The value of class: cyber security
Part of an interview series with its experts, Lloyd's Register reveals how to mitigate cyber-security risks on board…
In recent years, the maritime industry has seen a significant evolution in the types of cyber threats it faces, with increasingly more targeted attacks, as opposed to ‘accidental’ attacks, and this inevitably means more risk for superyachts. In the second instalment of a series of interviews with Lloyd’s Register experts, Peter Sponer, cyber security sales manager for North Europe, discusses the cyber-security risks facing superyachts today, and how the industry can best mitigate these risks.
“The most well-known maritime cyber attack is probably the Maersk attack in 2017 as a result of the NotPetya malware, which was actually never meant to target the company or the industry,” explains Sponer. “However, we are seeing a rise of malware created specifically to target the maritime industry. For example, incidents of attackers sending phishing emails with what appears to be an ECDIS update.”
The high profile nature of many superyacht owners makes the industry more appealing from an attacker’s point of view. The other factor that makes superyachts particularly susceptible to cyber attacks is the complexity of the IT and OT systems on board in comparison to other vessels.
“Superyachts have various systems on board, such as entertainment systems, that are connected to the network of the vessel and also the Internet,” adds Sponer. “If security controls are not properly implemented, this can create vulnerabilities and opportunities for an attacker to gain access not only to these systems, but potentially other critical systems on board. An attack of this kind could not only result in a loss of data but, in a worst-case scenario, it could affect navigation or communication systems and compromise the safety of the vessel.”
Lloyd’s Register sees many superyachts making this already-precarious situation worse. Often, there is no clear division of roles and responsibilities when it comes to cyber security on board and yachts usually lack the proper documentation required. As Sponer advises, it is important to have network diagrams and lists of the IT and OT equipment on board in order to conduct cyber-security risk assessments.
“If you don’t know what your critical assets are, it is very hard to define any kind of cyber security strategy.”
“When it comes to cyber security, you need to know what there is to protect,” he continues. “If you don’t know what your critical assets are, it is very hard to define any kind of cyber security strategy. Secondly, network diagrams are important for implementing any changes to the architecture of the networks or systems on board so that you can properly implement technical controls. This is especially relevant when the yacht changes hands.”
Sponer notes that many superyachts also lack sufficient cyber security awareness training for the crewmembers, which would help the crew to incorporate best practices when operating the equipment. Many yachts often focus on implementing technical security controls, but disregard other aspects of cyber security, such as having the right policies and procedures in place, for example on third party access to systems, use of personal devices on board, or how to respond to an incident. “Most breaches happen because of people rather than problems with technology,” cautions Sponer.
Recent regulations and guidelines relating to maritime cyber risk management, including from the IMO, US Coast Guard and IACS, as well as specific flag state requirements, have forced many superyacht owners and captains to consider cyber security on board for the first time. While this is a positive step for the industry, Sponer believes that there is much more to be done.
“It is good that the industry now has a requirement to embrace some basic cyber security principles, however, yacht owners should never look at cyber security from a regulatory point of view,” advises Sponer. “Attackers can target any yacht, no matter its size. And the yacht doesn’t even have to be a target – a crewmember could connect their own device to the crew network, download malware and, if the network is not properly segregated, it could infect other systems on board, even critical systems.”
Sponer recommends that owners and operators should always look at cyber security from a prevention point of view, rather than implementing the minimum measures dictated by the requirements. “While 100 per cent security doesn’t exist, you should always look at the vessel’s cyber security posture and ensure it has an up-to-date strategy,” he adds. “And that strategy needs to be continuously readjusted based on the evolution of the threats and the sophistication on the part of the attackers.”
Sponer particularly recommends that superyachts utilise Lloyd’s Register’s penetration test, which identifies any vulnerabilities in the existing infrastructure that could potentially be exploited.
This risk mitigation is a journey that Lloyd’s Register can guide superyacht owners and operators through, as it does with all other risks present in the maritime industry. As well as helping superyachts to comply with regulatory cyber risk management requirements, the classification society can create cyber-security strategies for each vessel.
Sponer particularly recommends that superyachts utilise Lloyd’s Register’s penetration test, which identifies any vulnerabilities in the existing infrastructure that could potentially be exploited. “This is not only to understand where an attacker can gain access to the to the vessel, but whether the networks on board have been properly segregated,” he says. “Many yachts tell us that they have segregated networks on board, but when we conduct the penetration test, we often find out that it is not the case. And if the network is not properly segregated, malware could potentially transfer to other parts of the network and impact the critical systems.”
And in the unfortunate event of a cyber attack on board, Lloyd’s Register also provides an incident response service to investigate how the breach has happened, help recover any lost data and make sure that the systems impacted are operational, as well as recommending measures to ensure the same thing doesn’t happen again.
Lloyd’s Register can also work with the owners and operators on assigning a Descriptive Note on cyber security to a vessel, either a new built or an in-class yacht. Similarly, Lloyd’s Register can work with component makers on delivering Factual Statements as the outcome of a component-specific assessment.
As a classification society, Lloyd’s Register is well versed in protecting the safety of vessels and managing physical risks. While cyber security is a relatively new and near-invisible risk, it is as serious a threat as any other. As such, Lloyd’s Register enables its clients to fully understand the potential consequences of a cyber attack on board, and what needs to be done to prevent one.
Click here to become part of The Superyacht Group community, and join us in our mission to make this industry accessible to all, and prosperous for the long-term. We are offering access to the superyacht industry’s most comprehensive and longstanding archive of business-critical information, as well as a comprehensive, real-time superyacht fleet database, for just £10 per month, because we are One Industry with One Mission. Sign up here.