The IMO2021 regulations regarding cyber risk management required compliance by 1 January 2021, or no later than the first annual vessel verification and audit. While some vendors were acutely aware of the impending deadline, the overall uptake across the yachting industry has been slow.
The new IMO regulations apply to private and charter yachts, as well as other commercial vessels, and state the measures required to mitigate risks to cyber security on board. From January next year, a yacht captain may therefore be asked questions about their yacht’s cyber risk management and will need to provide evidence that IMO2021 regulations are being adhered to.
Is this anything new?
The IMO first announced cyber risk as part of their mandate in 2017 when they released basic guidelines by way of Resolution MSC.428(98), outlining recommendations to safeguard shipping and yachting from current and emerging cyber security threats and vulnerabilities.
Further publications, sponsored by various shipping and industry bodies, have provided advice aligned with the IMO Resolution and expanded upon those requirements and recommendations to explain the process for securing maritime IT and OT controls.
The risks to cyber security are clear
Still, with just over two months to go before we reach 2021, inadequate cyber security practices continue to plague the shipping and yachting industries. The growing number of connected devices being installed on board for remote monitoring and support, unknown devices connecting to key networks and a general lack of crew awareness, all present potential risks to safety and privacy.
All vessels are of possible interest to a hacker
Along with a general lack of awareness, there is also complacency around cyber security among those in charge of safety aboard. When we ask yacht captains, engineers and ETOs about the measures currently in place for cyber security, we get a range of responses:
It’s ok, this is a private yacht
There is nothing on board that a hacker would want
Our guests are not important enough to be hacked
Regulations are voluntary
Our IT guy looks after this, so we should be ok
I trust the crew not to do anything untoward
So, what are hackers looking for?
Generally hackers are motivated by financial gain, via corporate espionage or by acquiring personal data such as credit card details or health data, which can be sold on the black market or the dark web – hence the big data breaches of Equifax, Yahoo, My Fitness Pal, etc. During the summer, even Garmin fell victim to ransomware and ended up paying the price.
However, groups such as the infamous “Anonymous” may be looking for something else. Some groups and hacktivists see it as their personal duty to tell the world your owner’s secrets, especially if they sit in a position of power, perhaps they’re an executive of a major corporation, a political figure or a celebrity.
When it comes to the control systems or critical infrastructure around ships/yachts there is likely to be a more sinister reason for wanting access. Typically, the aim is to cause major disruption, take control or send a message to those managing the vessel or plant.
Threat intelligence provides valuable insight towards mitigating the risks on board your yacht, especially from a network security perspective. But don’t assume that you know what hackers want or don’t want. Assume the worst; assume they want anything they can get their hands on, especially when it concerns a multi-million-dollar yacht with a high-profile owner or guests. A superyacht is the ideal target for hackers, especially those with adequate resources and determination – think nation-state or terrorists.
But it’ll never happen to me…
Hackers, cyber security and privacy protection are nothing new and a number of yacht owners have already put measures in place, especially when it comes to business and personal affairs. However, many yachts continue to operate with a false sense of security that it’ll never happen to them.
In this persistently connected world, wherever you are, no matter how remote, your communications systems are still linked to the rest of the world. Indeed, owners pay considerable amounts of money to ensure this, so they can continue to communicate, browse the Internet, watch TV and use social media.
Furthermore, stabilisation, engine management and navigation systems such as ECDIS, also require some form of remote connection to download updates or for troubleshooting and remote support from vendors.
The threat to cyber security exists whether you’re anchored in a remote bay or alongside in a marina, an ever-present danger unless you have a clear understanding of the risks and have put in place appropriate measures, all of which should be continually reviewed.
Still little is being done to mitigate the risks
In the wider maritime sector, as in many others, there is a lack of motivation to get things done until they become compulsory, but the clock is ticking. The IMO’s new cyber security regulations will come into effect on 1 January 2021, and superyachts which fail to comply may face heavy fines. At this rate, there’s likely to be a rush of demand in the new year, something akin to servicing the air-conditioning in June or buying presents on Christmas day.
Although it seems like a giant task to take into account all the elements of a functioning yacht, the value of a cyber security risk assessment far outweighs the time or cost.
The processes and methodologies chosen by the IMO are not new thinking and they closely mirror other established risk management frameworks such as NIST, which has been used within the world of IT for many years.
Once the initial steps are completed, the situation should be re-evaluated periodically to ensure the yacht remains as secure as possible and that all cyber threats – internal, external, human or technological - are known and adequate measures are in place.
Why wait? Book your cyber security risk assessment today!
The team at Pelion Consulting provides independent, impartial advice to help yachts achieve compliance with IMO2021 cyber risk management regulations.
We will guide you through the entire process and maintain an ongoing partnership to ensure you stay ahead of the latest threats and any changes in legislation. Crew training is also part of the process, so you can rest safely in the knowledge that your yacht has been audited to the highest standards, protecting the safety and privacy of all aboard.
For further information or to book an appointment, please contact Pelion Consulting:
Tel: +34 647 613 570