Corey, Peter and Mike to the rescue!
With all the talk about the new IMO2021 Cyber Security regulations for yachts, we gathered the industry experts together to grill them on what this means for us, to understand how it will be enforced and what the authorities are looking for.
What needs to be in a cyber risk management plan to be compliant and obtain the correct certificate?
All shall be revealed!
John Wyborn, our Director of Training, welcomes:
Corey Ranslem: CEO of International Maritime Security Associates, an expert witness in cyber security cases and formerly from the US Coast Guard.
Michael Hawthorne: founder of Cobweb Security and former UK Defence Cyber Operations Chief.
Peter Aylott: Director of Policy at the UK Chamber of Shipping and a former Royal Navy Commanding Officer.
It’s an impressive line-up, and they joined Bluewater at our Cyber Security webinar to answer your questions.
Q: What tonnage will this new regulation be applied to?
COREY: Commercial vessels above 500GT need to comply and should look at specific flag state guidance on how to apply the regulation. Ask yourself: are there specific nuances within my flag state that I need to follow? Most flag states are following the IMO regulations very closely, so what do you need to do from the flag perspective? Look at your existing vulnerabilities as well, see where they are from low to critical and then put a plan together to assess those vulnerabilities.
One of the most important parts is the crew training and it comes up in a lot of panel discussions. You must keep the crew updated and well trained, so they understand the vulnerabilities.
Yachts must demonstrate they are following these rules by having their cyber security plan incorporated in their ISM. This needs to be in place by the date of the first compliance inspection to demonstrate you have a cyber security plan as part of your overall ISM plan. The flag state will look at this and if they agree they will issue your certificate of compliance. So, you have until your ISM audit to have your certificate in place. Once you have this, it is what the law enforcement agencies and port state controls will be looking for.
However, even if you don’t need to be compliant, remember that hackers don’t care what your tonnage is; they’re just looking for an open door to go through and get the most gain as quickly as possible.
Q: What do the experts consider might be the top 2 risks that will apply to the majority of yachts?
COREY: A common concern we’re seeing is vessels using default passwords for their systems, so change all your default passwords. Secondly, systems onboard are not updated with the latest security updates, leaving their firewalls vulnerable. Thirdly, ask: does this OT system need to be connected to the vessel’s network? Is there a purpose for why this OT system is connected to the outside, or is there a way for us to just pull data from the system and not have it connected to the network, leaving it exposed?
MIKE: We see a lot of crew not using multi-factor authentication for their credentials, including social media and emails, which will provide a good layer of protection for you. There is also the insider threat: in the maritime industry there is a high turnover of staff, which can cause trouble. A disgruntled crew member could leave behind software which shouldn’t be there when departing, so keep this in mind and have a procedure in place.
PETER: There are many different types of risks, but what we’ve seen in the large shipping industry is people being responsible for allowing a virus through. There was one incident with an incredibly sophisticated pipe-layer with 300 people onboard in Europe, which suffered a cyber attack because a crew member put a memory stick into one of the operating systems, which generated a virus. Luckily, they had a full contingency plan in place to ensure they could keep running.
JOHN: The captain of the White Rose of Drachs, Andrew Scofield, invited a team onboard the yacht from the University of Texas at Austin. They were investigating how easy it could be to spoof the GPS signal. In fact, they were able to transmit a fake signal which caused the ship to reverse course 180 degrees before the selected (and unsuspecting) watchkeeper noticed.
Q: What actually needs to be in a cyber risk management plan?
MIKE: Port state control doesn’t have a checklist. We’ve been given a rough guideline from the IMO which talks about how to identify, protect, respond and recover; those are the main principles we need to apply. Going through the ISM code itself will help clarify what you need to be looking at, but also look at what data you need to protect.
Q: Very few yachts have been subject to a cyber attack, why should we bother?
COREY: It is a very real threat; it has been going on for a while, it has just taken a long time for the regulation to come to fruition. Attacks against the maritime industry in general have gone up over 900% in the last few years, affecting the large yacht industry as well as shore-based companies. Two or three years ago I had a case where the crew didn’t know the login to access their routers, so we looked up the default credentials and were able to access their system. You must change your passwords!
Q: What, in your view, are practical changes on board, if any?
MIKE: We should be using compliance to check behaviour. If you are connected to the internet then there is every chance you can have a cyber attack. Understand what assets and data you’ve got, which routers, which devices, how they are connected, whether you have any remote monitoring, anything connected to the internet.
When you have understood this list, look at what vulnerabilities you could have. Ensure your system is patched and up to date, as the easiest way for an attack to get in is through an unpatched system. If your staff and crew don’t understand cyber security, they may be allowing viruses in. Ensure they’re properly trained. Look at your processes and note down auditable documented processes for how you manage your systems, so if you do have an incident you can review these and see where the shortfall was. Don’t just comply with the minimal needs, make sure you really consider the potential hazards you have onboard.
Q: If you did have a port state control inspection, will they know what they’re talking about and have they been trained in this area?
COREY: The ports are trying to get up to speed on this. The USCG published a report detailing what they want their port control inspectors to do, but these people aren’t cyber security experts, so they’re also being trained on how to assess a vessel’s networks and ensure they’re in compliance. But how do they know there are no vulnerabilities before a vessel comes into port?
At IMSA we have developed a device for port state control to use to go onboard and do an assessment of a vessel’s vulnerabilities, so we’re monitoring those results at the moment. They’re also looking for simple things like usernames and passwords taped to your servers and machines: are there noticeable signs of vulnerabilities, and do they have the certificate from your flag state? Right now, these are the preliminary checks being undertaken.
Q: How can you determine that the 3rd-party risk assessment carried out professionally is actually effective? What should we look for when choosing someone to carry out the check on our vessel?
MIKE: Look at which professional bodies they belong to, as there are well established bodies they should be a part of who assess them. Secondly, look at the qualifications of the individuals, as there are some well recognised cyber qualifications and specialised certificates they should have. Also ask what other work they have done, and whether they can share recommendations.
COREY: Try to avoid land-based organisations who don’t usually work in the maritime environment as they don’t necessarily have a good understanding of the shipboard set up and IT systems onboard a vessel, which can differ a lot from shore side. Check their certifications.
Q: Flag states feel better if a professional, competent company has addressed cyber security, as opposed to trying to do it in-house. Do you all agree?
MIKE: If you understand cyber security you can do it yourself, but the best approach is to write it and come up with the plan, and then have an independent come in and assure that what you have put together is fit for purpose.
COREY: On a recent panel with a representative from one of the major flag states, they said one of the things they’re really looking at is if there was an outside assessment done by a competent company.
Q: Do you need to outsource a cyber risk assessment every year before an audit?
MIKE: Depending on how often you update your processes, training and technology you use, an annual process and review is needed, but you must also remain aware of what’s going on around you, how have hackers evolved? If you’re going to an area of the world where there are more threats, review your vulnerabilities. When you change your infrastructure, you need to review your risk assessment plan and ensure it remains secure.
Q: What future penalties could be imposed upon vessels that are required to adhere to IMO, and do not?
COREY: It depends on the flag state and port state control. You could be refused entry into that region if you can’t show that you are compliant with IMO2021 and don’t have your certificate, or there could be a fine. If the flag doesn’t feel you’re compliant they could withhold your certificate which may cause problems when accessing some ports.
Q: What is the future of training for crew in cyber security?
PETER: Cyber security courses aren’t currently mandatory, but the STCW is being reviewed for an update in a few years and maybe it will be included. For the time being there isn’t a requirement, but training should be encouraged: make the crew aware of how to keep the yacht secure, and understand passwords and PINs. There are training courses out there depending on your crew’s needs.
COREY: At IMSA we look at the basic training you should go through to understand cyber security threats, but each vessel is different; once we do a vulnerability assessment for a yacht, we suggest specific training for their setup, looking at the firewalls, critical systems, and guest access.
JOHN: We’re currently creating a training standard following a meeting for AV / IT / ETO officers, and it was discussed what career pathway is needed at basic and more advanced levels. There does seem to be a demand and a need for this.
Q: For those yachts that hold personal data on EU citizens on their IT systems, how do we demonstrate compliance with GDPR?
MIKE: GDPR is a law without a descriptive checklist on how to comply, but you need to understand what data you keep on your crew, owner and guests who come onboard, where you store this data and how long you keep it for. Ensure it isn’t accessible by people who don’t need to see it. If you do have a breach, can you show the ICO that you did everything possible to protect this information, that you knew where the data was, and that you had it well safeguarded with restricted access?
To summarise
PETER: Have a chat with your flag state who will be able to help, and organisations like the UK Chamber of Shipping can help with guidance and best practices to adhere to.
COREY: Do things to be compliant but also to protect your vessel. I’ve reviewed every cyber security guide out there and the best one I have come across was written for shipping, but you’ll find it very useful for large yachts. It’s the guide published by BIMCO; it starts at the basics and goes through the advanced issues, and I highly recommend it as an excellent resource.
MIKE: Cyber security is not just for the IT departments to worry about, it’s for every single crew member onboard, who need to take responsibility and be aware of the threats.