There was a time, not too long ago, when shipping had its head in the sand with respect to its cyber vulnerability. Many just did not want to know and others believed it was a remote risk and somebody else’s problem.
Attitudes have certainly changed since IHS Markit launched its first maritime cyber security survey in 2016, and now barely a week goes by when one does not hear about a new development in this space to assist shipowners with preparedness.
Getting one’s head around the risk environment remains one of the major hurdles, and many companies rely on risk assessment methods using three variables – threat, vulnerability, and consequence – to help them identify, protect, detect, and recover from cyber-security breaches. These exercises are useful as they foster a better understanding of the risks, but the results are qualitative. They do not measure risk.
The challenge of producing a method that defines cyber risk so it can be counted, computed, and modelled for maritime operating systems has been taken up by classification society ABS, headquartered in Houston, Texas.
Working with the Stevens Institute of Technology, ABS has developed what it calls the FCI risk equation. To represent ‘consequence, vulnerability, and threat’ as calculable elements of risk for operating technology, it has replaced them with the concepts of ‘functions’, ‘connections’, and ‘identities’.
Functions are the systems that a cyber attacker would seek to control or defeat. Connections represent how the functions communicate with one another, as well as with shore, satellites, and the internet – each connection is a ‘node’, the point at which a cyber incursion gains access. Finally, an identity is a human or a digital device.
Under the FCI model, an identity needs to have an agenda, and this could be anything from a lack of awareness – say, a crew member inserting a USB into a bridge system or opening an email from an unknown source – to a deliberate action, such as the hijacking of a navigational system. According to ABS technical advisor Rick Scott, replacing threat with identity means threats can be counted. This was a breakthrough concept for cyber risk calculation.
Using the FCI equation, data are collected to produce a risk index that illustrates each component’s contribution to a vessel’s overall risk. This means a shipowner can take a fleet-wide view of the risk associated with each of its vessels based on the way its digital systems are designed, the way people are allowed to access them, and the way communication nodes are protected.
Armed with this information, an owner is in a much better position to make the required changes to improve cyber security on board, whether by changing the network architecture, by re-engineering or restricting how systems are accessed, or both.
Crew awareness and training are vital when it comes to defending against cyber risk, but we all know the old adage ‘you can’t manage what you don’t measure’. So this approach should go some way towards enabling owners to quantify the efficacy of their cyber security activities.