Full Title: Cybersecurity Concerns for the Energy Sector in the Maritime Domain
Author(s): Andy Bochman, Ian Ralby
Publisher(s): Atlantic Council
Publication Date: December 6, 2021
Full Text: Download Resource
Description (excerpt):
The world has seen a number of high-profile maritime disasters in recent months and years, and has felt the impact of them. Over that same period, the world has seen a number of high-profile cyberattacks and felt their impact, as well. Combined, the maritime and cyber incidents have likely affected the energy sector more than any other: fuel prices often spike or plummet, and access to energy resources can become an instant source of concern, tension, or even conflict. As a wide spectrum of energy companies continue to rely on the maritime domain or even increase that reliance, they must be mindful that traditional maritime threats—like piracy, theft, and weather events—are not the only threats they face today. Maritime cybersecurity concerns are among the most potentially disruptive to energy-sector interests, and yet are among the least understood and addressed.
This paper identifies ten areas in which the energy-sector faces harmful cyber vulnerabilities in the maritime domain, and seeks to provide enough insight and examples to allow for actions to reduce the risk of harm from these various vulnerabilities. The paper develops the example of offshore wind energy to model how to assess cyber considerations more fully. Ultimately, it concludes with a series of ten recommendations that offer steps for policy makers, energy-sector actors, and security and law-enforcement professionals to minimize the exposure of the maritime energy sector to harmful cyberattacks.
This analysis looks at a wide spectrum of maritime cyber concerns and how they could compromise the energy sector. These concerns include human error or human ignorance; fraud; attacks to facilitate crime; navigational attacks; operational attacks; indiscriminate attacks; compound attacks; infrastructure attacks; future concerns; and hybrid aggression. For this final concern of hybridity, the blurry line between state and criminal action is addressed, noting that unlike other forms of attack or warfare, the cyber domain is equally accessible to state and nonstate actors. While states are charged with the legal and practical responsibility for general national defense, this feature of the cyber domain means that state and private actors must share the burden of establishing adequate cyber defenses.