Prior to 2016, maritime cyber security wasn’t a major consideration for shipping stakeholders and bodies. Shipping was a typically staid industry, relying heavily on traditional pen and paper methods and not necessarily partaking in the digital revolution transforming other industries. However, as digital technology tiptoed its way into the maritime environment, technological systems and the processes in place to properly control them became increasingly complex, taking essential time away from fleet IT managers that could otherwise be spent developing the business further. Not only that, but hackers began to realize the potential for profiting from how exposed maritime had become, and thus cyber-attacks costing hundreds of thousands in monetary terms, jeopardizing sensitive information, and putting seafarers in harm’s way, increased tenfold. To elaborate, Hellenic Shipping News reports a 900% increase in reported cyber-attack incidents over the last 3 years. Therefore, cyber security frameworks have had to become a fundamental part of shipping, integrated at the heart of its operations in order to protect against and prevent an attack.
During its 96th session in 2016, the Maritime Safety Committee implemented a maritime cyber security framework for the first time, named the “Interim guidelines on maritime cyber risk management”. These guidelines set the initial structure for dealing with the cyber threat by including recommendations to safeguard shipping from current and emerging cyber vulnerabilities. Since its implementation, many classifications, regulations, and bodies have emerged to offer regulatory support to the maritime industry. Common framework providers are NIST (a worldwide leader in cyber frameworks), the IASME consortium, ISO and CIS.
But what is the actual focus of these frameworks? As digital infrastructure is so vast and ever-expanding, so are the frameworks addressing it, covering aspects such as recommendations for security policies, asset management, access management (such as when someone external to the company needs to enter the infrastructure to carry out work), account monitoring, wireless access control, data protection, and so forth. Being able to combine all of these frameworks into an organization’s operations and address essentially every aspect of the digital architecture would represent the next step for the maritime digital revolution: a highly advanced and progressive mode for both protecting against cyber threats and complying with expanding regulation.
And this is what Navarino’s new Quazar service does. It’s a polymorphic umbrella of solutions, addressing each and every part of these frameworks in order to provide holistic and all-encompassing protection and compliance. What makes Quazar so advanced is that it isn’t just one singular service; it expands across multitudinous layers of the digital spectrum by providing ‘IT’ itself as a service, including the management of the vessel’s entire IT infrastructure with onboard hardware and software included, a 24/7 personal Navarino IT Manager, and support from a dedicated team of IT specialists. This assures full compliance with IMO regulations as Quazar undertakes tasks in every digital domain.
For example, administrative and technical controls are deeply considered, analyzed, and implemented by Quazar to address and mitigate risk according to the organizational objectives and risk tolerance of the vessel owner. Policies involve aspects such as management intent, expectations, and directions, whilst procedures introduce how to execute such policies, providing the systems, software, and rubrics for enforcing them. Before implementation, vessel IT admins review the policies and procedures, which can then be customized to reflect the existing policies of the organization. Additionally, technical controls address the specific technology being utilized for controlling the access and usage of data. Quazar undertakes responsibility for all such tasks, freeing up essential time for vessel IT Managers to ‘focus on the bigger picture’ and develop the organization further.
Through working with the world’s biggest technology providers including Microsoft, Dell, Connectwise, Canon, and more, Quazar allows for the implementation of advanced security policies that safeguard all digital infrastructure, promoting a digitally advanced and technologically evolved organization. Most importantly, Quazar frees up time for organization IT managers who can turn their attention to the development and evolution of the business itself through the unparalleled support of Navarino’s personal IT Manager.
At a more technical level, Quazar allows ship operators full compliance with certificate Standard NR659 of the Bureau Veritas Cyber Managed class notation at a 50% discount, irrespective of the class they are using. Specifically, the Bureau Veritas Cyber Managed class notation is a set of IMO requirements that Quazar fully complies with, dealing with the following elements:
- Equipment identification: As defined in Ship Rules, NR467, Pt C, Ch 3 Sec 3.
- Equipment criticality assessment: System criticality is assessed in order to focus the cyber security effort on the right place.
- Cyber risk assessment: Cyber security is to be assessed for the vessel by taking into account shipowner risks and constraints.
- Monitoring procedures: Compliance procedures are used to anticipate and detect cyber incidents by verifying the integrity of the critical equipment. The principle is to have a picture of standard equipment from its initial state, or from its last state known to be proper.
- Maintenance procedures: Everyday system use can introduce cyber risks, which are to be mitigated both by updating the systems and by preventing unexpected effects during maintenance operations.
- Incident response procedures: In case of system failure, the shipowner and crew members have to ensure safety and, whenever possible, restore critical systems to a safe state.
- Cyber Security Policy: A policy is to define governance, cyber operations management, physical security and change management.
So, how does Quazar offer approval from Bureau Veritas for the Cyber Managed notation? The class notation Cyber Managed is assigned to a ship in order to reflect the fact that a procedure including periodical and corrective maintenance, as well as periodical and occasional inspections of information systems or equipment and ICS or equipment, is dealt with on board by the crew and at the Owner’s offices according to approved procedures. The assignment of the notation implies that the requirements for assignment of the Cyber Managed notation have been fulfilled in accordance with the following, all of which Quazar provides:
- Equipment is identified, inventoried and categorized in accordance with Ch 1, Sec 2
- Criticality, incident impact and cyber attack likelihood of equipment are assessed in accordance with Ch 1, Sec
- Vital functions, treatment opportunity and risk mitigation are assessed in accordance with Ch 1, Sec 5
- Monitoring, maintenance and incident response procedures are delivered in accordance with Ch 1, Sec 6
- Governance, cyber operations management, physical security and change management policies are delivered in accordance with Sec 2.