Enhancing Cyber Security Resilience For LNG Carriers

68

Regulations impacting the cyber security of FSRUs are many and complex, but it could also be time for a heightened focus on cyber risk associated with another link in gas value chains – LNG carriers, reports DNV. 

Critical Stakeholders

In the maritime context, the chain includes Floating Storage Regasification Units (FSRUs), LNG carriers, related onshore infrastructure at ports and terminals, and suppliers of IT and operational technology (OT). Ultimately, cyber security that protects the uninterrupted supply of gas to transmission and distribution networks is an energy security issue.

Balancing Energy Transition And Cyber Security

“Gas transported ashore from FSRUs has been supporting the energy transition in Europe in recent years and DNV services have been supporting cyber-security initiatives for these regas units as critical infrastructure,” says Martin Cartwright, Global Business Director, Gas Carriers & FSRUs at DNV. “However, our experience leads us to question whether maritime is giving as much focus as it should to cyber risks that may come through LNG carriers uploading LNG to FSRUs,” he adds. “Where this connectivity includes IT and OT, what cyber-risk interface does it create, and how can we stop malicious hackers from exploiting that?”

Cyber-security Regulations

Newbuild and existing FSRUs are impacted by regulations, not only as vessels but also as elements of critical infrastructure underpinning energy supply. Yet comparing cyber-security regulations for FSRUs (usually modified LNG carrier designs) and LNG carriers reveals a gap. 

Recently implemented new regulations affecting FSRUs have come from the International Association of Classification Societies (IACS, of which DNV is a member); the IMO; the EU Network and Information Security directives (NIS1, NIS2); the Oil Companies International Marine Forum (OCIMF) program SIRE 2.0; the US Securities and Exchange Commission (SEC); DNV Cyber secure class notation (July 2024); and country-specific laws and requirements.

The LNG Value Chain

The chain from liquefaction through transportation on LNG carriers, reception at FSRUs, regasification, and onward transport involves complex IT, OT, and communications networks that are interconnected. Hence, a cyber attack on one part could potentially jeopardize seafarers, individual vessels, and larger fleets, terminals, ports, and the containment of the deep-cooled LNG itself. 

Tougher Regulation Loom

President Biden issued an Executive Order in February 2024 proposing to expand US Coast Guard (USCG) powers to require vessels and waterfront facilities to mitigate cyber conditions that may endanger the safety of a vessel, facility, or harbor.  

Einarsson adds: “The IMO’s Maritime Safety Committee accepted the EU’s proposals for enhanced ship and operation cyber security in May 2024, with the IMO Facilitation Committee set to follow in 2025. So there is momentum in the industry towards greater regulation of the cyber security of newbuild and existing ships in general, and of operations.”

Supporting Cyber Risk Mitigation 

DNV assists the LNG industry by combining deep knowledge and expertise, not only in maritime cyber security but also in vessel operations, equipment, control systems, and connectivity.  

Our services and solutions for managing cyber risk in maritime IT and OT include risk assessment and testing; preparation for compliance; enhancing cyber security; validation of systems and procedures; training; third-party verification of cyber-security requirements throughout a vessel’s life cycle; and certification against international standards.

Managing Cyber Security

“We also explain the complexities and what mitigation solutions we can provide given today’s regulatory environment,” says Guillaume Leleu, Senior Maritime Cyber Security Consultant at DNV. “Part of today’s complexity comes from connecting existing ships that are not designed to meet higher cyber-security requirements to critical infrastructure that must meet such requirements. This is why complex projects need expertise that understands the specifics of each system, its cyber vulnerabilities and what it’s capable of.” 

Did you subscribe to our daily Newsletter?

It’s Free! Click here to Subscribe

Source: DNV