Case Study: International Gas Company’s Cyber Resilience
With the release of the Tanker Management Self-Assessment Version 3 (TMSA3) in 2017 by the Oil Companies International Marine Forum (OCIMF), a new element – 13 – was introduced for Cyber Security. In support of Element 13, and working in conjunction with Lloyd’s Register, QinetiQ has introduced a number of service offerings to help companies demonstrate compliance with the guidelines, which cover the terminalling of crude oil, oil products, petrochemicals, and gas. QinetiQ’s services range from consultancy to technical testing of vessels, and a range of compliance assessments.
A company that transports Liquefied Natural Gas on behalf of oil majors was required to demonstrate its cyber preparedness and compliance with the TMSA3 standard in order to pass the auditing regime and inspections undertaken by its customers. The large international Gas company recognised that Cyber Security and robust protection controls offer a commercial advantage in the marketplace. Consequently, the company wanted not only to address the requirements of the TMSA guidelines, but also to adhere to ISO 27001:2013 (Information technology – Security techniques – Information security management systems – Requirements). Lloyd’s Register and QinetiQ were engaged to help adjust its business processes to support ISO 27001 compliance.
QinetiQ, Lloyd’s Register and senior customer stakeholders worked together to define the scope of work. Collaboratively we assessed the current Cyber defence capabilities, before identifying gaps and potential blockers to TMSA3 and ISO 27001 compliance.
QinetiQ modelled the customer’s business operations using Cyber Advantage, a QinetiQ-developed business modelling approach originally created for the UK MOD and based on domain-based modelling. The aim is not to show technical controls or a network diagram, but to understand the vital data flows within the client organisation. A workshop and full output report provided a benchmark view of the current business operations against recommended industry good practice and other standards, such as ISO 27001 and the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF).
QinetiQ’s ‘Cyber Advantage’ approach facilitates modelling of an entire business’ operations on one page
Outcomes and benefits
Through the engagement process between QinetiQ and Lloyd’s Register, the customer was provided with a clear understanding of the current gaps, risks and threats it faced that could potentially block it from achieving compliance with the TMSA guidance. This included:
- Compliance and gap analysis
- Understanding of the financial costs associated with cyber risk
- Remediation plans and mitigations required
Through this understanding, a bespoke assistance package was created to support our large Gas customer in its compliance endeavours, thus maximising the time and effort spent on essential activities. The project spanned a number of months, closing the identified gaps and supporting the creation of the various security artefacts required for the TMSA audit. Given the customer’s desire to go beyond mere compliance with TMSA3, the support package also addressed the requirements identified within ISO 27001. This included the development of the Information Security Management System (ISMS), which is a key component of the ISO standard.
TMSA3 has four levels within the guidance, with Level 4 being the highest. Following an audit by its oil major client, our large Gas customer successfully completed the audit, achieving Level 4 compliance.