ABS has developed a groundbreaking new methodology to measure cyber security risk associated with operational technology, providing marine and offshore clients a calculated risk index for vessels, fleets and facilities.
The index quantifies cyber security risk and gives owners and operators an actionable strategy to reduce cyber risk onboard a vessel.
The development follows ABS’ two-year research contract with the Maritime Security Center – a U.S. Department of Homeland Security Center of Excellence – led by Stevens Institute of Technology and including the US Department of Defense.
The research objectives included: better definition of risk-based performance standards; development of a maritime-specific framework for cyber policy; identification of critical points of cyber security failure; development of design requirements for a maritime cyber test-bed; and investigation of quantitative analysis tools to determine the effectiveness of cyber detection and deterrent strategies.
The result is a new model that helps owners proactively gain control over cybersecurity risks. By using the model, owners gain awareness of the relative impacts of specific risk types. This enables them select cyber security management decisions based on risk type and prioritize risk management resource commitments.
The new model is designed to shift industry cyber risk assessment practices away from estimates of an incident impact its likelihood to occur, to quantification and control of specific risk contributors – but it requires risk practitioners to change how they think about risk.
Until now, cyber risk assessment methods were largely qualitative, and characterized risk based on consequences, vulnerabilities and threats. These elements were useful in understanding risk; however, they were not inherently quantifiable. The new model directly addresses that issue.
To represent ‘Consequences, Vulnerabilities, and Threats’ as calculable elements of a risk equation for operating technology, we redefined them as ‘Functions, Connections, and Identities’ (FCI), respectively.
‘Functions’ are defined as industrial control systems that enable the crew to maneuver the vessel or perform its mission. In the FCI risk equation, they represent systems that a cyber attacker might attempt to control.
‘Connections’ are defined as the digital links that enable Functions to communicate with one another, to shore, to satellites, to the Internet, etc. Each Connection has endpoints or ‘nodes’ through which a cyber penetration can occur.
‘Identities’ are defined as unique humans or digital devices that can digitally access Connection nodes of the observed control system. By logically representing Threats as countable Identities, threats can be counted, a risk index number can be calculated, which is a breakthrough concept for advancing the understanding of maritime risk.
The quantitative data collected by identifying, characterizing, and counting asset Functions, Connections and Identities are then used to populate a worksheet that calculates levels of Risk contribution attributable to operational technology (OT) architecture designs, the number and accessibility of nodes in that architecture, and the number and trustworthiness of accessing human and digital identities. The resulting Risk Index primary elements and results is useable for modeling how specific FCI risk management controls change the relative risk contributions of the three primary risk factors, as well as the asset total Risk Index..
The process described here is simplified, but the Risk Index ultimately provides a quantitative view of the relative risk associated with the architectural design and implementation of individual systems onboard the vessel. That is something that has been missing in the maritime cybersecurity space.
As an industry, the ability to measure cyber risk will become a core foundation for operational efficiency and safety.
You may cast your vote for ABS at 2019 SMART4SEA Awards dedicated webpage till 21st of December 2018!
The views presented hereabove are only those of the author and not necessarily those of SAFETY4SEA and are for information sharing and discussion purposes only.