Is your yacht’s cyber security plan up to date? If you are the master or owner of a commercially registered (charter) yacht of 500 GT or more in or visiting a US Port, the United States Coast Guard (USCG) may want to see it. The USCG announced recently that it will start enforcing the universal requirement for a cyber security plan from January 1, 2021 for all commercial yachts and ships over 500GT visiting US ports, regardless of flag.
Although the International Maritime Organization (IMO), a division of the United Nations charged with global maritime regulations, enacted the requirement that a formal cyber security plan be included in a yacht’s International Safety Management (ISM) Code in July 2017 effective from January 1, 2021, enforcement responsibilities were a bit cloudy, being left to Flag States. The USCG’s recent announcement makes the United States the first to announce it will get serious about cyber security within its waters.
The IMO Resolution, MSC428(98), calls for documents and training regarding cyber security protection to be in place “no later than” the date of the first annual Document of Compliance (DOC) check after the beginning of 2021, wording that gave some in the industry the belief that enforcement would be slowly implemented. However, the USCG has said it, and a designated Captain of the Port, have the authority to “spot check” vessels and will begin to screen for cyber security protocols from January 1, 2021.
What does this mean in practice?
While this sounds alarming, in reality enforcement will only apply to yachts with a renewed DOC that are found to have an inadequate or no cyber security plan. Yachts with DOCs that expire later in the year are likely to be issued with a warning, according to Infosec Partners security director Mark Oakton. “For those yachts, we expect enforcement to say ‘make sure you have got the cyber security plan in place by the DOC expiry date’.”
Despite this, Oakton expects some yachts with inadequate plans to be made into “scapegoats”. “[The IMO] don’t want to get to the end of this year and for everyone to be saying there’s been no enforcement, let’s do the bare minimum and use it as a box ticking exercise.”
He also predicts that the majority of cyber security plans will fail to meet the IMO’s requirements. “I’m expecting most plans to be inadequate,” he explains. He defines an inadequate plan as one that will touch only on “basic” breaches, such as crew training, passwords and viruses. The majority of plans won’t account for “things that could be catastrophic”, such as the remote compromise of navigation systems. “That’s what the IMO want yachts to assess the risk of and I’m expecting most plans to ignore those big risks,” Oakton adds.
Chief executive of security firm Priavo, Peter Murphy, agrees that the yachting industry is unprepared for the new regulations. “We’re speaking to some management companies that are being quite proactive but there are still a lot of people who simply don’t know about this,” he says. Co-founder of CSS Platinum, Mike Wills, adds that the industry is “woefully prepared” and is keen to spell out the “severe ramifications” if a yacht is found without a sufficient cyber security plan. “They might not be able to carry out their commercial function and may incur reputational damage because clients can’t come on board due to the yacht not having a valid DOC”. The US Coast Guard will even have the power to detain US flagged vessels with inadequate cyber security plans.
Proof and Penalties
A yacht’s captain may be asked questions about the yacht’s cyber security risk management and will need to show evidence that IMO 2021 regulations are being followed as part of the yacht’s safety plan. They may question if there have been any unusual behaviours of bridge systems or communications and if so, what the crew did about it. If crew cannot produce a written plan as part of their ISM, the USCG can enforce penalties up to detainment of the yacht for non-compliance. Among the lesser penalties are not being able to return to that port until the deficiency is addressed and compliance assured or requiring that the problem be resolved before the vessel departs.
If it seems like the USCG is serious about cybersecurity, it is. In fact, it created its own cyber security strategy in 2015 in advance of the IMO requirement based on increasing issues with what INTERPOL calls the fastest growing area of crime. While much of the USCG effort is directed at keeping commercial shipping and ports operating smoothly, as part of the federal Department of Homeland security, the USCG also needs to make sure vessels don’t bring harm to the ports they visit through compromised informational technology or operational technology.
\What’s involved in a cyber risk management?
According to the IMO the steps in a management plan are as follows:
1 Identify: Define roles and responsibilities for crew and shoreside personnel regarding cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to operations.
2 Protect: Implement risk control processes for human and technological threats, and contingency planning to protect against a cyber event and ensure continuity of vessel operations.
3 Detect: Develop and implement activities necessary to detect a cyber event in a timely manner.
4 Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for operations or services impaired due to a cyber-event. These can be propulsion or navigation operations, onboard systems that rely on networked equipment systems or AV entertainment and coms.
5 Recover: Identify measures to back-up and restore systems necessary for shipping operations impacted by a cyber-event.
Who can help?
This is a time consuming and complex protocol and many yacht security firms are offering assessment and compliance packages that support a yacht’s existing security plan.
Oakton’s initial advice is for owners and captains to read the IMO’s resolution. “Choose who’s going to be responsible and who you’re going to trust to handle it,” Oakton says. Wills meanwhile recommends captains and owners approach “a reputable company to carry out an audit”.
This audit should be conducted against an international standard framework recognised as best practice, he adds. Like Infosec and Priavo, CSS Platinum is one of many security firms capable of drawing up such a report. “Our audit gives the yacht’s defences a red, amber or green status,” Wills adds. Consequently, the report indicates the problems that need to be fixed immediately, accompanied by secondary or “orange” recommendations and lastly the defences that are performing as they should. Speaking about Infosec’s own approach, Oakton explains: “We can just start working on the documentation very quickly and it doesn’t have to affect the operation of the boat.”