Why Maritime Cybersecurity Became a System Engineering Issue (2/9)
Chapter 2. Increasing OT System Interdependency
Blue Horizonist Series · Why Maritime Cybersecurity Became a System Engineering Challenge
This is Chapter 2 of the series exploring why Maritime Cybersecurity is evolving into a System Engineering challenge.
In Chapter 1, we explored how modern ships are evolving from standalone equipment-based architectures into digital OT environments where numerous CBS (Computer-Based Systems) are interconnected. However, from a Maritime Cybersecurity perspective, the more significant change is not simply that systems are connected.
What has become increasingly important is the impact of system interdependency on operational continuity and safety. In the past, failures were often confined to the affected equipment itself. Today, however, a failure or cybersecurity issue within a single CBS can affect other CBSs in unexpected ways and, in some cases, may even influence vessel-wide operations.
For this reason, understanding individual systems alone is no longer sufficient. It is equally important to understand what data each CBS depends on, which systems it interacts with, and how failures or disruptions can propagate across the operational environment.
I. Why Good Systems Can Still Create Bad Outcomes
Shipyards and equipment suppliers frequently encounter situations like the following during cybersecurity projects. Each CBS has been properly designed. Each supplier has fulfilled the requirements associated with its own system. Individual functional tests have been completed successfully. Yet unexpected issues can still arise once these systems are integrated into the vessel environment.
For example:
- ECDIS operates normally.
- GNSS operates normally.
- The Data Gateway operates normally.
Nevertheless, navigation functions may still be affected due to data synchronization issues or interface-related problems. The quality of individual systems does not necessarily guarantee the quality of the integrated system.
In modern vessels, the relationships between systems are becoming just as important as the systems themselves.
II. The Hidden Dependency Problem
Many dependencies within shipboard OT environments are not immediately visible. Consider a typical Engine Monitoring System. While users may view it as a single application, its operation often depends on numerous supporting components and infrastructure elements.
- Sensor: Collects operational data (engine temperature, pressure, RPM) in real time. Sensor failures or poor data quality can directly affect monitoring accuracy.
- PLC: Collects sensor data, executes control logic, and forwards information to higher-level systems. Configuration errors or communication failures may disrupt normal monitoring and status reporting.
- Data Gateway: Transfers information between different protocols and network segments. If the Gateway fails, the Monitoring System may remain operational while being unable to receive critical data.
- Network Switch: Provides the communication infrastructure between CBSs. Switch failures or network configuration errors can simultaneously affect multiple systems and significantly complicate troubleshooting.
- Time Synchronization Source: Provides a common time reference for events and logs. Loss of time synchronization creates substantial difficulties during incident analysis, log correlation, and forensic investigations.
- Historian Server: Stores operational data and event records over extended periods. Loss of connectivity may not affect real-time monitoring, but can severely limit root-cause analysis and performance investigations.
III. Why Cyber Incidents Rarely Stay Local
In traditional environments, equipment failures generally had clearly defined boundaries. Interconnected OT environments are different. When a CBS is affected by a cyber attack or system malfunction:
- Data flows may be interrupted.
- Alarm delivery functions may be affected.
- Operator situational awareness may be degraded.
- Other CBSs may experience secondary impacts.
Even if a problem begins within a single system, its effects may extend far beyond that system. From a cybersecurity perspective, understanding how an attack or failure can propagate throughout the environment is often more important than understanding the initial event itself.
IV. The Challenge of Defining Responsibility
One of the recurring challenges encountered during IACS UR E26/E27 projects is the interpretation of responsibility boundaries. In practice, discussions often resemble the following:
"Our CBS operates correctly."
"However, issues occur within the integrated environment."
V. Why Recovery Becomes More Difficult
As system interdependency increases, recovery becomes significantly more complex. In the past, restoring service often involved restarting or replacing the affected equipment. Modern vessels introduce a different set of questions:
- Which system should be recovered first?
- Which data sources must be restored before others?
- Which CBS provides prerequisite conditions for the operation of other CBSs?
- What is the minimum operational configuration required to maintain essential vessel functions?
Recovery is therefore no longer a device-level issue. It becomes a system-level challenge.
This is one of the key reasons why modern cybersecurity frameworks continue to emphasize concepts such as Recovery, Degraded Operation, and Safe State.
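The dependency mapping described in Sections II, III and V, as an added example that is not part of the original article: a constructed dependency graph over the components listed in Section II, with one function for the CBSs reached when a component fails and one for prerequisite-first restoration waves for a chosen essential function. The node names, edges and function names are assumptions for illustration, not a real vessel's architecture.

```python
from collections import deque
from graphlib import TopologicalSorter

# Constructed dependency map: each CBS -> the components it needs in order to work.
# Edges are illustrative assumptions built from the components named in Section II.
DEPENDS_ON = {
    "sensor": set(),
    "network_switch": set(),
    "time_sync": {"network_switch"},
    "plc": {"sensor", "network_switch"},
    "data_gateway": {"plc", "network_switch"},
    "engine_monitoring": {"data_gateway", "time_sync"},
    "historian": {"data_gateway", "time_sync"},
}

def impacted_by(failed, depends_on=DEPENDS_ON):
    """Every CBS that directly or transitively depends on the failed component."""
    dependents = {node: set() for node in depends_on}  # inverted edges
    for node, deps in depends_on.items():
        for dep in deps:
            dependents[dep].add(node)
    seen, queue = set(), deque([failed])
    while queue:
        for nxt in dependents[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def recovery_waves(targets, depends_on=DEPENDS_ON):
    """Minimum set of CBSs needed for the targets, grouped prerequisites-first."""
    needed, stack = set(), list(targets)
    while stack:
        node = stack.pop()
        if node not in needed:
            needed.add(node)
            stack.extend(depends_on[node])
    sorter = TopologicalSorter({n: depends_on[n] for n in needed})
    sorter.prepare()  # raises graphlib.CycleError on a circular dependency
    waves = []
    while sorter.is_active():
        ready = sorted(sorter.get_ready())  # restorable in parallel
        waves.append(ready)
        sorter.done(*ready)
    return waves

if __name__ == "__main__":
    print("switch failure reaches:", sorted(impacted_by("network_switch")))
    print("restore order:", recovery_waves(["engine_monitoring"]))
```

A circular dependency surfaces as a `CycleError`, which is itself a finding: two CBSs that each require the other have no defined restoration order.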
VI. Why Interdependency Must Be Understood Before Security Can Be Designed
When discussing cybersecurity, many people immediately think about:
These capabilities are undoubtedly important. However, without first understanding how systems depend on one another, it becomes difficult to determine what actually needs to be protected and why. For example:
- Which data is operationally critical?
- Which CBS performs a mission-essential function?
- Which communication paths are indispensable to vessel operations?
- Which functions are affected when failures occur?
Effective cybersecurity design begins not with security technologies, but with System Understanding.
Good individual systems do not guarantee good integrated outcomes — interdependency introduces failure modes that no single CBS can prevent alone.
Hidden dependencies (Sensor → PLC → Gateway → Switch → Time Sync → Historian) are the real challenge. Most operators only see the top-level system.
Cyber incidents propagate. Understanding how a failure spreads through the environment is often more critical than understanding the initial event.
Recovery is now a system-level challenge. Knowing which CBS to restore first — and what the minimum operational configuration is — matters as much as the recovery tools themselves.
Security design must start with System Understanding — not with firewalls or access controls. You cannot protect what you have not mapped.
In the next chapter, we will explore why these changes are transforming Maritime Cybersecurity from a traditional IT issue into a broader System Engineering challenge.
For those who would like to read the Korean version of this material, please visit the link below.
https://blog.naver.com/jiholew/224308377161
Maritime cybersecurity professional specializing in IACS UR E26/E27 compliance, OT system security, and shipboard cyber risk management. Writing for engineers, consultants, and operators navigating Maritime 4.0.