Over the next few years, brownwater operators in the U.S. and elsewhere will come under increased pressure to document and upgrade their cybersafety regimes.
Whether they are vying for blue chip contracts or fulfilling more modest roles as part of the nation’s critical maritime infrastructure, regulators and the sector’s top companies will put workboat operators under increasing pressure to prove they have their cyber risks in hand.
While the cybersecurity needs vary widely between operators, solutions should be scaled based on the size of the enterprise, embedded expertise and observed cyber risks on vessels. This approach to defining and measuring cyberrisk should be standardized to assure consistency across a large modern fleet.
To help navigate these challenging waters, ABS will publish the second edition of its cybersafety guide for the maritime sector in the second quarter of 2019. The guidance will include a new, simplified method for measuring and mitigating cyberrisk and defining related security requirements.
Traditionally, the most common equation used to represent cyberrisk has been: ‘Risk = Threat x Vulnerability x Consequence’. It has helped analysts to understand that risk has three contributing elements, and infers that reducing any one of those reduces the risk.
However, its role in risk analysis has been limited to that of a reference model rather than a mathematical equation, and is commonly used to understand the nature of cybersecurity risk. Because those cyberrisk elements are abstract, they are difficult to quantify when designing a solution. This shortcoming has contributed to cyberrisks being poorly measured and managed throughout the marine industries.
This means marine cybersafety would benefit from having its language move beyond abstract concepts, such as ‘threat’ and ‘hygiene’ to terms that can be observed, defined and measured.
To calculate the risks to brownwater operating technology, abstract concepts such as ‘consequence’, ‘vulnerability’ and ‘threat’ need to be replaced as the calculable elements in the “cyberrisk equation” with the observable and countable ‘functions’, ‘connections’ and identities’ (FCI). This is not merely a cosmetic substitution; it leads to measurable outcomes.
In the FCI model, ‘functions’ define an activity that the equipment or system is designed to perform, whether that is powering a vessel, supplying fuel, navigating, etc. The functions that are critical to operations must be protected from interruption – either by careless employees, or hackers – and the redefinition helps to identify those that are mission-critical.
‘Connections’ describe how the functions communicate with one another, to shore, to satellites, to the Internet, etc. From a digital perspective, connections are the access points for intruders, as well as the doorways to safety-critical systems and equipment.
‘Identities’ are simply either a human, or a digital device. Replacing ‘threat’ with ‘identity’ allows the threats to be defined and counted, providing a breakthrough for advancing the calculation of risk.
The FCI methodology is grounded in the cybersecurity framework offered by the National Institute of Standards and Technology (NIST), which is mature guidance.
It helps owners to gain control of their assets’ cybersecurity risks. By identifying specific risk contributors, they can target engineering decisions and prioritize their resources effectively. Solutions are computationally engineered, highly detailed and respond to the risks that need to be managed.
The data generated by observing, characterizing, and counting the functions, connections and identities are used to build a risk index, which demonstrates how specific FCI alterations could change the risk of each system’s configuration.
This is a simplified account of the process, but the Index ultimately quantifies the risks associated with the architectural design of each system connected to the asset, a result that has been missing from marine cybersecurity assessments.
The U.S. brownwater fleet is exceptionally diverse. While there are some hi-tech operators, the majority can be characterized as comparatively cost-conscious about cyberdefense spending.
A scalable solution helps to ensure that the owner can keep cybersafety efforts cost appropriate by customizing it to fit their systems, corporate goals, finances and ability to staff a response.
Ultimately, the driver of the depth and complexity of the defense is the number of critical digital functions, connections and threats, ie., digital identities and people who have access to an asset’s operationally critical systems.
Simple systems with limited access points don’t require complex solutions. But even owners of assets with the simplest systems will eventually need to offer proof that their cyberrisks are measured and managed.
Rick Scott is a Technical Advisor at ABS and an author of the FCI Cyberrisk Model