Bureau Veritas launches cyber-security ‘health check’ tool

In an interview at Seatrade Cruise Global in Fort Lauderdale, BV head of cyber security department Philippe Vaquer told PST the driving forces behind the new initiative. “The IMO resolution MSC 42898 entered into force 1 January 2021. It said all shipowners must implement effective cyber-risk management on vessels, that will be audited by the flag states once a year.”

He warned shipowners need to understand it is not compliance for compliance’s sake but rather compliance to be protected. 

To implement an effective risk-management programme, Mr Vaquer said, “The first thing you have to do is make a cyber-security inventory, as if you don’t know about your digital assets on board, you won’t be able to protect them. This inventory is mostly something ship operators don’t have – they don’t have a real vision of the cyber inventory but this is the fundamental document if you want to do cyber security. It is necessary shipowners have this.”

Once a shipowner has the inventory, they can carry out risk analysis and implement procedures on critical equipment.

But there are challenges when it comes to the inventory. Mr Vaquer said, “When you build the inventory, you take documents from other places [such as the ship yard] and consolidate, but who guarantees it is true? Clients told us they are happy about the inventory but is it the truth, can they trust the document?”

This is why CHART steps in. The driver for it came from clients, but Mr Vaquer highlights there was a double intention: the clients’ need to check but also to think of the future of the class society’s surveyors, as at some point they will have to check some aspects related to cyber security on board.

The tool provides a comprehensive audit of the vessel’s equipment, networks, security mechanisms and interconnections, to ensure these systems are fully known to the owner and validate their compliance with cyber-security standards. The analysis delivered provides a “cyber-security health check report”, together with recommending mitigation measures. 

The aim is to offer a comprehensive technical assessment of a vessel’s cyber resilience at specific moments in its lifetime, responding to the need to constantly review, maintain and update systems in the face of evolving cyber threats.

CHART is plugged into different places on board, into the entry points of all networks; it collects data, scans and listens to the network.

Mr Vaquer said, “It is taking a picture; if there is equipment that is not supposed to be there, we find it, if networks are meant to be segregated but are not, this will be found. It checks all inconsistencies.”

The scan allows the consistency of the inventory to be checked. The tool, only six months old, is already being implemented on cruise vessels.

Increasing the cyber resilience of vessels is a core priority. Mr Vaquer commented, “Cyber security is new for the maritime industry – they are starting to discover it, but they don’t always understand what is at stake. 90% of global trade goes through maritime and when hackers understand what money is involved, they will turn to where the money is.”