22|The risk is growingCyber crime and cyber terrorism have been growing exponentially in recent years. While few attacks on maritime stakeholders have become known, this is no reason to let down the guards: Cyber security agencies around the world warn of an increasing focus of potential attackers on transportation and infrastructure.It is easy to see why. Shipping is a potentially attractive target. The value of cargos is often substantial, the potential damage and publicity that can be generated – especially in some segments – worrisome. The ever growing proliferation of cyber physical (software enabled) systems is creating more and more points for attack – be it intentional or through the uncontrolled spread of malware.It’s not just about data protection, it’s about safety, availability...The proliferation of these cyber physical systems leads to another phenomenon: We are used to thinking of cyber security mainly around protecting the confidentiality of information or of viruses that harm computers and e-mail systems. This is largely related to IT. With cyber physical OT (operational technology), systems like power management and engine systems, hatch control systems, mooring systems, ECDIS, AIS, etc. gaining importance and being increasingly integrated into complex networks, the possible consequences become more severe: Cyber security is becoming a threat to the availability and safety of an asset as well.Risks differThe maturity of maritime stakeholders concerning cyber security differs widely – for good reasons. It’s obvious that an operator of cruise vessels will need to be more concerned than a player in e.g. the bulker segment. Similarly, a pure vessel manager will have a risk-picture that differs from that of an integrated liner operator. As a result, there is no “one size fits all” solution to building cyber security resilience. And with the risk (likelihood of a successful attack combined with the consequence of such an attack) differing by system and company, the cost benefit ratio of protection initiatives will differ substantially between different companies – something to watch out for in today’s challenging markets.Key is that owners and managers across segments look for guidance and solutions to cyber security threats before makingTHOUGHT LEADERSHIPBuilding Cyber Security ResilienceBy Steen Brodsgaard Lund, Vice President and Regional Manager South East Asia and India, DNV GL and Albrecht Grell, Head of Digital Solutions and Innovation, DNV GLWAVES | ISSUE 51investment decisions towards a more substantial use of digitalisation, let alone application of possible Big Data solutions.Assessment is keyBefore any money is being spent on a cyber security enhancement initiative, a structured and targeted assessment of the risk picture is of paramount importance. In our experience, we see three approaches:• A high level assessment by senior management will help identify areas with the most severe consequences of possible cyber attacks as well as systems that are least protected / offer the highest likelihood of a successful attack. Such an assessment should help identify the most cyber critical systems.• If the number of critical systems is limited and the overall risk picture is within an acceptable range, a more focused assessment should be conducted for the specific critical systems. The “bow-tie methodology”, a well established visualisation methodology in risk management, should be applied. For each of the most critical cyber security incidents, the methodology focuses on barriers that help prevent such an