Secure@Sea: by Corey Ranslem
Cyber security is a hot topic. It’s become one of the most dominant and expanding threats to the maritime industry, and it’s increasing at rapid rates. A day doesn’t go by that there isn’t some news about a government or commercial entity being attacked and losing millions of data points, including critical client and personal information. The financial and health care industries have been dealing with cyber threats for years and are ahead of the maritime industry when it comes to protective measures. However, they aren’t that far ahead.
The protection of a large yacht from a cyber threat is operationally more difficult than a land-based facility or organization. OT (operational technology) and IT (integrated technology) on board large yachts continues to expand as new software is developed and launched with the goal of reducing onboard workloads. These technologies are playing a bigger role in a yacht’s day-to-day operations. OT is defined as a system we use in our normal day-to-day operations – such as navigation equipment, radar, GPS, etc. – and IT is the system that integrates those devices and eventually connects them to the internet.
Most large yachts fall outside the requirements of the ISPS (International Ship and Port Facility Security) Code because of size and operations, so they don’t have formalized security plans. The IMO, or International Maritime Organization, is the larger governing body when it comes to maritime-related issues, including the ISPS Codes and maritime security. The IMO has pushed forward some regulations when it comes to maritime cyber security, but it isn’t planning on making major changes to the ISPS Codes or other regulations. So cyber security remains the responsibility of the vessel owner, operator and crew.
BIMCO (Baltic and International Maritime Council) has put together and updated a guide titled “Cyber Security Onboard Ships”. This is a free guide and not a difficult read. BIMCO primarily deals with cargo vessels, but many of the practices they mention in this guide are pertinent to large yachts and don’t take a computer science degree to put into practice. It’s a great foundation to help captains, crew and shore-side personnel set up the basics of a cyber security plan.
The guide concentrates on three main areas: safety management systems, OT risks, and supply chain dangers. Supply chain dangers don’t potentially apply to large yachts, but there is some good information in that section regardless.
As with any plan you develop, it is a good idea to understand the potential threats. When it comes to devising a cyber plan, you also should understand how your internal network and external connections are set up. If you have an IT company working with your boat, you should ask them about some of the items discussed in the BIMCO report.
Here are some key areas BIMCO suggests looking at when setting up your cyber security plan:
- Cyber security should fit into your physical security plan– who has access to the physical equipment and how that access is controlled and secured.
- If you have multiple users within your onboard networks, you should consider segmenting the networks to prevent issues (different networks for guest, crew and operations).
- What type of physical and cyber intrusion detection do you have in place to detect issues within your network?
- Consider periodic scanning and testing for vulnerabilities.
- Look at using “whitelisted” software.
- Access and user controls – that is, who has access to different parts of the network?
Make sure you have a training program in place for crew to teach them about cyber risk. You can put any type of protection measures in place, but without good crew training and vigilance all of that work could be for nothing.
Corey Ranslem, CEO at International Maritime Security Associates (www.imsa.global), has more than 24 years of combined Coast Guard and maritime industry experience. Comments are welcome below.