As smart ships and the smart technologies installed on board continue to grow in number and capability, cyber risk assessment and reporting have moved to the centre of the discussion, with the shipping industry stressing the importance of being cyber resilient.
Recently, the International Association of Classification Societies (IACS) published its Recommendation on Cyber Resilience. It applies to the use of computer-based systems that provide control, alarm, monitoring, safety or internal communication functions and that are subject to the requirements of a classification society.
The recommendation applies to onboard OT systems and other systems which are connected to onboard OT systems in a way that may affect their operation, as identified by risk assessment.
As a reminder, risk assessment is defined as the process of collecting information and assigning values to risks, providing a basis on which to decide priorities and to develop or compare courses of action.
The report focuses on carrying out a detailed risk assessment of onboard computer-based systems using standard risk assessment techniques.
The risk assessment includes a risk analysis that identifies both the immediate effect on the onboard systems and the overall impact on ship operation, which can affect human safety, the safety of the vessel and the environment.
"The risk analysis should consider the effect on the systems integrated or interfaced to other systems, …", the report notes.
In addition, the consequences and impact identified in the assessment should be analysed with respect to the availability, integrity and confidentiality of the computer-based system's data under cyber threat, since a loss of any of these could ultimately affect human safety, the safety of the vessel and the environment.
The report advises that the risk assessment should take into account the type of vessel and the extent of connectivity between the various onboard systems and between ship and shore, and that it should also identify the designed safe state of each system.
Finally, once the risk assessment is complete, the report recommends producing a document that describes the selected safeguards (controls), gives instructions on how to verify that each has been effectively implemented, and records a rationale for any safeguard that was not implemented.