Superyacht cyber security: IMO regulations & cyber risk management
The co-founders of Atlas Cybersecurity give their guidance on the latest cyber security technologies…
Benjamin Dynkin & Barry Dynkin are co-founders of Atlas Cybersecurity, a Managed Security Service Provider tailoring advanced cyber-security solutions for the superyacht community.
For years technologists, futurists, and innovators alike focused their efforts on incorporating as much new and cutting-edge technology as possible into every nook and cranny of modern life. Superyachts, certainly, have not been immune from this trend. From AV and lighting to control systems and security, everything on a yacht is interconnected and networked. Adding to that complexity is a new level of connectivity, which means that a modern superyacht more closely resembles an enterprise-grade network, featuring a robust set of networking and IT technologies. These technologies ensure that a yacht is not only more immersive, bespoke, and effectively tailored to the needs and preferences of its owners and passengers, but safer, more reliable, more efficient, and less expensive to maintain. While the inner workings of a yacht regularly feature cutting-edge technologies in a wide variety of implementations, cybersecurity has fallen by the wayside as the pace of adoption and innovation accelerates.
It is not news that connected devices, control systems, and Internet of Things (IoT) devices are being developed at such a breakneck pace that security for these systems is sorely lacking. In a report from Gemalto, it was found that 48% of companies that use IoT devices in the workplace don’t have mechanisms in place to detect whether any of their devices have been hacked. This systemic failure, while troubling in the business environment, is far more serious in a maritime environment where the consequences of a breach can be far more severe. A successful breach of a vessel’s control systems can potentially grant the assailant the ability to take control of bridge systems and control the vessel’s operational functions from anywhere in the world, in real time. In fact, this peril was clearly demonstrated in 2017, at the Superyacht Investor Conference, where cybersecurity professionals demonstrated that, in a handful of minutes, they could gain control over all of a superyacht’s systems.
IMO Cyber regulation
While the threat is very real, it has not gone unnoticed. The International Maritime Organization (IMO) has paid careful attention to this ever-rising threat, and has passed guidelines on cyber risk management, as codified in MSC-FAL.1/Circ.3. The regulation requires covered vessels to include cyber risk management in their Ship Security Plans no later than January 1, 2021. Understanding the complexities and idiosyncrasies of large vessels, and the range of covered entities (from tankers to superyachts), the IMO chose to enforce a mechanism for engaging with risk rather than listing controls that should be implemented. Rather than charting a new course, the IMO chose to build off established international frameworks for cyber risk management, picking five functions that represent a holistic approach to cyber risk management: Identify, Protect, Detect, Respond, Recover. While there are controls that must be implemented to properly carry out each of these functions, by taking a functional, rather than controls-based, approach, the IMO leaves captains and security officials with enough discretion and flexibility to tailor a program that effectively meets the requirements of their vessel without becoming excessively onerous. While the IMO specifically calls out regulations such as BIMCO’s guidance and the ISO 27000 series of cyber controls, our focus will remain on the NIST Cybersecurity Framework, which the IMO specifically calls out for meeting its requirements.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (“CSF”) was created pursuant to an Executive Order issued in February 2014 by President Obama, which called for “the development of a framework to reduce cyber risks to critical infrastructure.” The goal of the CSF was to create “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” The CSF is neither industry nor size specific, and the general principles and processes it promulgates for identifying, understanding, and safeguarding against cyber risks are just as applicable to a local or regional company as they are to an international financial institution or technology company. It is for this very reason that the CSF is such a useful benchmark which the maritime industry can refer to when developing internal regulations and standards. The CSF effectively accounts for the vast differences in the size and scope of vessels on the sea and the idiosyncratic systems deployed, particularly among superyachts. The CSF features five core functions that mirror the requirements of the IMO regulation. While the NIST CSF features a detailed set of questions and controls detailing each of the five functions, we will provide context to understand the five functions, and how they, together, provide a holistic approach to cyber risk management.
The Five Functions of the NIST CSF
• Identify: The Identify function asks whether or not the organization, or in this case the vessel, can identify the assets, risks, and threats present in its environment. This is arguably the most important and underrecognized element of developing a security program. As more and more technology is introduced into the environment, and the complexity of the supply chain becomes more apparent, it is virtually impossible to keep track of the operating environment. This function is critical because, simply put, you cannot protect what you don’t know is there from threats that you don’t know exist.
• Protect: The Protect function reflects what most people think of when considering cybersecurity – implementing technologies, controls, and processes to prevent a criminal from compromising systems.
• Detect: The Detect function reflects a fundamental change in the cybersecurity landscape. While preventing a compromise is an important step, we can no longer rely on those controls to keep criminals out; we must ensure that there are tools, policies, and procedures in place to detect malicious conduct rapidly and effectively and minimize the impact of any incident that may occur.
• Respond: Much like the Detect function, the Respond function forces one to consider what happens if and when a potential attack succeeds. Building out an effective response program ensures that any incident is resolved quickly, efficiently, and with limited collateral damage. This is critical when dealing with a superyacht, to ensure that any incident is contained before it affects the individuals availing themselves of the comforts of their vessel.
• Recover: The Recover function rounds out the five functions, and serves the purpose of engaging in the often unpleasant after-action analysis: learning how and why the compromise occurred and how to prevent future compromises.
In sum, the IMO is no longer allowing covered vessels to stick their heads in the sand and ignore the increasingly severe cyber risks they face on today’s seas. Cyber risk is an increasingly omnipresent, pervasive risk facing every aspect of human endeavor and modern life. While the IMO deadline for implementation is January 1, 2021, those responsible for security on superyachts should be proactive and begin the process of engaging with cyber risk and developing a cybersecurity program.