Navigating Cybersecurity Challenges in Maritime Operational Technology




The maritime industry – including container ships, bulk tankers, drillships, cruise ships, mobile offshore drilling units and the ports and terminals that support them – is critical to the global economy as well as national and international security. The global marine vessels market is projected to reach $220 billion USD by the end of 2026.1

Today, the maritime industry is highly vulnerable to cybersecurity threats due to the integration of previously standalone operational technology (OT) systems, which physically control multiple systems onboard the ship, with information technology (IT) systems that are deployed onboard and on shore. As the maritime industry continues to adopt cloud computing, the Internet of Things (IoT) and autonomous technologies, interconnectivity between OT and IT will rapidly increase, leading to ever-higher cybersecurity risks. In fact, cyberattacks on the maritime industry’s OT systems have already increased by 900 percent over the last three years.

A cybersecurity incident or a successful cyberattack on maritime interconnected IT and OT systems could have massive consequences, both regionally and globally. These include but are not limited to: health and safety impacts, environmental incidents, supply chain disruptions, reputational/brand damage and financial losses. 

To make matters worse, cybersecurity is a relatively new focus in the maritime industry, with rapidly evolving technologies and emerging threats. Many maritime organizations may lack the specialized experience and expertise to identify, assess, manage and respond to cyber threats. They may also lack the institutional knowledge needed to comply with cybersecurity requirements from regulatory agencies and standards bodies such as the U.S. Coast Guard, International Maritime Organization (IMO), National Institute of Standards and Technology (NIST) and International Society of Automation/Electrotechnical Commission (ISA/IEC). Further, the maritime industry is facing other challenges including lean staffing and disparities in operational procedures from vessel to vessel, which make it harder to implement and maintain cybersecurity measures.

This article presents a step-by-step work process based on industry standards and best practices for reducing cyber risks to critical infrastructure and complying with regulatory directives. It is advisable for maritime operators, and the consultants they may engage with, to follow this or a similar methodology when creating and implementing a maritime OT cybersecurity program.

The Critical Importance of Maritime OT Cybersecurity

As connected technology replaces or integrates with legacy systems, OT functions including bridge, navigation, communications, and cargo management and handling become more easily accessible by remote threat actors. These cybercriminals can use attack methods such as navigation spoofing and satellite communication hacking to manipulate a ship’s GPS and set it up for a collision or physical attack. Other attack methods aim to steal sensitive information or hold data or even cargo for ransom.

Over the past several years there has been a steady increase in cyberattacks on terminals and shipping companies. In fact, as shown in Table 1, all four of the leading shipping firms have experienced cybersecurity incidents. In September 2020, the French container shipping line CMA CGM SA reported an encryption malware attack at two of its Asia-Pacific subsidiaries. The company said some of its data may have been stolen during the attack, which forced a shutdown of its electronic booking platform, delayed cargo deliveries and interrupted electronic communications with customs authorities.

Table 1. Recent cyberattacks on maritime targets

Regulations and Standards

Around the world, regulatory agencies, industry associations and standards bodies all recognize the urgency in addressing maritime cybersecurity. Regulatory guidelines that maritime operators should be familiar with are:

International Maritime Organization (IMO) Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems, and MSC-FAL.1/Circ.3, Guidelines on Maritime Cyber Risk Management. The resolution encourages organizations to ensure that cyber risks are appropriately addressed in existing safety management systems no later than the first annual verification of the company’s Document of Compliance after January 1, 2021. The guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities. They include functional elements that support effective cyber risk management. The recommendations can be incorporated into existing risk management processes and are complementary to the safety and security management practices already established by the IMO. Owners risk having their ships detained if they have not included cybersecurity in vessel safety management systems by the deadline.

U.S. Coast Guard NVIC 01-20, Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities. This Navigation and Vessel Inspection Circular (NVIC) provides guidance to facility owners and operators in complying with the requirements to assess, document and address computer system and network vulnerabilities in facilities regulated under the United States Marine Transportation Security Act (MTSA) of 2002. Facility owners and operators are required to address cybersecurity in their Facility Security Assessments (FSAs) and Facility Security Plans (FSPs) by September 30, 2021. The Coast Guard also encourages facility owners and operators to apply the NIST Framework for Improving Critical Infrastructure Cybersecurity and NIST Special Publication 800-82 to improve their facility’s security posture.

To address the twin challenges of IT and OT system protection and regulatory compliance, maritime organizations need to develop a comprehensive cybersecurity strategy—either internally or by working with a consultant. In both cases, it is important to take a systematic, phased approach based on best practices. The following work process can serve as a guide.

Figure 1: Maritime Cybersecurity Methodology

A Proven Method for Navigating Maritime Cybersecurity

The Maritime Cybersecurity Methodology is a four-stage work process (Fig. 1). It is a fusion of the IMO guideline and the U.S. Coast Guard NVIC guidance with the NIST Cybersecurity Framework and the ISA/IEC IACS Cybersecurity Lifecycle model. This methodology not only covers assessment, planning and implementation, but also makes provisions for monitoring, maintaining and responding to changes in threats, technologies and regulations throughout the lifecycle of the system.

Step 1: Identify & Assess

This step relates to the following aspects of the maritime regulatory guidelines:

  • The Identify function in the NIST cybersecurity framework
  • The Assess phase of the ISA/IEC 62443 IACS Cybersecurity Lifecycle (ref. 62443-1-1)
  • The assessment requirements of ISA/IEC 62443-3-2, Security Risk Assessment for Design
  • NVIC 01-20 requirements to incorporate cybersecurity in the FSA

Key tasks in Step 1:

  • Document the facility’s critical computer and network systems (both IT and OT), including an inventory of assets and “as-operated” drawings
  • Perform a vulnerability assessment to identify, classify and score cyber vulnerabilities
  • Perform a gap assessment of the IT and OT systems against relevant standards and regulatory guidance
  • Conduct a consequence-based assessment (using the Cyber PHA (Process Hazard Analysis) approach, for example) to identify the highest risk scenarios in which a cyber threat might exploit a vulnerability and lead to an unwanted consequence 

The assessment should encompass IT and OT systems, data and connections; threats relevant to the organization, its technologies and its geographic location; procedural vulnerabilities such as lack of staff training; and technical vulnerabilities such as software misconfigurations. Each of these elements should be assessed in terms of regulatory compliance, risk exposures and potential consequences of a cyberattack.

Many types of tools can be used for Step 1. These include asset inventory tools that use passive, active and configuration-parsing methods to identify and document systems and dataflows; drawing tools to create network diagrams; and scanning tools to identify weaknesses. Also critical to this step are databases such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) database and the National Vulnerability Database (NVD) to research these vulnerabilities; threat intelligence reports for threat identification; gap assessment worksheets; and risk assessment tools.

The outcomes of Step 1 should be an “as-operated” inventory and series of diagrams; vulnerability, gap and risk registers; and a set of mitigation recommendations. This information should be presented in an internal report and as a cybersecurity annex to the FSA, in the case of regulated facilities.

It is advisable to repeat the Identify & Assess step at least every three years, or as required by local regulations.

Step 2: Plan & Design

The second step in the methodology relates to the following aspects of regulatory guidelines:

  • The Protect function in the NIST cybersecurity framework
  • The Develop & Implement phase of the ISA/IEC 62443 IACS Cybersecurity Lifecycle (ref. 62443-1-1)
  • The cybersecurity requirements specification section of ISA/IEC 62443-3-2, Security Risk Assessment for Design
  • NVIC 01-20 requirements to incorporate cybersecurity into the FSP

Key tasks in Step 2:

  • Prioritize recommendations from Step 1
  • Develop short- and long-term implementation roadmaps
  • Design solutions to mitigate risk
  • Verify that these solutions meet the intent of regulatory guidelines
  • Create a cybersecurity annex to the FSP for regulated facilities

This step focuses on ranking risk mitigation recommendations based on benefit/cost ratio and regulatory compliance mandates. Input from engineering, operations, IT and OT staff should guide this prioritization.

Based on the ranking, the team should create a short-term roadmap of tasks that can be quickly accomplished, and a long-term roadmap of more-complex projects. These tasks and projects can involve technology implementations, such as firewalls and intrusion detection systems, and new or updated procedures such as policies, standards and training.  

Step 3: Implement & Remediate

This step is tied to these regulatory aspects:  

  • The Protect function in the NIST cybersecurity framework
  • The Develop & Implement phase of the ISA/IEC 62443 IACS Cybersecurity Lifecycle

There is no relationship between this step and NVIC 01-20 because NVIC only requires facilities to assess and plan. There is currently no mandate to implement the plans. 

The main tasks in Step 3 are implementing the projects in the short- and long-term roadmaps and testing and verifying that they have achieved their intended cybersecurity objectives.

Step 4: Monitor, Maintain & Respond

The final step relates to these aspects of maritime regulations:

  • The Detect, Respond and Recover functions in the NIST cybersecurity framework
  • The Operate & Maintain phase of the ISA/IEC 62443 IACS Cybersecurity Lifecycle
  • Various categories within the NVIC 01-20 requirements (personnel training, drills and exercises, security system and equipment maintenance, security measures for monitoring and audits)

Key tasks in Step 4:

  • Develop and maintain a sustainable cybersecurity program to ensure a constant state of readiness
  • Continuously monitor the organization’s cybersecurity posture
  • Maintain cybersecurity controls (e.g., antivirus) and perform data backups and software updates
  • Conduct incident response drills
  • Implement staff training and awareness programs

Note that Step 4 is an ongoing process and should be initiated as soon as Step 1 is completed due to constant changes in cyber threats and regulations and the availability of new tools and processes.  

Skills and Knowledge for Maritime Cybersecurity

Understanding the steps needed to create, implement and maintain a maritime OT cybersecurity program is just the beginning. Organizations also need specialized skills and expertise to successfully perform all these steps.

As shown in Table 2, qualifications range from security credentials such as the Certified Information Systems Security Professional (CISSP), the Cisco Certified Network Associate (CCNA) and the ISA 62443 Expert, to specialized knowledge of regulations and standards. Expertise in IT and OT systems, the ability to conduct OT risk assessments and the experience to make pragmatic, risk-based recommendations are also fundamental.

Table 2: Recommended skills and knowledge for implementing the Maritime Cybersecurity Methodology


Maritime operational technology systems are increasingly being integrated with IT systems and connected infrastructures like cloud computing. This integration opens up new opportunities for unintentional employee errors, malware attacks and remote access to OT systems by threat actors for the purposes of data theft, supply chain and transportation disruption, ransom demands, terrorism and more.

Due to the fast-changing threat landscape, emerging regulatory requirements and a shortage of qualified security professionals, many maritime organizations need assistance with their cybersecurity efforts. Working with an industrial cybersecurity consultancy that uses a proven methodology, such as the one described in this article, can expedite the development of comprehensive and effective programs without the need to acquire and train specialized staff.

In the current environment, where a pattern of increasing cyberattacks is raising concerns, maritime organizations should move quickly to learn about standards and regulations and begin the process of securing their OT and IT systems.

John Cusimano is Vice President of Industrial Cybersecurity at aeSolutions.

Marco Ayala is Senior Lifecycle Services Manager – Process Safety, Automation, Controls and Cybersecurity at aeSolutions.

Greg Villano is Senior Specialist Industrial Cybersecurity at aeSolutions.

The opinions expressed herein are the author’s and not necessarily those of The Maritime Executive.
