Raising the focus on cyber security for LNG carriers
Regulations impacting the cyber security of FSRUs are many and complex, but it could also be time for a heightened focus on cyber risk associated with another link in gas value chains – LNG carriers.
As liquefied natural gas (LNG) plays an increasing role in global gas trading to secure energy supply, there is growing awareness of the need to understand and protect the value chains of which it is a part.
LNG value chain has many critical maritime stakeholders
In the maritime context, the chain includes Floating Storage Regasification Units (FSRUs), LNG carriers, related onshore infrastructure at ports and terminals, and suppliers of IT and operational technology (OT). Ultimately, cyber security that protects the uninterrupted supply of gas to transmission and distribution networks is an energy security issue.
Balancing energy transition and cyber security
“Gas transported ashore from FSRUs has been supporting the energy transition in Europe in recent years and DNV services have been supporting cyber-security initiatives for these regas units as critical infrastructure,” says Martin Cartwright, Global Business Director, Gas Carriers & FSRUs at DNV. “However, our experience leads us to question whether maritime is giving as much focus as it should to cyber risks that may come through LNG carriers uploading LNG to FSRUs,” he adds. “Where this connectivity includes IT and OT, what cyber-risk interface does it create, and how can we stop malicious hackers exploiting that?”
Cyber-security regulations: FSRUs vs LNG carriers
Newbuild and existing FSRUs are impacted by regulations, not only as vessels but also as elements of critical infrastructure underpinning energy supply. Yet comparing cyber-security regulations for FSRUs (usually modified LNG carrier designs) and LNG carriers reveals a gap.
Recently implemented new regulations affecting FSRUs have come from the International Association of Classification Societies (IACS, of which DNV is a member); the IMO; the EU Network and Information Security directives (NIS1, NIS2); the Oil Companies International Marine Forum (OCIMF) programme SIRE 2.0; the US Securities and Exchange Commission (SEC); DNV Cyber secure class notation (July 2024); and country-specific laws and requirements.
However, whilst the IMO and IACS requirements apply equally to both FSRUs and LNG carriers, the NIS2 Directive applies to FSRUs as critical gas production and storage systems, but not to LNG carriers.
“There’s a marked contrast here between the regulatory position impacting FSRUs and LNG carriers,” says Cartwright.
The LNG value chain is digitally connected
The chain from liquefaction through transportation on LNG carriers, reception at FSRUs, regasification and onward transport involves complex IT, OT and communications networks that are themselves interconnected.
Hence, a cyber attack on one part could potentially jeopardize seafarers, individual vessels and larger fleets, terminals, ports and the containment of the deep-cooled LNG itself.
Do LNG carriers need higher cyber-security standards?
DNV’s report ‘Maritime Cyber Priority 2023’ reveals that the vast majority of maritime professionals think it is likely that cyber attacks will disrupt ship and/or fleet operations in 2024 or 2025.
“Whilst these findings from our Cyber Priority 2023 study are for all types of vessels, the key takeaway message is relevant to both FSRUs and LNG carriers,” comments Svante Einarsson, Head of Advisory Cyber Security Maritime, EMEA & APAC at DNV.
New regulations can appear rapidly
High-profile cyber incidents involving LNG carriers, especially those affecting gas supply, would also increase pressure for new or further regulations to prevent reoccurrence.
International regulations through the IMO can take up to a decade to be agreed on and enforced. However, if a major flag state decides to regulate, other jurisdictions may follow suit quickly.
“For example, when the US Coast Guard acts, other flag states may follow with similar cyber-security requirements,” Einarsson explains.
Tougher regulation looms in the US and EU
President Biden issued an Executive Order in February 2024 proposing to expand US Coast Guard (USCG) powers to require vessels and waterfront facilities to mitigate cyber conditions that may endanger the safety of a vessel, facility or harbour.
Einarsson adds: “The IMO’s Maritime Safety Committee accepted the EU’s proposals for enhanced ship and operation cyber security in May 2024, with the IMO Facilitation Committee set to follow in 2025. So there is momentum in the industry towards greater regulation of the cyber security of newbuild and existing ships in general, and of operations.”
Balancing cyber requirements and practicality in modern vessel design
Considering the gap between the cyber-security requirements for FSRUs and those for LNG carriers also raises the question of how to ensure that both newbuild and existing vessels can be compliant now and in the future.
“Another question to reflect on is whether the highest cyber-security protection available is practical on board a ship in operation,” Cartwright points out.
“In principle, if there’s no business purpose for a particular connectivity for which a customer has a specific digitalization capability, it’s best to disable it as it represents an additional surface of attack. However, this principle can be complicated by newer vessel designs featuring more IP-based connectivity as standard without an opt-out. Designs are becoming more digitalized, not by option but by development,” Einarsson explains.
Supporting cyber risk mitigation for LNG value chains
DNV assists the LNG industry by combining deep knowledge and expertise, not only of maritime cyber security but also of vessel operations, equipment, control systems and connectivity.
Our services and solutions for managing cyber risk in maritime IT and OT include risk assessment and testing; preparation for compliance; enhancing cyber security; validation of systems and procedures; training; third-party verification of cyber-security requirements throughout a vessel’s life cycle; and certification against international standards.
Managing cyber security amid complexity and uncertainty
“We also explain the complexities and what mitigation solutions we can provide given today’s regulatory environment,” says Guillaume Leleu, Senior Maritime Cyber Security Consultant at DNV. “Part of today’s complexity comes from connecting existing ships that are not designed to meet higher cyber-security requirements to critical infrastructure that must meet such requirements. This is why complex projects need expertise that understands the specifics of each system, its cyber vulnerabilities and what it’s capable of.”
Leleu adds: “We’ve observed huge demand for our cyber-risk management services and solutions from shipowners and operators. Some of the most frequent issues of interest to them are assessing compliance with requirements, shaping the cyber-security incident management process, supporting cyber-security management system development and training the teams on cyber security.”
Finding practical regulatory solutions
“Due to DNV’s expertise in cyber technology, comprehensive knowledge of marine assets and alignment with stakeholders’ business goals, regulators frequently ask our experts to review and comment on proposed new rules on maritime cyber security,” Einarsson relates.
“This combination means we can advise regulators on what’s practical to do for a newbuild or existing vessel to comply on cyber security, and on the best way of achieving it within constraints that customers face.”