ABS - 256
GUIDE FOR ABS CYBERSAFETY FOR EQUIPMENT MANUFACTURERS ABS CyberSafety VOLUME 7
| Organization: | ABS |
| Publication Date: | 1 October 2019 |
| Status: | active |
| Page Count: | 30 |
scope:
This Guide describes the requirements for equipment or a computer-based system to receive recognition for compliance as part of the ABS CyberSafety program. This can apply to a digitally-enabled component or a complex system. The recognition can be either an ABS CyberSafety Product Design Assessment Certificate or a Design Review Letter with an ABS CyberSafety declaration.
The criteria contained in this Guide are meant to be applicable to equipment under control by a computer-based system that, in its entirety, is collectively known as a "computer-based system". Cybersecurity vulnerabilities may be introduced into computer-based systems with some digital components, network architecture, system design, and software making up the computer-based system. Cybersecurity vulnerabilities become cybersecurity risks when they are accessed by persons or computers via digital endpoints. The owner risks from these vulnerabilities are mitigated by installing protective functions, or by using hardened configurations, controlled settings, and continuously monitoring the systems. This Guide is applicable to systems under control by one or more computer-based system(s) such as Power Management, Dynamic Positioning, Engine Control, etc.
A cybersecurity vulnerability is a condition that may allow a digital device or software application to be accessed by an unauthorized digital identity or human, resulting in potential digital corruption or functionality effects in the system or network. A vulnerability can exist in the equipment making up the computer-based system, third-party equipment connected to the computer-based system, and software and firmware executing on the components. These vulnerabilities can be eliminated with firmware or software updates, configuration changes, privilege changes, or architectural modifications. When found early in asset construction and system installation, integrators, shipyards, and owner/operators can manage related risks and/or embedded risk management solutions more efficiently and economically.
An ABS CyberSafety Product Design Assessment for a digitally-enabled component or complex system documents known cybersecurity vulnerabilities to facilitate an asset owner's cybersecurity risk analysis and remediation. The Original Equipment Manufacturer's (OEM) product receives an ABS CyberSafety Product Design Assessment Certificate or a Design Review Letter when it meets the requirements set forth in this publication.
The equipment may have cybersecurity vulnerabilities that may be mitigated by installing tested architecture equipment (routers, data diodes, etc.) or software (firewalls). Vulnerabilities also can be eliminated with software patches or updates. By understanding the unresolved vulnerabilities, the owner can choose to install hardware or other protective functions, modify architectures, or change processes to lessen the known vulnerability, and thus mitigate the owner's associated cybersecurity risk.
Computer-based systems that control production or operational systems, called Operational Technology (OT), are cyber-physical systems that control processes and systems. These OT systems have relevance to safety in their environments because they control the physical behaviors of connected equipment. They generally communicate with Information Technology (IT) general-purpose networks to provide sensed operational data to management personnel. Computer-based systems extend to the connected network and the components, as well as any IT equipment used to display data and for operator control.
Computer-based systems may be composed of the OEM's and sub-supplier's computer-based systems, computers, servers, or cyber-enabled and networking infrastructure components. Digitally-enabled Commercial-Off-The-S