- A gas tanker operator tasked DNV Cyber with helping it meet a global cybersecurity standard.
- DNV Cyber identified and assessed the cyber risks, created a roadmap to compliance, and assisted in its practical implementation.
- DNV Cyber helped the shipping company toward a strong, future-proofed cybersecurity strategy.
This project was delivered by Applied Risk, a DNV company. DNV, Nixu and Applied Risk joined forces to form DNV Cyber in 2024, creating one of Europe’s fastest growing cybersecurity services businesses.
A European shipping company operating gas tankers sought to comply with current regulatory requirements. It approached DNV Cyber to help meet cybersecurity standards set by the International Maritime Organization (IMO).
In initial discussions, DNV Cyber identified four key drivers of the customer’s push for regulatory compliance:
- Inadequate defences against mounting threats: Cyber attacks on the maritime sector are increasing. The customer knew its systems were not well protected against the specialized approaches and custom malware used by malicious actors.
- Health and safety: Cyber criminals have targeted bridge, navigation, and other operational technology (OT) systems critical to the safe functioning of the customer’s fleet. Security breaches can lead to pollution and loss of physical safety for workers and surrounding communities.
- Business continuity: The customer’s OT systems must be able to operate continuously. Its tankers must be able to load, transport, and deliver shipments of liquefied natural gas (LNG) and other hydrocarbon-based liquids in the right places at the right times. Disruptions can damage the customer’s reputation and lead to financial losses, and may also cause undue physical damage to its ships.
- Consequences of non-compliance: Failure to comply with IMO standards can result in fines or the revocation of operating licences.
Making the business case
Under these circumstances, the shipping company had a strong business case for conducting a risk assessment to develop a roadmap toward compliance with the IMO’s Resolution MSC.428(98).
Taking this step was seen as a way to help the shipping company improve its cybersecurity posture while also meeting regulatory requirements on schedule. The IMO resolution called for maritime operators to ensure that their existing safety management systems were appropriately protected against cyber attacks by the time of their 2021 annual verification.
DNV Cyber was selected over competing vendors because of its:
- Experience helping clients meet regulatory requirements including the high standards set by the IMO and other international bodies.
- Understanding of the need to maintain continuous operations to ensure timely loadings and deliveries, as well as ensuring the safety of crew members and the environment.
- Deep knowledge of complex attack surfaces such as tankers outfitted with multiple types of legacy safety management systems.
- Industry-specific expertise gained from working with maritime sectors including operators and shipyards.
[DNV Cyber’s …] vast cybersecurity knowledge has provided us with the security that we need to ensure that our operations continue to run smoothly, and our personnel are protected. Highly recommended.
Taking a pragmatic approach to compliance paid off
DNV Cyber aims to provide practical solutions that work in the real world. Its team took a pragmatic approach to assessing risks facing the customer. That approach, guided by the framework created by the US National Institute of Standards and Technology (NIST), had four phases:
Identify and assess: The team catalogued critical OT and IT systems and subjected them to asset discovery, vulnerability assessment, and gap assessment.
Plan and design: The team used data collected in the first phase to create a roadmap for achieving short- and long-term compliance with IMO Resolution MSC.428(98).
Implement and remediate: The team began carrying out tasks from the roadmap, emphasizing those with a fast turnaround.
Monitor, maintain, and respond: The team helped the customer to develop, launch, and maintain security solutions capable of responding to, monitoring for, and preventing cyber attacks.
This four-phase approach was more successful because of two initiatives. One involved stakeholders in ranking risks: after listing assets, DNV Cyber’s team consulted extensively with the customer’s engineering, operations, IT, and OT staff to prioritize risk-mitigation recommendations. The resulting rankings helped establish a path to identifying quick fixes versus high-priority and long-term projects.
In the second initiative (training, awareness, and incident response), DNV Cyber’s roadmap laid a foundation for adopting security best practices, including staff awareness and training programmes and incident response drills.
In summary, DNV Cyber helped the shipping company achieve regulatory compliance and transition from having very little security for its vessels to planning for the establishment of a strong and durable cybersecurity strategy.