“Ships and offshore structures are becoming more and more interconnected,” said Tor Svensen, CEO DNV GL - Maritime, when taking the stage at this year’s CMA (Connecticut Maritime Association) event in Stamford, CT. “In theory, all programmable components may be exposed to cyber threats, be it machinery, navigation or communication systems.”
Cybersecurity in the maritime and offshore industry was also up for discussion at this year’s CMA Shipping event during a session with the US Coast Guard, ship owners and class representatives.
In the past, critical network segments onboard vessels used to be kept isolated. This has changed.
“This is a weak spot,” said Svensen. “There are many ways something can go wrong with the systems or software – be it caused by technical or human error, or cyber criminals.” According to Svensen, cyber-attacks pose an additional risk of someone with evil intent exploiting already existing vulnerabilities. The industry has seen its first cyber events, e.g. the manipulation of AIS, ECDIS and GPS data. Just last year, more than 50 cyber security incidents were detected in the Norwegian energy and oil and gas sector.
There is, however, much that can be done to improve protection against cyber-attacks.
“At DNV GL, we have always favored a risk-based approach and also advocate this to reduce cyber risks,” Svensen said. He also recommended that asset owners and operators should consider cybersecurity self-assessments, third-party assessments, audits, testing and verification, and suggested that such requirements could also be implemented into future regulations.
Cybersecurity audits or “health checks” are starting points. With a combination of so-called Hardware In-the-Loop (HIL) and cybersecurity testing, DNV GL’s Marine Cybernetics unit offers tests addressing typical threats such as network storms and penetrations, password attacks, disconnections and communication failures.
Focusing on the integration of software dependent systems, DNV GL introduced its own Integrated Software Dependent Systems (ISDS) standard in 2009. Originally developed for the offshore industry and enhanced ever since, ISDS helps ensure that the integrated and stand-alone control-systems of a vessel perform reliably and safely.
DNV GL has long-standing experience and a dedicated service portfolio addressing risks related to integrated information systems and also consults organizations such as the US Coast Guard (USCG) on building a regulatory framework. Recently, DNV GL provided comments to the USCG on "Guidance on Maritime Cybersecurity Standards," drawing on DNV GL's competence and cross industry cyber security knowledge in the Maritime, Oil & Gas and Energy industries.
“If regulating authorities such as the USCG define cybersecurity requirements, DNV GL is well positioned to contribute to regulations, and to establish rules, class notations, recommended practices and guidelines,” Svensen promised.
