Building strong cyber security into ship design
Amid growing cyber risks, engineering cyber security into vessel design will ensure compliance with the upcoming IACS Unified Requirements, provide strong protection against external threats and support compliance with new regulations during the operational phase.
As digitalization makes great strides in the shipping world, connectivity and system integration expose ships to growing cyber risks. This means that cyber security must be engineered into the design of every new vessel. Suppliers must deliver secure systems, and yards must combine these systems into a secure, painstakingly documented overall concept that provides a strong foundation for cyber-secure operation over the lifetime of the vessel.
Cyber security is a task for everyone involved in ship design and operation
In a world of smart ships, cyber criminals are constantly looking for loopholes in communications or tracking systems which they can use to “hack” into networks. Malware, ransomware, manipulation and other forms of abuse are daily threats to every digital system.
Regulating bodies increasingly see cyber security as a critical element for the safe design of vessels with growing complexity and integration. The EU and many other countries are expressly including shipping in their critical infrastructure. “The IACS Unified Requirements will ensure that cyber security is well-handled as part of the design verification during the building phase,” explains Jarle Coll Blomhoff, Head of Section Digital Ship Systems – Ship Classification at DNV. “System suppliers need to engineer strong cyber security resilience into their systems, and yards and designers need to have cyber security on their priority list when they order and integrate systems and design the overall vessel network. Addressing this is becoming a ticket to trade in the maritime industry.”
DNV Cyber Secure notation ensures compliance with IACS Unified Requirements
DNV’s Cyber Secure class notation looks at design aspects of the systems on board, the overall vessel design network and shore connectivity, as well as the operational phase including the crew and ship management procedures. It provides guidance and delivers proof of adequate cyber security measures while ensuring compliance with the upcoming IACS Unified Requirements.
The IACS Unified Requirements for cyber security (UR) consist of two sets of rules: E26 governs system integration, while E27 applies to essential on-board systems. Both must be met by vendors and yards and will be mandatory for all newbuilds with contracts signed from July 2024 on. They can be seen as an addition to the IMO cyber security regulations in effect since 1 January 2021, which require ship managers to assess cyber risks and have a cyber security management system in place. The DNV Cyber Secure Essential class notation certifies that vessels are built according to cyber security standards equivalent to IACS UR E27 and E26. Currently still voluntary, the notation has been contracted for around 200 vessels in operation or on order and is expected to be ordered for 300 to 400 DNV-classed newbuilds annually from 2024.
Wan Hai Lines embraces the Cyber Secure notation to protect its business
The Taipei-based container liner company Wan Hai Lines Ltd has opted for a voluntary DNV Cyber Secure class notation for all its DNV-classed newbuilds. “DNV experts who have extensive knowledge and experience in maritime cyber security, IT and control systems have helped us obtain this class notation for 15 ships so far,” says James Yeh, Executive Vice President at Wan Hai. “Any information leakage or cyber attack against our systems would have a huge impact on business operations, potentially causing financial loss and affecting the safety and security of seafarers, ships, cargoes and IT/OT systems, not to mention the reputational damage and legal liability.”
Investing in effective cyber security allows Wan Hai to share its data securely and transparently with all supply-chain stakeholders and provide customers with better and faster services, says Yeh. “We will continue to cooperate with DNV to make sure our newbuilds comply with all requirements.”
First marine engine control system receives cyber-secure type approval
The Swiss marine power company WinGD is the first manufacturer of marine engines to be granted a DNV Security Profile (SP) 1 type approval, which corresponds to the Cyber Secure Essential vessel class notation, for its WiCE engine control system. The type approval assures that the system is technically ready to meet the IEC 62443 standards and the related IACS Unified Requirements. IEC 62443 covers a wide range of security items such as identification and authentication, software authenticity verification, backup and rollback functionality, cyber security event logging, and traffic monitoring and control.
“As technology progresses and systems are more closely interconnected, the risk of cyber threats increases,” says WinGD Head of Digital Transformation & Technology, Peter Krähenbühl. “And just as we are beginning to use AI-based tools at WinGD to help detect and combat cyber threats, we realize that malicious actors are also finding ways to automate and improve cyber attacks based on artificial intelligence. Creativity has no limits – that goes for both sides, attackers and protectors.”
DNV SP1 type approval is a competitive must-have
WinGD devotes special attention to remote engine maintenance, a key to reliable vessel operation but also a potential attack vector. The DNV type approval positions WinGD as a pioneer in cyber security of these essential ship systems. “It offers peace of mind to yards and shipowners that vessels powered by a WinGD engine will comply with the upcoming regulations,” says Krähenbühl. “DNV was selected as a partner because we consider them an early adopter of existing cyber security methods and standards, and a pioneer in bringing them to the marine world. To us, the DNV SP1 type approval is a crucial competitive advantage.”
A class notation founded in international standards
The beauty of the Cyber Secure notation and the IACS URs is that they are founded in recognized international standards and cover the entire data value chain on land and at sea. The international IEC 62443 series of standards addresses cyber security for operational technology in automation and control systems. It forms the foundation for both the DNV Cyber Secure rules and the IACS UR. This means that international system suppliers may develop their marine equipment according to practices used in other industries and apply such devices cost-efficiently. DNV is looking forward to supporting the maritime industry by sharing its competency in cyber-secure vessel and system design based on both its third-party class role and the independent second-party advisory branch, reassuring all stakeholders that appropriate action is taken and defences are in place to keep malicious actors at bay.
DNV cyber security expertise is expanding rapidly
In June 2023 DNV announced the acquisition of cyber security services leader Nixu. DNV is integrating Nixu with its own cyber security businesses to form one strong organization with more than 500 cyber security professionals dedicated to providing cyber protection solutions for demanding IT and industrial control system environments in the maritime, energy, telecommunications and financial services industries, among others.