The Vendor is required to provide cyber security guidance for autonomous vessels, covering the following areas:
- Comprehensive Risk Management Framework:
• Methodologies for identifying, analyzing, evaluating, and treating cyber security risks throughout the vessel lifecycle (design, build, commissioning, operation, maintenance, and decommissioning).
• Integration with existing safety management systems (SMS) under the ISM Code and ship security plans under the ISPS Code, adapted for autonomous operations.
• Requirements for continuous risk assessment and adaptation to evolving threat landscapes.
- Asset Identification and Management:
• Detailed inventory and classification of all cyber-relevant assets, including information technology (IT), operational technology (OT), and networking components specific to autonomous vessels (e.g., sensor suites, autonomous navigation systems, remote control systems, communication links).
• Secure configuration management and change control processes.
- Robust Access Control Mechanisms:
• Strong authentication and authorization protocols for all human (local and remote operators, maintenance personnel) and machine-to-machine interactions.
• Implementation of role-based access control and the principle of least privilege.
• Secure management of physical access to critical onboard components and shore-based control infrastructure.
- Network Security and Segmentation:
• Requirements for secure network architecture, including effective segmentation to isolate critical control systems from other onboard and external networks.
• Protection of data-in-transit and data-at-rest using encryption and other security measures.
• Security of all communication links (ship-to-shore, ship-to-ship, intra-ship), including satellite, VDES, LTE/5G, and other wireless technologies.
- Software and System Integrity:
• Secure software development lifecycle (SSDLC) practices for all software and firmware used on autonomous vessels.
• Robust patch management and vulnerability management processes for both IT and OT systems.
• Measures to protect against malware, unauthorized modifications, and counterfeit components.
- Data Security and Privacy:
• Protection of sensitive operational, navigational, and commercial data generated, processed, and transmitted by the vessel.
• Compliance with national and relevant international data privacy regulations.
• Secure data logging, storage, backup, and recovery mechanisms.
- Continuous Monitoring and Threat Detection:
• Requirements for continuous cyber security monitoring of vessel systems, networks, and communication links for anomalous activity and potential threats.
• Implementation of intrusion detection and prevention systems tailored to autonomous vessel environments.
• Comprehensive event logging and auditing capabilities to support forensic analysis.
- Incident Response and Resilient Recovery:
• Development and regular testing of a comprehensive cyber incident response plan specific to autonomous vessel operations, including scenarios such as loss of control, data breach, or system compromise.
• Clear procedures for reporting incidents to the relevant national authorities (e.g., the national transport regulator and cyber security authority).
• Mechanisms for safe fallback modes, manual override (where applicable and secure), and rapid recovery of critical functions.
- Supply Chain Cyber Security Risk Management:
• Cyber security requirements for the entire supply chain, including hardware manufacturers, software developers, system integrators, and third-party service providers.
• Secure procurement, integration, and maintenance processes for all components and services.
- Personnel Competency, Training, and Awareness:
• Cyber security training and awareness programs for all personnel involved with autonomous vessels, including remote operators, shore-based support staff, and maintenance crews.
• Clearly defined cyber security roles, responsibilities, and authorities.
- Remote Operation Centre (ROC) and Shore Control Security:
• Specific cyber security standards for the design, operation, and maintenance of the ROC and other shore-based infrastructure used to monitor and control autonomous vessels.
• Defined safeguards for the ROC with respect to its entire supply chain.
• Secure physical and logical environments for ROCs.
- Testing, Validation, and Assurance:
• Requirements for rigorous cyber security testing, simulation, and validation throughout the vessel lifecycle.
• Consideration of a framework for conformity assessment, certification, or type approval related to autonomous vessel cyber security.
- Contract Period/Term: 2 years