With the IMO introducing a new cyber security regime for the industry, Inmarsat’s Peter Broadhurst outlines how superyacht professionals can protect their vessels and comply with the on-board cyber risk management rules.
Introduced on 1st January 2021, new International Maritime Organisation (IMO) obligations to protect superyacht cyber security placed increased urgency behind the need for professionals to address and strengthen cyber resilience on their yachts. With a fourfold increase in maritime cyber-attacks reported from February 2020 as Covid-19 forced a reliance on remote working, it is even more important that superyachts introduce measures to protect critical vessel systems to cyber breaches which could have financial, personal or operational consequences.
The IMO has introduced a new cyber security regime for the industry, requiring charter and private superyacht owners and managers to adopt a stricter approach to cyber security. By IMO resolution, superyacht Safety Management Systems must be documented as including cyber risk management under the International Safety Management Code no later than its first annual audit after 1 January 2021. Complementing existing IMO safety and security management practices, the regulations are relevant for all yachts over 500 GT and those with more than 12 passengers – or any superyachts subject to a Document of Compliance audit.
At Inmarsat, we have been working closely with superyacht industry professionals for the last few years to raise awareness about the risk of cyber-attacks and offer them robust and accessible options to help them maintain a secure system core onboard. Our new report published by the Inmarsat Research Programme, Cyber Security requirements for IMO 2021, offers unique insights into Inmarsat’s experience of real cyber-attacks on vessels and provides superyacht owners, managers, captains, engineers and technical officers with a guide to the criteria for compliance.
The report summarises industry exposure to date, identifies the vessel-specific vulnerabilities that have driven regulators to act, and explores the precedents from outside and inside the maritime sector for IMO rule development. The context provides a vital preamble to a clear and concise guide to IMO 2021 compliance and the steps required to identify, protect against, detect, respond to, recover from and report on cyberattacks aimed at superyachts.
Cyber security, or protection from harm to an asset in the electronic domain, is still in an immature position in the yachting world, despite the fact that we are seeing an increase in attacks on both OT (Operational Technology) and IT (Information Technology) systems onboard. For superyachts, which often have High Net Worth Individuals onboard, high complexity of systems and good internet connectivity, the risk of targeted and untargeted attacks is significant, typically focused on passengers (ransom and theft), industrial espionage and privacy. Once a system has been breached, malicious actors can do anything from stealing data to gaining and maintaining full access of the device. Furthermore, a breach may not just impact that person.
If a crew member, guest or engineer brings a device onboard which is compromised, that device could connect to the main network and infect other devices, PCs, servers, engine monitoring systems. To prevent these harmful and costly incidents, it is essential that superyachts owners protect their vessels and understand their assets. Arranging training for crew to recognise spam and complete regular drills and testing is relatively cost-effective to implement but helps create crucial awareness. Our message is that it does not necessarily cost a lot of money to go from a position of vulnerability to a stronger one.
Inmarsat’s recommendations centre around the introduction of a multi-layered cyber defence solution, establishing an ongoing training and awareness program, and creating a thorough understanding of the on-board assets, including both the IT and OT systems. Cyber Security requirements for IMO 2021 focuses on Fleet Secure Endpoint (FSE) as a critical component in Total IT Best Practice for compliance, rather than providing a compliance solution in its own right. It also highlights Inmarsat’s role as partner to Maritime Cyber Security Awareness training developed for Stapleton International by MLA College, which is also available to FSE users.
Our advice for superyacht professionals is to take a pragmatic approach, based around risk. It is important to create a plan for IMO compliance to cover: Action (roles, responsibilities, training and reporting; Review (evaluate and analysis); Improve and Verify (third party or internal team). Our recommended steps to meet compliance are:
Appoint the responsible person for cyber on board
Standard anti-virus is no longer adequate protection, so subscribe to Fleet Secure Endpoint (FSE), a powerful endpoint security solution to prevent attacks whilst removing infections and threats throughout the onboard endpoints. Inmarsat’s cyber security protection, monitoring and reporting tool can support superyacht owners and managers towards compliance. Without additional hardware, FSE’s multi-layered network protection (against phishing, spyware, botnets, etc.) updates system status using software on end-user machines. It should be implemented alongside cyber security training specifically targeted for seafarers, raising awareness to assist in preventing threats before they get on board.
Set up Fleet Secure Endpoint on the vessel and complete the risk assessment module
Update ISM (International Safety Management) with guidelines from BIMCO and others. Amend to reflect cyber security reporting and authority.
Begin a training and awareness program of the security features in the ISM to ensure all crew and other personnel know the risks, regarding their own devices and the vessel’s systems.
Employ remote, or third party, monitoring to detect cyber threats and improve the ability to respond in a timely manner to get the vessel back up and running
Check with the regulatory body who would audit you, ask for details of what they will want to see so you can ensure documentation is all in place
We are continuing to work with captains and engineers to meet the long-term challenge of protecting today’s superyachts from cyber risk. Our latest research confirms that there is still not enough awareness that an in-depth, multi-layer cyber defence is much more effective than a standard antivirus program. The 2020 Inmarsat Superyacht Connectivity Report reported that 40 per cent of superyacht professionals surveyed still do not know the difference.
As the superyacht fleet heads towards a new regime on cyber security, the Inmarsat report Cyber Security requirements for IMO 2021 is a significant publication for anyone investigating the fast-evolving threats facing yachts at sea. Anyone wanting to know what the new IMO rules mean and, in Fleet Secure Endpoint, the viable solutions already available to support towards compliance, can download the report now.
To download the Cyber Security requirements for IMO 2021, please click here.