Call
Ask an Expert
Tel: +1-281-673-2800
Fax: +1-281-673-2931
Find an Office
Email
Email Us
Insight

Cyber Security: A Simple Approach to Understanding Cyber Risk in OT Assets

Marine and Offshore Solutions

Cyber Security - Understanding Cyber Risk Simply

Using the FCI Cyber Risk process, marine and offshore owners/operators can apply a cost-effective risk mitigation strategy across their assets and fleets. Here's how.

Industry Awakening to Cyber Security

Inviting a cyber incident takes no more than a flash drive plugged into a ship system USB port, or a phishing e-mail containing a malicious link – unfortunately clicked on a company laptop. Once inside one computer, the demon can spread to any other it contacts. In 2017, a malicious update to a popular Ukrainian accounting program released ransomware, which ultimately ended up inside several global organizations including shipping giant Maersk, where it caused some $300 million worth of trouble and interfered with operations in several of the world's major ports.

While the maritime industry has been slow to acknowledge cyber security as a relevant issue, a growing number of companies are now working on addressing cyber risks. Historically, ships and offshore units were remote from a company's main information technology (IT) systems. Clearly, now they are increasingly connected — to maintain ship functions (propulsion, thrusting, ballast), which rely on industrial control systems, provide internet access to crew or stream data ashore to monitor vessel health.

Over the past two years, our parent organization, American Bureau of Shipping (ABS), and ABS Group have invested significant resources to close a critical gap in cyber security capabilities for the marine and offshore industries. Together, ABS and ABS Group have developed industry-leading capabilities that empower owners and operators to identify and measure cyber risk in their operational technology (OT) environments.

A Practical Approach

Until now, descriptions of cyber security risk and resulting management plans were anecdotal and largely an educated guess made by vessel OT environment managers — which characterized risk based on abstract concepts — perceived threats and vulnerabilities. Fundamentally, we were using educated guesses as the foundation for maritime OT risk assessment.

A new, practical and quantifiable model to define maritime OT risk analysis was badly needed. Our Cyber Risk Management team began this effort as basic research with the U.S. Department of Homeland Security, the U.S. Coast Guard and the Stevens Institute of Technology. Our work with government agencies and researchers demonstrated that available guidance for developing the required Cyber Security Risk Management Plan was insufficient (C2M2 CERT-RMM [C2M2: U.S. DHS Cybersecurity Capability Maturity Model, CERT: Computer Emergency Readiness Team, and RMM: Resilience Management Model] specifically calls for implementation actions based on a detailed Risk Management Plan).

Following on from the joint research effort, we applied research and development resulted in methods and tools that describe cyber risk on vessels as readily observable and quantifiable cyber risk constructs. In contrast to commonly used risk elements in the cyber security risk equation defined by the FBI Risk = Consequence x Vulnerability x Threat (This model is often referred to as the "FBI Risk Equation"), we defined OT risk elements to reflect countable maritime OT realities: Functions, Connections and Identities, respectively.

ABS FCI Cyber Risk Model

The ABS FCI Cyber Risk™ model is simple in its structure, but sophisticated in its application. The FCI Model transforms the abstract constructs of the commonly used risk equation into physical constructs that are observable and countable in a vessel OT system. The revised equation for maritime is, Risk = Functions x Connections x Identities.

Using the FCI Cyber Risk equation, we can calculate a cyber risk index for clients that is actionable and easily understood by senior management and C-Level executives. From the risk index, an actionable report details how to reduce cyber risk, enabling owners and operators to prioritize OT cyber security design and investments across their assets.

First, consider Functions of an OT system, which represent Consequences in the original equation. Failure of critical Functions, like navigation, steering or engine management controls, has serious consequences. Solutions to reduce risk for vessel Functions are basically constrained to network architecture management activities, such as distributing critical functions to segmented and protected networks, which reduces risk that a single cyber incident could impact several critical Functions simultaneously.

Second, consider Connections to potential cyber threats which represent Vulnerabilities. Digital Connections are the pathways to critical functions that must be operational, and therefore protected from a cyber incident. The gateways to connections are network nodes. Logically controlling access to critical Functions through digital Connection nodes, reduces risk.

In the end, what are we protecting Functions from? In the common risk equation, Functions must be protected from Threats. The concept of a cyber threat is widely assumed to be malware, software viruses, ransom-ware and the like. A Threat has an agenda that may or may not be malicious. Most importantly, a Threat has an Identity that is either known or unknown. Threats are merely methods by which Identities impose a threat. Untrusted Identities introduce threats into connection nodes that can, or are intended to, impair critical Functions.

Eliminating the Uncertainty of Cyber Risk

Controlling access to important Functions, through vulnerable Connection nodes, by untrusted Identities capable of delivering an infinite number of potential threats, reduces or eliminates Cyber Risk. So there it is — cyber security in a nutshell. Once described in these terms, cyber security becomes simple to understand and just detailed and tedious to define and design.

By applying the FCI Risk constructs to an OT system, risk elements can be observed, defined, counted and reduced or eliminated within the risk tolerance limits of the concerned organization. All risk management requirements imposed by international cyber security guidance standards and regulations can be prioritized and clearly explained in real risk elements using the FCI Cyber Risk model. Finally, with the results of the FCI Cyber Risk process, owners/operators can apply a cost-effective risk mitigation strategy across their assets and fleets.

Need to develop a comprehensive cyber security risk management program? Discover our Cyber Security capabilities and contact an expert to learn more about our Safety, Risk and Compliance Management solutions.

Back to top