The Cybersecurity Implications of IMO 2023

[By: Geoffrey Davis is Principal Cyber Consultant at ABS Group]

What is IMO 2023?

In 2011, the International Maritime Organization (IMO) established rules for new-build vessels to reduce the amount of CO2 generated from shipping called the Energy Efficiency Design Index (EEDI). In 2023, new IMO regulations created the Energy Efficiency Existing Ship Index (EEXI) to assess the efficiency of existing vessels. In addition to the IMO regulations, in 2021 the European Commission (EC) adopted a set of proposals called Fit for 55 with the aim of reducing net greenhouse gas emissions by at least 55 percent by the year 2030. IMO 2023 and Fit for 55 are aimed at reducing greenhouse gas emissions from the shipping industry through increasing the efficiency of vessels. While these regulations are essential for environmental sustainability, they will also have significant impacts on Operational Technology (OT) cybersecurity in the maritime industry.

These regulations require vessels to reduce their carbon intensity by a certain percentage compared to their baseline. To achieve this, shipping companies are investing in new technologies and equipment to increase vessel efficiency. These technologies generally require more integration between OT systems within a vessel and from those systems to cloud-based infrastructure for real-time monitoring.

What are OT systems and what cybersecurity challenges do they add in the maritime environment?

Operational Technology (OT) systems are used to control and monitor the operation of a vessel, they can include bridge and engine room systems like radars, Electronic Chart Display and Information Systems (ECDIS), Automatic Identification Systems (AIS), engine monitoring, and cargo monitoring. These systems are critical to the safe operation of vessels and need to be highly secure to prevent cyber-attacks. However, OT networks face unique cybersecurity challenges that make them more vulnerable to attacks.

Legacy Systems

One of the biggest challenges with OT networks is that many of these systems were designed decades ago and were not built with cybersecurity in mind. These systems may have outdated operating systems, applications, and protocols that are vulnerable to attacks. Moreover, many of these systems cannot be easily updated or replaced due to their critical nature or the cost involved.

Insufficient Authentication and Access Controls

Authentication and access controls are essential to prevent unauthorized access to OT networks. However, these controls are often not implemented correctly in OT networks. For example, passwords may be weak or shared, or access controls may not be enforced properly. This makes it easier for attackers to gain unauthorized access to the network and carry out attacks.

Lack of Visibility and Monitoring

OT networks often lack proper visibility and monitoring, which means that administrators may not be able to detect security breaches or anomalies in the network. This makes it difficult to respond to incidents quickly and effectively. Moreover, many OT systems were not designed to generate logs or alerts, which makes it even more difficult to monitor and detect attacks.

What are the cybersecurity risks associated with IMO 2023?

The new technologies on-board vessels required to meet the IMO 2023 efficiency standards generally require more integration between OT systems within a vessel and from those systems to cloud-based infrastructure.  This can increase cybersecurity in the following ways:

Increased Attack Surface

The need for real-time data flows and connections between vessel OT systems require those systems to be more connected to the shore-based systems. This will increase the potential attack surface for cyber threats as vessels' OT systems will be more exposed to other systems within a vessel, and to external networks and cloud-based infrastructure.

Supply Chain Attacks

Supply chain attacks are a growing concern across industries, as they become increasingly reliant on technology to manage their operations. A supply chain attack occurs when an attacker infiltrates a third-party vendor or supplier and uses this access to gain entry to the target organization's systems. For example, an attacker might target a software vendor that provides a critical system on a vessel, such as a cargo tracking system. Once the attacker has gained access to the vendor's systems, they can use this access to plant malware or gain access to the vessel's systems.

USB Devices

USB devices have become ubiquitous and are used extensively in the maritime industry, especially for moving data to and from segmented environments. However, they also pose a significant cybersecurity risk to OT networks. USB devices can introduce malware, viruses, and other types of malicious software into OT networks if not used properly. This is why USB device hygiene is crucial for the cybersecurity of OT networks.

What is network segmentation and why is it important?

Network segmentation is a critical security control in OT systems.  Network segmentation refers to the practice of dividing a network into smaller, separate parts, each with its own security controls. In OT systems, network segmentation is of particular importance for several reasons:

Minimizing the Attack Surface

Segmenting an OT network can help to minimize the attack surface of the network by reducing the number of devices that are accessible from any single point. By breaking the network into smaller segments, it reduces the number of systems that could be accessed by an unauthorized user.

Limiting the Scope of an Attack

If a cyber-attack does occur, network segmentation can help to limit the scope of the attack. By breaking the network into smaller segments, the attacker's access is limited to that segment only. This can help to prevent the attacker from moving laterally across the network and gaining access to sensitive systems.

Reducing the Impact of a Security Breach

Even with the best security controls in place, security breaches can still occur. Network segmentation can help to reduce the impact of a security breach by limiting the damage that can be done.

How do we address the increased cybersecurity risks coming out of IMO 2023?

Increased Attack Surface

To mitigate the risks of an increased attack surface, shipping companies need to implement robust cybersecurity measures in their OT environment. Network segmentation, access control, and intrusion detection systems are essential to ensure that OT systems are secure and resilient. Shipping companies must also ensure that their OT systems are regularly updated and patched to prevent vulnerabilities from being exploited.

Supply Chain Attacks

To mitigate the risk of supply chain attacks, shipping companies should carefully vet their third-party vendors and suppliers. This includes conducting regular security audits of these vendors and ensuring that they are following cybersecurity best practices. Vessels should also implement network segmentation to limit the damage that an attacker can do if they gain access to the vessel's systems through a third-party vendor.

USB Device Hygiene

Shipping companies should prohibit unapproved USB devices from being used on the OT network. This can be achieved by locking down USB ports on systems or by implementing USB access control policies. Vessel crew should also scan USB devices for malware before allowing them to be used on the OT network. This can be achieved by implementing antivirus software on all systems on the network or by using specialized malware scanning tools designed for USB devices. Finally, organizations should implement USB device usage policies that specify how USB devices should be used on the OT network. These policies should cover topics such as how USB devices are approved for use, how they should be scanned for malware, and how data should be encrypted on USB devices.

Article author:

Geoffrey Davis is Principal Cyber Consultant at ABS Group and is a consummate cybersecurity professional with over 15 years of experience.  He is a Certified Information Systems Security Professional (CISSP) with a career focus in Operational Technology (OT) cybersecurity. Geoffrey has worked in a variety of industries including DoD, maritime, and manufacturing, where he has helped organizations identify and mitigate cybersecurity risks in their OT environments.  He has a deep understanding of OT systems and has developed and implemented proven strategies to protect these critical systems from cyber-attacks.