Navigating Cybersecurity's Seas: Environmental Regulations, OT & the Maritime Industry's New Challenges

Stringent efficiency measures in new environmental regulations create an unintended consequence for the shipping industry: increased cybersecurity risks in operational technology systems.

Jeffrey Wells, Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

August 10, 2023

4 Min Read
Large ship
Source: Sorrorwoot Chaiyawong via Alamy Stock Photo

The International Maritime Organization (IMO) introduced the Energy Efficiency Design Index (EEDI) in 2011 to reduce CO2 emissions from shipping. In 2023, the IMO established the Energy Efficiency Existing Ship Index (EEXI) to assess the efficiency of existing vessels. Additionally, in 2021, the European Commission (EC) adopted Fit for 55, aiming to reduce net greenhouse gas emissions by 55% by 2030. These regulations prioritize increasing vessel efficiency to achieve environmental sustainability yet raise concerns about operational technology (OT) cybersecurity in the maritime industry.

An unintended consequence of these pivotal environmental regulations is an increased risk from using OT in the maritime industry due to the stringent efficiency measures. Vessels must now significantly reduce their carbon intensity by making substantial investments in advanced technologies and sophisticated equipment to enhance vessel efficiency. Integrating technologies with existing OT systems and real-time cloud-based monitoring presents a unique challenge to maritime cybersecurity, a field marked by inherent vulnerabilities.

Cybersecurity Risks Gain Steam

In the late 1800s, the naval industry underwent a significant transformation with the advent of steam propulsion technology. Just as the current regulations are pushing the maritime industry toward a greener future, the invention of steam engines represented a pivotal shift toward enhanced speed, maneuverability, and operational efficiency in the naval sector.

Integrating advanced technology with existing OT systems can be compared to how the industry changed to steam: Mariners had to adapt to the new technologies that came with unique challenges, akin to the current cybersecurity risks faced by the maritime industry.

Factors That Increase Maritime Cybersecurity Risks

OT systems are the backbone of a vessel's functionality, encompassing critical systems such as radar, electronic charts, cargo and engine monitoring, and automatic identification systems (AIS). The security of these systems is paramount in safeguarding the vessel from potential cyber threats. Given their antiquated design, legacy systems within OT networks are particularly susceptible to cyberattacks. These systems often operate on outdated software and protocols, amplifying their vulnerability. Replacing or upgrading them should be considered within strategic planning and resource allocation, given their functions' high costs and critical nature.

Authentication and access controls, the bedrock of cybersecurity, must be implemented appropriately within OT networks. Weak or shared passwords facilitate unauthorized network access, amplifying the risk of cyberattacks. The need for more visibility and monitoring in OT networks is critical. System administrators often struggle to detect security breaches due to the inherent design limitations of many OT systems.

The technological innovations integral to achieving the efficiency standards of EEXI demand increased integration between OT systems and cloud-based infrastructure, thereby expanding the potential attack surface for cyber threats. Vessels' OT systems are increasingly connected to shore-based systems, external networks, and cloud-based infrastructure, thus escalating the cybersecurity risk.

Supply chain attacks pose a significant concern across industries, including the maritime sector. Attackers exploit vulnerabilities in third-party vendors or suppliers to gain entry to target organizations' systems. Once an attacker obtains access to the vendor's systems, they can plant malware or gain unauthorized access to the vessel's systems.

Risks Created by New Regulations

As the maritime industry grapples with the regulatory imperative to reduce carbon emissions, they face a spectrum of cybersecurity risks, including:

  • Economic implications: Adherence to the new regulatory environment mandates considerable investments in advanced technology and equipment for enhancing vessel efficiency. These investments extend beyond acquiring technology to integrating it with existing OT systems, often resulting in high upfront costs and ongoing maintenance expenses.

  • Operational challenges: The necessity for real-time cloud-based monitoring and data transmission adds complexity to maritime operations. The greater integration between onboard OT and external systems increases the vulnerability to cyberattacks, potentially leading to severe operational disruptions.

  • Legacy systems vulnerability: With outdated designs and protocols, legacy systems within OT networks are particularly susceptible to cyberattacks. Replacing or upgrading them, essential for bolstering cybersecurity, poses a daunting task, given the high costs and operational criticality involved.

  • Authentication and access control issues: OT networks' common underimplementation of robust authentication and access controls exacerbates cybersecurity threats. The implications include unauthorized access and network breaches, impacting critical operations and data integrity.

  • Need for robust cybersecurity measures: To combat the augmented cybersecurity risks, maritime companies must implement robust cybersecurity measures, including intrusion detection systems, regular system updates, and enhanced access controls. The need for network segmentation to mitigate risks adds to the operational complexity of maritime companies. This represents both an operational challenge and a financial burden.

  • Third-party vetting and monitoring: Mitigating supply chain attacks requires maritime companies to vet and monitor third-party vendors thoroughly. This adds a layer of complexity to procurement processes and necessitates ongoing monitoring to ensure compliance with cybersecurity best practices.

An Urgent Call for Change

Amid escalating cybersecurity threats intensified by environmental regulations and critical OT systems, the maritime industry and its partners face profound challenges. The urgent call is to act boldly and decisively. Immediate investments in cutting-edge technologies, system upgrades, stringent access controls, network segmentation, and rigorous vendor vetting are paramount. The cost of delay is significant and potentially catastrophic. By acting swiftly and confidently, the maritime industry can protect itself, secure its resilience, and fortify it against future threats. The industry's future rests on resolute action today.

About the Author(s)

Jeffrey Wells

Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

Jeffrey Wells is a distinguished cybersecurity, technology, and geopolitical risk leader with over 35 years of experience. His expertise is crucial in addressing cyber threats with significant geopolitical and security implications. Wells is a Visiting Fellow at George Mason University's Cyber and Tech Center (CTC) and a Truman National Security Project Defense Council Fellow.

He has extensive experience helping organizations design and operationalize cyber resiliency strategies, programs, incident response, and instituting business continuity worldwide.

As a founding partner of the NIST's National Cybersecurity Center of Excellence and a Visiting Fellow at the National Security Institute, Jeffrey is proficient in deploying and operationalizing cybersecurity standards and best practices in the full spectrum of IT/OT and infrastructure ecosystems.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights