Superyacht owners frequently delegate the financial and legal requirements of their yacht's operation to the yacht-owning company and its appointed Directors and Corporate Service Providers (CSPs).
The Directors run the yacht-owning company and manage the risks and potential liabilities of operating an expensive asset in a complex and sometimes dangerous environment. The Directors then delegate further to specialist service providers such as crewing agents, safety and compliance managers, technology providers and maritime lawyers. Managing your cyber risks by delegating to experts should be approached in the same manner as you would mitigate any other risk, be that safety of life at sea, pollution prevention, financial loss, undue taxation, or disrupted operations and enjoyment of the yacht.
What are the likely cyber risks?
No doubt there will always be bad actors wishing to expose or extract data from a vulnerable IT system, whether on land or at sea. The most likely attack is financially motivated: intercepting and redirecting payments to offshore bank accounts, where very little can be done after the fact. Everyday cybercrime events include ransomware and phishing, where it takes only one click to run malicious code and hand remote access to a nefarious individual or group. The necessary precautions should be put in place promptly: first identify these IT systems, then adequately defend them against the likely threat vectors.
The integrity and confidentiality of the data onboard are at risk via the Information Technology (IT) systems. However, cyber risks that impact the safety of the crew and vessel operations are just as likely. This malicious activity focuses on the Operational Technology (OT), such as power management and steering, and if successful can lead to financial, reputational and legal implications and, most important of all, a risk to life and the environment.
The superyacht industry is undoubtedly home to world-leading innovation and design. Unfortunately, the security of all of these systems has been drastically overlooked for many years. Cyber events occur regularly in our industry, affecting owners, crew and suppliers alike, because the basics of cybersecurity are often absent or ignored in favour of high-performance internet and remote connectivity for instant shore-side support.
Many stories about these cyber incidents float around the industry. Due to the private nature of the industry, most cyber events go unreported, whereas in the financial sector, for example, companies are obligated to report the details to create awareness, help others avoid the same fate and ensure the right lessons are learned.
More money will always be spent on cybersecurity if you take the reactive approach and wait for an incident; investing proactively now significantly reduces the risk.
The proactive security measures that should have been standard practice over the past decade are largely absent, and this has left OT systems in particular vulnerable to attack. These systems control the physical world in real time, which highlights the risk to life and the environment if an OT system were to be compromised.
There is an emphasis, led by the maritime regulatory authorities, on improving cyber safety when it comes to Operational Technology (OT). Attacks on SCADA systems have been demonstrated, and attacks of this nature are on the rise. It is therefore essential to catalogue these systems and their interconnectivity with IT systems, identify the risks, and then implement measures to lower or mitigate the threat posed by the current configuration.
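The catalogue-then-assess step above is easier to picture with a concrete artefact. The following is an added example, not code from Riela Cyber or from any yacht: a minimal IT/OT asset catalogue with declared network links, a reachability check that reports every OT asset that has a path from an untrusted zone (internet edge or guest network), and a re-run after one link is removed to show how a segmentation change lowers the exposure. Asset names, zone names and links are constructed for illustration.

```python
"""Added example (not Riela Cyber's code): catalogue IT/OT assets and their
interconnections, then report which OT assets are reachable from an
untrusted zone. Names and links below are constructed, not real systems."""
from collections import deque

# Constructed asset catalogue for a hypothetical yacht. "kind" is IT or OT,
# "zone" is the network segment the asset sits in (assumed names).
ASSETS = {
    "guest-wifi":     {"kind": "IT", "zone": "guest"},
    "crew-laptop":    {"kind": "IT", "zone": "crew"},
    "vsat-router":    {"kind": "IT", "zone": "internet-edge"},
    "bridge-pc":      {"kind": "IT", "zone": "bridge"},
    "ecdis":          {"kind": "OT", "zone": "bridge"},
    "pms-controller": {"kind": "OT", "zone": "engine"},   # power management
    "steering-plc":   {"kind": "OT", "zone": "engine"},
}

# Declared links, directed: traffic is permitted from the first asset to
# the second. Constructed to include one IT-to-OT bridge worth flagging.
LINKS = [
    ("vsat-router", "guest-wifi"),
    ("vsat-router", "crew-laptop"),
    ("crew-laptop", "bridge-pc"),        # remote-support path
    ("bridge-pc", "ecdis"),              # chart updates over the LAN
    ("bridge-pc", "pms-controller"),     # vendor monitoring dashboard
    ("steering-plc", "pms-controller"),  # OT-only link
]

# Zones treated as untrusted for the purpose of the assessment (assumption).
UNTRUSTED_ZONES = {"internet-edge", "guest"}


def build_adjacency(links):
    """Turn the link list into a source -> [destinations] map."""
    adj = {}
    for src, dst in links:
        adj.setdefault(src, []).append(dst)
    return adj


def paths_from_untrusted(assets, links, untrusted=UNTRUSTED_ZONES):
    """Breadth-first search from every asset in an untrusted zone.

    Returns {ot_asset: path} for each OT asset that can be reached, where
    path is the first (shortest) route found from an untrusted asset.
    """
    adj = build_adjacency(links)
    sources = [name for name, meta in assets.items() if meta["zone"] in untrusted]
    found = {}
    for start in sources:
        seen = {start}
        queue = deque([[start]])
        while queue:
            path = queue.popleft()
            node = path[-1]
            if assets[node]["kind"] == "OT" and node not in found:
                found[node] = path
            for nxt in adj.get(node, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return found


def remove_link(links, link):
    """Model a segmentation change: drop one declared link and return the rest."""
    return [l for l in links if l != link]


def risk_report(assets, links):
    """One line per OT asset, ranked HIGH if a path from an untrusted zone exists."""
    found = paths_from_untrusted(assets, links)
    lines = []
    for name, meta in assets.items():
        if meta["kind"] != "OT":
            continue
        if name in found:
            route = " -> ".join(found[name])
            lines.append(f"HIGH  {name}: reachable from untrusted zone via {route}")
        else:
            lines.append(f"LOW   {name}: no declared path from an untrusted zone")
    return lines


if __name__ == "__main__":
    for line in risk_report(ASSETS, LINKS):
        print(line)
    print("\nAfter removing the bridge-pc -> pms-controller link:")
    for line in risk_report(ASSETS, remove_link(LINKS, ("bridge-pc", "pms-controller"))):
        print(line)
```

In the constructed data, both the ECDIS and the power-management controller are reachable from the VSAT router through the crew laptop and bridge PC, while the steering PLC is not; removing the single bridge-pc to pms-controller link takes the controller off the HIGH list. A real assessment would populate the catalogue from switch configurations, firewall rules and an on-site walk-through rather than a hand-written list, but the output, an OT asset register ranked by exposure, is what the prioritisation step below needs.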
Three essential steps to lowering cyber risks
The first step is easy; it is imperative to acknowledge that there are cyber risks.
The next step is to verify their existence. Cyber risk assessments are the most pragmatic solution. The most appropriate risk assessments that can be conducted by Superyachts are:
- Self-assessment using the yacht's existing risk assessment method
- A remote risk assessment (likely to not include OT systems)
- In-depth and in-breadth risk assessment with an on-site visit (to assess IT and OT as well as policies and procedures)
When reviewing the results of the assessment(s), risks associated with crew safety and OT require prioritisation before deciding whether the risks related to IT are worth the time and money to address.
Trust but verify
For the same reasons you use CSPs, crew agents and maritime safety experts, it is recommended to engage cybersecurity experts to provide an objective report. It may be tempting to use the technical crew onboard (e.g. the ETO) or the current AV/IT provider; however, they have a vested interest in the performance of the systems. The most accurate results come from cyber experts who can remain impartial and focus purely on the security aspects of all systems.
The third and final step to lower cyber risks is to commission cybersecurity awareness training for the crew. Your crew are the first line of defence, and if they are subject to a cyber event, is it the crew's fault if sufficient training hasn't been made available? Phishing scams and online threats are continually evolving and becoming more targeted and efficient through the use of social engineering. Strengthen your crew's cyber defences by providing access to cybersecurity awareness training that delivers regular learning. Frequent tests and phishing simulations verify that the training has been absorbed and that the cyber risk the crew represent has been lowered.
Cyber compliance for those that need to comply
In 2017 the Maritime Safety Committee adopted Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems. The resolution encourages administrations to ensure that, from next year, cyber risks are appropriately addressed in existing Safety Management Systems (as defined in the ISM Code). Commercially registered yachts larger than 500GT are required to comply. Does this mean a yacht that does not have to comply with the ISM Code is less at risk of cyber events?
Superyachts of all sizes have a track record of neglecting their cyber risks. The priority has been placed on the latest tech upgrades during refits or the best-performing internet services during the season. The critical issue is that all this connectivity undergoes very little to no scrutiny; whether you need to comply or not, it is imperative to verify that the systems are safe and secure.
The sooner you delegate the action of reviewing the cyber risks and addressing the most likely threats, the better.
Why entrust Riela Cyber?
Riela Cyber is a highly skilled team of cybersecurity engineers capable of completing a range of cyber risk assessments compliant with the Maritime Cyber Risk Management guidelines, to suit each yacht's cyber needs and budget. Our sister company, Riela Yachts, is a superyacht compliance expert and ensures our cyber policies, procedures and risk management plans conform with the ISM and ISPS Codes (where applicable). Our partnership with CybSafe also gives our clients access to the leading cybersecurity awareness training platform, which focuses on behaviour change and improving the cyber risk profile of users. Delivering practical training and testing via CybSafe allows Riela Cyber to concentrate on its core expertise: conducting risk assessments and proactive cyber risk management through cyber protection facilities, monitoring services and hosting solutions.
Our holistic service offering ensures one of your most valuable assets is in safe and secure hands.