[By: Geoffrey Davis, Principal Cyber Consultant at ABS Group]
What is IMO2023?
In 2011, the International Maritime Organization (IMO) enacted rules for new ships, called the Energy Efficiency Design Index (EEDI), to reduce the amount of CO2 emitted by ships. In 2023, a new IMO regulation created the Energy Efficiency Existing Ship Index (EEXI) to assess the efficiency of existing ships. In addition to IMO regulations, in 2021 the European Commission (EC) adopted a series of proposals called Fit for 55, aimed at reducing net greenhouse gas emissions by at least 55% by 2030. IMO 2023 and Fit for 55 both aim to reduce greenhouse gas emissions from the shipping industry by increasing the efficiency of ships. While these regulations are essential for environmental sustainability, they also have a significant impact on operational technology (OT) cybersecurity in the maritime industry.
These regulations require vessels to reduce their carbon intensity by a percentage compared to their baseline. To achieve this, shipping companies invest in new technologies and equipment to increase the efficiency of their ships. These technologies typically require greater integration between the OT systems onboard the vessel, and from those systems to cloud-based infrastructure for real-time monitoring.
What are OT systems, and what are the cybersecurity challenges that OT systems add to the marine environment?
Operational Technology (OT) systems are used to control and monitor vessel operations. This includes bridge and engine room systems such as radar, electronic chart display and information system (ECDIS), automatic identification system (AIS), engine monitoring, and cargo surveillance. These systems are essential for the safe operation of ships and require a high degree of security to prevent cyber-attacks. However, OT networks face unique cybersecurity challenges that make them more vulnerable to attacks.
One of the biggest challenges with OT networks is that many of these systems were designed decades ago and were not built with cybersecurity in mind. These systems may have outdated operating systems, applications, and protocols that are vulnerable to attacks. Additionally, many of these systems cannot be easily updated or replaced due to their critical nature and cost.
Poor authentication and access control
Authentication and access control are essential to prevent unauthorized access to OT networks. However, these controls are often incorrectly implemented in OT networks. For example, passwords may be weak or shared, or access controls may not be properly enforced. This makes it easier for attackers to gain unauthorized access to the network and carry out attacks.
Lack of visibility and oversight
OT networks often lack proper visibility and monitoring, and administrators may not be able to detect security breaches or anomalies within the network. This makes it difficult to respond to incidents quickly and effectively. Additionally, many OT systems are not designed to generate logs or alerts, making attack monitoring and detection even more difficult.
What are the cybersecurity risks associated with IMO 2023?
New technologies being installed on ships to meet IMO 2023 efficiency standards generally require greater integration between OT systems on board ships and from those systems to cloud-based infrastructure. This increases cybersecurity risk in the following ways:
Increased attack surface
The need for real-time data flow and connectivity between ship OT systems requires these systems to be further connected with shore systems. This exposes the OT systems on the ship to other systems on board, external networks and cloud-based infrastructure, thus increasing the potential attack surface for cyber threats.
Supply chain attack
Supply chain attacks are a growing concern across the industry as we increasingly rely on technology to manage our operations. A supply chain attack occurs when an attacker compromises a third-party vendor or supplier and uses this access to infiltrate the target organization’s systems. For example, attackers may target software vendors that provide critical systems on board ships, such as cargo tracking systems. If an attacker gains access to the vendor’s system, they could use this access to plant malware or gain access to the ship’s systems.
USB devices are ubiquitous, especially in the maritime industry, where they are used to move data to and from segmented environments. However, they also pose significant cybersecurity risks to OT networks. USB devices can bring malware, viruses and other types of malicious software into the OT network if not used properly. This is why USB device hygiene is critical to OT network cybersecurity.
What is network segmentation and why is it important?
Network segmentation is an important security control in OT systems. Network segmentation refers to the technique of dividing a network into smaller, discrete parts, each with its own security controls. Network segmentation is especially important in OT systems for the following reasons:
Minimize your attack surface
Segmenting your OT network reduces the number of devices that can be accessed from a single point, minimizing your network’s attack surface. Dividing the network into smaller segments reduces the number of systems that unauthorized users can access.
Limited attack range
In the event of a cyber-attack, network segmentation helps limit the scope of the attack. By dividing the network into smaller segments, an attacker’s access is restricted to that segment only. This helps prevent attackers from moving laterally within the network and accessing sensitive systems.
Mitigate the impact of a security breach
Even with the best security controls in place, a security breach can still occur. Network segmentation helps reduce the impact of security breaches by limiting damage.
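The three effects described above can be measured on a model of the network. The following is an added example, not part of the original article: the zone names, host names and conduit rules are constructed assumptions, and a conduit `(src, dst)` means that `src` may initiate connections to `dst`.

```python
from collections import deque

# Constructed vessel zones and hosts (hypothetical names, not a real ship).
ZONES = {
    "bridge": ["ecdis", "ais", "radar"],
    "engine": ["engine-monitor"],
    "cargo": ["cargo-monitor"],
    "dmz": ["telemetry-gw"],
    "shore": ["cloud-telemetry"],
}

# Flat network: every zone may initiate connections to every other zone.
FLAT = {(a, b) for a in ZONES for b in ZONES if a != b}

# Segmented: only the conduits needed for efficiency telemetry exist, and
# each is one-directional (who may initiate), so shore cannot reach the ship.
SEGMENTED = {("engine", "dmz"), ("cargo", "dmz"), ("dmz", "shore")}

def reachable_zones(start, allowed):
    """Zones an intruder in `start` can reach by chaining allowed conduits."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in allowed:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def blast_radius(start, allowed):
    """Sorted list of hosts exposed if zone `start` is compromised."""
    return sorted(h for z in reachable_zones(start, allowed) for h in ZONES[z])

def policy_violations(flows, allowed):
    """Observed (src_zone, dst_zone) flows that cross zones without a conduit."""
    return [f for f in flows if f[0] != f[1] and f not in allowed]

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, "shore compromised ->", blast_radius("shore", rules))
        print(name, "cargo compromised ->", blast_radius("cargo", rules))
    observed = [("engine", "dmz"), ("shore", "bridge"), ("bridge", "bridge")]
    print("violations:", policy_violations(observed, SEGMENTED))
```

Running `policy_violations` over flow records exported from the ship's firewall or switches shows where the deployed network has drifted from the intended segmentation.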
How do we address the increased cybersecurity risks implied by IMO 2023?
Increased attack surface
To mitigate the risks posed by the increased attack surface, shipping companies must implement robust cybersecurity measures in their OT environments. Network segmentation, access control, and intrusion detection systems are essential to ensuring the safety and resilience of OT systems. Carriers must also ensure that their OT systems are regularly updated and patched to prevent exploitation of vulnerabilities.
Supply chain attack
To mitigate the risk of supply chain attacks, shipping companies should carefully scrutinize their third-party vendors and suppliers. This includes conducting regular security audits of these vendors to ensure they follow cybersecurity best practices. Vessels should also implement network segmentation to limit the damage an attacker can do if they gain access to the vessel’s systems through a third-party vendor.
USB device hygiene
Carriers should prohibit unapproved USB devices from being used on the OT network. This can be achieved by locking down USB ports on the system or implementing a USB access control policy. Vessel crews should also scan USB devices for malware before allowing them to be used on the OT network. This can be accomplished by implementing antivirus software on all systems on the network, or by using specialized malware scanning tools designed for USB devices. Finally, organizations should implement USB device usage policies that specify how USB devices are used on the OT network. These policies should cover topics such as how USB devices are authorized for use, how they are scanned for malware, and how data on USB devices is encrypted.
Geoffrey Davis is the Principal Cyber Consultant at ABS Group and a leading cybersecurity expert with over 15 years of experience. He is a Certified Information Systems Security Professional (CISSP) with a career focused on operational technology (OT) cybersecurity. Geoffrey has worked in a variety of industries including the Department of Defense, Maritime and Manufacturing, helping organizations identify and mitigate cybersecurity risks in their OT environments. He has a deep understanding of OT systems and has developed and implemented proven strategies to protect these critical systems from cyberattacks.
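A USB usage policy covering the three points above (authorization, scanning, encryption) can be written as a check applied to each insertion event. This is an added example, not part of the original article: the event fields, the device identifiers and the 24-hour scan window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed allowlist of approved devices: (vendor_id, product_id, serial).
APPROVED = {("1a2b", "3c4d", "SN-CONSTRUCTED-001")}
MAX_SCAN_AGE = timedelta(hours=24)  # assumed policy value

def evaluate(event, now):
    """Return (allowed, reason) for one USB insertion event (a dict)."""
    serial = event.get("serial")
    if not serial:
        # Vendor and product IDs are shared by every unit of a model, so a
        # device without a serial number cannot be individually authorized.
        return False, "no serial number"
    if (event["vid"], event["pid"], serial) not in APPROVED:
        return False, "device not approved"
    scanned = event.get("last_scan")
    if scanned is None or now - scanned > MAX_SCAN_AGE:
        return False, "malware scan missing or stale"
    if not event.get("encrypted", False):
        return False, "volume not encrypted"
    return True, "ok"

# Constructed sample events, evaluated at a fixed time for reproducibility.
NOW = datetime(2024, 1, 10, 12, 0)
GOOD = {"vid": "1a2b", "pid": "3c4d", "serial": "SN-CONSTRUCTED-001",
        "last_scan": NOW - timedelta(hours=2), "encrypted": True}
EVENTS = [
    GOOD,
    {**GOOD, "serial": ""},                              # same model, no serial
    {**GOOD, "serial": "SN-CONSTRUCTED-999"},            # unknown unit
    {**GOOD, "last_scan": NOW - timedelta(days=3)},      # scan too old
    {**GOOD, "encrypted": False},                        # plaintext volume
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["serial"] or "<none>", evaluate(ev, NOW))
```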
The opinions expressed herein are those of the author and not necessarily those of The Maritime Executive.