The International Maritime Organization (IMO) has established regulations to reduce CO2 emissions from the shipping industry through the Energy Efficiency Design Index (EEDI) for new-build vessels and the Energy Efficiency Existing Ship Index (EEXI) for existing vessels, which will come into effect in 2023. These regulations are aimed at increasing vessel efficiency through new technologies and equipment, which require more integration between Operational Technology (OT) systems within a vessel and from those systems to cloud-based infrastructure for real-time monitoring. However, this integration also increases cybersecurity risks for the maritime industry.
OT systems are used to control and monitor the operation of vessels, including bridge and engine room systems like radars, Electronic Chart Display and Information Systems (ECDIS), Automatic Identification Systems (AIS), engine monitoring, and cargo monitoring. These systems must be highly secure to prevent cyber-attacks, but legacy systems, insufficient authentication and access controls, and lack of visibility and monitoring make them more vulnerable to attacks.
The new technologies required for IMO 2023, which rely on real-time data flows and connections between vessel OT systems, increase the potential attack surface for cyber threats, including supply chain attacks and USB device risks. To mitigate these risks, shipping companies need to implement robust cybersecurity measures, such as network segmentation, access control, and intrusion detection systems, and regularly update and patch OT systems. They should also vet their third-party vendors and suppliers, prohibit unapproved USB devices from being used on the OT network, and implement USB device usage policies.
Network segmentation, which divides a network into smaller, separate parts, each with its own security controls, is critical in OT systems to minimize the attack surface, limit the scope of an attack, and reduce the impact of a security breach. To ensure the safety and resilience of OT systems in the maritime industry, organizations must develop and implement proven strategies to protect them from cyber-attacks, such as those of Geoffrey Davis, Principal Cyber Consultant at ABS Group. Davis is a Certified Information Systems Security Professional (CISSP) with a career focus on OT cybersecurity who has helped organizations identify and mitigate cybersecurity risks in their OT environments.