Ensuring cyber-secure vessel designs and supply
To ensure vessels are designed and built according to the latest cyber security standards, the entire supply chain needs to be cyber-resilient. Moreover, the new IACS Unified Requirements for cyber security (UR E26 and UR E27) will be mandatory from 1 January 2024.
Vessel design and construction have advanced rapidly over the past years, and the level of system integration and connectivity of vessels is increasing quickly. This requires yards to thoroughly consider the system integration, network topology and remote connections of their vessel designs, and to select system manufacturers based not only on the functionality of their systems but also on the systems' security.
In addition to cyber security (intentional attacks), cyber risk management should also cover cyber safety (software lifecycle management, quality and reliability). On this site we focus on cyber security; however, DNV also has a standard for cyber safety, called ISDS (Integrated software dependent systems).
In addition to keeping vessels safe and secure, it is important for yards to focus on the corporate security of their own IT infrastructure in order to avoid interruption of production or theft of IP rights for these advanced and tailored designs.
Recommended steps for yards in building cyber security resilience
Secure vessel design: Apply relevant cyber security rules and standards to your vessel design in order to offer compliant and secure designs. This will allow your future-oriented vessel designs to take advantage of new digital technologies.
Secure supplier integration: Implement cyber security in new designs, which requires close cooperation between yards and suppliers of the main software-based control systems. By providing clear requirements to manufacturers and suppliers, the yard may reduce costs and improve security, with less effort for integration and testing.
- DNV’s Cyber Secure rules offer a flexible framework for different levels of vessel complexity and are based on recognized IEC standards that support vendors’ implementation of system security controls (IEC 62443 for control and automation systems, and IEC 61162-460 for navigation and communication systems), compliant with the IACS Unified Requirements for cyber security.
DNV’s advisory and testing units can also support with gap assessment and preparation on behalf of the yard, supplier and owner.
Secure yard infrastructure: Ensure your own information (IT) and control (OT) system infrastructure is cyber secure in order to safeguard production and intellectual property (IP) rights of innovative designs and solutions. We recommend that the yard’s IT follow cyber security best practice using recognized standards such as ISO 27001 and the NIST Cybersecurity Framework. For the OT infrastructure used in production, we recommend applying the IEC 62443 practice and aligning IT and OT efforts to make implementation more efficient. Personnel should be trained, procedures should be implemented, and technical barriers should be in place.
- DNV has competent advisory and testing resources which can support you in this task, with broad industry coverage and a range of trainers, management system expertise and Certified Ethical Hackers.