It’s no secret that vessels and shore-side ISM managers are encouraged to include cyber risks, measures and controls within their Safety Management Systems (SMS) by the beginning of 2021.
What has yet to receive the spotlight is the recognition that service providers and all other maritime industry stakeholders should also be accounting for, and safeguarding against emerging cyber threats and vulnerabilities.
With the efforts of all stakeholders, the maritime industry can better defend against cyber risks, faster – this includes all suppliers.
Cyber events are on the rise, and this transcends across almost every industry, globally. Maritime, superyachts and their suppliers are no exception. The priority must be to limit these types of events and their impacts on the safety of superyachts and the companies who are responsible for the safety of crew and vessel operations.
It’s also essential that suppliers adequately assess and strengthen their cyber defences to protect themselves against reputational damage or financial loss that can arise from a cyber event or attack. A negative impact on a supplier can consequently harm the superyachts they serve.
Matthew Roberts, a superyacht cybersecurity professional has written this article to provide assistance. If you would like to receive his new articles directly to your inbox as soon as they are published, please subscribe here.
How could suppliers be the most significant cyber threat to superyachts?
1) Information
Whether shared via email or over a drink at a local bar, information that gets into the wrong hands can lead to unfavourable outcomes.
In particular, this could include sensitive documents and ID’s shared via email; or words exchanged over a cold beverage about the arrival of guests and their planned itinerary, including locations and timings.
The former is most likely where a phishing attack or sending email over an unencrypted connection could compromise the data (check your outbound email encryption connection with this FREE tool). The compromise of information over a drinking session in Le Blue Lady or at the Monaco Yacht Show may seem significantly less likely, but it is still a possibility. Does the unlikelihood permit you to discuss this information publicly?
2. Digital systems and connected devices
Suppliers that provide Superyachts with technology (IT and OT included) need to focus on these critical areas:
Configuration of systems, networks and devices – can range from ensuring the firewall has web filtering enabled to assuring IT and OT systems are ‘air-gapped’.
To focus on the subject of segregation. The creation of VLAN’s onboard has provided Owners and guests with a private network. It has also resulted in a ‘crew network’ that is accessible by the crew to complete their work. It’s worth drawing attention to the fact that many are also permitted to connect their personal mobiles and laptops to the same ‘crew network’. Personal devices can pose a threat if they have access to network locations they otherwise shouldn’t.
As a result of the pandemic, the working from home revolution has highlighted cybersecurity concerns around company data that is accessed on the same network as the rest of the family who may have devices that are or can be compromised. Hackers can jump from one device to another if a device is jeopardised. The solution to the problem is segregation. By setting up separate ‘personal’ and ‘work’ networks on the home broadband router, it provides enhanced protection to company assets and data.
(Suppliers can employ this tactic for employees who may still be working from home).
The same principles should therefore apply to yacht crew. There should be a VLAN for ‘crew-work’ and ‘crew-personal’. The ‘crew-work’ network provides access to servers, the SMS and maintenance systems needed to complete their working tasks. Devices allowed onto the network can include those owned by the yacht and identified via their MAC address. The ‘crew-personal’ network should only provide the crew’s personal devices access to the internet for their welfare needs. Doing so ensures a compromised device in their possession is separate to business-critical systems onboard. Isolating these potential cyber risks alleviates the potential threat to safety.
Software updates – is a task we are all accustomed to performing when they are available or taking the pain out altogether and enabling automatic updates.
Regular and timely updates increase the security level of hardware and software.
Just like your iPhone or Android will schedule an operating system update for when you’re sleeping, crew and their suppliers need to establish policies that dictate software updates are performed during similar periods of quiet. Regardless of whether it’s an IT or OT system, ensuring updates are not performed whilst the vessel is underway will limit the potential impact an update could have on other devices or systems that can put crew or the vessel in harm’s way.
Remote Access Management – is a common threat vector to Superyachts that suppliers pose. Often suppliers hold the keys to an open-door to systems onboard (provided they have internet). Although this provides an operational benefit to allow the supplier the ability to offer immediate remote support to the crew, it is still classed as a cyber risk to the yacht.
Fables in the industry around cybersecurity include hackers sitting on the dockside to hack a Superyacht. Why would they bother with the plane ticket? Hackers are just as conscious about their bottom line as you are, so why would they go to this extent or expense? It’s far easier for hackers to target a supplier who has remote access or ‘open-doors’ to a vessel or a fleet of hundreds of vessels to maximise their success. This is a huge risk many vessels currently have. It will take both the vessels and their suppliers to work together to establish procedures that provide the same high level of remote support whilst limiting the cyber risk constant remote access presents.
According to CyberArk’s Q3 Study on Third Party Vendors 72% of organisations rank risk from third party access as one of their Top 10 security risks.
3. Continued Support
Cybersecurity events can have impacts on businesses similar to a natural disaster. You know they can happen, but knowing when and how is hard to predict.
Even cyber-attacks on well established, corporate businesses can leave them inoperable. I’m sure there are many yachtie’s that endured pain when their Garmin fēnix or Forerunner was unable to sync with Connect when Garmin suffered a recent ransomware attack.
Another prime example is the fallout from Travelex’s cyberattack, which occurred in late December 2019. The company has recently entered administration citing the cyberattack as a critical factor. No doubt other determinants will have played their part, and this was perhaps the proverbial ‘straw’ on the camels back.
How does this apply to suppliers within the yachting industry? The coronavirus pandemic has led many businesses into unchartered waters. Many are struggling to cope as a result of reduced revenues or the cancellation/delay of projects, and now more than ever is the worst time to be subject to a cyber event. Whether an attack was to compromise systems that halted operations or managed to direct funds away from business accounts, it could be the downfall of several businesses Superyachts rely on to operate.
Are suppliers the most significant cyber threat to superyachts?
Without trying to deflect the answer to my question, the reality is it will very much depend on the setup and operation of each yacht.
However, based on my knowledge, the statistics and reports from other industries, and the varied number of impacts suppliers can have. I have confidence in stating that suppliers will feature in the Top 10 (or perhaps to be even bolder the Top 3) security risks for the majority of Superyachts.
Where can suppliers start with cybersecurity?
Next week I will publish a follow-up article summarising where suppliers can prioritise their cyber efforts with advice and guidance.
