IMO Rules to reduce the amount of CO2 generated from new-build vessels (EEDI) and existing vessels (EEXI) as well as local measures such as the European Commission (EC) ‘Fit for 55’ may be essential for environmental sustainability, but will have significant impacts on cybersecurity in the industry.
Geoffrey Davis (pictured), Principal Cyber Consultant ABS Group said: “These regulations require vessels to reduce their carbon intensity by a certain percentage compared to their baseline. To achieve this, shipping companies are investing in new technologies and equipment to increase vessel efficiency. These technologies generally require more integration between Operational Technology (OT) systems within a vessel and from those systems to cloud-based infrastructure for real-time monitoring.”
Operational Technology (OT) systems are used to control and monitor the operation of a vessel, and can include bridge and engine room systems including radars, Ecdis, AIS, engine monitoring, and cargo monitoring.
Davis said: “These systems are critical to the safe operation of vessels and need to be highly secure to prevent cyber-attacks. However, OT networks face unique cybersecurity challenges that make them more vulnerable to attacks. One of the biggest challenges with OT networks is that many of these systems were designed decades ago and were not built with cybersecurity in mind. These systems may have outdated operating systems, applications, and protocols that are vulnerable to attacks. Moreover, many of these systems cannot be easily updated or replaced due to their critical nature or the cost involved. Authentication and access controls are essential to prevent unauthorised access to OT networks.”
OT networks often lack proper visibility and monitoring, which means that administrators may not be able to detect security breaches or anomalies in the network. This makes it difficult to respond to incidents quickly and effectively. Moreover, many OT systems were not designed to generate logs or alerts, which makes it even more difficult to monitor and detect attacks.
Davis explained: “The new technologies on-board vessels required to meet the IMO 2023 efficiency standards generally require more integration between OT systems within a vessel and from those systems to cloud-based infrastructure.”
Key to this is:
- Increased Attack Surface. The need for real-time data flows and connections between vessel OT systems requires those systems to be more connected to the shore-based systems. This will increase the potential attack surface for cyber threats as vessels’ OT systems will be more exposed to other systems within a vessel, and to external networks and cloud-based infrastructure.
- Supply Chain Attacks. These occur when an attacker infiltrates a third-party vendor or supplier and uses this access to gain entry to the target organisation’s systems. For example, an attacker might target a software vendor that provides a critical system on a vessel, and thus plant malware or gain access to the vessel’s systems.
- USB Devices. These are used extensively in the maritime industry, especially for moving data to and from segmented environments. USB devices can introduce malware, viruses, and other types of malicious software into OT networks if not used properly.
Davis said: “Network segmentation is a critical security control in OT systems. Network segmentation refers to the practice of dividing a network into smaller, separate parts, each with its own security controls.”
Network segmentation can minimise the attack surface, reducing the number of systems that could be accessed by an unauthorised user. If a cyber-attack does occur, network segmentation can help to limit the scope of the attack by limiting access to that segment only. Even with the best security controls in place, security breaches can still occur. Network segmentation can help to reduce the impact of a security breach by limiting the damage that can be done.
To mitigate the risks of an increased attack surface, shipping companies need to implement robust cybersecurity measures in their OT environment. Network segmentation, access control, and intrusion detection systems are essential to ensure that OT systems are secure and resilient. Shipping companies must ensure that their OT systems are regularly updated and patched to prevent vulnerabilities from being exploited, and should prohibit unapproved USB devices from being used on the OT network.