Cyber security: Guide for yachts
Industry guidelines for cyber security were published in July 2017 by a confederation of commercial shipping organisations including the International Union of Marine Insurance.
Titled ‘The Guidelines on Cyber Security Onboard Ships version 2’, they are intended for commercial shipping but much of the content is very relevant to yachts.
The section on cyber security and safety management is an excellent introduction to the importance of managing the risks posed to cyber security and safety. This includes the role of management in supporting the crew.
A yacht captain should expect to be asked questions relating to cyber risk management as part of an insurance risk management survey. These questions would be based on the following section from the guidelines.
Cyber risk management should:
- identify the roles and responsibilities of users, key personnel, and management both ashore and on board;
- identify the systems, assets, data and capabilities, which if disrupted, could pose risks to the yacht’s operations and safety;
- implement technical measures to protect against a cyber incident and ensure continuity of operations. This may include configuration of networks, access control to networks and systems, communication and boundary defence and the use of protection and detection software;
- implement activities and plans (procedural protection measures) to provide resilience against cyber incidents. This may include training and awareness, software maintenance, remote and local access, access privileges, use of removable media and equipment disposal;
- implement activities to prepare for and respond to cyber incidents.
The most challenging aspect of cyber risk management is assessing the threats that may realistically be faced. Mention cyber attack and most people will think of malicious interruption or corruption of IT systems and sensitive personal data. Although this is an important aspect, it is more realistic that an incident affecting operational technology (OT) will cause greater harm. OT systems use data to control or monitor physical processes. A modern yacht will have a significant amount of OT, from engine management systems to security systems. It has been shown that many OT cyber incidents are accidentally initiated by the actions of personnel.
The guidelines provide a well-structured introduction to OT and IT cyber security and highlight the importance of crew training and practical procedures. The value of a risk assessment approach is well covered, with clear guidance to enable a yacht captain or manager to start the process. It is recommended that these guidelines form the basis of a yacht’s cyber security management plan. The risk assessment process described in the guidelines has the following steps:
1. Identify threats: Understand the external cyber security threats to the ship. Understand the internal cyber security threat posed by inappropriate use and lack of awareness.
2. Identify vulnerabilities: Develop inventories of onboard systems with direct and indirect communication links. Understand the consequences of a cyber security threat on these systems. Understand the capabilities and limitations of existing protection measures.
3. Assess risk exposure: Determine the likelihood of vulnerabilities being exploited by external threats. Determine the likelihood of vulnerabilities being exposed by inappropriate use. Determine the security and safety impact of any individual or combination of vulnerabilities being exploited.
4. Develop protection and detection measures: Reduce the likelihood of vulnerabilities being exploited through protection measures. Reduce the potential impact of a vulnerability being exploited.
5. Establish contingency plans: Develop a response plan to reduce the impact on the safety and security of the ship of threats that are realised.
6. Respond to and recover from cyber incidents: Respond to and recover from cyber security incidents that are realised using the response plan. Assess the effectiveness of the response plan and re-assess threats and vulnerabilities.
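As an added illustration of steps 2 to 4 (example code, not part of the guidelines or of this article), the following Python model takes a constructed inventory of onboard systems, classifies each one's communication path off the vessel as direct, indirect or isolated, and ranks systems by an exposure score built from external likelihood, inappropriate-use likelihood and impact. Every system name, scale and score here is an assumption chosen for the example.

```python
from collections import deque

# Constructed inventory for a hypothetical yacht (not from the guidelines):
#   impact   = safety/security impact if the system is disrupted (1 low .. 5 high)
#   misuse   = likelihood of inappropriate use by personnel (1 low .. 3 high)
#   external = the system has its own communication link off the vessel
#   links    = other onboard systems it exchanges data with
INVENTORY = {
    "satcom_router":  dict(kind="IT", impact=3, misuse=1, external=True,  links=["crew_wifi", "bridge_lan"]),
    "crew_wifi":      dict(kind="IT", impact=2, misuse=3, external=True,  links=["satcom_router"]),
    "bridge_lan":     dict(kind="IT", impact=4, misuse=2, external=False, links=["satcom_router", "engine_mgmt", "cctv_nvr"]),
    "engine_mgmt":    dict(kind="OT", impact=5, misuse=2, external=False, links=["bridge_lan"]),
    "cctv_nvr":       dict(kind="OT", impact=3, misuse=1, external=False, links=["bridge_lan"]),
    "standalone_plc": dict(kind="OT", impact=4, misuse=2, external=False, links=[]),
}

# Assumed likelihood of an external threat reaching a system, by link type.
EXTERNAL_LIKELIHOOD = {"direct": 3, "indirect": 2, "isolated": 1}


def link_exposure(inventory):
    """Classify each system's communication path off the vessel.

    A breadth-first search starting from every externally connected system
    marks everything reachable over onboard links as 'indirect'; anything
    never reached stays 'isolated' (air-gapped, but still open to misuse).
    """
    exposure = {name: "isolated" for name in inventory}
    queue = deque()
    for name, system in inventory.items():
        if system["external"]:
            exposure[name] = "direct"
            queue.append(name)
    while queue:
        current = queue.popleft()
        for neighbour in inventory[current]["links"]:
            if exposure[neighbour] == "isolated":
                exposure[neighbour] = "indirect"
                queue.append(neighbour)
    return exposure


def risk_register(inventory):
    """Score = impact x (external likelihood + inappropriate-use likelihood).

    Returns (name, kind, exposure, score) rows ranked highest first, so
    protection and detection measures can be prioritised (step 4).
    """
    exposure = link_exposure(inventory)
    rows = []
    for name, system in inventory.items():
        likelihood = EXTERNAL_LIKELIHOOD[exposure[name]] + system["misuse"]
        rows.append((name, system["kind"], exposure[name], system["impact"] * likelihood))
    return sorted(rows, key=lambda row: (-row[3], row[0]))


if __name__ == "__main__":
    for name, kind, exposure, score in risk_register(INVENTORY):
        print(f"{name:15} {kind:3} {exposure:9} exposure score {score}")
```

In this constructed inventory the engine management system ranks first even though it has no link of its own off the vessel, because it is reachable indirectly through the bridge LAN and has the highest safety impact.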
For further information on cyber security guidance please visit: