Threats to cybersecurity continue to increase in number and appear from unexpected new angles owing to the increasing sophistication of cyber-attacks. A novel methodology is required not only to protect data but also to achieve safe and reliable operations at sea. The first step towards securing control systems is to make sure they are designed and operated per recognized international standards and recommendations, such as the ISO (International Organization for Standardization) 27000 series, the IEC (International Electrotechnical Commission) 62443 family of standards, the NIST (National Institute of Standards and Technology) framework, or the IADC (International Association of Drilling Contractors) cybersecurity guidelines. In addition, testing and probing these systems and their associated networks for possible vulnerabilities and for robustness under high traffic loads are important to verify that the implementation of the design is safe, secure and carried out in accordance with the vendor’s or the system integrator’s documentation.
This paper provides tangible examples of findings from cybersecurity and network health tests performed on various vessels and installations, such as shuttle tankers, drilling rigs and FPSOs (floating production, storage and offloading units), by DNV GL Marine Cybernetics Advisory. Typical pitfalls of on-board cybersecurity are discussed, such as inadequate protection mechanisms, installation failures and mismatches between documentation and installation, vulnerabilities in controllers, and insufficient network capacities.