Over the past year, various institutions and organizations—both domestic and international—have shown an interest in moving the increasingly prevalent cybersecurity conversation offshore. Domestically, both Congress and federal agencies have pushed to mandate cybersecurity measures for ships, ports, terminals, and offshore facilities. Internationally, a United Nations agency has issued new guidelines designed to enhance cybersecurity in worldwide shipping operations.
Critical energy infrastructure has long been at the forefront of cybersecurity, both because it is a frequent target of cyberattacks and because the potentially debilitating effects of a successful attack. However, maritime cybersecurity regulations will not necessarily target just the energy industry and are likely to come from a variety of sources, some of which may be unfamiliar to industry players.
Despite a strong national interest in regulating the cybersecurity of critical energy infrastructure, the industry’s maritime operations have largely gone under the radar. To date, approaches to cybersecurity in the energy industry’s maritime operations have largely been voluntary and, thus, company- or even vessel-specific. At the same time, global economic growth and the corresponding increase in energy demand have led many energy companies to explore offshore options for replenishing reserves and meeting production needs. Oil and gas producers, in particular, have shown a steadily rising interest in maritime technologies, such as floating production, storage, and offloading vessels and floating liquefied natural gas operations, that can both meet energy demand and align companies with global efforts to reduce emissions. But the rapid adoption of new operational technologies and an increased dependence on networked cyber structures opens the possibility of cyberattacks that could threaten the economy, worker safety, the environment, or national security.
As a new year begins, the energy industry is now facing the prospect of new regulatory oversight of its cybersecurity efforts in maritime operations. The past year revealed a series of indicators that maritime cybersecurity regulation is imminent. Six months ago, the United Nations International Maritime Organization published Interim Guidelines on Maritime Cyber Risk Management, which were drafted with input from representatives of 44 member states, including the United States Coast Guard (USCG). Six months before that, the US House of Representatives sent a bill to the Senate that would require USCG to enforce cybersecurity standards at US ports and in maritime operations. Meanwhile, the two federal agencies with primary jurisdiction over industrial maritime operations—USCG and the Bureau of Safety and Environmental Enforcement—have been speaking out publicly about the need for regulatory involvement in maritime cybersecurity. In 2017, maritime operations are expected to emerge as the next frontier of cybersecurity regulation affecting in the energy industry.