Unit 7 Assignment Group Assignment – Risk Analysis and Identification
Assignment 7 will also be completed as a team assignment. Teams for the Group Assignment will
be assigned by the end of week 2. Each team will be randomly assigned in Blackboard. At the
beginning of or prior to Week 4, the team should assign a team leader to coordinate the team’s
work due in Week 7.
Your team represents the State’s contractor selected by the State to carry out the Risk Assessment
Project for this case study. Your company’s senior management and the State’s Project Manager
have requested that you prepare a risk management plan that identifies potential risks and identifies
risk management strategies. From the course content and readings, you know that the overall
purpose of risk planning is to anticipate possible risk events and be ready to take appropriate action
when risk events occur—to eliminate or reduce negative impacts on the project.
Scenario
As the industry moves into a smart-shipping era, the risk of cyber threats is at an all-time high.
Digitalized ships, increasing interconnectedness, and the extended use of electronic data exchange and
electronic navigation increase the likelihood of cyber-attacks in variety, frequency and sophistication.
Cyber threats are one of the most serious economic and international security challenges facing the
maritime industry today. The need for protection and security enforcement to mitigate the threats is
more important today than ever. Guidelines to support secure cyber operations and contingency plans
to be followed in case of a cyber incident have become necessary. The XYZ Shipping Chamber,
recognizing the increasing concern of its Members with regard to cyber security and their
protection, developed this document with the intention of creating awareness of the threat and providing
guidance to its Members.
Company Description
“We own and/or operate over 100 ships which include tankers, bulkers, and container ships. We employ
directly over 3,000 employees in seven offices worldwide. The company operates as an owner and
technical operator, including crewing services”.
Motivation
“Driving this shipping company’s cyber security initiatives is the increasing awareness of the invasive
nature of cyber-criminal activity in the shipping industry. Cyber threat has imposed an elevated cyber
security related risk awareness from ship owners, the company board of directors, cargo owners, and
legal / regulatory bodies such as TMSA, IMO and USCG to name some, as well as P&I club coverage”.
4.1 “Reducing the risk should be the main deliverable of the company’s cyber security strategy and
outcome of the risk assessment decided by senior management. At a technical level, this would include
the necessary actions to be implemented to establish and maintain an agreed level of cyber security.”
4.2 Ships entering / leaving management pose an added challenge to maintaining a uniform application of a
cyber security program, as each ship differs in communication systems, ship technology, and operations
budget. Establishing a fleet-wide standard cyber security strategy is an efficient way to maintain a
consistent and effective level of defense and response across a fleet. “A further complexity is that
shipping lines operate a mix of vessels which they either own or charter for a short period of time…”.
4.3 Company employees, port agents, service vendors, equipment manufacturers, and crewing services
introduce a significant cyber security risk for a ship’s commercial operations due to the large number
of persons routinely visiting the ship or joining as crew. These ship visits are often routine in nature,
and the visitors are left minimally monitored while they complete their tasks onboard. There is no company
cybersecurity policy in place for ship-related services that use the ship’s network.
4.4 Knowing who is using your ship network and for what purpose is important and a real concern
relating to cyber security. Malicious intent, unintentional mistakes, and poor cyber
security practices are risks that need to be discovered early and addressed. Ship network monitoring and analysis is one way
to have this capability.
4.5 The cyber security policy needs to include a clear policy, practical procedures, and proper-use
expectations for all crew and visitors who use the ship’s network.
4.6 Cyber incident insurance coverage will grow in importance as a part of a company’s risk
management strategy. Using insurers’ assessment and audit standards is a good start, and these should be
reviewed for applicability to your cyber security strategy and for possible future insurance coverage.
Driving Cyber Security for the Fleet
“Currently, the company is undergoing a transition from the current Fleet Broadband communication
services to a higher broadband capable VSAT system. This ‘open to the internet’ situation will drive the
company towards more vigilance and the need for a Cyber security program to be put in place”.
Further Consideration:
5.1 “The rapid development in maritime broadband satellite coverage combined with the introduction
of highly sophisticated equipment, such as computer-controlled engine systems, has changed the
structural risks to maritime vessels. Ships are no longer protected by an airgap from external systems.
Today, an estimated 30,000 vessels globally have equipment providing them with constant internet
access, which is an increase from only 6,000 in 2008. Even if networks on board are separated between
systems for ship operation, crew welfare and remote access to suppliers, separations can over time be
compromised by ad hoc interventions by the crew or suppliers, for instance in connection to
maintenance…”.
5.2 “Cyber security refers to the security of information networks and control systems and the
equipment and systems that communicate, store and act on data. Cyber security encompasses systems,
ships and offshore assets, but includes third parties – subcontractors, technicians, suppliers – and
external components such as sensors and analytic systems that interface with networks and data
systems. This includes human interaction of crews and other Company personnel, customers and
potential threat players. In such a dynamic system, cyber security is an evolving set of capabilities inside
the Company, developing and adapting as technology and threats evolve.”
Moving to VSAT from Fleet Broadband (FBB)
Company comment: “The VSAT broadband ability allows ships to have direct connection to the Internet.
Your Submittal for Assignment 7
You may wish to begin this exercise with a brainstorming session about potential risks to get
candidate risks “on the table” for consideration by the team, and then identify and refine the wording
for risks that have some realistic chance of occurring in this project. For example, work schedules,
family obligations, etc., may interfere with completing the project by the planned completion date. This
is an issue that the project manager will ultimately have to plan for, as opposed to other issues
that may align more with company policy, such as employee retention policies. Also, a major disaster
(e.g., your office burning down) is not a high-enough-probability event to require much time in
planning. As described below, you will select several of the identified risks and carry out a risk
analysis.
Your team will use one of the examples from the textbook of risks to make a risk probability/impact
matrix. The matrix will have at least three categories (high/medium/low) for probability and impact.
You may include a more detailed impact or probability categorization if you like. All team members
should contribute to identifying risks and organizing them into the matrix. Remember that it is
important to name risks effectively—use words that describe the risk event and point to the impact
on the project (e.g., “injury of field technician disrupts data collection work”). After completion of the
risk matrix, each team member should then select one of the identified risks which the team finds
critical to the project. The team members will carry out and document a risk analysis for their
selected risk. This detailed documentation for that selected risk will include:
• a description of the risk and potential impacts (schedule, quality of work, cost, etc.) on the
project
• indicators or triggers that would be monitored to help identify the risk as early as possible
• specific risk response strategies to take (specific risk response actions that Schwalbe
categorizes as Avoidance, Acceptance, Transference, and/or Mitigation).
The team leader will have the main responsibility for assembling contributions from team members
into a final deliverable and submitting the assignment for the team.
The risk probability/impact matrix and the risk analysis write-ups on selected risks should be about
1200 to 2500 words in length. As is the case for all written assignments, the word count is a target to
give you an idea about the level of detail expected. As a rule, it is best to keep it concise and as brief
as possible while still covering the necessary topics. No points will be deducted for submittals if they
exceed the maximum word count by a small amount.
As in all assignments, your document should include a title, identification of the Assignment # and
name, your group #, the names of each participating team member, and the date.
Grading
Assignment 7 is worth 200 points. The points awarded from the Instructor’s grading of this
Assignment will be given to all members of the team. Late submissions will not be allowed. *Each
team member MUST submit their work product from their assigned task for the project to the group
leader for submission in the final package. Your final package will include:
• The final project submission scanned by the plagiarism checker.
• A list of the group members who participated in the project and their assigned tasks.
• The work product created by each team member which will be scanned by the plagiarism checker.
Please note: any team member who has not provided their work product to the team leader to be
included in the submission will NOT receive credit.