New Rules for Shipbuilding Focus on IT/OT Cybersecurity
New IACS Rules to Secure Onboard Digital Systems, Equipment Go Into Effect July 1
As ships increasingly rely on digital technology to operate, they become more vulnerable to cyberattacks. While the recent crash of the Singaporean-flagged cargo ship Dali into Baltimore's Francis Scott Key Bridge is not linked to cyber terrorism, according to preliminary investigations, the crippling blow to both shipping and transportation in the region shows just how bad the fallout from an attack could be.
"We need look no further than the very recent Francis Scott Key Bridge incident … an onboard electrical failure, disruption of the GPS, failure of the propulsion system, a discrepancy in the loading and stability system - any of these as well as numerous other fiascos could occur as a result of a cyber incident, putting the ship on an errant course, killing people and causing considerable physical damage," said Ilan Barda, founder and CEO of Radiflow, a cybersecurity firm with a focus on industrial and maritime security.
Barda and other IT and OT experts say these threats underscore the need for more stringent cybersecurity regulations for passenger, cargo and high-speed vessels by the International Association of Classification Societies. After a six-month delay, new IACS cybersecurity and resilience requirements will go into effect July 1.
IACS, which provides technical support, compliance verification and R&D services to the industry, influences more than 90% of the world's cargo-carrying tonnage through its classification design, construction and through-life compliance rules and standards.
With the deadline for compliance approaching, tech vendors are offering a range of OT security services to shipbuilders. Samsung Heavy Industries, a provider of shipbuilding and offshore development services, recently partnered with cybersecurity provider Fortinet to focus on maritime cybersecurity.
Mandatory Requirements
"At a time when rapid advancements in maritime connectivity and shipboard technology are leaving vessel networks increasingly vulnerable to attack, the IACS unified requirements aim to minimize the frequency and impact of cyber incidents at sea," said Jongung Choi, director of autonomous ship research center at Samsung Heavy Industries.
IACS revised two sections of the regulations - UR E26, which pertains to operational resilience of the ship, and UR E27, which focuses on securing and hardening system integrity provided by third-party equipment suppliers. The requirements are mandatory for new ships contracted for construction on and after July 1, 2024.
UR E26 covers the secure integration of both IT and OT equipment in a vessel's network, ensuring security controls from design to operational life. It covers critical systems including propulsion, steering, anchoring and mooring, electrical power, fire protection, bilge and ballast systems, watertight integrity, and lighting.
UR E27 sets stringent cybersecurity standards for ships and requires robust security features in ship equipment from the outset.
Under the revised regulations, vessels must meet specific cyber resilience criteria, especially for computer-based systems, to mitigate potential cyberthreats that jeopardize safety and operational efficiency.
Extensive documentation, including asset inventories and test procedures, is mandatory, and suppliers are responsible for rigorous compliance testing. They also must implement controls to safeguard private keys and ensure the availability of security updates.
Ultimately, IACS requires surveys and testing to demonstrate adherence to cybersecurity standards, overseen by classification societies.
Critical Cyber Challenges
While the deadline for compliance poses challenges for manufacturers, such as increased costs for technology, training and compliance, the benefits are worth the investment, Barda told Information Security Media Group.
Ship systems have undergone a profound digital evolution, replacing manual processes with advanced technologies such as solar panels and smart energy optimization systems. Modern ships predominantly depend on digital navigation systems connected to satellites. But cybersecurity standards have not kept pace with digital change, he said.
"Those systems are not up to the cyber challenges of today, let alone tomorrow," Barda said.
While onboard systems were designed with a certain level of security, they are still vulnerable to attack. Hackers are constantly evolving their tactics, and digital onboard systems lack the resilience needed to withstand the latest sophisticated attacks, he said.
Hacking into communication or navigation systems is a critical area of concern, according to Gabriela Michael, a faculty member at Symbiosis Law School and an LLM gold medalist at the Coastal and Maritime Security Law and Governance. For example, manipulation or disruption of communication systems could impede the ability to send distress signals or communicate with other vessels, port authorities or emergency response teams during emergencies, she said.
"Compromised data integrity or confidentiality could undermine the reliability of navigational charts, weather forecasts or operational information, affecting decision-making and situational awareness onboard vessels. Cyberattacks targeting maritime systems and networks could also have broader consequences, including environmental damage, economic losses and reputational damage for shipping companies and maritime stakeholders," Michael said.
Third-Party Risks and Vulnerabilities
Barda said that many technical activities on vessels involve third-party technicians called in to update or replace network-connected devices and systems. "Even today, there is inadequate detailed logging of what these people did within the network," he said.
Inside onboard networks, the level of segmentation - a key element in OT security - is insufficient to offer the needed level of protection. IT teams often overlook essential practices such as isolating critical or hazardous systems from other network segments to prevent intrusion or limit the spread of threats, Barda said.
Shipping companies also need ongoing cybersecurity measures to protect operations, such as reliable patching mechanisms and continuous anomaly detection, he said.
Increased Focus on Government Regulations
Even before the Baltimore bridge crash, the U.S. government made plans to step up cybersecurity in the maritime industry. In February, the Biden-Harris administration announced an initiative to address maritime cyberthreats, including through cybersecurity standards to ensure that the country's ports' networks and systems are secure.
The U.S. Coast Guard gained the power to tackle cyberthreats in maritime zones and mandated vessels and facilities to address cyber risks. It introduced mandatory reporting of cyber incidents and has authority to regulate vessel movement and inspect those posing cybersecurity risks, according to the announcement.