Unit 7 Assignment Group Assignment – Risk Analysis and
Identification
Assignment 7 will also be completed as a team assignment. Teams for the Group Assignment will
be assigned by the end of week 2. Each team will be randomly assigned in Blackboard. At the
beginning of or prior to Week 4, the team should assign a team leader to coordinate the team's
work due in Week 7.
Your team represents the State’s contractor selected by the State to carry out the Risk Assessment
Project for this case study. Your company's senior management and the State's Project Manager
have requested that you prepare a risk management plan that identifies potential risks and identifies
risk management strategies. From the course content and readings, you know that the overall
purpose of risk planning is to anticipate possible risk events and be ready to take appropriate action
when risk events occur—to eliminate or reduce negative impacts on the project.
Scenario
As the industry moves into a smart-shipping era, the risk of cyber threats is at an all-time high.
Digitalized ships, increasing interconnectedness, the extended use of electronic data exchange and
electronic navigation increase the likelihood of cyber-attacks in variety, frequency and sophistication.
Cyber threats are one of the most serious economic and international security challenges facing the
maritime industry today. The need for protection and security enforcements to mitigate the threats is
more important today than ever. Guidelines to support secure cyber operations and contingency plans
to be followed in case of a cyber incident have become necessary. The XYZ Shipping Chamber,
recognizing the increasing concern of its Members with regard to cyber security and their
protection, developed this document with the intention to create awareness of the threat and provide
guidance to its Members.
Company Description
“We own and/or operate over 100 ships which include tankers, bulkers, and container ships. We employ
directly over 3,000 employees in seven offices worldwide. The company operates as an owner and
technical operator, including crewing services”.
Motivation
“Driving this shipping company’s cyber security initiatives is the increasing awareness of the invasive
nature of cyber-criminal activity in the shipping industry. Cyber threat has imposed an elevated cyber
security related risk awareness from ship owners, the company board of directors, cargo owners, and
legal / regulatory bodies such as TMSA, IMO and USCG to name some, as well as P&I club coverage”.
4.1 “Reducing the risk should be the main deliverable of the company’s cyber security strategy and
outcome of the risk assessment decided by senior management. At a technical level, this would include
the necessary actions to be implemented to establish and maintain an agreed level of cyber security.”
4.2 Ships entering / leaving management pose an added challenge to maintaining a uniform application of a
cyber security program as each ship differs in communication systems, ship technology, and operations
budget. Efforts to establish a fleet-wide standard cyber security strategy are an efficient way to maintain a
consistent and effective level of defense and response across a fleet. “A further complexity is that
shipping lines operate a mix of vessels which they either own or charter for a short period of time…”.
4.3 Company employees, port agents, service vendors, equipment manufacturers, and crewing services
do introduce a significant cyber security risk for a ship’s commercial operations due to the large number
of persons routinely visiting the ship or joining as crew. These ship visitors are often routine in nature
and are left minimally monitored while they complete their tasks onboard. There is no company
cybersecurity policy in place for ship-related services that use the ship’s network.
4.4 Knowing who is using your ship network and for what purpose is important and a real concern
relating to cyber security. Discovering early malicious intent, unintentional mistakes, or poor cyber
security practices are a risk that needs to be addressed. Ship network monitoring and analysis is one way
to have this capability.
4.5 There is a need to have a clear policy and practical procedures for all crew and visitors who use the
ship’s network in the cyber security policy and proper use expectations.
4.6 Cyber Incident insurance coverage will grow in importance as a part of a company’s risk
management strategy. Using their assessment and audit standards is a good start and should be
reviewed for applicability to your cyber security strategy and for possible future insurance coverage.
Driving Cyber Security for the Fleet
“Currently, the company is undergoing a transition from the current Fleet Broadband communication
services to a higher broadband capable VSAT system. This ‘open to the internet’ situation will drive the
company towards more vigilance and the need for a Cyber security program to be put in place”.
Further Consideration:
5.1 “The rapid development in maritime broadband satellite coverage combined with the introduction
of highly sophisticated equipment, such as computer-controlled engine systems, has changed the
structural risks to maritime vessels. Ships are no longer protected by an airgap from external systems.
Today, an estimated 30,000 vessels globally have equipment providing them with constant internet
access, which is an increase from only 6,000 in 2008. Even if networks on board are separated between
systems for ship operation, crew welfare and remote access to suppliers, separations can over time be
compromised by ad hoc interventions by the crew or suppliers, for instance in connection to
maintenance…”.
5.2 “Cyber security refers to the security of information networks and control systems and the
equipment and systems that communicate, store and act on data. Cyber security encompasses systems,
ships and offshore assets, but includes third parties – subcontractors, technicians, suppliers – and
external components such as sensors and analytic systems that interface with networks and data
systems. This includes human interaction of crews and other Company personnel, customers and
potential threat players. In such a dynamic system, cyber security is an evolving set of capabilities inside
the Company, developing and adapting as technology and threats evolve.”
Moving to VSAT from Fleet Broadband (FBB)
Company comment: “The VSAT broadband ability allows ships to have direct connection to the Internet.
Your Submittal for Assignment 7
You may wish to begin this exercise with a brainstorming session about potential risks to get
candidate risks “on the table” for consideration by the team and then identify and refine that wording
for risks that have some realistic chance of occurring in this project. For example, work schedules,
family obligations, etc., may interfere with completing the project by the planned completion date. It
is also an issue that the project manager will ultimately have to plan for, as opposed to other issues
that may more align with company policy such as employee retention policies. Also, a major disaster
(e.g., your office burning down), is not a high-enough probability event that requires much time in
planning. As described below, you will select several of the identified risks and carry out a risk
analysis.
Your team will use one of the examples from the textbook of risks to make a risk probability/impact
matrix. The matrix will have at least three categories (high/medium/low) for probability and impact.
You may include a more detailed impact or probability categorization if you like. All team members
should contribute to identifying risks and organizing them into the matrix. Remember that it is
important to name risks effectively—use words that describe the risk event and point to the impact
on the project (e.g., “injury of field technician disrupts data collection work”). After completion of the
risk matrix, each team member should then select one of the identified risks which the team finds
critical to the project. The team members will carry out and document a risk analysis for their
selected risk. This detailed documentation for that selected risk will include:
• a description of the risk and potential impacts (schedule, quality of work, cost, etc.) on the
project
• indicators or triggers that would be monitored to help identify the risk as early as possible
• specific risk response strategies to take (specific risk response actions that Schwalbe
categorizes as Avoidance, Acceptance, Transference, and/or Mitigation).
The team leader will have the main responsibility for assembling contributions from team members
into a final deliverable and submit the assignment for the team.
The risk probability/impact matrix and the risk analysis write-ups on selected risks should be about
1200 to 2500 words in length. As is the case for all written assignments, the word count is a target to
give you an idea about the level of detail expected. As a rule, it is best to keep it concise and as brief
as possible while still covering the necessary topics. No points will be deducted for submittals if they
exceed the maximum word count by a small amount.
As in all assignments, your document should include a title, identification of the Assignment # and
name, your group#, names of each participating team member, and date.
Grading
Assignment 7 is worth 200 points. The points awarded from the Instructor’s grading of this
Assignment will be given to all members of the team. Late submissions will not be allowed. *Each
team member MUST submit their work product from their assigned task for the project to the group
leader for submission in the final package. Your final package will include:
• The final project submission scanned by the plagiarism checker.
• A list of the group members who participated in the project and their assigned tasks.
• The work product created by each team member which will be scanned by the plagiarism checker.
Please note: any team member who has not provided their work product to the team leader to be
included in the submission will NOT receive credit.