By Elisa Cassi | Cyber Product and Services Manager
Nettitude and Lloyd's Register have released the LR Cybersecurity Framework (CSF) for the Marine and Offshore sector, to complement the Cybersecurity Strategy paper that was previously published. The two documents are part of a suite of marine specific documents to support shipping organisations defining and implementing a robust and appropriate Cybersecurity Strategy.
This post focuses on the LR Cybersecurity Framework and provides an overview of how to use it effectively to deliver relevant and pragmatic cyber capability within your organisation for addressing cyber-threats.
Why is the LR Cybersecurity Framework (CSF) needed?
Classification societies traditionally are very focused on the ships themselves. The whole Class system is based on vessels and their systems. The challenge when looking at cyber threats is that the physical parameters of a ship are not the same as the digital attack surface that is really in place. Internet connections and communication links bring the shore systems into scope, along with cloud services, 3rd parties, and the laptops, phones and tablets brought on and off by crews and passengers. This is why Nettitude and LR have developed a framework which sits above the scope of Class itself, to address holistically the operational capabilities, the governance and the assurance aspects of managing cyber safety, resilience and risk, with an eye to cloud adoption and the new challenges that come with it.
What approach has been taken?
The LR Cybersecurity Framework is designed to be comprehensive and thorough, but at the same time practical and achievable.
1. Agnostic to industry standards and based on outcomes:
Our approach has been to develop a framework that is not prescriptive but based on security outcomes. It is not tied to any one single industry security framework, standard or regulation. The rationale behind this is that evidence of meeting the stated outcomes may be provided in many ways, and we leave it to organisations to decide which framework is most appropriate for their business needs.
2. Holistic in nature, covers the attack surface relevant to cyber:
The approach to cybersecurity cascades down from the executive level, where support is provided through the adoption of an appropriate Cyber Strategy, to the operational capabilities and building blocks within the LR Cybersecurity Framework, through to the vessels, the onshore facilities and the third parties themselves. Requirements and assessment procedures for ships will then produce formal evidence as Class Notations or Descriptive Notes.
3. Built around developing maturity levels:
Knowing where to start and how your organisation can build, improve and mature over time is essential, and the LR CSF has been designed from the outset to encourage continuous development. Cyber is not something that you do once and you are done; it requires adaptation and improvement on an ongoing basis.
4. Mapped to international regulations:
The framework will adapt to the future development of Marine and Offshore Regulation and will help the industry to prepare for the future. The International Maritime Organization (IMO) is currently focused on the Risk Management aspect of cybersecurity, and this is comprehensively addressed in the LR Cybersecurity Framework. As the requirements landscape from IMO, the National Governments and the Industry Bodies develops, the LR Cybersecurity Framework will adapt to accommodate new regulation areas and more specific controls.
The LR Cybersecurity Framework sets out to answer the fundamental questions of the WHY, WHAT, HOW in a pragmatic way.
The “WHY” question, to set the scene for a good Strategy
Our aim is to enable a cohesive and comprehensive cyber strategy that can be managed effectively. The CSF, together with the “Cyber Strategy” document, can be used by board members and executive teams to define their strategy and their long-term vision of what ‘good’ looks like for their organization. A cyber strategy is appropriate for the business requirements of an organisation only if the vision is clearly articulated, has board level engagement and is appropriate and relevant to the threats faced.
The following principles are considered key to achieving safe and effective cybersecurity in the maritime sector. They are built from best practice and knowledge of the operational context of ships.
- Resiliency: Build resiliency into the security controls deployed, being at the same time confident that controls do not adversely affect the performance of systems and services;
- Plan to the worst: Expect to be breached. Preventative measures (defence in depth) will never be enough so focus on detection and response;
- Know what you have: A clear list of assets, an understanding of their value/purpose within your environment;
- Look at the threat surface, not just the physical domain: Consider all aspects of the threat landscape and attack surface that critical functions on-board a ship are impacted by or dependent on (on shore, service suppliers and on-board);
- Robust governance: Build a robust governance framework that operates as a living process with accountability and measurements; and
- Realistic objectives: Start with an objective that is manageable and realistic, focused on priority areas. Build and develop to greater levels of maturity.
The “WHAT” question, to define the scope of work from a holistic perspective
The LR Cybersecurity Framework can be used to assure the overall strategy, approach and implementation of cybersecurity across a whole organisation, with an eye to the ecosystem in which the organisation operates.
Potentially the LR Cybersecurity Framework can be used to assess the whole fleet management, a single ship, a ship’s system or shore-based remote operations at different levels (for example, navigational equipment, the vessel’s IT network, power management system, or safety management system).
However, the scope will be defined by the environment and attack surface that can have an impact on the critical functions. The key factor in keeping the approach pragmatic is to identify the critical functions within the given environment and, based on these, define the scope.
Content-wise, the LR Cybersecurity Framework is split into 2 sections:
- Oversight and Accountability: To ensure the effective ownership, delivery and execution of a cybersecurity strategy, it is essential to define roles, responsibilities, scope, strategy and expected performance based on the risks identified and the threat landscape relevant to the organisation.
- Control Mechanisms: The control areas are broadly based on the NIST Cybersecurity Framework but detail at a high level the areas to be considered as relevant for ships. How these control areas are met and which controls are deployed will depend greatly on the environment, technology and services provided.
The “HOW” question, to define controls at vessel level
Modern ships’ operating environments are changing with the adoption of cloud services, the internet of things, connectivity and increasing automation. This can present a complex threat surface where many parties are responsible for meeting the cyber risks presented. The increasing need to use specialist shore-based parties to support the operational functions on-board, and to provide crew and passengers with Internet facilities, requires opening up the on-board networks to remote users and service providers. This increases the cyber risk faced.
The cyber risks presented through both on-board and any shore-based support services could impact the safety and functions of a vessel, because passive and offensive actions can be performed from anywhere on the globe. Threats from organised criminals, pirates, opportunists, insiders and even nation states now need to be considered. The LR Cybersecurity Framework supports organisations in reducing the cyber risk by identifying the right controls to be implemented.
The LR Cybersecurity Framework is organised in maturity levels (currently four, but room to expand in the future) and the suitability of the levels for the different type of organisations is described.
A key aspect in the application of appropriate cybersecurity controls is an understanding of the ship’s critical systems, their dependencies and their connection to non-critical system networks, as well as the impact a cyber-incident will have on the safety of navigation and personnel and on the functions of the ship. Different environments may have different critical functions but should consider as critical, as a minimum, the functionality of all those items defined as essential by the LR ShipRight Procedures.
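The paragraph above asks for an understanding of which critical systems are reachable from non-critical networks. The following is an added example, not part of the LR framework or the original post, showing one way to make that analysis concrete: model the on-board and shore links as a directed graph, then compute which critical systems an untrusted zone (crew Wi-Fi, a vendor remote-access link) can reach, and re-run the analysis after removing a link to see the effect of segmentation. The system names, link list and zone labels are constructed sample data; no real vessel architecture is implied.

```python
from collections import deque

# Constructed sample data (not from the post). Each pair (a, b) means
# "network traffic can flow from a to b". Names are illustrative only.
SAMPLE_LINKS = [
    ("crew_wifi", "ship_it_lan"),
    ("remote_vendor_vpn", "ship_it_lan"),
    ("ship_it_lan", "bridge_lan"),
    ("bridge_lan", "ecdis"),
    ("bridge_lan", "radar"),
    ("ship_it_lan", "engine_hmi"),
    ("engine_hmi", "power_management"),
    ("passenger_wifi", "internet_gateway"),
]

# Systems the operator has classed as critical for this sample vessel.
# "steering" is deliberately left with no inbound link to show the
# isolated case.
CRITICAL = {"ecdis", "radar", "power_management", "steering"}

# Zones treated as untrusted entry points for the analysis.
UNTRUSTED = {"crew_wifi", "passenger_wifi", "remote_vendor_vpn"}


def build_graph(links):
    """Turn a list of (src, dst) links into an adjacency dictionary."""
    graph = {}
    for src, dst in links:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])  # make sure sinks exist as keys
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns the node list of a shortest path
    from start to goal, or None when goal is unreachable."""
    if start not in graph:
        return None
    previous = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = previous[node]
            return path[::-1]
        for nxt in graph[node]:
            if nxt not in previous:
                previous[nxt] = node
                queue.append(nxt)
    return None


def exposed_critical_systems(links, critical, untrusted):
    """Map each reachable critical system to (entry_zone, shortest path).

    Untrusted zones are tried in sorted order so results are
    deterministic; the shortest path over all entry zones is kept."""
    graph = build_graph(links)
    exposure = {}
    for zone in sorted(untrusted):
        for system in sorted(critical):
            path = shortest_path(graph, zone, system)
            if path is None:
                continue
            best = exposure.get(system)
            if best is None or len(path) < len(best[1]):
                exposure[system] = (zone, path)
    return exposure


def isolated_critical_systems(links, critical, untrusted):
    """Critical systems that no untrusted zone can reach at all."""
    return set(critical) - set(exposed_critical_systems(links, critical, untrusted))


def exposure_after_removing(links, removed_link, critical, untrusted):
    """Re-run the analysis with one link removed, e.g. to evaluate a
    proposed segmentation change before it is implemented."""
    remaining = [link for link in links if link != removed_link]
    return exposed_critical_systems(remaining, critical, untrusted)


if __name__ == "__main__":
    for system, (zone, path) in exposed_critical_systems(SAMPLE_LINKS, CRITICAL, UNTRUSTED).items():
        print(f"{system}: reachable from {zone} via {' -> '.join(path)}")
    print("isolated:", sorted(isolated_critical_systems(SAMPLE_LINKS, CRITICAL, UNTRUSTED)))
    after = exposure_after_removing(SAMPLE_LINKS, ("ship_it_lan", "bridge_lan"), CRITICAL, UNTRUSTED)
    print("still exposed after segmenting bridge_lan:", sorted(after))
```

Running the script lists each exposed critical system with the shortest route an untrusted zone has to it, which is the dependency picture the framework expects an operator to hold before choosing controls; the last call shows that cutting the IT-to-bridge link in the sample removes the navigation systems from the exposed set but leaves the power management path through the engine HMI, so segmentation decisions need to be checked per critical function rather than assumed.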
Assessments may be done to provide a level of assurance that a ship being built, or a system that will be sold to a ship builder will be suitable for use and can be managed securely by the final owner/operator.
Vessels classed with LR, or intended to be classed with LR, can use the LR CSF to prepare and complete an assessment that will result in a Descriptive Note being assigned. Periodical Surveys to maintain such a Descriptive Note will be carried out as specified in the relevant LR Ship Rules.
To learn more about all these topics, get in touch with your local team.