In recent years the shipping industry has evolved significantly in terms of the types of cyber threats it faces, with increasingly targeted attacks as opposed to “accidental” attacks, which inevitably means higher risk for superyachts. In the second part of a series of interviews with experts from Lloyd’s Register, Peter Sponer, Cyber Security Sales Director for Northern Europe, discusses the cybersecurity risks that superyachts are facing today and how the industry can best mitigate them.
“The best-known maritime cyber attack is probably the Maersk attack in 2017 by the NotPetya malware, which should never actually target the company or the industry,” explains Sponer. “However, we are seeing an increase in malware specifically designed for the maritime industry. For example incidents of attackers who send phishing e-mails with what appears to be an ECDIS update. “
The high level of awareness of many superyacht owners makes the industry more attractive from an attacker’s point of view. Another factor that makes superyachts particularly vulnerable to cyber attacks is the complexity of the IT and OT systems on board compared to other ships.
“Superyachts have various systems on board, such as entertainment systems that are connected to the ship’s network and also to the Internet,” adds Sponer. “If security controls are not properly implemented, this can create vulnerabilities and opportunities for an attacker to access not only these systems, but possibly other critical systems on board as well. Such an attack could not only lead to data loss, but in the worst case could also affect navigation or communication systems and endanger the safety of the ship. “
Lloyd’s Register sees many superyachts making this already precarious situation even worse. Often there is no clear allocation of roles and responsibilities when it comes to cyber security on board and yachts usually lack the necessary documents. As Sponer advises, it is important to have network diagrams and lists of IT and OT equipment on board in order to conduct cyber security risk assessments.
“If you don’t know your critical assets, it is very difficult to define a cyber security strategy.”
“When it comes to cybersecurity, you need to know what to protect,” he continues. “If you don’t know your critical resources, it is very difficult to define a cyber security strategy. Second, radar diagrams are important for implementing changes to the architecture of the networks or systems on board so that you can properly implement engineering controls. This is particularly relevant when the yacht changes hands. “
Sponer points out that many superyachts also lack adequate cybersecurity awareness training for crew members that would help the crew follow best practices when operating the equipment. Many yachts often focus on implementing technical security controls but neglect other aspects of cybersecurity, such as: B. the correct policies and procedures, e.g. B. Accessing third party systems, using personal devices on board or responding to an incident. “Most security breaches happen because of people rather than technology issues,” warns Sponer.
Recent regulations and guidelines on maritime cyber risk management, including the IMO, the US Coast Guard and the IACS, as well as specific requirements from flag states have forced many superyacht owners and captains to consider cyber security on board for the first time. While this is a positive step for the industry, Sponer believes there is still a lot to be done.
“It’s good that the industry now has to adhere to some basic cybersecurity principles, but yacht owners should never look at cybersecurity from a regulatory perspective,” advises Sponer. “Attackers can attack any yacht, regardless of its size. And the yacht doesn’t even have to be a target – a crew member could connect their own device to the crew network, download malware and, if the network is not properly separated, infect other systems on board, even critical systems. “
Sponer recommends that owners and operators always look at cybersecurity from the perspective of prevention instead of implementing the minimum measures prescribed by the requirements. “While there is no such thing as 100 percent security, you should always look at the ship’s cybersecurity and make sure it has an up-to-date strategy,” he adds. “And this strategy must be constantly adapted to the development of the threats and the sophistication of the attackers.”
In particular, Sponer recommends that superyachts use Lloyd’s Register’s penetration test, which identifies any weak points in the existing infrastructure that could potentially be exploited.
This mitigation is one way that Lloyd’s Register can guide superyacht owners and operators, as it does with all other risks in the shipping industry. The classification society not only helps superyachts meet the regulatory requirements for cyber risk management, but can also create cyber security strategies for every ship.
In particular, Sponer recommends that superyachts use Lloyd’s Register’s penetration test, which identifies any weak points in the existing infrastructure that could potentially be exploited. “This should not only clarify where an attacker can gain access to the ship, but also whether the networks on board have been properly separated,” he says. “A lot of yachts tell us that they have segregated networks on board, but when we do penetration tests we often find that this is not the case. And if the network is not properly separated, malware could potentially spread to other parts of the network and affect the critical systems. “
And in the unfortunate event of an on-board cyber attack, Lloyd’s Register also offers an Incident Response Service to investigate how the breach occurred, to recover lost data and to ensure that the affected systems are operational, and to recommend actions to ensure that the same thing doesn’t happen anymore.
Lloyd’s Register can also work with the owners and operators to assign a cybersecurity description to a ship, either a newly built or in-class yacht. Similarly, Lloyd’s Register can work with component manufacturers to provide facts as a result of a component-specific assessment.
As a classification society, Lloyd’s Register is very familiar with protecting ship safety and dealing with physical risks. While cybersecurity is a relatively new and almost invisible risk, it is just as serious a threat as any other. As such, Lloyd’s Register enables its customers to fully understand the potential consequences of an onboard cyber attack and what needs to be done to prevent it.
Lloyd’s Register EMEA
If you want to read the quality journalism of our editors at SuperyachtNews.com, you will love their amazing and insightful opinions and comments on the Superyacht Report. If you’ve never read it before, click here to request a sample – it’s “A Review Well Read”. If you know how good it is, click here to subscribe – it’s ‘A Report Worth Paying For’.