What can the superyacht industry do to protect against cyber attacks?

Peter Sponer, Cyber Security Sales Manager for North Europe, discusses the cyber security risks facing superyachts today and how the industry can best mitigate these risks.

In recent years, the maritime industry has seen a significant evolution in the types of cyber threats it faces, with increasingly more targeted attacks, as opposed to ‘accidental’ attacks, and this inevitably means more risk for superyachts.

“The most well-known maritime cyber attack is probably the Maersk attack in 2017 as a result of the NotPetya malware, which was actually never meant to target the company or the industry,” explains Sponer. “However, we are seeing a rise of malware created specifically to target the maritime industry, for example incidents of attackers sending phishing emails with what appears to be an ECDIS update.”

With the high profile of many superyacht owners, this makes the industry more appealing from an attacker’s point of view. The other factor that makes superyachts particularly susceptible to cyber attacks is the complexity of the IT and OT systems onboard in comparison to other vessels.

“Superyachts have various systems onboard, such as entertainment systems, that are connected to the network of the vessel and also the Internet,” adds Sponer. “If security controls are not properly implemented, this can create vulnerabilities and opportunities for an attacker to gain access not only to these systems, but potentially other critical systems onboard. An attack of this kind could not only result in a loss of data but, in a worst-case scenario, it could affect navigation or communication systems and compromise the safety of the vessel.”

LR sees many superyachts making this already-precarious situation worse. Often, there is no clear division of roles and responsibilities when it comes to cyber security onboard and yachts usually lack the proper documentation required. As Sponer advises, it is important to have network diagrams and lists of the IT and OT equipment onboard in order to conduct cyber-security risk assessments.

“When it comes to cyber security, you need to know what there is to protect,” he continues. “If you don’t know what your critical assets are, it is very hard to define any kind of cyber security strategy. Secondly, network diagrams are important for implementing any changes to the architecture of the networks or systems onboard so that you can properly implement technical controls. This is especially relevant when the yacht changes hands.”

Sponer notes that many superyachts also lack sufficient cyber security awareness training for the crewmembers, which would help the crew to incorporate best practices when operating the equipment. Many yachts often focus on implementing technical security controls, but disregard other aspects of cyber security, such as having the right policies and procedures in place for example on third party access to systems, use of personal devices onboard, or how to respond to an incident. “Most breaches happen because of people rather than problems with technology,” cautions Sponer.

Recent regulations and guidelines relating to maritime cyber risk management, including from the IMO, US Coast Guard and IACS, as well as specific flag state requirements, have forced many superyacht owners and captains to consider cyber security onboard for the first time. While this is a positive step for the industry, Sponer believes that there is much more to be done.

“It is good that the industry now has a requirement to embrace some basic cyber security principles, however, yacht owners should never look at cyber security from a regulatory point of view,” advises Sponer. “Attackers can target any yacht, no matter its size. And the yacht doesn’t even have to be a target – a crewmember could connect their own device to the crew network, download malware and, if the network is not properly segregated, it could infect other systems onboard, even critical systems.”

Sponer recommends that owners and operators should always look at cyber security from a prevention point of view, rather than implementing the minimum measures dictated by the requirements. “While 100 per cent security doesn’t exist, you should always look at the vessel’s cyber security posture and ensure it has an up-to-date strategy,” he adds. “And that strategy needs to be continuously readjusted based on the evolution of the threats and the sophistication on the part of the attackers.”

This risk mitigation is a journey that LR can guide superyacht owners and operators through, as it does with all other risks present in the maritime industry. As well as helping superyachts to comply with regulatory cyber risk management requirements, the classification society can create cyber-security strategies for each vessel.

Sponer particularly recommends that superyachts utilise LR’s penetration test, which identifies any vulnerabilities in the existing infrastructure that could potentially be exploited. “This is not only to understand where an attacker can gain access to the to the vessel, but whether the networks onboard have been properly segregated,” he says. “Many yachts tell us that they have segregated networks onboard, but when we conduct the penetration test, we often find out that it is not the case. And if the network is not properly segregated, malware could potentially transfer to other parts of the network and impact the critical systems.”

And in the unfortunate event of a cyber attack onboard, LR also provides an incident response service to investigate how the breach has happened, help recover any lost data and make sure that the systems impacted are operational, as well as recommending measures to ensure the same thing doesn’t happen again.

LR can also work with the owners and operators on assigning a Descriptive Note on cyber security to a vessel, either a new built or an in-class yacht. Similarly, LR can work with component makers on delivering Factual Statements as the outcome of a component-specific assessment.

As a classification society, LR is well versed in protecting the safety of vessels and managing physical risks. While cyber security is a relatively new and near invisible risk, it is as serious a threat as any other. As such, LR enables its clients to fully understand the potential consequences of a cyber attack onboard, and what needs to be done to prevent one.

Source: Lloyds Register