Situation
NCC Group were engaged to complete a multi-vessel cyber security review of a maritime client's operational technology (OT) to determine where any vulnerabilities existed. The client suspected they had some weaknesses in their security due to a lack of a standardised OT security approach. The scope of each review covered marine systems, company IT-provided infrastructure, external communications and the connectivity to third-party supplied equipment.
Our review was based on National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and was completed over several months via remote workshops run for ships at sea and sailing in multiple time zones.
At a glance
Type of organisation: Research Vessel
Industry: Maritime Geoservices
Challenge: Review multi-vessel fleet with disparate systems over a wide range of technologies
Solution: NCC Group managed and delivered a series of workshops to understand the cyber security levels and processes in place for each vessel and on-shore facilities
Result: NCC Group provided a risk assessment report with an overarching gap assessment outlining where improvements should be made
Challenge
The client held vessels of differing ages and used various technologies. The vessels had an array of remote-controlled assets, differing external client survey teams, and were following operating models based on the survey mission type. Our primary challenge was determining a repeatable gap assessment process following a recognised industry cyber security framework while considering the variances for each ship and subsystem. In addition, due to the operational status of each ship, time with each crew would be limited, and for the majority of environments, our workshops had to be run over satellite broadband. and needed to cater for multi-lingual crews (not every crew spoke English as a first language).
Solution
NCC Group worked with the client to establish a consistent approach to the security assessments and extended that out to create a comprehensive report for each vessel that included:
1. Vessel Asset Register (system level) and Business Impact Assessment for each asset system
For an effective cyber security programme to be deployed, vessel assets must be recorded and categorised, and operational criticality ratings must be established. Thus, a baseline set of vendor-agnostic systems was defined based on operational requirements, such as:
-
- Bridge and Navigation,
- Propulsion,
- Communications,
- IT Infrastructure,
- Safety Systems,
- Fire and Gas Detection,
- Fresh Water, and
- Third-Party Client Connectivity.
Each vessel's crew, along with the fleet management team, completed the asset register and business impact assessment. This allowed us and the client to understand each vessel's security controls maturity and potential impact on operations.
2. NIST CSF gap assessment
The second phase of determining the capability of the cyber security programme is to assess the effectiveness of the cyber security controls that apply to the vessels. NCC Group worked with the client to create a question pack that would be easily interpreted by non-cyber security ship personnel. Their answers helped us to complete individual NIST CSFs for each vessel.
3. Threat to System mapping
Understanding the different threats a system could be subjected to helped the client to define what level of control (People, Processes and Technology) must be in place to defend against any given threat. We worked alongside the client to verify the threat analysis they’d completed prior to the start of our engagement, and NCC Group specialists determined if new threat types, actors and vectors needed adding to the model.
4. Threat to System Inherent and Residual Risk Matrix
We analysed the processes to protect their vessels to the company's operating risk model requirements. The client was now deploying a 'threat to system' model based on the asset impact assessment, and our analysis set out to establish the inherent risk. Once applied, the current controls would reduce the residual risk to within acceptable limits. If this was not achieved, recommendations for security improvement were rectified.
Result
Working as an extended member of the maritime company's security team, NCC Group provided the client with a comprehensive report into the current cyber security posture for individual vessels and across the fleet.
Areas of good practice were highlighted, and areas for improvement were recorded in collaboration with the team involved. With the assessments in place, the client now has a baseline from which improvements in the security posture can be measured, and a process for continual assessments at a more granular level has been defined.
Finally, a high-level executive summary report was commissioned to raise awareness of the current fleet situation and issues surrounding their supply chain and the maritime sector operating environment discovered by the assessment.
Get started on your CSR journey.
Our experts are ready to help you stay ahead in a constantly changing threat landscape. Contact us today to learn more about what NCC Group can do for your organization's unique cybersecurity needs.