• The new procedure is part of the “ShipRight Procedures” within LR Rules. Compliance with it makes a ship or a ship system eligible for a ShipRight Notation and/or a Descriptive Note.
• In cases where a procedure is applied to a vessel outside of the classification regime, a certificate of compliance may be issued if appropriate.
• The procedure was developed to provide an independent assessment of the effectiveness of cyber security controls within connected, integrated and internet-enabled systems and environments.

The development of Lloyd's Register's classification standards is a dynamic process. As the threats evolve, the standards adapt to ensure that safety, operability, performance and the security of vessels are kept to the desired level during their service life.

The marine industry is far from immune to cyberattacks. Ships are becoming increasingly dependent on the use of digital, automated and connected technologies. The attack surface is increasing and the risks from cyber events can have significant impacts on both IT and OT systems.

Lloyd's Register’s standards and related classification procedures reflect extensive and continuous research and development on a number of different fields, including cyber security.

With the rise of the cyber threats in the marine industry, the ShipRight procedures extend beyond the structural design aspects. Such procedures offer ship builders, ship managers and ship owners a link to cyber security assurance services aimed at enhancing the security of a ship; their purpose is to verify that the optimum level of safety is being sought and applied.

The Cyber Security ShipRight procedure can be considered as a “route to cyber security compliance” in relation to the relevant rule criteria.

The LR Cyber Security ShipRight procedures have been designed as relevant and pragmatic controls that educate and enable baseline standards and mature roadmaps to be implemented whilst demonstrating compliance to IACS and IMO requirements.
Ben Densham, CTO, Nettitude

About the Cyber Security Assessment Procedure

Vessels in operation may not have been built with cyber security considerations in mind and operating environments can be very diverse with many parties involved.

Lloyd’s Register’s ShipRight cyber procedures were created based on these considerations. They have been designed with multiple levels of maturity across eight domain areas to enable organisations to reach a baseline while setting a desired future position that is appropriate for the risks faced.

In particular, the following eight cyber security risk areas (domains) have been established:

1. Asset management;
2. Authentication and authorisation;
3. Secure networks and systems;
4. Cyber policy;
5. Physical access;
6. Security awareness;
7. Detect and respond;
8. Assurance

For each domain, the procedure defines the evidence to be submitted as well as the outcomes required during the assessment of that evidence, for each level of maturity of cyber security in the domain.

The four levels of cyber security maturity have also been mapped to existing industry standards, where relevant, such as IEC 62443, ISO 27002, IACS Cyber Security Guidelines and NIST.

About the ShipRight Procedures in general

The “ShipRight Procedures” are a comprehensive system of procedures aimed at ensuring the highest standards of safety, quality and reliability at the design stage and during construction. These procedures also extend via Linked Supporting Services to ensure that these standards are met through the operational lifetime of the ship.

These procedures will be updated and reviewed on a regular basis to ensure they continue to be fit for purpose, address the current threats being faced and stay abreast with industry regulations and standards.

+++

October is Cyber Security Awareness Month, which is a great opportunity for companies and individuals to review and improve their cyber security processes and knowledge. At Nettitude, we will be releasing a new blog post every week of Cyber Security Awareness Month on our latest cyber security research, as well as our insights on the latest industry news and trends. We hope you’ll find them helpful, and as always please contact us with any questions.