Cybersecurity in Offshore Floating Units: Protecting the Digital Backbone of FPSO and FLNG Projects
Digitalization has transformed FPSO and FLNG projects into highly connected, data‑rich assets. Distributed Control Systems (DCS), PLCs, ESD/PSD, turbomachinery controls, electronic chart systems, and cloud‑linked Mechanical Completion (MC) databases now underpin construction, integration, commissioning, and operations. That connectivity boosts efficiency—and creates systemic cyber risk. A single compromise can affect process safety, freeze commissioning, distort navigation, or cascade across multi‑yard programs and offshore campaigns.
This article aligns technical architecture, project execution, and classification compliance into one blueprint—so FPSO/FLNG teams can design, build, certify, and operate cyber‑resilient units.
A glossary of acronyms is provided at the end of the article.
Why Cybersecurity Is Now a Critical Risk Factor
Modern OT adopts commercial off‑the‑shelf (COTS) technologies and interfaces increasingly tightly with IT. This IT–OT convergence expands the attack surface and requires controls that respect process safety, uptime, and deterministic behaviour.
Key Vulnerabilities Across the FPSO/FLNG Lifecycle:
Flat integration networks during FAT/SAT enable lateral movement from office IT to module cabinets.
Vendor remote access & portable media remain common initial footholds for malware introduction and credential compromise.
Identity & Access weaknesses (shared accounts, admin sprawl) amplify blast radius.
Legal & reputational risk: Post‑incident liabilities, regulatory penalties, and long‑term trust erosion.
Operational impacts: fleet blackout, business disruption, extended restoration times, cargo/data loss, ship safety impacts—all applicable to yards and offshore units.
The Regulatory & Classification Landscape You Must Build Into the Program
Regulatory requirements for compliance and certification:
IMO MSC.428(98): mandates cyber risk management within the Safety Management System (SMS).
IACS UR E26 & UR E27: the Unified Requirements for cyber resilience of ships and onboard systems (mandatory for new builds from July 2024).
Technical standards that provide implementation details:
ISA/IEC 62443: detailed OT cybersecurity framework (zones/conduits, secure development, component hardening).
NIST SP 800‑82: ICS/OT security guidance (architecture, controls, mitigations).
While IMO MSC.428(98) and IACS Unified Requirements (UR E26/E27) set the regulatory baseline for maritime cyber resilience, only Bureau Veritas (BV), ABS, and DNV currently provide dedicated cybersecurity guidelines and frameworks for classification and lifecycle integration. Other major societies—such as Lloyd’s Register, RINA, ClassNK, and CCS—primarily rely on IMO and IACS standards without publishing standalone cyber rule notes.
A Practical Compliance Strategy for FPSO & FLNG Projects
Achieving cyber resilience is not just about meeting regulatory requirements—it’s about embedding security into every phase of the asset lifecycle. Here’s a combined approach leveraging IMO MSC.428(98), IACS UR E26/E27, and best practices from class societies.
Governance & Risk Assessment
Build a digital asset inventory (IT + OT) and perform gap analysis against IMO, IACS, and class requirements.
Define a risk-based roadmap prioritizing safety-critical systems and high-consequence scenarios.
Design & Engineering
Apply ISA/IEC 62443 zone-and-conduit segmentation.
Implement defense-in-depth architecture: perimeter firewall, DMZ, OT zones, SIS isolation.
Flow cybersecurity requirements to OEMs for PLCs, HMIs, and network devices.
Procurement & Vendor Assurance
Require BV Type Approval or equivalent evidence for critical OT components.
Enforce ABS/DNV vendor hardening checklists and contractual obligations for patching and incident response.
Integration & Commissioning
Segment temporary FAT/SAT networks; enforce MFA on remote sessions.
Validate cybersecurity controls during commissioning tests.
Conduct vulnerability assessments and penetration testing pre-sailaway.
Operations & Continuous Monitoring
Deploy OT network monitoring and anomaly detection.
Maintain patch and vulnerability management aligned with 62443 and NIST SP 800-82.
Drill incident response scenarios and maintain offline backups for rapid recovery.
Threats, Impacts & How to Measure Resilience
How do you prove resilience—not just claim it? By tracking measurable indicators that align with IMO, IACS UR E26/E27, and class rule expectations:
Segmentation Score: Percentage of OT conduits with enforced ACLs and monitored gateways; reduction of “flat” networks (USCG benchmark).
Credential Hygiene: Ratio of individual vs. shared accounts; percentage of privileged accounts with MFA; mean time to revoke vendor access.
Backup Integrity: Frequency of offline backup tests and rebuild drills; ability to restore clean configurations within defined recovery windows.
Patch Velocity (OT-aware): Median days to deploy vendor-validated patches across HMIs/PLCs within maintenance windows, per 62443/NIST guidance.
Incident Readiness: Drill cadence aligned to IMO guidelines; mean time to isolate affected zones and restore safe state after a cyber event.
Why KPIs matter: They provide objective evidence for class notations (CYBER RESILIENT, CYBER SECURE) and client assurance, turning cybersecurity from a compliance checkbox into a performance metric.
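As an added example (not from the article or from any class society rule set), the following Python model ties together the zone-and-conduit design in the Design & Engineering section and the Segmentation Score KPI above: it flags conduits that skip the DMZ layer, verifies SIS isolation, detects flat links of the kind left behind after FAT/SAT, and computes the KPI. The zone names, the trust ordering, and the sample conduits are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed trust ordering for this example: higher means more safety-critical,
# following the perimeter firewall -> DMZ -> OT zones -> SIS layering.
TRUST = {"IT": 0, "DMZ": 1, "OT": 2, "SIS": 3}

@dataclass(frozen=True)
class Conduit:
    name: str
    a: str              # zone at one end (a TRUST key)
    b: str              # zone at the other end
    acl_enforced: bool  # gateway applies an access control list
    monitored: bool     # traffic on the conduit is logged/monitored

def segmentation_score(conduits):
    """Segmentation Score KPI: % of conduits with an enforced ACL and a monitored gateway."""
    if not conduits:
        return 0.0
    good = sum(1 for c in conduits if c.acl_enforced and c.monitored)
    return round(100.0 * good / len(conduits), 1)

def audit(conduits):
    """Return design findings; an empty list means every check passed."""
    findings = []
    for c in conduits:
        lo, hi = sorted((c.a, c.b), key=TRUST.get)
        # A conduit may bridge only adjacent layers; IT->OT or IT->SIS bypasses the DMZ.
        if TRUST[hi] - TRUST[lo] > 1:
            findings.append(f"{c.name}: {lo}->{hi} skips the intermediate layer (no defence in depth)")
        # SIS isolation: the only path into SIS is an enforced, monitored conduit from OT.
        if hi == "SIS" and (lo != "OT" or not (c.acl_enforced and c.monitored)):
            findings.append(f"{c.name}: SIS reachable without an enforced, monitored OT conduit")
        # No ACL means the two zones are one flat network, the FAT/SAT anti-pattern above.
        if not c.acl_enforced:
            findings.append(f"{c.name}: no ACL, zones {c.a} and {c.b} are effectively flat")
    return findings

# Constructed sample design (not a real project): a sailaway-ready layering plus one
# leftover FAT/SAT shortcut from the office LAN straight into a module cabinet.
SAMPLE = [
    Conduit("perimeter-fw", "IT", "DMZ", acl_enforced=True, monitored=True),
    Conduit("dmz-to-dcs", "DMZ", "OT", acl_enforced=True, monitored=True),
    Conduit("dcs-to-sis", "OT", "SIS", acl_enforced=True, monitored=True),
    Conduit("fat-temp-link", "IT", "OT", acl_enforced=False, monitored=False),
]

if __name__ == "__main__":
    print(f"Segmentation Score: {segmentation_score(SAMPLE)}%")
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Running it on the sample yields a 75.0% Segmentation Score and two findings, both on the leftover FAT/SAT link.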
Future Outlook: AI in OT & Evolving Standards
AI/ML for OT anomaly detection and predictive maintenance adds new attack surfaces (data poisoning, model integrity). Anchor these deployments in zero‑trust principles: require signed models, monitored data pipelines, and segmented inference hosts.
Onboard Ethernet keeps expanding: IEC 61162‑460 Edition 3.0 (2024) strengthens monitoring/interconnection functions and will increasingly align with class rules and IACS unified requirements. ISA/IEC 62443 continues to evolve (e.g., updated parts in 2024), with ISAGCA providing practical guidance for educating yard teams and contractors.
Conclusion—Make Cyber Non‑Negotiable
For FPSO/FLNG, cybersecurity is integral to process safety, schedule fidelity, and OPEX control. The path is clear:
Architect for segmentation, least privilege, and monitored conduits (62443/NIST).
Embed controls into procurement, FAT/SAT, commissioning, and MC transfer.
Use Type Approval to prove compliance (IMO, UR E26/E27).
Drill for resilience: backups, rebuilds, manual fallbacks.
Done right, cyber becomes a competitive advantage—safer startups, fewer unplanned shutdowns, and stronger confidence from class, insurers, partners, and host nations.
Acronyms
ABS – American Bureau of Shipping
ACL – Access Control List
BV – Bureau Veritas
COTS – Commercial Off-The-Shelf
DMZ – Demilitarized Zone (network segmentation layer)
DCS – Distributed Control System
ECDIS – Electronic Chart Display and Information System
ESD/PSD – Emergency Shutdown / Process Shutdown
FAT/SAT – Factory Acceptance Test / Site Acceptance Test
FLNG – Floating Liquefied Natural Gas
FPSO – Floating Production Storage and Offloading
IAM – Identity and Access Management
IACS – International Association of Classification Societies
ICS – Industrial Control System
IEC – International Electrotechnical Commission
IMO – International Maritime Organization
ISA – International Society of Automation
KPIs – Key Performance Indicators
MC – Mechanical Completion
MFA – Multi-Factor Authentication
NIST – National Institute of Standards and Technology
OT – Operational Technology
PLC – Programmable Logic Controller
SIS – Safety Instrumented System
UR – Unified Requirement (IACS standard)
USCG – United States Coast Guard
References (APA Style)
American Bureau of Shipping. (2024). Cybersecurity requirements for offshore facilities: Guidance for compliance and resilience. ABS Group. Retrieved from https://www.abs-group.com/Knowledge-Center/Insights/Cybersecurity-Requirements-for-Offshore-Facilities-Guidance/
Bureau Veritas. (2024, July). NR 659 DT R04: Rules on cyber security for the classification of marine units. Bureau Veritas Marine & Offshore. Retrieved from https://marine-offshore.bureauveritas.com/nr659-rules-cyber-security-classification-marine-units
DNV. (2024). OT cybersecurity for offshore wind: Joint industry project overview. DNV Group. Retrieved from https://www.dnv.com/group/joint-industry-projects/ot-cyber-security-for-offshore-wind/
International Maritime Organization. (2025, April 4). MSCFAL.1/Circ.3/Rev.3: Guidelines on maritime cyber risk management. Retrieved from https://wwwcdn.imo.org/localresources/en/OurWork/Facilitation/FAL%20related%20nonmandatory%20documents/MSC-FAL.1-Circ.3-Rev.3.pdf
International Association of Classification Societies. (2023). UR E26: Cyber resilience of ships (Rev. 1). Retrieved from https://iacs.org.uk/resolutions/unified-requirements/ur-e
International Association of Classification Societies. (2023). UR E27: Cyber resilience of onboard systems and equipment (Rev. 1). Retrieved from https://iacs.org.uk/resolutions/unified-requirements/ur-e
International Society of Automation. (2024). ISA/IEC 62443 series of standards. Retrieved from https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards
National Institute of Standards and Technology. (2023). Guide to operational technology (OT) security (NIST SP 800-82 Rev. 3). U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-82r3
International Electrotechnical Commission. (2024). IEC 61162-460: Maritime navigation and radiocommunication equipment and systems – Digital interfaces. Retrieved from https://webstore.iec.ch/en/publication/72732
United States Coast Guard. (2019, July 8). Marine safety alert 0619: Cyber incident exposes potential vulnerabilities onboard commercial vessels. Retrieved from https://www.dco.uscg.mil/portals/9/dco%20documents/5p/cg-5pc/inv/alerts/0619.pdf
Tripwire. (2021). A look at the legal consequence of a cyber attack. Retrieved from https://www.tripwire.com/state-of-security/legal-consequence-cyber-attack
LRQA. (2024). NotPetya ransomware attack on Maersk – Key learnings. Retrieved from https://www.lrqa.com/en/insights/articles/notpetya-ransomware-attack-on-maersk-key-learnings/