The American Bureau of Shipping (ABS) has announced the successful development of a ground-breaking new methodology to measure cyber-security risk associated with operational technology.
The methodology will provide marine and offshore clients a calculated risk index for vessels, fleets, and facilities — quantifying cyber-security risk and delivering actionable strategy to owners and operators.
Before the development of the methodology, cyber risk assessment methods were mostly qualitative, characterizing risk based on threats, vulnerabilities, and consequences.
ABS Chairman, President, and CEO, Christopher J. Wiernicki, said: “With assets increasing in complexity, comprising several interconnected control systems, it was critical to develop a simple, quantifiable method to measure cyber risk.
“The ABS FCI Cyber Risk™ model gives owners and operators a straightforward approach to understanding their existing cyber risk and a concrete approach to reducing that risk.”
The Functions, Connections, and Identities (FCI) model can calculate a cyber risk index for individual assets or entire fleets, allowing owners and operators to target their cyber-security investments.
The quantifiable and calculable method evaluates not only the operational systems and connections of a vessel, but also the human and machine identities, clearly enumerating the level of cyber risk exposure.
Wiernicki commented: “This is data-driven decision making in action.
“With the results of the FCI Cyber Risk process, clients can apply a cost-effective risk mitigation strategy across their assets and fleets.”
The development follows ABS' two-year research contract with the Maritime Security Centre, which involved exploring a better definition of risk-based performance standards and the development of a maritime-specific framework for cyber policy, identifying critical points of cyber-security failure, and investigating quantitative analysis tools to determine the effectiveness of cyber detection and deterrent strategies.