Mitigating Cyber Risk in Maritime Applications

By Larry O'Brien and Guest Blogger: Gregory Villano
ARC Report Abstract


The cybersecurity threat landscape is ever-changing.  Attacks are becoming more sophisticated, and advanced persistent threats from nation states are becoming more common and are even blending with criminal activity.  There are also untold unknowns.  As the scope of threats seems to widen, we are discovering that a much wider spectrum of systems and assets is at risk.  Threats are no longer limited to DCSs, PLCs, and SCADA systems.  Process safety systems, turbine control systems, terminal automation systems, and many other kinds of systems and assets must be considered in a comprehensive cybersecurity risk management strategy.

The maritime sector, which includes transportation of hazardous chemicals and other materials and critical maritime port infrastructure, provides an excellent example of an industry sector abundant with safety-critical assets with potential cyber risks.  The sector has its own diverse installed base of systems and assets.  These range from shipboard control systems to systems used in cranes and container ports to petroleum terminals, custody transfer, physical controls access, and metering.  The marine sector’s own wave of digitalization creates unique challenges, from increased remote connectivity to wholesale modernization of legacy shipboard controls.  This year’s ARC Industry Forum in Orlando featured a session on the convergence of safety and cybersecurity.  During that session, a cybersecurity engineer from Moran Shipping Agencies, Inc., the largest independent steamship agency in North America, discussed some of the associated risks, challenges, and solutions.    

Digitalization of the Maritime Industry

Greg Villano, senior maritime cybersecurity engineer for the division of Moran Shipping known as Moran Cyber (and co-author of this report), summarized the key cybersecurity challenges facing the maritime industry.  Moran Shipping, the largest independent ship agency in North America, handles over 5,000 merchant vessel port calls per year.  Companies like Moran play a big role in shaping the security of both the vessel owners’ fleets and the nation’s ports.  Protecting sensitive vessel, port, voyage, and financial data is an intrinsic requirement for Moran, and overlaying industrial control system (ICS) and operational technology (OT) cybersecurity is a natural next step as a business. 

The maritime industry does not always receive much public attention but is a key part of what keeps industry and commerce moving.  Roughly 90 percent of the world's goods are transported by sea, with over 70 percent as containerized cargo.  Cargo transported by the liner shipping industry represents about two-thirds of the value of total global trade.  This equates to more than $4 trillion worth of goods each year. 

Today’s maritime industry is becoming more connected through digitalization and adoption of a wide range of new technologies being used to manage an extremely sensitive ecosystem of data that spans the entire planet.  As in all other industries, access and retrieval of data, as well as some remote maintenance and control, have created opportunities to increase operational visibility, optimize, and reduce administrative burdens.  Port coordination and voyage optimization are even a priority of the International Maritime Organization through the “Maritime Single Window” requirement passed in April 2019.  This is an important step for the maritime industry, but digital security must be prioritized to receive the full value of investments in technology and to help ensure safe and profitable operations.

An “Ocean” of Sensitive Data

The maritime industry is a truly global business that is interconnected with its principals and with the government, making it a common target for espionage and cyber-attacks.  The ecosystem of sensitive data includes touchpoints with the US Coast Guard, Department of Homeland Security (DHS), and other government organizations.  Ship owners and operators, vessels, terminals, and third-party vendors and service providers are also part of the ecosystem. 

Potential attackers are familiar with working in complex industrial ecosystems, have resources, and are often highly mobile.  Known cyber incidents in the maritime sector include attempted fictitious ship appointments, ransomware incidents, and email spoofing and spear phishing of executives. 

Digitalization Changes Approaches to Cybersecurity

Digitalization and its ubiquitous impact on both the information technology (IT) and operational technology domains has driven Moran Shipping to take a more holistic approach to security that encompasses multiple domains in the enterprise and industrial controls.  The company uses the term Digital Security to describe this approach, which unifies cybersecurity, information security, IT security, OT security, physical and environmental security, and privacy.  This reflects an understanding of the real-world safety considerations posed by OT and the Internet of Things (IoT), and the physical threats to life, property, and the environment.

[Figure: Maritime Sector Has a Complex and Sensitive Ecosystem of Data]

Maritime Cyber-human Capital in High Demand, Short Supply

In addition to the challenges of digitalization and convergence of IT and OT, vessel and terminal owners and operators face an increased need for the human capacity to manage cyber risk holistically.  The maritime sector sorely needs digital innovations and connectivity to enable commerce to not only flow freely and with continuous growth, but also improve efficiency.  Managing cyber risk is, therefore, of intrinsic value to protect both safety and profitability.  Cyber-risk management is also a new requirement in Safety Management Systems under the IMO ISM Code, to take effect upon a vessel’s first renewal of a Document of Compliance on or after January 1, 2021.




Keywords: Cybersecurity, Safety, Maritime, Moran Shipping, ARC Advisory Group.
