Given that cyber risks pose a great challenge to the shipping industry and the supply chain, ABS issued a Guide for suppliers to be able to manage cyber risks within their products, while also presenting the requirements for equipment compliance, based on the ABS CyberSafety® program.
Specifically, the ABS CyberSafety Product Design Assessment (PDA) and Design Review Letter (DRL) with the ABS CyberSafety declaration are provided based on a review of OEM documentation for compliance with the pertinent Rules or Guides and this Guide.
According to the Guide, the original equipment manufacturer (OEM) has to:
- be in constant communication with ABS, submitting, when needed, documents for all locations where control system software is developed, tested, and maintained for the computer-based system(s) or components under consideration for ABS CyberSafety PDAs or DRLs.
- state the foundational standards used in the development of its cyber security methodology.
- submit its general cybersecurity policies and procedures.
- set up an internal cyber security office, identifying a person, organization, or office responsible for the internal IT and OT cybersecurity of the OEM’s facilities in which product development is performed, and denote the cybersecurity protections embedded in the product, as applicable.
- submit: a) the Incident Response Policy and Procedure; b) the mission statement of the Incident Response Team (IRT); c) the roles and responsibilities of team members, including approvals and authority.
- conduct periodic cybersecurity training of office and field personnel.
- document and implement change control procedures for internal enterprise business systems, product hardware, embedded software, embedded cybersecurity controls, and the production, testing, installation, and maintenance processes.
Equipment level requirements:
Equipment can be reviewed for either a Product Design Assessment (PDA) or a Design Review Letter (DRL). Component selection, overall system design, architecture, and software may inadvertently introduce cybersecurity vulnerabilities that can be mitigated by appropriate cybersecurity controls.
Moreover, ABS describes the “Vulnerability report”, which consists of: the functionality; the Controlled Equipment List; the Vulnerability Assessment; the installed and/or recommended cybersecurity protective functions (hardware or software); a topology drawing of the network of OEM-connected components; the potential vulnerabilities associated with any wireless networks and remote connections; and the controls associated with those wireless networks and remote connections.
In the report, the OEM also has to include the cybersecurity vulnerabilities reported by sub-suppliers concerning the sub-systems and sub-components they provide to the OEM for installation in the computer-based system.
Surveyor Audits and Type Tests for ABS CyberSafety
The ABS CyberSafety type test consists of the following:
- Digitally-enabled components match the topology drawing and/or the Controlled Equipment List. Items to be verified are: 1) the computer-based system’s control system components (PLC, I/O cards, network, etc.); 2) network equipment (wired and wireless) within the scope of supply; 3) network infrastructure components within the scope of supply.
- The current version number(s) of the computer-based system software are displayed and match the documentation provided to the Surveyor.
- The software version number(s) of the OEM-installed cybersecurity protective functions (CSPF, hardware and software) match the documentation provided to the Surveyor.
- Accessible physical ports (USB and RJ45) are indicated to the Surveyor, either on the component or on the drawing, and these ports are blocked or disabled.
Recently, BIMCO and ICS published a new cyber security guidebook as a guide for the master and officers on board ships to help them prepare for a potential cyber incident.