Page 17: of Maritime Reporter Magazine (April 2018)

can be counted, measured, computed tioners think about risk. from lack of awareness of cyber risks to those individual risk contributions, for and modeled for maritime operating sys- To represent ‘Consequence, Vulnera- unintentional behaviors – “I’m not going example, the owner can redesign a net- tems. bility, and Threat’ as calculable elements to adhere to company rules and perform work architecture to re-engineer how the

ABS recently collaborated with Ste- of a risk equation for operating technol- my duties in a secure way” – or actions system is being accessed, either through vens Institute to research this problem ogy, we replaced them with the concepts such as the hijacking of navigational sys- human-machine interfaces, cell phones, for the maritime sector and rede? ne the of ‘Functions, Connections, and Identi- tems to steal or destroy a vessel, or other thumb drives, or connections to the In- equation in terms that are countable, ob- ties’ (FCI), respectively. acts disruptive to normal operations, ternet.

servable and easily understood. One of ‘Functions’ allow the crew to maneu- typically for monetary gain. This new approach allows the owner to the things our research with the Stevens ver the vessel or perform its mission, The quantitative data from the Func- take a ? eet-wide view to determining the

Institute discovered was that the nature which can be anything from drilling oil, tions, Connections and Identities are relative risk associated with each vessel of maritime risk within cybersecurity is to carrying people and cargo, or combi- then counted and used to populate a based on the way its digital system is de- not well de? ned or understood. Nor is it nations of each. In the FCI risk equation, worksheet that builds a Risk Index to signed, the way people are allowed to ac- particularly well managed. they represent systems that a cyber at- demonstrate how speci? c FCI altera- cess it, and the way the nodes, or access

The result is a new model that helps tacker would seek to control or defeat: tions would change the relative risk of points, are protected.

owners proactively gain control over cy- steering, location monitors, propulsion each system’s con? guration. ABS delivers a risk index calculated bersecurity risks. systems, communications, anything to The process described here is simpli- through the FCI approach, which is a

These risks in turn drive speci? c re- serve their purpose. ? ed, but the Risk Index ultimately pro- number that represents the relative level quirements, engineering decisions and ‘Connections’ represent, in relation to vides a quantitative view of the relative of risk inherent in the design and opera- resource commitments. The model fo- maritime operating technology, how the risk associated with the architectural de- tion of the digital system on the ship. It cuses on identifying solutions that are functions communicate with one anoth- sign of individual systems onboard the helps owners to decide where to deploy computationally engineered, highly de- er, to shore, to satellites, to the Internet, vessel. That is something that has been their often-limited cyber-defense re- tailed and in context with the risks to be etc. missing in the maritime cybersecurity sources.

managed. Within each connection is a ‘node’, the space. There is an old adage in industry: you

Effectively, it places the controls for point through which a cyber incursion The FCI method determines whether can’t manage what you don’t measure. responding to cyber risks back into the gains access. Connection nodes (the access points) are As the maritime industry continues its hands of the asset owner. ‘Identities’ are either a human, or a adequately protected, and whether or not march towards auto¬mation, companies

Shifting industry cyber risk practices digital device. Replacing Threat with the asset owner has controlled the Identi- that can measure and manage cyber risk away from more traditional defensive Identity allows threats to be counted, ties of those who have been provided ac- will be better positioned to tackle chal- methods to a measurable process will a breakthrough concept for advancing cess to nodes and restricted areas within lenges in the new digital era.

require the industry to change the con- maritime risk calculation. the vessel control system architecture. As an industry, the ability to measure versation, but most importantly it also In the context of the FCI model, a threat The Index illustrates each component’s cyber risk will become a core foundation will require a change in how risk practi- has to have an agenda. These can range contribution to the overall risk. Based on for operational ef? ciency and safety. www.marinelink.com 17

MR #4 (10-17).indd 17 MR #4 (10-17).indd 17 4/5/2018 10:36:14 AM4/5/2018 10:36:14 AM