The biggest barrier to improving OT security in shipping is that it often needs a pervasive, transformational plan. But what if we took a more incremental approach?
Vessel OT security is really a commercial challenge
Operational technology (OT) has been the most challenging part of vessel cybersecurity. This isn’t because of technical hurdles – solutions like our own have proven effective – but because it is mainly a commercial and organisational challenge.
Gaining control of OT cyber risk requires a number of behaviours to align:
- Strong internal collaboration and alignment between the Technical, IT and HSQE teams on the OT security mission is critical.
- The leadership team needs to champion the business case for OT security and empower the whole organisation to prioritise their time and resources.
- Original equipment manufacturers (OEMs) and integrators of shipping systems must be engaged in constructive discussion about the inherent risks of their systems and strongly encouraged to support plans to address them.
These are significant hurdles, all the more so because OT security must be recognised as an ongoing challenge. Leadership teams hope the problem can be eliminated and “go away”. Touch once, fix forever. Sadly, this isn’t possible. The continuing digitalisation of vessels and evolving cyber threats mean that OT security must be continuously improving, iterative and sustainable for the long term.
Holistic approaches are great in theory, but difficult to deliver
They become complex, multi-year cyber security programmes built on comprehensive risk assessments, spinning out major initiatives like rearchitecting networks to improve segmentation, upgrading controls and reviewing supplier risk management. And once those initiatives are delivered, ongoing security operations must be established to respond to the influx of alerts that will be generated.
Unsurprisingly then, such programmes are the exception and not the norm in shipping. Many who might aspire to this holistic approach often fail in the early stages. Getting all the stakeholders aligned is such a challenge, it becomes debilitating. The result is that no meaningful progress is made.
A more practical approach is needed.
Stop waiting for transformation, start with one simple change
Some savvy shipping operators are looking to achieve incremental improvements to OT security by leveraging a well-understood process in shipping operations – the management of change (MOC). Effective MOC is a requirement in the ISM Code, the ISPS Code, TMSA Element 7 and ISO 9000. As such, all shipping operators have embedded a robust change management process to protect the integrity of existing systems.
This is a practical approach to OT security. The key is inserting a process for assessing cyber risks within MOC procedures. Ensuring that cybersecurity implications are considered during changes to vessel OT systems creates an opportunity for cyber security officers to introduce applicable cyber controls every time the risk profile evolves as a result of a change event.
Over time the deployment of OT controls becomes pervasive without the need for holistic transformation. This can be game-changing for your vessel cyber risk management programme.
To get some tips and tricks on how to bring such an approach to life at your organisation and share lessons with shipping peers who have explored OT cyber risk management, come join our workshop on 7th July by registering at this link.