Navigating the seas of maritime cyber risk: prepare for new regulations

Cyber risk insights

• Maritime cybersecurity has become a critical issue, with the International Maritime Organization (IMO) defining maritime cyber risk as threats that could impact operations, safety or security due to compromised information or systems.
• Modern maritime operations’ increased reliance on technology and connectivity, combined with the use of legacy technologies, creates vulnerabilities that can be exploited by malicious actors.
• International guidelines and regulations, including the IMO Guidelines on maritime cyber risk management and the International Ship and Port Facility Security (ISPS) Code, aim to enhance cybersecurity in the maritime industry by requiring shipping companies and port facilities to assess threats and develop security plans.

Maritime cybersecurity has emerged as a critical concern for organizations around the world in the last several months. The International Maritime Organization (IMO) defines maritime cyber risk as the potential threat to technology assets that could lead to operational, safety or security failures due to the corruption, loss or compromise of information or systems.

Safeguarding vessels and their cyber environments is more difficult, and more important, because of increased reliance on technology and connectivity in maritime operations.

Legacy technologies vs. modern connectivity

Many maritime networks still rely on legacy technologies that were not originally designed to be connected to the internet. These intricate networks encompass both information technology (IT) and operational technology (OT) systems, creating vulnerabilities that can be exploited by hackers or insider threats. In the past, air gapping — a physical isolation of secure networks from unsecured ones — was a common security measure. However, modern vessels have become highly connected, making it easier for malicious actors to infiltrate critical systems using methods as simple as a USB flash drive or unsecured Wi-Fi connections.

Connectivity in modern maritime vessels extends to various systems and areas, including:

• Bridge control: Systems such as automatic identification, voyage data recording and radar plotting.

• Propulsion and power: Control of engines, steering, fuel management and onboard machinery.

• Navigation: Utilizing GPS/GNSS, electronic chart displays, radar and weather systems.

• Loading and stability: Managing ballast systems, hull stress and cargo.

• Safety systems: Overseeing fire and flood control, shipboard security and emergency shutdown.

• Communications: Satellite internet, ship-to-shore communication and voice-over-IP.

• Operations security: Human-machine interfaces, logic controllers and sensors.

• Network security: Implementing firewalls, segmentation, antivirus software and updates.

• Physical security: Protecting server rooms, access control and network infrastructure.

• Ship networks: Handling email, customs, personnel administration and maintenance.

• Crew network: Enabling email, Wi-Fi, wired connections and BYOD policies.

• Supply chain: Managing remote vendor updates, maintenance and administration.

International guidelines and regulations

Worldwide regulations for maritime cybersecurity aim to address the growing threats and vulnerabilities in the maritime industry’s digital infrastructure. Some of the key documents to review include:

• IMO Guidelines on maritime cyber risk management:
  • The International Maritime Organization (IMO) issued guidelines on maritime cyber risk management, emphasizing the need for shipping companies to establish cybersecurity policies and procedures.
  • IMO Resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems encourages administrations to incorporate cybersecurity risks into safety management systems (SMS) as defined by the ISM Code. It sets a deadline for compliance with cyber risk management in SMS.
• International ship and port facility security (ISPS) code:
  • The ISPS Code includes cybersecurity aspects within its broader framework for enhancing the security of ships and port facilities. It requires the assessment of maritime cybersecurity threats and the development of security plans.
• International Association of Classification Societies (IACS) Unified Requirements (UR) E26 and E27:
  • These requirements are mandatory for classed ships and offshore installations contracted for construction on or after July 1, 2024; they are voluntary for existing fleets.
• Regional and flag state regulations:
  • Some regions and individual countries have developed their own regulations and guidelines to address maritime cybersecurity. These may include specific requirements for vessels operating within their jurisdiction.
  • Flag states often issue regulations and guidelines to their registered vessels, requiring compliance with international cybersecurity standards and practices.
• Industry standards:
  • Industry organizations, such as BIMCO and INTERTANKO, have developed cybersecurity guidelines and best practices that complement international regulations.

It’s essential for maritime organizations to stay informed about these regulations, as they vary by region and may evolve over time.

Original content can be found at Dragos.

Do you have experience and expertise with the topics mentioned in this article? You should consider contributing content to our CFE Media editorial team and getting the recognition you and your company deserve. Click here to start this process.