Regulations impacting the cyber security of FSRUs are many and complex, but it could also be time for a heightened focus on cyber risk associated with another link in gas value chains – LNG carriers.
As liquefied natural gas (LNG) plays an increasing role in global gas trading to secure energy supply, there is growing awareness of the need to understand and protect the value chains of which it is a part.
LNG value chain has many critical maritime stakeholders
In the maritime context, the chain includes Floating Storage Regasification Units (FSRUs), LNG carriers, related onshore infrastructure at ports and terminals, and suppliers of IT and operational technology (OT). Ultimately, cyber security that protects the uninterrupted supply of gas to transmission and distribution networks is an energy security issue.
Balancing energy transition and cyber security
“Gas transported ashore from FSRUs has been supporting the energy transition in Europe in recent years and DNV services have been supporting cyber–security initiatives for these regas units as critical infrastructure,” says Martin Cartwright, Global Business Director, Gas Carriers & FSRUs at DNV. “However, our experience leads us to question whether maritime is giving as much focus as it should to cyber risks that may come through LNG carriers uploading LNG to FSRUs,” he adds. “Where this connectivity includes IT and OT, what cyber-risk interface does it create, and how can we stop malicious hackers exploiting that?”
Cyber-security regulations: FSRUs vs LNG carriers
Newbuild and existing FSRUs are impacted by regulations, not only as vessels but also as elements of critical infrastructure underpinning energy supply. Yet comparing cyber-security regulations for FSRUs (usually modified LNG carrier designs) and LNG carriers reveals a gap.
Recently implemented new regulations affecting FSRUs have come from the International Association of Classification Societies (IACS, of which DNV is a member); the IMO; the EU Network and Information Security directives (NIS1, NIS2); the Oil Companies International Marine Forum (OCIMF) programme SIRE 2.0; the US Securities and Exchange Commission (SEC); DNV Cyber secure class notation (July 2024); and country-specific laws and requirements.