Aside from the Covid news and restrictions, this year will be remembered as one of the most disruptive years for cyber attacks: ransomware has impacted critical infrastructure, and vulnerabilities in the Microsoft email servers many of us use have allowed remote attackers to take control of those servers.
There have been multiple instances of emails being spoofed and hijacked to insert fraudulent bank details. We’ve also seen supply chain disruption and, just this month, one of the biggest threats to web applications to date – more details on this, and on how it affects the yachting industry, to follow.
Attacks on the maritime industry have increased by 400% since the pandemic started, and all of the issues mentioned have the potential to seriously impact yachts, their owners and guests. We’ve already seen several yachts affected by ransomware having to pay criminals to release their files.
For the past few years we’ve been speaking about the impending IMO cyber risk management regulations, which came into force in January 2021. To recap: commercially operated yachts over 500 GT are required to prove they’ve taken cyber risk management into consideration at their annual survey.
IMO cyber risk management regulations one year on
After an initial rush by several yachts to meet compliance, the response has been varied, to say the least – not only in terms of uptake but also the types of yacht that have taken action.
While charter yachts tend to view the regulations as more bureaucracy and a further burden on what is already a heavily regulated job, private yachts seem to be taking a more pragmatic approach and are actively engaging in the process – not only to maintain compliance or certification, but to learn how to secure the yacht’s systems and how to protect the owner and guests from cyber criminals.
Yacht owners and guests are the ultimate target for cyber criminals
Having worked on multiple yachts ranging from 35 metres to over 100 metres, we find it’s the basics that are still not being done. Each vessel and crew has a different perspective on the threats that could affect them, ranging from “it won’t happen to me” to “we know something should be done, but we don’t have time”. Equally, where yachts and crews are attempting to get up to speed, corners are being cut: ‘cyber plans’ are being implemented without any forethought or knowledge of the subject.
Developing a cyber aware culture on board your vessel
While we want to see the industry develop a cyber aware culture and actively engage in the process, there are still many yachts with a tick-box mentality, and this is slipping through the net with surveyors and auditors. The question is, why?
Flag authorities say they don’t police cyber security guidelines and leave this to individual vessels to interpret. In practice, it’s the auditors and surveyors who ensure compliance across a whole range of issues, which are generally certified and signed off by a vendor.
Do auditors have the right tools and guidance to assess your cyber security management?
Unlike many other things auditors look for, the cyber risk management process doesn’t end with a certificate. This lack of a validating document leaves auditors and surveyors asking questions, or asking to see proof, that the vessel has taken cyber risk management into account. But without the appropriate guidance, knowledge and tools, do the auditors and surveyors themselves know what to look for?
What we’re seeing is a cyber management plan being implemented by someone who knows nothing about cyber security, followed by an auditor who is simply looking for the words ‘Cyber Management Plan’ … tick.
Discrepancies in cyber security management
Currently there is a wide gap in knowledge, and discrepancies in discipline, across industry bodies and organisations. Where we are actively working with yachts and their crews to ensure their cyber security management meets and exceeds compliance requirements, this is being undermined by a lack of knowledge and understanding.
While this remains a grey area, there are bodies working to ensure everyone is up to date and on the same page. In the meantime, corners cannot and must not be cut when it comes to cyber security management for your vessel. In lieu of a certificate, auditors could at least ask some basic questions to determine whether cyber security is taken seriously on board.
If the yacht is compromised, the owner is compromised
With a robust cyber security management plan in place, the types of attack mentioned at the beginning of this article can be avoided: yacht systems will be as safe as they can be from a potential cyber attack, and restoration will be easier after an incident. You can then rest easy knowing that everything possible has been done to protect the vessel, owner and guests from cyber criminals.
Pelion Consulting are experts in cyber security management and we’re here to cut through the bureaucracy and take the headache out of the process. Let us guide you through and be your chosen cyber security partner.