Working together for a safer world
Preparing for Tanker Management Self-Assessment Make sure you’re ready to meet the new requirements.
Version 1.0, February 2018
NEW THRESHOLDS
OUR SERVICES
TMSA3 INTRODUCES NEW THRESHOLDS We help you understand what they mean to you.
SUPPORTING YOU
WHAT TO DO NOW
OUR ADDED VALUE
LEADING THE WAY
OUR WIDER CAPABILITY
What's new?
How we can help you
A new cyber security component has been incorporated into the third edition of Tanker Management and Self Assessment: A Best Practice Guide (TMSA3), released by the Oil Companies International Maritime Forum in 2017. The cyber security component is directly addressed in two of the performance elements: management of change (element 7) and marine security (element 13).
Our service supports tanker operators in their implementation of a cyber risk management plan by addressing the new cyber security KPIs set out in TMSA3 and providing documented evidence of compliance.
Why is this relevant to you?
To support the implementation of the new cyber security component found in TMSA3 (requirements 7 and 13), we have identified potential phases that can be followed and tailored to your specific needs. These start from the achievement of the minimum expected level (level 1) and can ultimately bring the company to the full achievement of the management of changes and marine security objectives, which are identified as level 4 by TMSA3.
For each element in TMSA3, tanker operators should carry out a self-assessment and rate themselves (their safety management systems, operations and practices) against the key performance indicators (KPIs) defined in TMSA3. TMSA3 defines four levels: a minimum base level of expectation (level 1) and three levels of development. To facilitate any external verification, tanker operators should produce documentary evidence of what is declared as part of the self-assessment.
Our approach
Learn more about TMSA3 requirement 13 (levels 1, 2, 3, and 4) and requirement 7.
2
NEW THRESHOLDS
OUR SERVICES
SUPPORTING YOU
WHAT TO DO NOW
OUR ADDED VALUE
LEADING THE WAY
OUR WIDER CAPABILITY
TAILORED PACKAGES FOR YOU Our services. Click to view our offerings.
Level 1
Cyber security procedures definition
Level 2 Risk assessment
Cyber security procedures audit
A number of supporting documents will be supplied; standard documents based on good industry practice. As part of a one-day workshop, we will show you how to tailor these to suit the operational model of your business. On completion of the workshop additional support can also be discussed if required.
An example risk assessment will be provided, showing how to assess the threats and apply mitigating controls; this will be in the form of a standard template showing the approach to and methodology for conducting a risk assessment. Standard assets will be pre-populated, which need to be tailored to suit your business model. After instruction provided by our consultants, you will need to populate the compensating controls within the template to mitigate the identified risks. A cyber security audit will be undertaken by an ISO 27001-qualified auditor; the scope of the audit will be agreed with you and will be based on a selection of agreed controls, as opposed to every control. This will ensure the audit can be managed and completed in one day.
Level 3 Onboard audit
Level 4
Vulnerability assessment
The main aim of an onboard audit is to determine the effectiveness of the ship’s security measures, policies, procedures and preparedness for cyber-related incidents. The audit will determine whether controls, processes and procedures conform to the requirements of the TMSA3 standard, whether the policies and procedures are effectively implemented and maintained, and if they perform as expected. A vulnerability assessment on your computer-based systems (navigation, cargo control, power management, communication, etc) will be delivered. The assessment will also check the ship networks and any automation on board the selected vessel, and check false positives and preliminary information gathering and related reporting. If a specific goal is identified by the client, penetration testing can also be performed. Penetration testing is the attempt to actively exploit weaknesses in the environment from the perspective of an attacker with direct access to the network being tested.
3
NEW THRESHOLDS
OUR SERVICES
SUPPORTING YOU
WHAT TO DO NOW
OUR ADDED VALUE
LEADING THE WAY
OUR WIDER CAPABILITY
SUPPORTING YOU IN SATISFYING THE TMSA3 REQUIREMENTS The cyber security components in TMSA3. Our TMSA3 offering
Level 1 – TMSA3 requirements Cyber security procedures definition Documented security plans are in place. The company has documented procedures in place to identify security threats applicable to vessels' trading areas and shore-based locations. Measures have been developed to mitigate and respond to all identified threats to vessels and shore-based locations. Procedures include the reporting of potential security threats and actual security incidents. Procedures identify emerging requirements.
Risk assessment
The company actively seeks out improvements for newbuild design specifications.
Risk assessment
Cyber security procedures audit
Onboard audit
Vulnerability assessment
✓
Formal risk assessments of company activities are undertaken to identify and mitigate potential security threats.
The company actively promotes cyber security awareness.
Vulnerability assessment
Our TMSA3 offering Cyber security procedures definition
Policies and procedures include cyber security and provide appropriate guidance and mitigation measures.
Onboard audit
✓ ✓ ✓ ✓ ✓
Level 2 – TMSA3 requirements
The personnel responsible for security receive training appropriate to their role and the company’s activities.
Cyber security procedures audit
✓ ✓ ✓ ✓ Page 1 of 2 4
NEW THRESHOLDS
OUR SERVICES
SUPPORTING YOU
WHAT TO DO NOW
OUR ADDED VALUE
LEADING THE WAY
OUR WIDER CAPABILITY
SUPPORTING YOU IN SATISFYING THE TMSA3 REQUIREMENTS The cyber security components in TMSA3. Level 3 – TMSA3 requirements
Our TMSA3 offering Cyber security procedures definition
A travel policy is in place to minimise security threats to personnel. Security procedures are updated taking into account current guidance.
Risk assessment
Cyber security procedures audit
Onboard audit
✓ ✓ ✓ ✓
The security policy and related procedures are included in the internal audit programme.
✓
A software management procedure covers all shipboard and shore systems.
✓ ✓
Our TMSA3 offering
Level 4 – TMSA3 requirements Cyber security procedures definition
Risk assessment
Cyber security procedures audit
Onboard audit
Independent specialist support is used to mitigate identified security threats. Vessels are provided with enhanced security and monitoring equipment.
The company is involved in the testing and implementation of innovative security technologies and systems. Independent specialist support is used to mitigate identified security threats. The company actively seeks out improvements for newbuild design specifications.
Vulnerability assessment
✓
Assessments of the company’s security measures and preparedness are undertaken.
Security enhancements are considered for inclusion in refit specifications and newbuild design.
Vulnerability assessment
✓ ✓ ✓ ✓
✓ ✓
✓ ✓
✓
✓
Page 2 of 2 5
NEW THRESHOLDS
OUR SERVICES
SUPPORTING YOU
WHAT TO DO NOW
OUR ADDED VALUE
LEADING THE WAY
OUR WIDER CAPABILITY
WHAT TO DO NOW Whatever your requirements are, we can help. 1. Check the TMSA3 requirements at www.ocimf.org Click to find out more.
2. If you need support performing the self-assessment, you can:
Visit our TMSA3 webpage
Click to find out more.
Get in contact with your local sales office
Reach out to our specialist cyber security team Elisa Cassi, Product Manager, Cyber Security, Marine and Offshore Based in Southampton, UK
Graeme Ripley, Consultancy Manager, Data, Digital and Security, Marine and Offshore Based in Fort Lauderdale, US
JP Cavanna, Head of Business Development – Cyber Security, LR Group Based in London, UK
T: +44 7966 176 122 E: elisa.cassi@lr.org
T: +1 754 304 1001 E: graeme.ripley@lr.org
T: +44 207 423 1596 E: JP.Cavanna@lr.org
Click to find out more.
6
NEW THRESHOLDS
OUR SERVICES
OUR ADDED VALUE Shaping the future and delivering solutions today.
SUPPORTING YOU
WHAT TO DO NOW
OUR ADDED VALUE
Information technology is playing an increasingly important role within the marine sector. This revolution is fundamentally changing the way our world works – presenting new and exciting opportunities to our businesses, but also creating new challenges. In a cyber-enabled environment, systems no longer keep to their traditionally recognised boundaries. The blurring of hardware and software over the last decade has evolved further through increased (and often remote) connectivity. Augmented capabilities permit new variants of services by changing where these are performed or delivered, and by whom. The opportunities offered by this shift also bring new challenges that need to be managed throughout the lifecycle as the cyber-security landscape evolves. New technology will be developed, new platforms will be needed, new threats and countermeasures will emerge and new regulatory frameworks will be implemented. The reality is that safety-critical systems that are not secure should not be considered safe.
LEADING THE WAY
OUR WIDER CAPABILITY
We provide independent assurance and expert advice to companies operating high-risk, capital-intensive assets in the marine, energy and transportation sectors, and we have a unique insight into ship and cyber security. We know both the operational technology systems that drive performance and the information technology platforms. We understand the changing regulations being faced by the industry and we know how to deliver a cost-effective solution while reducing our clients’ vulnerability to cyber threats. Our work helps to ensure that our clients’ assets and processes are secure, safe, sustainable and compliant with the regulations.
Learn more about our cyber security services.
7
NEW THRESHOLDS
DELIVERING THROUGH INNOVATION New thinking and transformative technologies.
OUR SERVICES
SUPPORTING YOU
WHAT TO DO NOW
OUR ADDED VALUE
LEADING THE WAY
OUR WIDER CAPABILITY
CO2
CYBER AND DIGITAL TRANSFORMATION
REDUCING CO2
Cyber safety We guide you through a non-prescriptive, fully integrated, risk-based approach to assuring the safety of cyber-enabled ships from concept to operation. We’ve developed technical guidance and the first ShipRight procedure for autonomous ships and autonomy levels that allow you to adopt cyber technology safely.
Gas as a fuel Being the world’s leading class society for liquified natural gas (LNG) and liquefied petroleum gas (LPG) carriers has enabled us to produce definitive Rules for gas-fuelled ships that provide you with a robust basis for technology selection to meet your current and future business needs.
Cyber security From guidance and training to vulnerability and impact assessments, we can help you develop a cyber security strategy that will work for your business now and in the future. We can help you keep your connected assets secure from cyber-attack and compliant with any forthcoming regulation. Cyber performance We apply our knowledge and expertise to extract value for you from your data, enabling you to make informed, actionable decisions to improve performance and efficiency.
Gas bunkering While gas-fuelled ships are regulated by the international maritime organisation IGF Code, ports have their own regulatory regimes for such vessels to conduct bunkering while in their waters. We can provide robust, impartial advice on gas bunkering. Batteries We are continuously looking at new technologies and our experience with large battery installations is captured in a guidance document aimed at facilitating a risk-based approach to battery use.
We use your data to co-create digital twins of your systems or assets in operation. We use these digital models to optimise performance by identifying improvements through advanced algorithms, artificial intelligence and machine learning.
Hydrogen as a fuel Our leading technical knowledge in the safe transportation of gases means that we are uniquely positioned to develop the safety requirements to enable hydrogen as a viable alternative energy source. We can work with you to identify and mitigate hydrogen-specific risks throughout the supply chain.
NEW TECHNOLOGIES
SERVICE INNOVATION
Additive manufacturing Additive manufacturing, also known as 3D printing, is set to revolutionise our approach to components. We have issued guidance on additive manufacturing and are working with clients to advance this technology and its applicability to the marine environment.
Concept designs We want to ensure that our customers are satisfied with the vessel that they build. We help you achieve your goals by working with you at the concept stage to develop innovative design solutions that work for you, your operations and your customers.
Blockchain technologies Blockchain technologies can provide a secure, auditable record of activities across distributed networks. We are working with a range of partners to explore where such technologies could be used to address marine challenges.
3D plan approval We are always trying to make our approval process as efficient as possible and offer you a responsive and competitive service during design. We are developing 3D plan approval capability that allows for faster approval, which is of particular advantage during early design iterations. Drones for increased safety and operational efficiencies We are testing drones in order to decrease the frequency of humans operating at risk, such as when entering confined spaces or working at heights. The use of drones could reduce the risk of human incidents, accidents and injuries. We are also exploring how drones can be used to deliver alternative, more flexible compliance services.
8
NEW THRESHOLDS
OUR WIDER CAPABILITY One constant, wherever and whenever you need us. Our network of 300 national and regional offices, spread across six operating areas, puts our customers around the world first, giving you access to our advice and expert service delivery from Åalesund to Zhoushan. And, wherever you are, you can be confident that our entire team of over 8,000 specialists is never more than a phone call or email away.
OUR SERVICES
SUPPORTING YOU
WHAT TO DO NOW
OUR ADDED VALUE
LEADING THE WAY
OUR WIDER CAPABILITY
ADDING VALUE AT EVERY STAGE
Innovation
Design
Build and commissioning
Operation
Life extension
Decommissioning and recycling
We are conducting world-class research and development into design, construction and operation for the next 20 years and beyond. If you are developing novel technology, we can qualify its compliance and performance, helping you attract investment, prove your business case and find a route to market.
At the design stage, our appraisal services and software give you confidence that your asset will comply with all class and statutory requirements. We can also work with you to optimise your design so it achieves the best possible performance and return on investment.
At the build and commissioning stage, we help you ensure that assets are delivered to meet all contractual requirements.
In service, we help you keep your assets compliant, safe and performing reliably, enabling you to deliver business as usual and minimise downtime.
We can help you best manage the operational life of your assets. By assessing their condition, we provide you and your clients with assurance of their integrity. We can also work with you to extend the life of your assets.
At the end of your asset’s life, our services help you comply with recycling requirements and provide added confidence that you are conducting a safe and sustainable decommissioning process.
We also help you make the right decisions when investing in designs and technologies.
We can also help you implement the latest technologies and understand what return on investment to expect, so that you can increase performance and be more competitive in the market.
In line with your business needs, we can identify any remedial work or renovations that are required.
info.lr.org/tmsa LR’s six operating areas
February 2018 Lloyd’s Register and variants of it are trading names of Lloyd’s Register Group Limited, its subsidiaries and affiliates. Copyright © Lloyd’s Register Group Limited. 2018. A member of the Lloyd’s Register group. MO-Cyber-TMSA3-brochure-v1.0-201801
9