed guidance on how to build an effective cybersecurity strategy and program and can assist your organization in implementing this from the board room to the engine room.
Research Activity
LRQA Nettitude has a dedicated team of vulnerability researchers focusing on cybersecurity in marine and offshore. They work with clients and partners to identify security vulnerabilities and they have already identified “zero-day” vulnerabilities in IoT components deployed onboard commercial vessels.
This work has uncovered zero days in many products from sat com units to VDRs, from remote management and monitoring solutions to fleet management systems.
Threat Intelligence for IoT and marine technology is an active area of research for LRQA Nettitude, with researchers focusing on applied threat models for on-ship systems and floating assets.
Another key area of activity is around optimizing the processing of security events from devices deployed on board a vessel for continuous security monitoring.
To find out more about how LRQA Nettitude can help you build resilience in your organization and face the particular threats of the Marine and Offshore industries, please complete our contact form and a consultant will respond to your inquiry.
Get a free quote
speak to our experts