Omny: making cybersecurity easier to manage

While people may create most cybersecurity risks, only people can manage them – automated tools are not enough. But digital tools can make cybersecurity easier to manage. Andreas Grefsrud from Omny explained

With cybersecurity, “humans are very often the weak link,” said Andreas Grefsrud, security specialist, Omny, speaking at People Tech Maritime event in Bergen.

“You can buy the best security product in the world, but that won't help if your people don't understand the importance of their assets and how they support business operations, where the vulnerabilities are, and how certain threats may want to compromise your company.”

Mr Grefsrud has been working in cybersecurity for about 20 years, including as a consultant, auditor, and head of cybersecurity in a shipping company. Omny is owned by Aker and Telenor.

Jaguar Land Rover attack

“An adversary will exploit any vulnerability to get to your crown jewels,” he said.

Consider the Jaguar Land Rover cyberattack in the UK. The attack started in March 2025, likely with the compromise of Jira accounts. Jira is a project management tool.

Once the attackers had done this, they employed at least 16 further tactics in order to access and gain control of the digital infrastructure of the company.

Eventually, they were able to “launch a denial of service at end points,” so people were not able to get access to IT systems. The costs were estimated at £1.9bn. “This happened because someone was negligent about their credentials,” he said.

Cannot rely on AI cybersecurity

There are many claims that AI can help with cybersecurity. “It can be dangerous if the belief is that AI can replace the cybersecurity professionals,” he said.

For example, “you will hear AI handles everything automatically, no need for any intervention by humans. Engineers can focus on operations while AI protects in the background,” he said.

But an AI system may not realise how critical a certain component is to the safe running of the ship. It may automatically shut it down because of a hack, leading to operational risks. In a safety critical situation, “human expertise is irreplaceable,” he said.

Instead, Omny emphasises that digital tools should “augment” human capability, rather than seek to replace it. For example, digital tools can give people advice about what they need to do in natural language, such as "controller can be remotely stopped, prepare check in the next window.”

Digital tools “need to translate and not complicate,” he said. They need to “guide, never dictate.”

In the company, “we need to build security intuition, making people better at cybersecurity,” he said. “The best security tools are ones that makes the user smarter about their own solutions.”

Cataloguing your assets

In order to manage cybersecurity, first you need to know what you have. Many shipping companies do not have a clear idea of how critical the operational technology is onboard their vessels.

You can make a list of assets manually doing a survey, which is labour intensive, or use network scanners which look for devices on the network.

A third way to do it is to use platforms like Omny where AI is used to parse network documentation and create digital representations of them.

This representation can also be merged with any other list of devices you have, such as from a manual survey or from using a scanner.

The Omny platform then generates a network schema, enabling contextual visibility between the digital assets and the physical processes, and how everything is connected. This is what is needed for an OT engineer or cybersecurity professional to work effectively.

The Omny platform classifies devices and components into Purdue levels. Most cybersecurity tools only scan the network layer, and will never be able to capture what is happening on the physical level (level 0 in the Purdue model), he said.

The capability of connecting devices to physical processes, combined with the platform's agentic AI which connects vulnerabilities and assess how threats could disrupt the operations, is key to understanding and prioritising security risks.

When there is an announcement about a critical vulnerability affecting certain devices, the Omny software can determine which of your devices may be affected, how the operations are affected, and then give you a prioritized list of what to do.

The solution can also consider the geographic location of a vessel, which may be useful if the threat only applies in a certain part of the world.

NIS2 regulations

European shipping companies will shortly need to comply with European Union NIS2 cybersecurity regulations. It builds on the first NIS Directive (NIS1), which had been in force since 2018, including in the UK.

“NIS2 is more relevant and stringent than the existing NIS,” he said. “It is based on good practise and internationally recognised standards.”

All NIS2 measures should be “risk based,” dependent on an assessment of the risk. The regulation states security measures and barriers you should implement but does not specify how it should be done or how strict they should be. The robustness of the measure should align with the assessment of the risk.

NIS2 also includes a requirement to report incidents.

Digital tools like those from Omny can help you navigate legislation frameworks like NIS2, he said.