“Response to cyber threats is an urgent matter for the entire maritime industry,” ClassNK said in a March press release. “In the ClassNK Cyber Security Approach, ensuring navigational safety is regarded the most important goal of onboard cyber security. To achieve it, it is of high priority to ensure availability of systems in terms of operation technology (OT) as well as information technology (IT) systems, which support operation of ships.”
The Cyber Security Approach adopts a strategy of layered cyber security controls, with each layer supporting the others and designed to contribute to a “balanced combination of physical, technical, and organisational approaches” to cyber security.
ClassNK’s mutually reinforcing cyber security layers take in onboard hardware and software equipment, operational controls, organisational controls for information security management and developing more cyber-savvy shipboard products across the supply chain. Below is a breakdown of ClassNK’s cyber security layers and the key takeaways from the society’s recently published guidance documents.
EQUIPMENT AND OPERATIONAL CONTROLS
ONBOARD ELECTRONIC SYSTEMS ARE SEPARATED INTO CATEGORIES BASED ON THEIR SAFETY FUNCTIONS
ORGANISATIONAL CONTROLS: INFORMATION SECURITY MANAGEMENT
THE GUIDELINES RECOMMEND ALL SHIPPING COMPANIES DESIGNATE A SHORE-BASED PERSON OR TEAM FOR CYBER SECURITY MANAGEMENT
DEVELOPING SHIPBOARD PRODUCTS WITH REDUCED CYBER RISK
ClassNK’s fifth and broadest cyber security layer is the development of shipboard products with reduced cyber risk. The society’s guidelines on this topic, which mainly applies to the wider vessel equipment supply chain, are intended for shipboard equipment manufacturers, as well as shipping personnel involved in equipment procurement. The guidelines are set out in the most recent document ClassNK’s Cyber Security Series, ‘Guidelines for Software Security’.This is an important factor in onboard cyber security, because there has to be an expectation that the resilience of software against external attacks is as important as its intended functions. Growing demand for secure software will help shape the products that are offered on the market, and as Roi Mit of cyber security firm Regulus Cyber recently highlighted in the case of GNSS receivers, a lack of secure technology options is still an issue in some sections of the maritime sector.
SECURITY REQUIREMENTS SHOULD BE DEFINED AND ANALYSED FOR EACH AND EVERY STAGE OF SOFTWARE’S LIFE CYCLE