- Maritime shipping companies, logistics and technology service providers; liquid natural gas processors (LNGP) and distributors; and petrochemical companies are common targets.
- Very basic cyber deficiencies persist. Patching and updating software, limiting network access and implementing multi-factor authentication are foundational cybersecurity measures and would go a long way towards safeguarding systems.
- Network-connected operational technology (OT) in port facilities and shore-side are being targeted. These systems are particularly vulnerable to attack as they often rely on outdated software and network protocols, and insufficient access controls.
An example of the impact a cyberattack can have, was the July 4th, 2023 attack at the Port of Nagoya, the largest and busiest port in Japan, which was targeted in a ransomware attack that impacted the operation of its container terminals.
The attack affected the “Nagoya Port Unified Terminal System” (NUTS) causing all container loading and unloading operations at the terminals using trailers to be cancelled, which resulted in massive financial losses to the port and severe disruption to the circulation of goods to and from Japan.
And while the new Regulations are designed to ultimately help safeguard the US’ Maritime infrastructure and supply chain, they come with significant challenges to the industry at large, requiring large-scale, transformational change in the approach to cyber security; covering key areas including account and device security, data security, governance, training, risk management, supply chain management, cyber resilience, secure network architecture, reporting and cyber-physical security.
Who is Included in the Proposed New Regulations?
The new regulations apply to all US flagged vessels over 500 gross tonnes and carrying more than 12 passengers.
On the facility side, any Maritime Transportation Security Act (MTSA) facility – container ports, oil and gas port facilities and cruise and ferry terminals, covering both inland and deep-water operations.
Challenges Adapting to Change
From a maritime perspective, cyber is challenging to regulate. A lot of the existing maritime regulations are black and white and rely on judgement calls from extremely experienced marine engineers and operators. Complex tasks, such as validating a vessel stability test or verifying that an electrical installation meets applicable standards for a vessel’s route and service, are vastly different to validating cyber risk management and controls considering the integration of heterogeneous and legacy systems, diversity of data sources, and the cybersecurity risks associated with increased digital connectivity, onboarding of digital technologies, and the push for autonomous vessel and facility operations.
Adapting to the new rule may be tricky and potentially expensive for the maritime industry if it is not approached properly. And while some of the larger operators are further along the cybersecurity- maturity curve - for example the Port of Los Angeles in 2021 was the first seaport in the world to establish a Cyber Resilience Center (CRC) - the new regulations will impact much of the industry on a fundamental level.
Physical and Financial Impact
From an executive management perspective – any organization with an immature cyber security posture may not only be challenged with understanding the practicalities of implementation but may also struggle to find skilled workers with the necessary combination of cyber and maritime expertise on which to assess and create an effective internal cyber infrastructure.
Added to this will be the cost implications that will have to be factored in. From small port facilities and vessel operators to larger operations, a myriad of new costs will be associated with the regulations. And as the complexities grow (depending on the size of the organization) the costs could grow exponentially.
The Importance of Managing the IT/OT Convergence of the new Regulations
While in recent years IT security has been a focal point of any organization using digital systems, the OT risk is a real and present danger that organizations in the maritime industry will also need to mitigate against under the new rule.
The MTS is one of the largest of the 16 critical infrastructure sectors in the United States. With over 900 ports and countless terminals and facilities, it includes vessels within the commercial, civilian, government and military sectors. As a result, it contains many thousands of OT systems that control anything from port cranes to a ship’s engine or navigation system.
THE REPORT | MAR 2025 | ISSUE 111 | 59
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48 |
Page 49 |
Page 50 |
Page 51 |
Page 52 |
Page 53 |
Page 54 |
Page 55 |
Page 56 |
Page 57 |
Page 58 |
Page 59 |
Page 60 |
Page 61 |
Page 62 |
Page 63 |
Page 64 |
Page 65 |
Page 66 |
Page 67 |
Page 68 |
Page 69 |
Page 70 |
Page 71 |
Page 72 |
Page 73 |
Page 74 |
Page 75 |
Page 76 |
Page 77 |
Page 78 |
Page 79 |
Page 80 |
Page 81 |
Page 82 |
Page 83 |
Page 84 |
Page 85 |
Page 86 |
Page 87 |
Page 88 |
Page 89 |
Page 90 |
Page 91 |
Page 92 |
Page 93 |
Page 94 |
Page 95 |
Page 96 |
Page 97 |
Page 98 |
Page 99 |
Page 100 |
Page 101 |
Page 102 |
Page 103 |
Page 104 |
Page 105 |
Page 106 |
Page 107 |
Page 108 |
Page 109 |
Page 110 |
Page 111 |
Page 112 |
Page 113 |
Page 114 |
Page 115 |
Page 116 |
Page 117 |
Page 118 |
Page 119 |
Page 120 |
Page 121 |
Page 122 |
Page 123 |
Page 124 |
Page 125 |
Page 126 |
Page 127 |
Page 128 |
Page 129 |
Page 130 |
Page 131 |
Page 132 |
Page 133 |
Page 134 |
Page 135 |
Page 136 |
Page 137 |
Page 138 |
Page 139 |
Page 140 |
Page 141 |
Page 142 |
Page 143 |
Page 144 |
Page 145 |
Page 146 |
Page 147 |
Page 148
