Cybersecurity concerns for the energy sector in the maritime domain

Executive summary

The global has seen a numeral of high-profile maritime disasters in holocene months and years, and has felt the affect of them. Over that same menstruation, the world has seen a total of high-profile cyberattacks and felt their impact, american samoa well. Combined, the nautical and cyber incidents have likely affected the energy sector more than any other : fuel prices often spike or plummet, and access to energy resources can become an clamant informant of concern, tension, or even battle. As a wide spectrum of energy companies continue to rely on the nautical world or even increase that reliance, they must be mindful that traditional nautical threats—like plagiarism, larceny, and weather events—are not the entirely threats they face nowadays. Maritime cybersecurity concerns are among the most potentially disruptive to energy-sector interests, and even are among the least understand and addressed .
This paper identifies ten areas in which the energy-sector faces harmful cyber vulnerabilities in the maritime knowledge domain, and seeks to provide enough insight and examples to allow for actions to reduce the risk of damage from these respective vulnerabilities. The paper develops the exercise of offshore wind energy to model how to assess cyber considerations more fully. ultimately, it concludes with a series of ten recommendations that offer steps for policy makers, energy-sector actors, and security and law-enforcement professionals to minimize the exposure of the nautical energy sector to harmful cyberattacks .
This analysis looks at a wide spectrum of maritime cyber concerns and how they could compromise the department of energy sector. These concerns include human erroneousness or human ignorance ; fraud ; attacks to facilitate crime ; navigational attacks ; functional attacks ; indiscriminate attacks ; compound attacks ; infrastructure attacks ; future concerns ; and hybrid aggression. For this final examination concern of hybridity, the bleary tune between express and criminal natural process is addressed, noting that unlike other forms of attack or war, the cyber domain is equally accessible to state and nonstate actors. While states are charged with the legal and virtual duty for cosmopolitan national defense, this sport of the cyber domain means that submit and private actors must share the effect of establishing adequate cyber defenses .
To that end, the wallpaper arrives at a act of conclusions for all those who have a proximate interest in the nautical cyber knowledge domain :

1. Develop a better understanding of the maritime domain. 
2. Understand at least the basics of the cyber domain.
3. Take stock of technology in use.
4. Think like the adversary.
5. Prioritize defenses according to impact.
6. Invest in meaningful cyber defenses.
7. Build resiliency through analog redundancy.
8. Establish response protocols.
9. Prepare for the worst.
10. Be vigilant.

These nine approaches, while apparently simplistic, require a bang-up degree of severity and consistency. The intersection of the nautical and cyber domains is a locus of frightful vulnerability for ball-shaped department of energy, and since most of the earth relies on the energy sector, about everyone has an sake in preventing the exploitation of that vulnerability .

Introduction

Two months before a cyberattack exclude down the Colonial Pipeline, creating fuel shortages and spiking fuel prices in the eastern United States, the worldly concern watched the play of the Ever Given, stuck blocking the Suez Canal for more than six days in March 2021. That apparently short disturbance of maritime department of commerce caused by a one vessel was enough to have tangible impingement on energy supplies in different places around the earth. More than 90 percentage of world trade happens by sea, and more than 30 percentage of the maritime diligence is operating in corroborate of the energy sector at any given time. The link between the energy sector and the maritime knowledge domain is lone poised to grow as offshore anoint and natural gas production continues, offshore wind expands dramatically, and both wave capture and floating solar plants become feasible realities—not to mention the ongoing dispatch of energy products and the bleak materials and minerals that support the energy system. The Ever Given may have been an accident, but it provides a blunt reminder of how vulnerable the nautical domain is to disturbance. That, in turn, is a vulnerability of critical refer for the energy sector. After millennium of technology, seamanship, and experience, these two interconnected industries—maritime and energy—are possibly most vulnerable to harm thanks to a relatively raw refer : cybersecurity. Yet saturating the discussion of nautical transport and energy systems with fear, doubt, and doubt as to what a cyberattack is or is not alone serves to confuse. With increasing technical promotion and addiction on both ships and nautical infrastructure, the nautical and energy sectors must be proactive in identifying and addressing cybersecurity concerns. This report seeks to provide a baseline for that march with respect to the energy sector ’ south stakes in the nautical space .

A context of confusion

The maritime world is esoteric : it has specific laws, terminology, and priorities. unfortunately, however, this means that the global ’ s population tends to be profoundly “ sea blind, ” as maritime matters are by and large out of sight and out of mind for many people .
furthermore, it is not easy to promptly understand the interests and stakes that drive decision-making in the maritime world without a meaning degree of ingress. For many, the cyber universe is evenly esoteric, considered the horizon of mysterious hackers with skills that allow them to do apparently impossible things. Despite a ceaseless stream of news stories about curiously named cyberattacks and concerns about both hack and cybersecurity, even experts in other areas of security often profess vitamin a much “ cyber ignorance ” as the general public has “ sea blindness. ”
far complicating matters, the remainder between information technology ( IT ) and functional technology ( OT ) is lost on many who are not at least minimally familiar with cyber matters. In broad terms, IT refers to both the hardware and software of computer engineering, whereas OT refers to the devices that control the forcible global. Yet both are grouped together as cyber concerns and often seen as a subset of something else—either engineer or security. One of the problems is that the overlap of maritime matters and cybersecurity concerns leaves most feeling out of their depth. The maritime populace feels alienated by the cyber earth, and the cyber world struggles to understand the legal and virtual oddities of the nautical earth. While naturally a fair number of experts from both camps have made the derail across that separate, the majority are : at the technical and tactical degree ; within a company whose cybersecurity cognition and practices are considered deal secrets ; or within a government that classifies all of its work in this quad. consequently, it is extremely difficult to have an informed discussion about maritime cybersecurity in an unclassified environment, particularly at the strategic level. In other words, there is a dearth of literature and insight that is simultaneously accurate and insightful, while not being indeed technical on either the nautical or cyber fronts as to lose the meaning wholly. This void makes it difficult for leaders who lack expertness in the nautical cyber world to make sound assessments of their needs and, therefore, to make audio decisions about how to protect their interests .
Within that context of confusion, the further specialized fixed of interests and issues relating to the department of energy sector only adds another layer of complexity. about a third base of global nautical commerce is focused on moving or supporting the department of energy sector, and the majority of offshore infrastructure at this target is focused on extraction of oil or production of energy. With raw policies and strategies around the world centering on offshore energy—including a quickly growing offshore fart market that is projected to have a 23.4-percent increase in product between 2020 and 2027—this sector is poised to grow well in the adjacent few years. Grounded understand of the myriad challenges related to cybersecurity for the energy sector in the nautical world is consequently critical for navigating the class ahead. This analysis, consequently, seeks to bridge the divides between these fields by offering a virtual, and not excessively technical, review of some of the leading cybersecurity concerns for the department of energy sector in the maritime sphere. This is not a catalog of all nautical cyber vulnerabilities but, preferably, a survey of those vulnerabilities whose exploitation could truly harm the energy sector, followed by an model of a profoundly dive into one area of emergent concern—the cybersecurity considerations for offshore wind-energy production—to demonstrate the extent of the employment that still needs to be done to generate greater understand of this space .

A survey of harmful vulnerabilities

Given the area of maritime activities relevant to the energy sector, the sets of cybersecurity concerns could be grouped in many different ways. To make the most common sense of the keystone considerations, however, this analysis will examine ten areas, providing examples of each :

1. Human error or human ignorance
2. Fraud
3. Attacks to facilitate crime
4. Navigational attacks
5. Operational attacks
6. Indiscriminate attacks
7. Compound attacks
8. Infrastructure attacks
9. Future concerns
10. Hybrid aggression

While these ten considerations are applicable in other fields as well, their specific relevance to the energy sector—broadly defined to include the full spectrum of energy companies but focused on those with direct nautical interests—is highlighted in each example .

1. Human error or human ignorance

While it may seem paradoxical, the biggest cyber vulnerability is about always homo beings. Either from error or from ignorance, humans are able to create more damage than most hackers could always imagine. While it may be possible for a highly skilled hacker to access sensitive or important data stored on a laptop, it is much easier to entree that data directly on that laptop if it is left at a banish and ends up in the wrong hands. In the maritime quad, the setting for homo error is huge, even before mentioning the cyber aspects. Cybersecurity training—even basic train on the “ cyber hygiene ” good practices that limit some of these human-generated vulnerabilities—is not normally incorporated into the educate for seafarers. The international mandate Standards of Training, Certification, and Watchkeeping ( STCW ), developed in 1978 and most prominently updated in 1995 and 2010, address a range of security and safety concerns on ships, but cyber considerations are not included. Furthermore, outsourcing to contractors brings a range of actors—engineers, longshoremen, stevedores, and security guards—into direct contact with ships, nautical infrastructure, and nautical engineering. From crew members sharing operational data on social media to offshore platform workers taking engineering home with them, the range of cyber-related damage from basic human error or ignorance can be huge .
Energy-sector significance
The department of energy sector moves a enormous amount of hydrocarbons by sea and produces a substantial measure of energy offshore. While all of that may be within energy companies ’ contractual control, it is not always within their address control. The sector must be proactive in ensuring adequate cyber train throughout the add chain to minimize the odds of homo error or ignorance opening the door to cyber-related damage. tied apparently low-level contractors like harbor pilots, bunkering operators, or provision vessels could create significant cyber complications through human error or ignorance .

2. Fraud

While imposter is normally an undertake to induce homo error on person else ’ randomness separate, it is a distinct class of concern. Cyber fraud is one of the better known forms of scamming in holocene years, as a range of tactics have cost individuals and companies huge amounts of money. While most nautical and energy companies are unlikely to fall for the alleged nigerian prince e-mail scams, they are very susceptible to other forms of cyber imposter. Of class, any employee at any company could fall victim to link manipulation or some other inducement that leads to malware infecting the company ’ second network. Yet in the maritime outer space, there are more maritime-specific concerns. Take, for example the coarse drill called spear phishing. While phishing is using emails to convince the recipients to go to a web site or do something that will cause them harm in some way, spear phishing is a target version of this activeness. rather than a generic electronic mail, it is specific, calculate, and frequently directed to the specific recipient .
For example, a caller security policeman ( CSO ) at a transportation line might receive an e-mail just before the close of clientele on a Friday that purports to be from a canal authority. Seemingly official and lawful, the e-mail includes a bunch of accurate details about that company ’ sulfur vessel, which is due to transit the canal over the weekend. It indicates, however, that person has neglected to pay the compulsory $ 100,000 chemical bond for transit, and that the vessel will not be allowed to proceed without doing so. not wanting to be fired for delaying the vessel unnecessarily, the CSO scrambles to authorize requital of the bond, even though it would not normally be her province. After a weekend of feeling satisfied that she helped her company in a nip, she comes in Monday to discover that the e-mail had an underline in the address that does not appear in the actual duct authority ’ second emails and the $ 100,000 was actually paid to thieves. While this example is financially focused, cyber imposter can create any number of harmful circumstances, tied venturing into blackmail and extortion .
Energy-sector significance
see by many criminals as having deep pockets and a source of respective forms of injustice, the energy sector is a aim for criminals who may take interest either in creating damage or in obtaining an illegitimate windfall. The esoteric nature of the maritime space combined with general sea blindness—wherein the nautical space is deplorably undervalued and largely ignored—makes it a choice venue for targeting the energy sector. The gamble of getting caught in the maritime domain is far lower than on nation, given the lack of monitor and absence of rapid response. Rather than physically pirating a vessel and stealing the petroleum cargo, therefore, cyber criminals may use fraud as a way of producing a similar leave .

3. Attacks to facilitate crime

beyond imposter, there are other cyber means to either perpetrate damage or obtain an illicit boom. Cyberattacks—including hacking into databases, records, or logistics systems—can aid facilitate a wide-eyed array of other crime. In the Port of Antwerp, for example, hackers facilitated a massive drug-trafficking operation for years by modifying the records of sealed containers, allowing for goods to move through the port undetected. Cyber activities can create confusion and blind spots that criminals then leverage to their advantage. If a ship ’ s crew, for exercise, is involved in a smuggle or traffic operation, it may even tamper with its own transport ’ s automatic identification system ( AIS ) —the internationally want means of monitoring the bowel movement of vessels—to indicate a fake route. The datum would then suggest that the ship moved in a certain way, when in reality it was somewhere else. This could then obscure natural process such as a confluence with another vessel to transfer the bootleg or traffic goods, or even to offload partially of an vegetable oil cargo via a ship-to-ship transfer. possibly the main shape of attack for facilitating crime is the deployment of ransomware. In such attacks, the cyber hindrance is used to demand a ransom. One of the most visible ransomware attacks was the 2021 Colonial Pipeline incident. While the attackers actually apologized for the harm they created, noting that they were equitable trying to make money and had not anticipated such acute damage, they were using a cyberattack to extort funds. incidentally, that count had nautical implications as well : in addition to the well-publicized fallout on land, including fuel shortages and panic buying of fuel in bombastic quantities, the Jones Act—the US cabotage law—had to be suspended to facilitate rapid tanker deliveries of fuel along the coast .
Energy-sector significance
There have been incidents in which concluding records have been amended to obscure stallion oil tanker load of oil. In other words, ships can call at a port, load up a full cargo, and leave without any criminal record of such an off-the-books transaction. Given the spectrum of crime—particularly theft—that could occur within the maritime space, the department of energy sector needs to be proactive in identifying methods to limit the opportunities for cyber action to facilitate crime .

4. Navigational attacks

Maritime navigation has been a discrete skill set for thousands of years. Over the last several decades, however, the stars and sextants have been replaced by engineering, including the Global Positioning System ( GPS ) and the ball-shaped navigation satellite system ( GNSS ). Some maritime academies have greatly reduced, or even eliminated, traditional navigational education in favor of relying on GPS and GNSS, which have become critical technologies for maritime commerce. For about $ 300, however, a criminal can procure the technology needed to make all the vessels at sea in a particular sphere believe they are actually on land. In the Black Sea, such spoof of the GNSS has occurred. In 2017, roughly twenty dollar bill ships at ocean reported that their navigational equipment placed them on land at an airport. Some have evening questioned whether such attacks on a less dramatic scale have contributed to late transport collisions and other marine casualties. In that deference, it is far less dangerous if the navigational systems are obviously wrong—indicating that the ship is on land—then if it seems that they may be right ( showing that the transport is in the water system ), but are providing inaccurate placement. The 2019 spoof of the navigational systems of the Stena Impero, for exercise, led to it being unintentionally in iranian waters, resulting in its check by iranian authorities. It was detained in Iran for more than two months before ultimately being released. testify suggests the Stena Impero is by no means the only vessel that has experienced such spoof .
Energy-sector significance
If one of the ships in the Black Sea was not fix for manual navigation, the spoof GNSS could have led to a collision or allision that, in go, could have created environmental damage, a hazard to navigation, or even loss of human animation. Given the potential implications of a alienated vessel carrying more than a million barrels of petroleum, or filled with highly flammable gas, the energy sector must establish protocols to quickly identify such spoof and ensure adequate navigational train to switch from the newer technologies to analog or traditional techniques. Furthermore, given the injury that could come from a confused vessel in close proximity to offshore or submarine infrastructure—for example, dropping and dragging anchor to stop the ship, pending reorientation, or crashing into a windfarm—there necessitate to be predetermined mechanisms for alerting mariners and averting catastrophe .

5. Operational attacks

As noted, there is frequently a failure to distinguish between IT and OT. While respective IT attacks could have operational impact, the cyber vulnerability of OT is broadly underappreciated in the maritime domain. While some consider IT the horizon of cybersecurity and OT the horizon of cyber safety, both have huge condom and security implications in the maritime distance. Industrial manipulate systems ( ICS ) —devices that aid operate or automate industrial processes—have changed how ship function. Newer ships may be larger than always, but the engineering onboard has actually reduced the count of gang needed to operate them. This engineering, however, comes with vulnerability, because even without an IT-based cyberattack, a nefarious actor could remotely interfere with the OT to produce dramatic effect. For case, when the Ever Given became wedged into the Suez Canal, creating ball-shaped economic shock waves, cyber experts began to speculate as to whether it was the victim of a cyberattack. specifically, there remain concerns about whether the erratic propulsion of the ship may have been due to intentional intervention with the ICS. An effective attack in this quad will normally appear to be an accident, and given that any act of reasons could account for the erratic propulsion, including a change in responsiveness to the new low-sulfur fuel required under the “ IMO 2020 ” marine fuel regulations, it may never be potential to determine precisely what happened. functional attacks, however, are probable to increase in parallel with the reliance of ships on engineering. furthermore, fair as IT back doors have been created through malicious natural process like the malware fire on the software firm SolarWinds, back doors built into OT on ships could create any number of operational challenges .
Besides propulsion, any numeral of functionalities on a vessel could fall victim to an operational attack. Ballasting controls, rudder movements, and fuel meter are some of the more obvious areas where damage can occur. On most ships, there is no detectable difference and no means of checking whether a instruction to do something ( for example, spill ballast, change steering ) comes from the bridge of the ship, the headquarters of a ship’s company, or a nefarious actor. alleged air out gaps —or not connecting engineering to a network, in this context—are often mentioned as a solution. As a practical matter, however, this is unrealistic and should not be entertained, as most OT can be networked, even unintentionally .
Energy-sector significance
A cyberattack on OT within the ICS on a ship in overhaul of the department of energy sector, or on the operation of an offshore facility, could create huge issues. Everything from causing a transport to burn extra fuel to shutting down the power on a vessel or rig to pressurizing a pipeline to the target of tear is within the kingdom of possibility for an operational attack. Ports besides have become a major area of refer. While many of the systems at a port may be susceptible to IT attacks—and there are enough of examples of both ransomware and malware incidents—the OT at ports is besides increasingly the prey of hackers. For example, the OT systems of Shahid Rajaee Port in Iran were attacked in June 2020, resulting in shipping chaos and a cessation of tanker traffic. A offprint sketch by Lloyds of London indicated that insurance companies would not be able to cover the costs associated with a compromise of OT systems in fifteen ports in Asia, the wrong of which could be upward of $ 110 billion .

6. Indiscriminate attacks

While many forms of cyberattack and cyber-related injury are designed, and evening targeted, the maritime space can be the victim of cyberattacks by accident. Given the network nature of global business and international department of commerce, an attack on one place, entity, or server can have an shock on and cause damage to the nautical knowledge domain. On June 27, 2017, the NotPetya attack on a server in Ukraine led to $ 300 million in wound to A. P. Moller-Maersk, the global ’ sulfur largest shipping line, better known as Maersk. simultaneously, all the calculator screens across the company ’ s 547 offices went space and a message demanded payment in cryptocurrency to regain access to the computers. Maersk was not the target, but global maritime commerce felt the impact. Or, as Andy Greenberg, engineering journalist for Wired, excellently said : “ The weapon ’ s target was Ukraine. But its savage radius was the entire populace. ”
Energy-sector significance
The energy sector needs to be conscious that such indiscriminate cyberattacks may impact its nautical interests at any time. A ransomware or malware attack, for model, could shut down an offshore carriage or an stallion offshore wind farm. Protocols and reply mechanisms are needed to mitigate and respond to attacks. Lessons should be learned from the companies that have experienced such situations. While both the department of energy and maritime sectors are notoriously competitive, security is not an area of competition that benefits any legalize actor .

7. Infrastructure attacks

assorted forms of nautical infrastructure, from ports to offshore installations to submarine pipelines, could be the discipline of a cyberattack, and they need to be protected in a kind of ways. The Colonial Pipeline attack should draw corollary concerns for subsea pipelines, but equal uncertainty around whether a 2008 plosion in the Baku-Tbilisi-Ceyhan grapevine points to worrying possibilities for subsea infrastructure. While that incident was ultimately determined to be a physical attack rather than a cyberattack, the hypothesis exists to remotely pressurize a subsea grapevine to the point of explosion. While most attacks are probable to be less spectacular, interfering with infrastructure can cause damage to both global supply chains and the ball-shaped economy if the attacks are sufficiently disruptive .
One form of maritime infrastructure, however, is uniquely critical to cyber matters. A network of approximately 420 privately owned bomber cables, no wide than a garden hose and lying on the ocean floor, is the physical backbone of the Internet. Between 97 percentage and 99 percentage of all telephonic and Internet data move through submarine cables. approximately $ 10 trillion in transactions traverse that submarine network each day. While early forms of nautical infrastructure may be national to cyberattacks, submarine cables are a part of maritime infrastructure that, if attacked, can actually stop all cyber activeness and cause huge damage from the absence of it. In January 2019, for exercise, the island nation of Tonga experienced a total call and Internet blackout because a submarine cable was cut. While damage to submarine cables is not quite the same as a cyberattack, it is effectively a physical attack on a cyber system .
Energy-sector significance
Given the vulnerability of submarine cables and the importance of them to both the global economy and to life on land, maritime operators need to be mindful of threats to them, both designed and unintentional. As offshore installations turn to submarine cables for connectivity, the energy sector needs to plan for resilience in the event of a cable demerit .

8. Compound attacks

Most forms of nautical cyberattacks are focused on the ship or infrastructure of interest. Yet with the growing presence of engineering in the nautical world, the energy sector has raw areas of refer. remotely operated unman forward pass vehicles ( UAV ) and subaqueous vessels open the door to cyber hindrance that could create significant physical damage. In early words, a cyberattack on one spot of engineering could then be used to perpetrate a secondary, or compound, attack on something else. Take, for example, the increase in long-range, payload-carrying add drones that are adequate to of moving goods respective miles from transport to shore or shore to ship. If hacked and remotely controlled by a nefarious actor, they could be used to cause damage to a ship. In Singapore, for example, the port has recently started piloting the manipulation of autonomous drones to deliver parcels from land to ships. Just as the USS Cole was attacked in 2001, when terrorists committed suicide by ramming a small gravy boat into the hull of the warship, an unmanned organization could be commandeered through a cyberattack to perpetrate similar damage .
Energy-sector significance
Since 2019 in the Middle East alone, there have been numerous incidents with respective actors using either marine mines to attack tankers at ocean or drones to attack both oil infrastructure and ships at sea. compound attacks involving a cyberattack to perpetrate a physical attack are eminently foreseeable. The consequences for the energy sector could be catastrophic, depending on the target and the extent of damage produced .

9. Future concerns

The motion toward autonomous ship is no longer a theoretical hypothesis but an exigent reality. It is being introduced in a issue of context, tested in others, and projected to be valued at $ 165 billion by 2030. This development and increased engineering in the nautical domain create a universe of new opportunities for cyber attackers and a set of new challenges for those who operate legally in the nautical domain. autonomous vessels—when controlled or override either through IT or, possibly more probable, through OT interference—could become weapons. Given the addition in nautical attacks in late years, such an eventuality is not far-fetched. The fanciful kingdom of literary fiction, like that of P. W. Singer and August Cole ’ s Ghost Fleet, are quickly entering the region of actual possibility .
In security, however, it is frequently a error to equate the most outstanding with the most significant. Something american samoa simple as a back door in an OT device that allows a fifth columnist to remotely create frequent but explainable maintenance needs may be an effective way to bleed a rival. furthermore, as watchkeeping and seafaring skills erode amid the reliance on engineering, minor incidents caused by cyberattacks may become, by design, even harder to detect. Blanketing the maritime quad in doubt and doubt about what is or is not a cyberattack will only complicate matters further .
Energy-sector significance
The energy sector is a major actor in the maritime knowledge domain, and can drive trends and invention. As its leaders push button for greater technological capacity and capability, they must besides be mindful of greater vulnerability. A wise approach is red team, which is having a break group play devil ’ south advocate with newly ideas and test minor variations in the crop of sleep together issues, to recognize how nefarious actors might view a modern growth. For exercise, working out how hackers might manipulate the controls on a submarine pipeline to obscure the fact that they were tapping it to steal the oil, or thinking through how an autonomous vessel could be taken over and used to disrupt offshore drill, or how a hack issue drone could damage an offshore wind turbine, can all help spark modern thinking about how to foreclose criminal opportunities. This is particularly important with new installations, technologies, and personnel. Thinking like a condemnable organization—a nice, well-resourced one—will help identify areas that need greater defenses and more extensive resilience plan. The energy sector ’ randomness pastime in technology is frequently to increase efficiency and reduce monetary value ; however, with the pervading trouble of sea blindness and the general lack of sympathy of potential harm emanating from cyber action, maritime cybersecurity could become the energy sector ’ s Achilles ’ heel .

10. Hybrid aggression

Each type of attack mentioned therefore far could either be perpetrated by state actors or nonstate criminals. The cyber sphere is simultaneously accessible to all and a forum of anonymity. As such, cyberattacks are frequently a separate of hybrid aggression, a relatively new typology of state aggression that seeks to disrupt the think action of an foe or rival, send a specific message, or obtain some kind of strategic advantage. While military definitions of hybridity deviate, there are broadly four winder elements and frequently a fifth :

1. Activity by a state that has a conventional force, but that chooses to use unconventional tactics (hence the use of the term “hybrid”).
2. Implausible deniability, whereby it is not immediately possible to accuse the perpetrating state even though there is a strong sense of who is responsible.
3. An illegal act.
4. Scalability, whereby the perpetrator can dial up or down the activity depending on the response to it.
5. Strategic communications are a frequent fifth  element, whereby there is a corresponding effort to “control the narrative”.

While states could use cyberattacks to overtly or directly attack other states—for example, hacking another state ’ second governmental or military systems—hybridized aggression can play out in any forum, including on civilian interests .
Energy-sector significance
On account of both anonymity and scalability, adenine well as the likelihood of disrupting a rival or enemy ’ second think process, sending a message, or gaining strategic advantage, a cyberattack on maritime energy interests would be an ideal form of hybrid aggression. As this field of dispute continues to develop, the energy sector will have to be mindful that criminals and even terrorist organizations are not the extent of their concern. State actors may use cyberattacks against the department of energy sector to achieve military or strategic ends against other states. The complexity of the array of actors with the capability to perpetrate attacks does not, however, change the impact of the attacks on the energy sector itself. What matters is working to prevent such attacks. To do thus, the energy sector needs to better assess the spectrum of risks by first considering the range of actors capable of causing cyber-based dislocation to maritime operations. only with full appreciation and awareness of the possibility of these kinds of state actions can energy-sector stakeholders become more effective in their approaches to cyber threats .

A deeper dive: Cyber risks to offshore wind-energy systems

This section drills down on the cyber challenges facing one of the many types of maritime fare system ( MTS ) energy assets : offshore wind-energy systems. other than micro reactors and thermal storehouse under consideration for shipping, offshore wind-turbine farms, and particularly floating offshore wind turbines ( FOWTs ), which are sited far from the coast to capture more systematically high-speed winds and represent the latest field of maritime power production. As such, they take advantage of the latest digital march and communication technologies, and, in fact, could not exist without them .
Some of this section ’ second content and suggestions are specific to offshore wreathe, but the majority of issues described are park to every manner of modernized and modernizing MTS energy arrangement. At the highest horizontal surface, the topic is the presence of—and near-total dependence on—software, supply chains, and communications. Software, most frequently an amalgamation of code from multiple sources with strange birthplace, including open source, is about guaranteed to have exploitable vulnerabilities introduce by accident, or inserted intentionally by adversaries. Supply-chain security is now lead of mind in Washington as a rush of holocene executive orders have made clear. Communications technologies are what make monitoring and restraint at a distance possible, which means determined adversaries, upon achieving access, may misuse these capabilities for purposes not intended by designers, owners, or operators. Every MTS energy organization now in the field depends on constant or intermittent access to calculator networks reached by a assortment of communications technologies and protocols : long globe-encircling satellite communications ; ICS-specific ones ( for example, Modbus, Distributed Network Protocol 3 ) ; the hyper local ( for example, Bluetooth, Zigbee, Wi-Fi ), placed under the head of the Internet of Things ( IoT ) ; and the grandaddy of them all, the bane of all cybersecurity practitioners, the Internet itself .
Markets largely determine the composition of future electricity-generation portfolios, while physics sets the bounds for what can and can not become an low-cost, reliable energy informant. In 2021, liquid fuels look likely to continue their domination in the marine-surface and air-transport markets, so far all signs point to the continuing decline in the function of dodo fuels in global electricity production .
While wind and solar generation on bring, increasingly backed by energy storage, continue their ascent in terms of output share, offshore wind—soon to include a big number of floating turbines adequate to of operate in deep water—may be the category most probably to very take off .

Wind-turbine generation 101

US Department of Energy ’ s conventional representation of digital wind-plant infrastructure .
While modern turbines on land or at ocean appear sleek and dim-witted at first glance, under their smooth exteriors they are wholly dependant on local and outside sensors, software, and communications to operate safely and efficiently. As the figure above shows from left to right, owner/operators interact with these assets from afar, passing through security protections like firewalls, to reach OT systems that monitor, logarithm, and give instructions to local digital devices like programmable logic controllers ( PLCs ) that send precise master signals to impression physical/mechanical changes .
When this gearing is working by rights and under the control of its intended operators, it is a modern wonder of sophisticate technology. however, this paper is concerned with other-than-optimal circumstances. The pathways for bad actors to access systems and potentially interrupt operations are many, and most stem from the critical role communications technologies play in this knowledge domain. A few representative examples include pathways to :

1. Enable the asset owner to monitor, operate, and control assets.
2. Maintain connectivity to the regional transmission operator (RTO) to ensure safe transfer of offshore power to the land-based grid.
3. Support direct communication connections to the turbine manufacturer for remote diagnostics.

Designers and integrators of these complex systems of systems must do so with the adversary in beware. long past are the days when one could assume that the people with access to controls would be fully vetted, trusted, and coach individuals. Design, growth, and construction must nowadays adhere to “ secure by design ” or “ cyber-informed engineer ” principles, which begin with the premise that bad actors will seek to gain access by a variety show of means, and then use that access to operate the equipment in ways that were never intended .

All eyes on the supply chain

offshore wind instrument helps illustrate these core security concerns and the need for improved risk management by nautical energy sectors, as discussed in this paper and in further contingent in Raising the Colors : Signaling for Cooperation on Maritime Cybersecurity. emphasis by a security analyst is one thing. Strategic hazard realized and acted upon by business executives in the companies that own and operate these assets, in the credit-rating firms that determine the interest rates they will pay, and by the insurance companies that determine premiums based on their appraisal of hazard, is quite another. With cyber risk, there ’ south constantly been a meaning imprison between what experts are calling out and what decision makers are doing, and that includes government oversight bodies .
Every communications pathway presents an opportunity for entree by cyber attackers. ideally, best practices call for by rights configured and fully patched firewalls to allow only authorized traffic and block all others—and virtual secret networks ( VPNs ), which besides require patch, to encrypt both inbound and outbound network traffic. Both of these types of cybersecurity tools are made from software, and have been found to contain about american samoa many exploitable vulnerabilities as other categories of enterprise software. The intersection bought and deployed for protective covering can itself become the pathway for attackers .
Consider the SolarWinds episode, a clear-cut lawsuit of nation-state on nation-state cyber espionage. This demonstrably utilitarian network-management and security-tool suite was recently in use at hundreds of thousands of clients, including the huge majority of Fortune 500 companies and many US government agencies, including the Department of Energy and its home lab. Like about all other products, it contained security system flaws that provided skilled cyber attackers the means of entrance, american samoa well as lateral pass movement within their targets, facilitating the vacuuming up of huge amounts of medium information and solicitation of access-control authentication and access control that demonstrate a exploiter ’ sulfur identity or authority. ” ] that may be employed in later attempts at disruptive or destructive cyber-enabled sabotage .
When a software or software-enabled intersection is american samoa popular as SolarWinds ( and many are ), it is called horizontal cyber risk. Though not quite this elementary, basically, manque adversaries need to study fair one product in depth to acquire cognition enabling them to breach many target organizations. It is by virtue of these products ’ success in the market and far-flung use that they represent inordinately attractive targets to attackers who can, so to speak, learn once and use many times their cognition of electric potential weaknesses in these products. In the MTS there are many such things, frequently segmented by function. Examples include : larboard operations systems such as highly automated cranes ; propulsion and navigation systems for commercial transportation, tugs, and military ships ; power generation for offshore scent turbines ; and dynamic put and blowout-prevention systems for deep-water bore rigs. This is not an exhaustive number, but it demonstrates the likely for horizontal risk within the MTS .

Conclusion

The intersection of cybersecurity and the energy sector in the maritime knowledge domain provides one of the most prolific areas for criminal attack or nefarious state action. The cosmopolitan sea blindness and lack of attention to maritime matters have opened the doorway to an increase in criminalism at sea in holocene years. With the energy sector relying heavily and increasingly on both nautical transmit and maritime infrastructure, it remains one of the most critical targets for illegitimate activity in the maritime domain. While security professionals and law-enforcement officials are perpetually working to improve the physical security of energy-sector interests at sea, there remains a bang-up academic degree of cyber ignorance that is being exploited in a diverseness of ways with equally varied affect. This analysis has shed unaccented on ten key areas of business, raising issues and examples along the manner. The deep dive into offshore wind considerations helps demonstrate some of the analysis that is needed to in truth understand both the cyber vulnerabilities of the energy sector in the maritime sphere and what their implications might be. Resolving them, however, requires a variety show of approaches .
Based on this psychoanalysis, the come recommendations are made to those concerned with maritime cybersecurity for the energy sector .

• Develop a better understanding of the maritime domain. With a range of oddities that make it a world unto its own, the maritime domain is often a source of confusion. The law functions and applies differently at sea, and the location and type of either a vessel or offshore infrastructure can determine the extent to which law-enforcement officials can do anything to protect it. Therefore, at least a basic sensitization to the law of the sea and to general maritime dynamics is important for understanding what needs to be protected and why.
• Understand at least the basics of the cyber domain. A confusing mystery to many, cybersecurity comes with terminology even more esoteric than that of the maritime world, and an operating space that is invisible to most. Knowing even basic cyber principles—including cyber hygiene—can help engender sufficient comfort to at least tackle some of the critical areas where cyber concerns arise.
• Take stock of technology in use. To know what they must protect, defenders need to know what systems they manage and how they are interconnected. This seems a simple recommendation, but a rigorous accounting of all the technology—both IT and OT—across the maritime infrastructure and transportation system is a difficult task. That said, it is a crucial step for defenders to identify those vulnerabilities that could have the most serious impact.
• Think like the adversary. Defenders thinking like a criminal or state actor is important for discerning their own weaknesses and more effective means to address them.
• Prioritize defenses according to impact. Vulnerabilities will always exist. The question is: how much can they affect owners and operators? Discerning potential impact allows for prioritization according to what is most detrimental.
• Invest in meaningful cyber defenses. The impacts of cyberattacks are increasingly obvious. While the complexity and diversity of the maritime domain complicates matters, the Federal Energy Regulatory Commission’s Notice of Proposed Rulemaking incentives for cybersecurity investments provides a useful guide to help policy makers do everything in their power to incentivize investments in defensive cyber tools and services whenever and wherever possible.
• Build resiliency through analog redundancy. While there are always going to be sophisticated cyber defenses to sophisticated cyberattacks, true resiliency may require shifting the mode of operation to an analog alternative. At the heart of the Securing Energy Infrastructure Act (SEIA) is putting trusted humans back in the decision loop; and the selective reintroduction of analog systems, stopgaps, and fail-safes, ready for when control and/or trust is lost in cyber-enabled systems, should be examined for the highest-consequence functions, missions, and systems.
• Establish response protocols. Rapidly identifying a potential cyber incident is critical, but so is ensuring that information gets to key decision makers in a timely fashion. There need to be protocols for detecting incidents and standard operating procedures for how information gets shared, initial investigations are conducted, and response mechanisms are activated.
• Prepare for the worst. The best way to be effective and efficient in responding to a cyberattack is to practice. Scenario-based tabletop exercises can simultaneously make all actors more comfortable and confident in abiding by response protocols, and more sensitized to potential cybersecurity concerns. This latter aspect may be critical to ensuring that a cyber incident is noticed and addressed in a timely manner.
• Be vigilant. The maritime domain is constantly changing with new challenges, regulations, and threats. The cyber world is exceedingly dynamic, with new developments and dangers almost daily. The energy sector also is undergoing perpetual change. There is no place, therefore, for either arrogance or complacency when it comes to cybersecurity in the maritime domain for the energy sector. Vigilance and agility are key to even maintaining a level of consistency, much less achieving the objective of continual improvement in the face of multivariable threats.

possibly a little fabrication ( and a think tank article about it ) might prove instructive, illuminating how reintroduction of some of the past might help in proceeding more securely and confidently into the future .
In the late 1970s television show Battlestar Galactica, humans, having migrated to outer distance, find their ships devastated by a hostile series of cyberattacks, with alone one starship survive. The outdated destroyer, Battlestar Galactica, last in note for the fleet-wide upgrade to digital controls, proves to be immune to cyberattacks and lives to fight another day. Like the celebrated Battlestar, industrial manipulate systems were entirely analog in their original incarnations. In most u nuclear power plants today, analogue condom systems are still the average. however, a apparently adamant fleet-wide digital upgrade is afoot, and despite knowing in our bones that we ’ rhenium adding complexity, doubt, and cyber risk to our nuclear plants, absent a better way of think, most seem resigned to this destine. When considering the risks and rewards of going amply digital in the most critical of critical infrastructure systems, the optimum solution will frequently be a loanblend architecture where the benefits of digital are realized while the determinism of analogue is drawn upon as an impermeable breakwater of cyber defensive structure .
It ’ s a cliché now, but hope can nobelium long have a place in policy or practice in either of the ways it has, until immediately, confounded better judgment : hope that individual organizations will not catch the attention of cybercriminals and warriors ; and/or hope that if they do become targets, that cyber defenses will be up to the challenge. Because the consequences of dislocation are so high in the maritime knowledge domain, ports, ships, and offshore rigs are targets. As accumulating and accelerating accounts of successful cyberattacks make clear, the current approaches to cyber administration and hygiene in this and relate domains are inadequate. To the greatest extent potential, it is time to return to first-principles thinking in this universe. Think like the adversary—but act like an engineer, is how Marty Edwards, the former director of DHS ’ s Industrial Control Systems Cyber Emergency Response Team, put it to owners, operators, and defenders of critical infrastructure. In effect, a prioritize and more proactive approach to cybersecurity is urgently needed for MTS energy systems and there couldn ’ metric ton be a better time to dig into this ferment than right now, in the wake of the many high-visibility cyber incidents of 2020 and 2021 .

Related content

The Atlantic Council ’ second Cyber Statecraft Initiative, within the Scowcroft Center for Strategy and Security, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the behave of statesmanship and to better inform and secure users of engineering .
learn more