The cyber threat: are we still not doing enough?
More than a year since the introduction of the IMO’s cyber-risk management regulations, we speak to experts about how the market has adapted to the new requirements.
In recent years, the level of connectivity on board superyachts has grown exponentially as the number of internet-connected devices has increased, whether that be guest and crew devices or on-board technology. As a result, the cyber threat to superyachts has grown in tandem.
In order to counter this growing cyber threat to superyachts and the wider maritime community, since 1 January 2021 every Safety Management System (SMS), for both private and commercial superyachts, has been required to include cyber-risk management. However, has this had the desired effect?
“On 1 January 2021, the IMO regulations came into effect, but it is actually the flag states that have been charged with interpreting the regulations and applying them to the vessels in their fleets,” says Ben Dynkin, co-founder and CEO of Atlas Cybersecurity. “As such, we have seen flag states come out with a wide array of guidance for their fleets with varying degrees of rigour.”
The cyber-security requirements, as laid out by the IMO and implemented by the flag states, are not a set of draconian requirements that dictate what types of technologies and preventative processes should be implemented on board any given superyacht; rather it’s the requirement to have a cyberrisk programme and the need for selfassessment.
“It is clear that there’s a lot of leeway in the interpretation of the IMO’s requirements, especially in light of the fact that it is, in essence, for the vessel to decide how they want to implement the requirements based on their ‘operational environment’,” explains Kurt Schrauwen, director of Riela Cyber.
“Personally, I have concerns that the IMO hasn’t necessarily addressed how they need to implement the requirements, part of the problem being that ETOs aren’t always experienced in IT functions.
“They have the basic knowledge to manage the environment, but cyber security is actually a specialist skill. Even in the event that ETOs are experienced and they are doing some things well, it doesn’t mean that they are not vulnerable if a crucial element has been overlooked or compromised.”
That said, the IMO’s requirements are, in a way, more trying than any regulation that is simply related to the addition of technology on board in so far as owners and their crews must now be able to demonstrate their approaches to a variety of cyber threats to an auditor.
They have to envision threats, show an understanding of the lifecycle of cyber threats and explain how they can be avoided and mitigated through their onboard processes. Had the requirements required only technological solutions, they would quickly have become a oneoff tick-box exercise that would do very little for the market’s growth or indeed its security.
“Fortunately, superyachts can’t just put a box on the boat and call it a day. Rather, they are being asked to do a far harder job of understanding the threats and how to address them systematically,” says Dynkin.
“It is based on a problem that is found within industries the world over. People want to find a magic-box solution rather than doing the hard work to develop the necessary processes, implement the relevant technologies and train the right people continuously.
“This is the landscape of the new requirements and it represents a starting point for the industry rather than the finish line, but this is dependent on each individual vessel taking the guidance and customising any programme to suit its needs.”
However, the pervading concern relating to the implementation of the IMO’s cyber-security requirements is, unfortunately, a story that has been heard all too often in the world of superyachts.
There’s a fear that at least certain factions of the industry will see the IMO’s requirements as minimum standards and, therefore, aspire to meet only the basest of the conditions rather than seeing this as an opportunity to significantly improve cyber security on superyachts. All too often it’s those superyachts that have already experienced a significant cyber incident that take cyber security seriously.
“As a general statement, I would say that the adoption of these requirements has largely bent towards minimum standards, but there are also a number of superyachts that we have worked with that have advanced and creative ways of dealing with cyber threats,” says Dynkin. “But as a whole, the industry has not viewed cyber security as a categorical imperative.
“However, what has made me incredibly hopeful is that we have had really productive conversations with clients. As we have helped them develop and implement their security programmes, it is clear that stakeholders’ eyes are being opened. The minimum standards are just base level that the industry’s growth is coalescing around.”
Dynkin is quick to point out that while general adherence to the IMO requirements has leant toward minimum standards, the base level of knowledge and understanding on the part of the superyacht industry is increasing as a result of the requirements – a view that is supported by the team from Riela.
“There is certainly no black-andwhite answer, you’ll always see certain vessels go above and beyond and take a great deal of professional pride in their cyber process. Equally, you will find those that just see them as another tickbox exercise,” says Schrauwen.
“Thankfully, by and large, the boats we deal with are trying to aim far above
“You’ll always see certain vessels go above and beyond and take a great deal of professional pride in their cyber process. Equally, you will find those that just see them as another tick-box exercise.”
minimum standards. The yachting community is beginning to appreciate the sheer amount of resource required to effectively protect a vessel from cyber crime, especially in light of how stretched the crew are already with their work.”
There are, at times, global events that create necessary step changes. The Covid pandemic, for example, led to a rapid uptick in the use of digital communications software, leading some companies to re-evaluate their business models and dependency on international travel.
More recently, the war in Ukraine and the subsequent exposure of the superyacht market to the general public have caused some owners and stakeholders to think more carefully about their cyber situation.
While the market’s exposure to the war in Ukraine has centred around those individuals who have been sanctioned and those closest to them, it has nevertheless increased the general global awareness of the industry, and this may have a negative impact on the market’s cyber security.
“I think the cyber threat level is quite high globally at the moment,” adds Schrauwen. “There’s a lot of noise within the cyber community about the need for businesses, yachts and everyone to protect themselves. Every 12 seconds a company is being ransom-wared successfully at the moment, and from a fishing and spearfishing perspective, superyachts are excellent targets.
“As it stands, there haven’t been too many targeted attacks on superyachts. They have mostly been impacted through chance and the vulnerabilities they have, but that does not mean they won’t be targeted moving forward.”
Dynkin adds, “To date, most of the attacks have been incidental. For the most part, superyachts have been caught in the crossfire and the problem with this is that certain captains and stakeholders think this is proof that superyachts will not be targeted moving forward.
“However, because of the war in Ukraine, owners have become much more concerned about the insider cyber threat, not because there have been clear examples of insiders inciting cyber incidents on board superyachts but because the war has made them more aware of the potential threat.”
The war in Ukraine has made certain groups of people think about potential cyber threats and while in an ideal world owners, captains, third parties and crew would be thinking about cyber issues
Every 12 seconds a company is being ransom-wared successfully at the moment, and from a fishing and spearfishing perspective, superyachts are excellent targets.
regularly, this just hasn’t been the case. The liberal approach taken by most superyachts to user roles has looked increasingly flimsy as the world’s media has continued to shine a light on the superyacht market.
According to both Atlas and Riela, owners are starting to take a much keener interest in who has access to what on board, leading to a significant revamp of on-board processes.
In the year since the IMO’s requirements were implemented, the threats to superyachts have remained the same. However, while some have seen cyber requirements as being just another minimum standard to adhere to, it certainly seems owners and captains are starting to take the threat more seriously.
While it’s a shame that experiencing a cyber incident on board is still a major contributor to improving vessel security, the new requirements have served as a base point for starting the cyber conver-sation with superyachts the world over. As the threat becomes more advanced, the technologies and processes on board must be kept up to date to counter them. RJ
DO YOU WANT TO KNOW MORE?
VISIT SUPERYACHTNEWS.COM AND SEARCH ‘CYBER SECURITY’