Technology

IMO’s New Cyber Risk Management Requirement Explained

2 May 2021By Louisa Beckett
iStock/Andy

Written by

Louisa Beckett

Louisa Beckett is the former editor of Motor Boating, ShowBoats International, and Southern Boating magazines, and a longtime contributor to Dockwalk. Over her career, she has written about a wide variety of vessels ranging from Sea-Doos to superyachts, and has had many adventures on the water, including riding in a U.S. Coast Guard “rollover” boat in heavy surf off Cape Disappointment, Washington.

Starting on January 1, 2021, the IMO requires the yacht's safety management system take cyber risk management into account. Here's everything you need to know to be code compliant...

While the highly confidential nature of the yachting industry and the “invisible” nature of the crime makes it difficult for superyacht captains to discover if other yachts in the global fleet have been the subject of a cyberattack — even if they are berthed in the next slip — maritime authorities around the world, including the International Maritime Organization (IMO), now consider cybercrime a clear and present danger.

Starting this year, the IMO wants superyacht owners, captains, and managers to take it seriously, too. IMO Resolution MSC.428(98) — Maritime Cyber Risk Management in Safety Management Systems took effect on January 1:

  1. “Affirms that an approved safety management system should take into account cyber risk management in accordance with the objectives and functional requirements of the ISM Code;
  2. “Encourages Administrations to ensure that cyber risks are appropriately addressed in safety management systems [SMS] no later than the first annual verification of the company’s Document of Compliance after 1  January 2021.”

“[The] IMO wants a risk management plan in place,” says Keith Chappell, technical director for maritime cybersecurity solutions firm Cyberprism, adding that the goal is not just to get vessels to comply with another maritime regulation. “It drives cyber maturity rather than cyber compliance,” he says.

“What we are trying to do is not take a ‘compliance approach,’ [but] to assess what is the real risk for the captain, for the owner, for the ship builder,’” says Dr. Will Perez, director of cybersecurity solutions, Moran Cyber.

“People will be thinking about it because it’s an international regulation. But what they should be doing is focusing on the safety of the owners and the people on board,” says Mike Wills, co-founder and chief data officer of cybersecurity solutions provider CSS Platinum. “This is not going to go away…. This is going to affect you.”

“As a superyacht captain recently wisely pointed out when he compared the risk of cyberattack to COVID-19, ‘We never thought about a biological virus until its arrival. The risk of cyberattack is very similar…it doesn’t matter much until it happens to you,” says E.J.W. (Engel) de Boer, yacht segment manager, Marine & Offshore Division, Lloyd’s Register EMEA. “Twenty years ago, we were talking about physical attack. Now it’s cyberattack.”

Adobe Stock

What’s the worst that can happen?

In a “worst-case scenario,” cybercriminals theoretically could take remote control of a yacht’s unprotected navigation system, lock the captain and crew out, and either render the vessel dead in the water or keep it underway on an unknown course until the owners accede to their ransom demands. In fact, there was an alleged incident of this happening back in February 2017 when pirates reportedly “took full control” of the navigation systems of a German-owned 8,250 TEU container vessel en route from Cyprus to Djibouti for about 10 hours.

While nightmare scenarios like this one are more likely to occur in a Hollywood thriller, there are plenty of other garden-variety cybercrimes threatening superyachts today. These include malware (software specifically designed to disrupt, damage, or gain unauthorized access to a computer system), phishing (sending emails that purport to be from legitimate companies in order to gather compromising information like passwords), and “spoofing” (disguising a communication as being from a known, trusted source).

These crimes run the gamut from nuisance-makers to scams to extorting thousands of dollars from a vessel’s owner or operator. In one notorious spoofing case, for example, a captain reportedly received — and paid — a fraudulent fuel invoice for more than $100,000. “We see a lot of invoice fraud in yachts,” Chappell says.

Adobe Stock

Does it affect me?

While only superyachts subject to IMO Code are affected by the IMO resolution, the industry experts we spoke to feel that the owners, managers, and captains of smaller and private yachts also should have an SMS that includes cybersecurity in place. “Cybercriminals are agnostic to the gross tonnage of the boat,” says Wills.

“Superyachts are not immune to cybercrime and an attacker will not differentiate a 500 gross tonnage limit nor care if the vessel is privately or commercially operated,” says de Boer. “In addition, one should not forget that it is not only the flag states under which the yachts are registered [that] will require [them] to demonstrate that appropriate measures have been taken to have a robust cybersecurity system in place; so do port states, including the U.S. Coast Guard and underwriters/insurance companies. Taking cybersecurity seriously demonstrates a professionalism regardless of size and mandatory requirements.”

Many of the experts we spoke to feel the superyacht industry is playing catch-up on the cyber front. “The industry is naïve about the scope of the problem,” says Wills. “They will cherry-pick…but you need to have a comprehensive approach. Otherwise, you are locking one door but leaving another door open.”

“I think in general they are not well-prepared; however, there are some yachts…that have a great level of cybersecurity hygiene to start with,” says Chappell. “For some yachts, it will be going in from the ground up.”

In a white paper titled “Cybersecurity Requirements for IMO 2021” aimed at the superyacht sector, global satellite communications company Inmarsat stated, “Despite an increase in cyberattacks on both OT (Operational Technology) and IT (Information Technology) systems on board superyachts in line with the growth in digitalization in the sector, there is still a lack of awareness amongst superyacht professionals about cyber resilience and the most effective cybersecurity measures.”

Inmarsat’s white paper continued: “The 2020 Inmarsat Connectivity Report confirms that despite a lack of knowledge about cybersecurity requirements, 47 percent [of superyachts surveyed] indicate that the ETO or captain manages the cybersecurity, while only 20 percent use a third-party organization and 26 percent use a company IT manager. Many superyacht professionals believe that a standard anti-virus program will keep them safe, with only 31 percent indicating that endpoint security is used and 36 percent confirming UTM [Unified Threat Management] was in place.”

Adobe Stock

So, how do I comply?

IMO code-compliant yachts must develop a robust cybersecurity response plan that can be incorporated into the vessel’s SMS along with physical security. If you don’t already have a cyber plan in place, however, don’t panic — January 1 was only the start of the rollout period for the resolution. Chances are your yacht’s DOC is not up for verification yet, so you have time to get your cybersecurity ducks in a row.

“I think for a lot of captains, the requirements are not onerous…. It’s risk management [and] mariners are brilliant risk managers,” Chappell says. “The most difficult thing is putting time aside and starting the process…. A lot of captains are putting it off.”

Before getting underway on the project, however, it’s important first to determine the level of risk that you, the yacht owner, and manager are willing to tolerate. “Nobody should be spending money on cybersecurity unless it addresses a risk in their risk register that goes higher than their risk appetite,” Chappell says.

What’s involved?

When the IMO adopted its Cybersecurity Resolution in 2017, the organization also published its recommended steps to take in order to develop a robust cybersecurity plan for your vessel in its Guidelines on Maritime Risk Management. They include:

  • Identify: Define the roles responsible for cyber risk management and identify the systems, assets, data, and capabilities that, if disrupted, pose risks to ship operations.
  • Protect: Implement risk control processes and measures, together with contingency planning to protect against a cyber incident and to ensure continuity of shipping operations.
  • Detect: Develop and implement processes and defenses necessary to detect a cyber incident in a timely manner.
  • Respond: Develop and implement activities and plans to provide resilience and to restore the systems necessary for shipping operations or services which have been halted due to a cyber incident.
  • Recover: Identify how to back-up and restore the cyber systems necessary for shipping operations which have been affected by a cyber incident.

In its White Paper, Inmarsat boiled this down to three steps.

  • Know what you have
  • Defend what you have
  • Be able to recover

“What captains want most is to feel confident that appropriate risk management systems are in place across vessel operations and communications, guest connectivity, use of devices, and entertainment,” de Boer says. “An IMO assessment is a good start.”

Adobe Stock

What are my vulnerabilities?

The first step in making a cyber risk assessment is to identify which crewmembers are responsible for cybersecurity on board and then work with them to make a register of the assets throughout the yacht that could potentially be vulnerable to cyberattack.

Today’s yachts are equipped with an increasingly inter-linked network of systems and equipment, much of which seems to be getting smarter every day. Add to that the seemingly insatiable demand by owners, guests, and crew for connectivity even when your vessel is far offshore — which, according to Inmarsat, has grown even more voracious during the pandemic, since telemedicine is now a priority and many owners moved their businesses to their boats.

“The GPS navigation system, the entertainment system…anything that has an IP address — and even a fish tank can have an IP address — is vulnerable,” says Charlotte Riley, chief technology officer and co-founder, CSS Platinum, adding, “New yachts may be more vulnerable because they have more technology.”

Conversely, older yachts also may have unique vulnerabilities, such as firewalls in need of renovation and chart systems that have to be updated via a portable thumb drive rather than a secure, hard-wired system. Perez cited the case of a yacht that had its ECDIS system compromised by a thumb drive that had previously been used for something else and was corrupted with ransomware. “The ransomware was not active but was causing problems,” he says.

Should I hire a cybersecurity firm?

There are a number of cybersecurity solutions firms that offer comprehensive audits for superyachts to help them comply with the IMO resolution. Their services not only include surveying the vessel for vulnerabilities, but also conducting a “penetration test” of its systems and equipment. “Penetration testing ensures your digital portals are locked,” Wills says. Depending on the outcome of the audit and the “pen” test, the cybersecurity firm can help to propose cyber threat mitigation and draft the SMS plan.

“There are technically competent officers and chiefs [who] can do everything that the IMO requires…but a cybersecurity firm is in a better position to assess the threat,” says Chappell.

While acknowledging these companies’ expertise, some yacht captains, owners, and managers are still weighing the costs involved with conducting an outside assessment. Michael Reardon, owner of superyacht management company Reardon Yacht Consulting, comments, “Vendors have to show us how to keep it practical.”

Adobe Stock

How’s my hygiene?

Whether you’re working to comply with the IMO Cybersecurity Resolution or just want to ensure your yacht is protected against cyber threats, don’t forget the human element during your assessment. It’s not the thumb drive itself that’s the problem — it’s the first officer who was using it to share files with someone off the yacht before inserting it into the ECDIS.

“I’m told the most downloaded thing on any boat is porn,” says one anonymous source we spoke with for this article. “Within the video download, the bad guys can hide all sorts of things.”

Anyone who comes onto your yacht, and anyone who uses email and other digital communications to communicate with it, including service technicians, vendors, suppliers, attorneys, shipyards, charter clients, crew, guests, and even owners, could potentially — and completely unwittingly — bring a corrupted device with them and plug it into the yacht’s internal network.

“Pilots bring their laptops on board…vendors bring their own laptops. If they are not very disciplined, they are probably using that laptop for personal use,” says Perez. “Anyone who has a touchpoint with the owner and the vessel is a vulnerability,” agrees Wills.

Happily, most yachts already have segmented communications networks in place that keep owner, guest, and crew Internet access and entertainment systems separate from the yacht’s navigation and other operational systems. “Most of the equipment on the bridge is not connected to a network,” Reardon affirms.

Beyond that, the best way to keep your yacht free from cyber threats is to practice good “cybersecurity hygiene” on board. According to U.S. Coast Guard recommendations, this includes, “checking external hardware such as USB memory devices for viruses before connection to sensitive systems; and ensuring that each user on a network is properly defined, with individual passwords and permissions.”

A superyacht’s cybersecurity plan does not have to be overly complex to be effective. Reardon recommends applying Occam’s Razor to assessing your vessel’s vulnerabilities and hardening its defenses. “Don’t panic, but don’t let this become overwhelmingly complicated,” he says.

This feature is taken from the March 2021 issue of Dockwalk.

More from Dockwalk