OT not IT (both)
Cyber discourse has been dominated by fears over IT hacks to the detriment of operational systems security…
Cyberthreats and cybersecurity have been an ongoing discussion within the superyacht industry for a number of years now. However, it could be argued that the discourse has been dominated by fears over information technology hacks. SuperyachtNews speaks to Ince and Mission Secure about the need to protect operational technology systems and why the two businesses have created a partnership to provide superyacht and commercial vessel owners with an operational cybersecurity product that combines legal advice and technology, InceMaritime.
“There seems to be a feeling within the wider shipping community, not just the superyacht industry, that where cybersecurity is concerned, if you have your information technology (IT) security, then you are safe,” starts William Chetwood, partner at Ince. “In the meantime, operational technology (OT), which is in some ways can be more dangerous if hacked than IT, has become a bit of a blind spot. Furthermore, a lot of the risks that superyachts are exposed to are not covered by insurance policies. This is why we have partnered with Mission Secure, to create InceMaritime, the industry’s first integrated suite of legal advisory, business consultancy and technology services – accessible through one, consolidated service.”
Typically, when cybersecurity is discussed within superyachting circles the discourse tends to focus on the threats posed by the types of cybercrime that would see owners lose private information, be it business-sensitive financial data, private images or some other form of potentially damaging information, with a mind to extorting cash from the ultimate beneficial owner. Other cases have included phishing exercises that have seen crews pay funds to businesses pretending to be bunkering companies or other third parties that are supposedly owed money.
The risks posed by such IT threats are undeniably present and pressing, but the protection of IT has potentially taken an unevenly large proportion of the superyacht market’s attention.
“The superyacht industry has been conditioned to think about IT cyber threats, and there is no doubt that they are a huge issue. However, if somebody locks up your payroll system or your accounts payable system, you feasibly have some time to make your decision in regards to how you approach the issue. Do we pay the ransom? Are we going to fight it? What is our approach with the press? These considerations, while pressing, do not necessarily require immediate action and, in these instances, we aren’t really talking about many insurance issues,” explains Rick Tiene, vice president of Mission Secure. “By contrast, if somebody locks up the navigation or takes control of another operational system, you don’t have days, you have hours, minutes or in some cases seconds to try and avert a serious incident and there is also an immediate risk to life in many of these situations.”
The primary concerns relating to IT cyberthreats, more often than not, include a loss of personal brand equity, embarrassment or a financial loss. Threats relating to OT cyberattacks, however, have a far more physical leaning. Navigational spoofing with a mind to hijack and ransom is a very real possibility and cyberattacks conducted purely out of malice out of a desire to cause damage and do harm are also real. Unfortunately, however, the industry remains opaque when it comes to cyber reportage, yet cases from analogous industries showcase how real the threats are. Indeed, even certain instances from within the superyacht world raise serious questions about OT cyberthreats.
“There are a number of ways that OT systems can be used in cyberattacks. There is piracy, hijacking and ransom, but there is also the possibility of drone attacks, the act of using the craft itself as a weapon and various other methods,” adds Andy Powell, partner at Ince.
Perhaps the standout recent example of what can occur in the event of an OT system cyberattack is the collision of MY Go at the Ile de Sol Marina in St Maarten on 24 February 2021. According to a report provided by the yachts’ captain, the vessels’ operational software failed, leading to him opting to engage in a deliberate impact with the dock in order to avoid an even more catastrophic scenario. It should be noted at this point that there has been no evidence made public to suggest that the impact was caused by a cyberattack.
“There is no suggestion that the MY Go collision was caused by a cyberattack, but it very clearly shows what can happen when you lose control of your OT systems,” continues Tiene. “Only a momentary loss of control can cause significant damage and, in the case of cyberattacks, the motivation is not always financial depending on who the cyber actor is. Mission Secure works across the military, petroleum and commercial sectors within maritime, but also with traffic systems, smart cities and a number of other sectors. Attacks are happening across all these sectors and, while they may not be reported on, it is safe to assume it is happening to superyachts, too.”
As a means of counteracting the balance between OT and IT, as well as generally ensuring that superyachts are protected from all manner of cyberthreats, Ince and Mission Secure have partnered up to create InceMaritime. The aim is to combine the advisory and action elements of cybersecurity. InceMaritime includes the following:
- A full audit of a company’s existing policies to ensure compliance in line with the new ISM Code for Cyber Security Guidelines (IMO 2021).
- The implementation of the patented Mission Secure Platform, the first integrated platform built for OT cyber protection, which is designed to harden vessels’ control systems networks against cyber threats.
- The deployment of Mission Secure Managed Services, providing 24/7 cyber security monitoring, threat hunting, and incident response support to ensure continual vessel resilience for ship owners and managers.
- Legal and crisis management services in the event of a cyberattack.
In recent years, much has been discussed about the need for more defined advisory channels within the superyacht market. Too much pressure has been put on stakeholders, who do not necessarily have detailed understandings of particular sectors, to make key decisions where they relate to all manner of things including, but not limited to, ownership structures, taxation and cybersecurity. Ince, recognising the difficulties faced by the superyacht industry, is putting its hand up and making itself available as an advisory body, not just a legal firm. The InceMaritime product is just the first step in Ince’s development plan to partner with various businesses to make sure superyacht owners and their vessels are protected in a proactive, not a reactive manner.
Click here to become part of The Superyacht Group community, and join us in our mission to make this industry accessible to all, and prosperous for the long-term. We are offering access to the superyacht industry’s most comprehensive and longstanding archive of business-critical information, as well as a comprehensive, real-time superyacht fleet database, for just £10 per month, because we are One Industry with One Mission. Sign up here.