How Should the Superyacht Industry React and Plan for Cyber Risk Management?

The 21st century has pushed the maritime world, just like all other industries, further and further online. Safety management systems are now online; internal and external communication is now 24/7 via smart technology; the sextant has been replaced with GPS and online charts. We continue to benefit from rapidly improving and innovative technology.

Yet the cyber security industry, often opaquely and with varying levels of drama and hyperbole, appears to be warning of huge “cyber” risks against maritime assets as it tries to sell its services and products.

But what should cyber risk management genuinely look like in the wider maritime industry, and specifically in the superyacht industry?

The IMO published MSC 428 in July 2017 regarding cyber risk management. Following this, BIMCO published the second version of their guidelines regarding cyber risk management for the commercial shipping market. The ISM Code 2018 Edition includes “Guidelines for Cyber Risk Management”.

Insurance companies, the route to underpinning most risk management issues, lament the lack of transparency and of figures the actuaries can use to quantify the cyber risk, whilst the insurance cover will include CL 380, which excludes cyber risk from the policy. Furthermore, flag states look at the IMO wording, see the word “encourage” and try to work out how, and to what extent, those ships flying their flag can be regulated. Classification societies head in divergent directions, driven by a feeling that “something” should be done about cyber security to ensure “seaworthiness”. And against all this noisy, drama-filled backdrop, yacht managers, captains, chief engineers and ETOs are left trying simply to find the best, safest and most efficient solution for their yachts in a 21st century environment.

The treacle thickens when one considers that the solution must work both for yachts sailing now and for those yachts not yet built, which will be sailing after the 2021 ISM compliance deadline. The only sure thing is that the cyber risk environment in 2021 will be very different to the way it looks today.

We, as the superyacht industry, understand that there is a clear requirement to manage cyber risk. But the tech-security fog created by an avaricious IT and cyber security industry creates fear over what are very disparate threats and vulnerabilities, and perpetuates our fear of making the wrong choice. Therefore, it seems almost impossible for anyone to make a decision or produce a sensible long-term plan. It seems far easier to wait and hope that a solution will present itself.

So, within this maelstrom of opinion, assistance, threat, risk and fear, CAN we find a sensible solution to the issue of cyber risk management? Without an agreed single industry voice and an agreed industry outcome – is this possible?

The answer is “Yes” – but, unfortunately, there is no single technical magic bullet that solves all problems at a stroke. The solution is appropriately balanced, proportionate, considered and, when approached properly, pretty easy.

Managing cyber risk is no different to managing other risks faced by any company or yacht around the world. It adopts a set of sound principles tailored to the yacht or yacht management company and also enshrines the supply chain management process. It identifies the threats and vulnerabilities, balances the identified risks and puts in place proportionate solutions in line with the risk appetite. So, a threat to a yacht is measured against a different balance of risk criteria to, say, a cargo vessel. And the comparable threats to two yachts may be the same in some respects and different in others – not necessarily because the technologies are different, but because the intent of those who wish to cause damage is different.

Understand the Threat. (From Whom and Why?)
Generic: In some cases, primarily for bulk, widespread criminal operations, or for more malicious actors’ research and development purposes, attempted attacks do not have one particular target but are en masse and opportunistic. The weaker the defences to this generic approach, the greater the likelihood of penetration and subsequent damage. This bulk approach invariably exploits “human factors” or simple technical configuration errors. If we could remove untrained crew and supply chain (yachting’s “human factor”), we would reduce the risk from malicious cyber activity by 80% at a stroke.

Specific: However, there are other more idiosyncratic threats that are peculiar to the owner, the yacht management company and/or the specific geography relating to the yacht and its owner. These are targeted and are governed by more thought-out criminal, individually malicious or, in some cases, geo-political factors.

Some protective measures are common across the two categories (as reflected in the ISM Code); others need to be as tailored as the threat they face. Understanding and measuring the threats is straightforward, but without doing so solutions are poorly focused, ineffective and often unnecessarily expensive.

Identify Vulnerabilities (Threat Vectors)
The “cyber threat free days”, when yachts used paper charts, downloaded anodyne emails twice a day and were largely self-contained, are now long gone. The inter-connectivity to the outside world required by yachts, management companies, owners and guests demands that the risk assessment considers and manages all the potential vulnerabilities in an end-to-end sense, including all interfaces with the shore (such as the management company, engine manufacturers, the owner and service providers) and the behaviours and understanding of the people within the whole operational environment.

Assess Risk Exposure (Likelihood and Effect)
Having understood the vulnerabilities in light of the capabilities and techniques of the malicious threat actors, it is straightforward to assess the level of risk that the yacht in question actually (not theoretically) faces. This should not be generic and must be considered for each and every yacht; be specific to the operational and safety management processes carried out on board; and include internal and external risks to the yacht, including the supply chain. This clearly directs where, and to what extent, investment should be made to provide sensible, proportionate protection for the yacht in question.

Develop Protection and Detection Measures
Assuming the threat, vulnerability and risk measurement have been done, the development of preventative, protective and detection measures falls into two categories: measures which are technical in nature, and measures which are process and procedural in nature (with this latter category also mitigating the risk inherent in human behaviour). Part of the procedure should also include education. It is now essential that accredited cyber security awareness be included as part of the STCW course. With human vulnerability being the route in for most malicious threat actors, crew and support staff Cyber Security Awareness (which need not be technical in nature) must be given parity with Fire Fighting Techniques, Personal Survival Techniques, First Aid, Personal and Social Responsibility and Proficiency in Security Awareness if a modern yacht is to stay safe.

The procedural measures should also clearly define the roles, responsibilities and policies for all those on board the yacht and in the management company. With whom does accountability for digital security sit? With everyone on board clear in their roles and responsibilities, and equipped to meet them, there should not be any gaps in the chain of command through which cyber risk can slip.

Establish Contingency plans
Section 8 of the ISM Code, “Emergency Preparedness”, recognises that even on the best prepared vessels, things go wrong. Since the safety management system demands that any emergency situation relating to a vessel can be responded to at any time, contingency planning and exercising for a cyber incident needs to be equally governed. This of course also needs to incorporate Sections 9 and 10 of the ISM Code as part of the auditing and ongoing maintenance process for the cyber security posture of the yacht.

Continuous Relevance
As with all risk management, the answer is to provide a flexible security framework following the steps outlined above. The cyber risk, perhaps more than any other, evolves at a breath-taking speed; Moore’s law applies to the risk just as much as it does to the environment in which it exists. Systems can be audited, and the yacht’s preventative, protective and detection measures re-evaluated and adjusted to the contemporary threats and risks.

Conclusion
How should the superyacht Industry move forward?

It is in the superyacht industry’s interest to control its own destiny. Cyber risk is inherent in the 21st century. The banking industry has been, and continues to be, hit with quite draconian legislation by the FCA and PRA because it was slow to move. NISD followed suit for Critical National Infrastructure providers for the same reason. Likewise, GDPR was introduced more universally across all industry sectors for the same reason. Regulation is an evolutionary necessity, and the more pro-active the industry is in addressing it, the more balanced and informed the regulation will be. Imposed regulation carries a whole different type of risk to co-created regulation.

All the relevant elements of the industry – flag states, insurance companies, cyber security professionals, yacht managers, yacht brokers and the yacht crew community – must develop a collegiate vehicle to discuss how this should look and feel, specifically for the superyacht industry.

By taking the headings above as a framework, we can move forward as one and ensure that the superyacht industry successfully manages the cyber risk into the 21st century and beyond.

In the meantime, it is in the best interests of all superyacht owners, builders and managers to move forward along the lines above. At a compliance level, this will equip them for the inevitable regulation and insurance criteria; at a practical level, it will reduce the threat surface exposed to those with hostile intent who can, and will, cause damage to the operation, reputation and safety of the industry’s clients and their most valuable asset.

Murray Bishop
Halcyon Superyacht Security
