Concerns as IMO carbon reduction policy poses cyber risk

There are concerns that rules established by the International Maritime Organisation (IMO) for new-build vessels to reduce greenhouse gas emissions from the shipping industry may pose a fresh cybersecurity challenge in the maritime environment.

Recall that the IMO created new regulations for 2023 – ‘Energy Efficiency Existing Ship Index (EEXI)’ – to reduce greenhouse gas emissions from the shipping industry by increasing the efficiency of vessels.

These regulations require vessels to reduce their carbon intensity by a certain percentage compared to their baseline. To achieve this, shipping companies have started investing in new technologies and equipment to increase vessel efficiency.

Experts have said that, while these regulations are essential for environmental sustainability, they will also have significant impacts on Operational Technology (OT) cybersecurity in the maritime industry.

The Principal Cyber Consultant, ABS Group, Geoffrey Davis, explained that the OT systems are used to control and monitor the operations of vessels, which include bridge and engine room systems like radars, Electronic Chart Display and Information Systems (ECDIS), Automatic Identification Systems (AIS), engine and cargo monitoring.

He said these systems are critical to the safe operation of vessels and need to be highly secured to prevent cyber-attacks. Davis, who is also a Certified Information Systems Security Professional (CISSP), said the OT networks, however, face unique cybersecurity challenges that make them more vulnerable to attacks.

He said one of the biggest challenges with OT networks is that many of the systems were designed decades ago and were not built with cybersecurity in mind.

According to him, these systems may have outdated operating systems, applications, and protocols that are vulnerable to attacks, adding that many of them cannot be easily updated or replaced due to their critical nature or the cost involved.

“The new technologies onboard vessels required to meet the IMO 2023 efficiency standards generally require more integration between OT systems within a vessel to cloud-based infrastructure, which can increase cybersecurity.

“OT networks often lack proper visibility and monitoring, which means that administrators may not be able to detect security breaches or anomalies in the network. This makes it difficult to respond to incidents quickly and effectively. Moreover, many OT systems were not designed to generate logs or alerts, which makes it even more difficult to monitor and detect attacks,” he said.

Davis also pointed at supply chain attacks and USB devices as a growing concern across the maritime industries that are becoming increasingly reliant on technology to manage their operations.

Speaking on how to address the challenges resulting from the IMO 2023 regulation, Davis said shipping companies should implement robust cybersecurity measures in their OT environment. He noted that network segmentation, access control and intrusion detection systems are essential to ensure that OT systems are secured and resilient.

Davis also noted that shipping companies must ensure their OT systems are regularly updated and patched to prevent vulnerabilities from being exploited.

On mitigating the risk of supply chain attacks, Davis said shipping companies should carefully vet their third-party vendors and suppliers, which includes conducting regular security audits of the vendors and ensuring they are following cybersecurity best practices.

He also advised shipping companies to prohibit unapproved USB devices from being used on the OT network, as they have become ubiquitous and are used extensively in the maritime industry, especially for moving data to and from segmented environments.
