Matching Shipbuilding Schedules with Cybersecurity Deliverables
Aligning Shipbuilding Schedules with Cybersecurity Deliverables
With the recent strengthening of cybersecurity regulations by the International Maritime Organization (IMO) and the International Association of Classification Societies (IACS), cybersecurity management has become an essential aspect of newbuild vessels.
As a result, classification societies now require cybersecurity certification, and shipyards must consider security measures from the design stage.
In this post, we will match key shipbuilding milestones with the cybersecurity deliverables outlined in classification society guidelines, particularly those of Classification.
By doing so, we will identify the essential documents and verification procedures that need to be prepared at each stage of the shipbuilding process. 🚢🔐
⛵ The Intersection of Shipbuilding and Cybersecurity
Shipbuilding follows a structured process that consists of five key stages after contract signing:
Design → Procurement → Construction → Trials → Delivery
At each stage, it is essential to integrate the cybersecurity requirements outlined by classification societies. This necessitates close collaboration and agreement between shipyards, shipowners, and classification societies to ensure compliance. The responsibility for key cybersecurity deliverables is divided as follows:
⛵ Matching Shipbuilding Milestones with Cybersecurity Deliverables
| Key Event & Abbreviation | Description | Estimated Duration | Owner's Deliverables | Shipyard's Deliverables | Supplier's Deliverables |
|---|---|---|---|---|---|
| Contract Signing (C/S) | Shipbuilding contract signed between the owner and shipyard | 1–3 months | ✅ Ship Cybersecurity and Resilience Program | - | - |
| Basic Design (B/D) | Hull form selection and definition of main specifications | 2–6 months | ✅ Management of Change (MoC) | ✅ Cyber Security Design Description | - |
| Detail Design (D/D) | Development of construction drawings and production processes | 2–6 months | ✅ Management of Software Updates ✅ Management of Firewalls | ✅ Zones and Conduit Diagram ✅ Security Configuration Guidelines | - |
| Equipment Ordering (E/O) | Procurement of engines, propulsion systems, and major equipment | 5–12 months | ✅ Management of Malware Protection ✅ Risk Assessment for Exclusion of CBS | ✅ Secure Development Lifecycle (SDL) Documentation ✅ Management of Change Plan | - |
| Steel Cutting (S/C) | Start of hull construction | 3–6 months after contract | ✅ Management of Access Control ✅ Ship Asset Inventory | ✅ Computer-Based System Asset Inventory | - |
| Block Construction (B/C) | Fabrication of hull blocks | 4–12 months | ✅ Management of Remote Access ✅ Description of Compensating Countermeasures | ✅ Topology Diagram | - |
| Hull Erection (H/E) | Assembly of hull blocks into a complete structure | 2–6 months | ✅ Management of Mobile and Portable Devices | - | ✅ Description of Security Capabilities |
| Launching (L/A) | Launching of the vessel into the water | 2–6 months | ✅ Detection of Security Anomalies ✅ Ship Cyber Resilience Test Procedure | ✅ Test Procedure for Security Capabilities | - |
| Harbor Trial (H/T) | System testing while docked | ~1–2 months | ✅ Verification of Security Functions ✅ Cybersecurity FAT Test Reports | ✅ Incident Response and Recovery Plans | - |
| Sea Trial (S/T) | Full-scale navigation testing | ~1–2 months | ✅ Incident Response Plans ✅ Cybersecurity SAT Test Reports | ✅ Test Reports | - |
| Owner’s Inspection (O/I) | Final inspection by the owner and classification society | ~1–2 months | ✅ Recovery Plans ✅ Final Cybersecurity Audit | ✅ Plans for Maintenance and Verification | - |
| Delivery (D/L) | Official handover of the vessel | Final stage | ✅ Final Cybersecurity Certification ✅ Compliance Audit Report | ✅ Type Approval (TA) Certification | - |
📌 Cybersecurity Deliverables in Detail
🚢 Ship Cybersecurity and Resilience Program
- Establishing a management framework for IT/OT system protection
- Compliance with IMO MSC-FAL.1/Circ.3
🚢 Management of Change (MoC)
- Security risk assessment and approval procedures for IT/OT system changes
🚢 Management of Software Updates
- Managing OS, firmware, and security patch updates for CBS and IT/OT systems
🚢 Management of Firewalls
- Establishing firewall settings, maintenance policies, and log monitoring
🚢 Management of Malware Protection
- Implementing malware detection and defense measures for IT/OT systems
🚢 Management of Access Control
- Defining user access rights and preventing unauthorized access
🚢 Management of Remote Access
- Secure remote access management using VPN, MFA, and session logging
🚢 Management of Mobile and Portable Devices
- Security policies for USB storage devices and mobile equipment
🚢 Detection of Security Anomalies
- Monitoring security anomalies using IDS, SIEM, and log analysis
🚢 Verification of Security Functions
- Regular inspections to ensure proper operation of cybersecurity features
🚢 Incident Response Plans
- Defining detection, response, and recovery processes for cybersecurity incidents
🚢 Recovery Plans
- Strategies for rapid recovery from cyberattacks (e.g., ransomware, data breaches)
🚢 Ship Asset Inventory
- Recording IT/OT assets, network connections, and security statuses
🚢 Zones and Conduit Diagram
- Designing network segmentation and data flow analysis for cybersecurity zoning
🚢 Cyber Security Design Description
- Documenting the cybersecurity architecture and protection mechanisms applied during ship design
🚢 Risk Assessment for Exclusion of CBS
- Establishing mitigation measures for CBS that fail to meet cybersecurity requirements
🚢 Description of Compensating Countermeasures
- Applying security compensations for non-compliant systems and evaluating their effectiveness
🚢 Ship Cyber Resilience Test Procedure
- Defining security assessment and penetration testing procedures for IT/OT systems
🚢 Computer-Based System Asset Inventory
- Recording CBS inventory and security interfaces onboard
🚢 Topology Diagram
- Visual representation of CBS interconnections and data flow
🚢 Description of Security Capabilities
- Documenting security features such as encryption, intrusion detection, and access control
🚢 Test Procedure for Security Capabilities
- Establishing procedures to verify proper functionality of cybersecurity measures
🚢 Security Configuration Guidelines
- Providing security configuration guidelines for IT/OT systems and networks
🚢 Secure Development Lifecycle (SDL)
- Defining security requirements and verification processes for IT/OT system development
🚢 Plans for Maintenance and Verification
- Developing cybersecurity maintenance and periodic inspection plans
🚢 Test Reports
- Recording results of cybersecurity testing and audit processes
🚢 Conclusion: Cybersecurity is a Key Component of Shipbuilding
With the IMO and IACS (UR E10/22/26/27) cybersecurity regulations, shipbuilders must integrate cybersecurity considerations from the initial design phase to ensure compliance and resilience.
How important do you think cybersecurity is in the shipbuilding process?
Share your thoughts in the comments—we’d love to hear your insights! 😊
🔍 Stay tuned for our next post: "Key Checklist for Classification Cybersecurity Certification"! 🚀
Comments
Post a Comment