"Cyber Managed" from Bureau Veritas: the pragmatic path to cyber resilience and protection
Paris La Défense, 20 January 2020 - Bureau Veritas Marine & Offshore (BV) is seeing rapid growth in the number of ships applying for its ‘Cyber Managed’ notation.
The notation was co-developed by BV and external marine security experts as part of joint technical working groups organized by BV. It ensures compliance with the main existing cybersecurity standards (IMO MSC-FAL.1/Circ.3, NIST, BIMCO etc.) and will enable shipowners to meet the requirements of IMO’s guidance to administrations that maritime cybersecurity risk should be reflected in ship security practice under the ISM Code by January 1, 2021.
Shipowners in Greece have been pioneers in applying the notation and now it is gaining traction with other shipowners and across the entire maritime ecosystem, including ship managers, charterers, insurers, and offshore operators.
BV expects that more than 100 ships will be operating under the ‘Cyber Managed’ notation in 2020.
Cyber Managed focuses on ensuring that cybersecurity is managed onboard as per industry best practice for change management and traceability of IS/IT systems onboard, emergency procedures and basic security protection measures.
Cyber Managed works because it is based on a security risk assessment developed from an initial mapping of onboard systems that results in a practical set of requirements.
The initial risk analysis and mapping exercise can be performed either during the newbuilding phase or at any time during the lifecycle of the vessel. As such, the notation is applicable to both new and existing ships.
This initial risk analysis results in the definition of mitigation actions that can be achieved through the development of ad-hoc procedures. These procedures are then incorporated into the ship management system (as per IMO MSC-FAL.1/Circ.3 requirements). The risks may also be mitigated through security protection of remote access and network connections that can usually be performed through software updates. Cyber Managed does not require new equipment to be fitted onboard.
Completion of an initial survey on board vessels allows the award of the ‘Cyber Managed’ notation. Annual surveys of similar scope combined with other class surveys ensure regular update of the documentation and crew training, and thus the maintenance of the notation.
Paillette Palaiologou, Vice President for the Hellenic Black Sea & Adriatic Zone, Bureau Veritas, said: “Cyber Managed provides a holistic yet pragmatic response to cyber threats to keep owners continually protected. BV’s network of surveyors are confirming compliance with the notation requirements on ships world-wide for Greek owners. We are stressing the practical – the pragmatic – approach that we have enabled. This solution was developed specifically for the marine industry.
“We see that shipowners are willing to invest in ensuring they are addressing cyber risks and their charterers are increasingly interested as well. We are seeing interest from insurers as well – and that this notation can be expected to be a factor in the response of underwriters’ assessment of risk.”
BV’s work is best built on an internal risk assessment conducted by a shipowner or manager. This assessment forms the foundation for applying Cyber Managed across an entire fleet. The assessment provides detailed mapping (a ‘repository’) of both the hardware and software installed on board and assessment of operational criticality.
BV cyber and marine experts support owners during the whole process, providing practical standard templates and methodologies for the security risk analysis and technical assistance to develop procedures. This allows in-house teams to significantly increase their awareness of cybersecurity best practices while preparing for the certification.
BV reviews all documentation (onboard handbook, onshore security policies) prepared by the client against the requirements of NR659. Then vessels are surveyed to ensure that the documentation reflects the actual condition of hardware installed. Finally, a ‘Cyber Handbook’ is placed on board - and management practice should be that the crew are made aware of its contents and requirements. These requirements are, typically, to recognize emergency situations, to handle cyber lifesaving techniques and, when possible, to ensure restoration of systems.
BV has also developed a ‘Cyber Secure’ notation specifically for newbuildings to help ensure the ‘security by design’ of ships where cyber security is most critical: remotely-operated vessels, autonomous vessels, military vessels as well as other sophisticated vessel types. This Cyber Secure notation will notably require the hardening of the most critical IS/IT equipment onboard.