This means it can be very difficult to know where to turn. Expert cyber surveyors are needed to assess the risk to yachts, but how are experts defined when there is next to no official superyacht best practice? In this article we look at the risk of being unprotected, the standards that are in place, and what an expert survey should look like.
As we approach the end of 2017, ETOs are under more pressure than ever to get their cybersecurity choices right. With threats to superyachts seemingly at their highest level, no one wants to be the ETO who ‘misplaces’ the owner’s sensitive information & data. Yet regulations and insurance policies to police cyber security on superyachts are few and far between. This lack of regulation can act as an easy disguise for companies trying to pedal inadequate products, with which the market is quickly becoming oversaturated.
What risk do cyber attackers pose to your yacht?
Everyone understands that a cyber-attack is something to be afraid of, but fearmongering within the industry can distract us from understanding exactly what the risks are. One of the few guides written on the subject of cyber security is the UK Department of Transport’s Code of Practice: Cyber Security for Ships, written by Roy Isbell (Prof.) FIET FBCS, Strategic Advisor at Cyber Prism Maritime. This code lists seven different outcomes are given that marine cyber attackers commonly try to achieve:
- Destroy – eg destruction of cargo, ship, or port such that they are no longer available for use.
- Degrade – eg impacting the speed or manoeuvrability of the ship, the ability to navigate accurately or monitor the local environment accurately to the point where the ability of the ship to operate is significantly impaired.
- Deny – eg denial of access to ship systems or information/data possibly for such reasons as extortion for financial gain or to mount a physical attack on the ship for kidnap and ransom purposes. Financial gain is the motivation behind most attacks on superyachts.
- Delay – eg delaying the timely operation of the ship or ship subsystems such that the knock-on effect may impact business operations or cause penalties to be incurred.
- Deter – eg influencing the business from operating in certain areas of the world oceans, operating in specific markets or accessing specific ports from a commercial perspective.
- Detect – eg detection of people, cargo or ship locations and to track such that planned physical theft or cargo manipulation might take place.
- Distract – eg altering the state of a sensor to provide a distraction whilst a data/information extraction takes place.
What regulations exist?
There is a wide range of security-related standards and best practice guidance available that apply to IT and industrial control systems. However, much of the material is written from an information systems security perspective, and so needs to be carefully interpreted when applying it to systems in the maritime environment. Applying standardised security techniques to safety critical systems on yachts could disastrously hinder their operation in an emergency, and so it is definitely not a case of one-size-fit-all.
The IMO discussed cybersecurity earlier this year, and has now given shipowners and managers until 2021 to incorporate cyber risk management into ship safety. Owners risk having ships detained if they have not included cyber security in the ISM Code safety management on ships by 1 January 2021. IMO guidelines on cybersecurity risk management have also been published, but only provide a brief overview as to what elements are involved in the management. Furthermore, guidance to best practice for managing risks is rarely specific to superyachts. So if you are worried, what can you do to identify the risk to your yacht?
Cyber Exposure Risk Survey
A survey carried out by technical professionals is the only way to correctly assess this. This should aim to provide nothing less than the highest possible level of safety and security for the owner, his guests, and their business and personal information, and to improve all personnel’s cyber security procedures.
However, it doesn’t have to cause much delay to your yachting schedule. For example, the Cyber Prism Cyber Exposure Risk Survey is a two to three-day visit carried out by a two-man team which reviews all IT and OT assets and systems from top down, identifying threats and vulnerabilities requiring protection. As people are often the weakest link, they are also considered as part of the review. The survey is carried out in accordance with the UK Department of Transport’s Code of Practice: Cyber Security for Ships as written by Isbell, who is of the UK’s leading Cyber Security experts with over 30 years’ experience and is Chairman of the Worshipful Company of Information Technologists’ Cyber Security Panel
What to expect?
What is found on-board dictates the full scope for review, but the following points are a guide:
Step One: Assets Identification
The team identify and document the critical IT and OT assets and systems supporting the operation of the yacht, and the safety and activities of the owner and his guests.
Step Two: Personnel & Training
They check the process, monitoring, records and training of all personnel with access to critical IT and OT assets and systems, and the level of access granted.
Step Three: Physical Security Controls
Cyber Prism reviews the yacht’s systems, and check perimeter monitoring and logging of crew, guests and outside parties including third party suppliers.
Step Four: Electronic Security Measures
They also review the protection of where critical IT and OT assets and systems are located, and any access monitoring.
Step Five: Cyber Systems Security Management
What protections (Firewalls, AV) are in place? Are the patch/upgrades software management effective? The team identify and review all hardware, software and control systems for vulnerabilities to the full range of threats – both IT and OT.
Step Six: Personnel Cyber Security Procedures
At this point, crew, owners and guests are trained in cyber security awareness and procedures for the use of social media and email.
Step Seven: Incidence Response & Reporting
The team then check that systems are in place to record and respond to cyber security incidents (including identification, classification, response, and reporting). Is the response in near real-time, or is a post event evaluation all that can currently be done?
Step Eight: Disaster Recovery Plan
Lastly, they establish whether an adequate Disaster Recovery Plan exists. Is it fit for purpose? Does it cover all aspects of recovery from a cyber-attack incident? This will include on-board recovery software and systems restoration, along with any associated data.
An Action Plan
After the Survey, a high-level Report is produced that collates the information gathered and provides a summary of the yacht’s overall exposure to cyber-attack and the attack vectors. Documents and drawings will be collated in a Cyber Security Document Pack. The Action Plan will make recommendations for the protection of the yacht’s critical IT and OT systems and assets, and its sensitive information & data.
From there, you will know exactly what to do to achieve cyber security. ETOs can rest easy, assured they have followed best practice advice from leading cyber experts. Owners can relax, happy in the knowledge their data is safe and that their schedule has not been interrupted. A win for everyone this refit season.