Skip to main content
The Dragos Blog

12.13.23 | 2 min read

Navigating the Seas of Maritime Cyber Risk: Prepare for New Regulations

Dragos, Inc.

Maritime cybersecurity has emerged as a critical concern for organizations around the world in the last several months. The International Maritime Organization (IMO) defines maritime cyber risk as the potential threat to technology assets that could lead to operational, safety, or security failures due to the corruption, loss, or compromise of information or systems.

Safeguarding vessels and their cyber environments is more difficult, and more important, because of increased reliance on technology and connectivity in maritime operations.

Legacy Technologies vs. Modern Connectivity

Many maritime networks still rely on legacy technologies that were not originally designed to be connected to the internet. These intricate networks encompass both information technology (IT) and operational technology (OT) systems, creating vulnerabilities that can be exploited by hackers or insider threats. In the past, air gapping—a physical isolation of secure networks from unsecured ones—was a common security measure. However, modern vessels have become highly connected, making it easier for malicious actors to infiltrate critical systems using methods as simple as a USB flash drive or unsecured Wi-Fi connections.

Connectivity in modern maritime vessels extends to various systems and areas, including:

  • Bridge Control: Systems such as automatic identification, voyage data recording, and radar plotting.
  • Propulsion & Power: Control of engines, steering, fuel management, and onboard machinery.
  • Navigation: Utilizing GPS/GNSS, electronic chart displays, radar, and weather systems.
  • Loading & Stability: Managing ballast systems, hull stress, and cargo.
  • Safety Systems: Overseeing fire and flood control, shipboard security, and emergency shutdown.
  • Communications: Satellite internet, ship-to-shore communication, and voice-over-IP.
  • Operations Security: Human-machine interfaces, logic controllers, and sensors.
  • Network Security: Implementing firewalls, segmentation, antivirus software, and updates.
  • Physical Security: Protecting server rooms, access control, and network infrastructure.
  • Ship Networks: Handling email, customs, personnel administration, and maintenance.
  • Crew Network: Enabling email, Wi-Fi, wired connections, and BYOD policies.
  • Supply Chain: Managing remote vendor updates, maintenance, and administration.

International Guidelines and Regulations

Worldwide regulations for maritime cybersecurity aim to address the growing threats and vulnerabilities in the maritime industry’s digital infrastructure. Some of the key documents to review include:

  • IMO Guidelines on Maritime Cyber Risk Management:
    • The International Maritime Organization (IMO) issued guidelines on maritime cyber risk management, emphasizing the need for shipping companies to establish cybersecurity policies and procedures.
    • IMO Resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems encourages administrations to incorporate cybersecurity risks into safety management systems (SMS) as defined by the ISM Code. It sets a deadline for compliance with cyber risk management in SMS.
  • International Ship and Port Facility Security (ISPS) Code:
    • The ISPS Code includes cybersecurity aspects within its broader framework for enhancing the security of ships and port facilities. It requires the assessment of maritime cybersecurity threats and the development of security plans.
  • International Association of Classification Societies (IACS) Unified Requirements (UR) E26 and E27:
    • These requirements are mandatory for classed ships and offshore installations contracted for construction on or after 1 July 2024; they are voluntary for existing fleets.
  • Regional and Flag State Regulations:
    • Some regions and individual countries have developed their own regulations and guidelines to address maritime cybersecurity. These may include specific requirements for vessels operating within their jurisdiction.
    • Flag states often issue regulations and guidelines to their registered vessels, requiring compliance with international cybersecurity standards and practices.
  • Industry Standards:
    • Industry organizations, such as BIMCO and INTERTANKO, have developed cybersecurity guidelines and best practices that complement international regulations.

It’s essential for maritime organizations to stay informed about these regulations, as they vary by region and may evolve over time.

CTA Image

Support for Maritime Cybersecurity Regulations

Learn how Dragos OT cybersecurity solutions can help you meet the IACS Unified Requirements E26 and E27 for classed ships and offshore installations.

Ready to put your insights into action?

Take the next steps and contact our team today.