• One of the world’s leading cruise line operators has trusted DNV Cyber since 2017 to provide cybersecurity verification for over 10 newbuild cruise ships. 

• Working efficiently on board, DNV Cyber has assessed yard and vendor OT cybersecurity processes, assessed and delivered the functional architecture and network topology, and conducted OT cyber-security verification inspection and testing. DNV Cyber has also verified the IT cybersecurity processes and performed IT penetration testing including vulnerability assessment and purple teaming. 

• New learnings from the multiple-ship projects improve cybersecurity design of next-generation vessels. 

• The operator has reported no significant cyber incidents on its ships. 

The major cruise line operator needs to ensure onboard cyber-resilience to ensure safe, efficient running of its expanding fleet for the benefit of its passengers, crew, and business. Profitability rests on its ships operating reliably and to schedule to give customers what they paid for and to communicate seamlessly with its onshore operations centres, more than 1,000 destinations worldwide, and its suppliers. It also needs to ensure that new ships on order will be ready to start paying back the investment as soon as they join the fleet. 

In looking at what the operator’s cyber-resilience journey would require, DNV Cyber recognized that: 

• Onboard cybersecurity testing could only be done when a newbuild ship’s IT and operational technology (OT) were mature enough to assess. 

• Cybersecurity assessment and testing on board needed to fit into limited time slots between the end of a ship’s commissioning and the start of sea trials. 

• The collaboration would require the long-term involvement of many experts across DNV business areas globally, and excellent communication with the customer at senior management, technical, and administration level. 

Multi-year, multi-vessel deals have been key factors in success 

Working on multiple liners has allowed the operator and DNV Cyber to optimize assessment and testing processes and relationships across three of the world’s four major cruise liner shipyards and 20 IT/OT vendors. It has resulted in a high level of communication and collaboration from the yards and the vendors. 

Among the benefits that have come through the multi-year, multi-vessel projects are: 

• Working on multiple newbuilds for many years has brought learnings and built relationships that make for smoother, improved, cybersecurity assessment, verification, and testing processes. 

• New learnings have been used to improve the cybersecurity design of the next generation of ships. 

• When the average value per ship is high enough across a multi-year, multi-vessel deal, a cybersecurity service can be more tailored to a customer. 

• Economies of scale in multi-ship deals can lead to contracts offering more value and providing better visibility on cybersecurity budgets over the medium term. 

• Tracking and comparing cyber-resilience capabilities of vendors and systems over time between different vessels. 

The continually updated framework used for the work in multi-ship projects for the operator can accommodate processes that respond to regulatory change, so that compliance should be less of a headache. 

Creating a framework for up-to-date security 

Supporting the operator’s aims has involved 15 experts across DNV Cyber and DNV Maritime business areas combining IT/OT cybersecurity expertise with deep experience of shipbuilding projects. 

Cybersecurity/Penetration testing is conducted within a joint cybersecurity framework set up by DNV and the operator for newbuilds and continually enhanced since 2017 to account for maritime’s evolving cyber risk profile. Extending the framework across the operator’s newbuild brands has made it possible to set measurable objectives and plot trends. DNV’s local relationships with yards and with DNV Maritime surveyors in them lets DNV Cyber set up penetration testing in advance so that all goes smoothly when the experts board. 

Process assessment dashboards and test findings across projects assist the operator’s own cybersecurity experts to build their cybersecurity dashboards for easier visual checks. This can provide advanced warnings for the next newbuilds and allows the operator to see how projects affect cyber resiliency and risk reduction. 

DNV Cyber’s customized test programme is proven to find the most significant weakness in the shortest time. 2,500 hours have been spent testing across all the vessels involved, with more than 2,000 OT and IT findings identified. 1,400 hours have been spent assessing vendors and following up mitigations and improvements to now. 

The results of testing help to recommend practical action plans to strengthen cyber defences from the inside out. Plans can involve empowering a client’s entire team to become cyber defenders by fostering a security culture to protect the business from the ground up. Awareness-raising and training can be a huge undertaking in large companies. The operator has more than 100,000 employees from more than 100 countries, for example. 

As well as increasing the operator's cyber-resilience, the partnership with DNV Cyber has brought the yards and vendors valuable experience and improvements in terms of resilience and how they tackle cyber risks and evolving regulatory requirements. 

Thanks to the projects with the operator, DNV itself is better serving customers with cybersecurity services.