Clarifying CyberSecurity for Yachts

Currently the IMO requires all Yachts over 500 gross tons to have a cybersecurity plan in their ISM, but the guidelines aren’t very clear.  We asked Alex Bayeux, founder of YachtCyberSafe to shed some light on the subject.

Cybersecurity for Yachts and Crews Regulation in 2022
Digital security needs to be addressed and managed, as the IMO has made it mandatory[1]. It starts with an assessment of the yacht's digital perimeter, because the IMO requires a holistic assessment, i.e., one that is not only technology-centred but also covers organisation and human factors.

IMO Requirements
1. Have clear and operational documentation about the yacht's digital perimeter, system access, sensitive applications, emergency situations, and back-ups.
2. An awareness training session for the crew and management-oriented training for captains and first officers are mandatory under the IMO regulation. You do not need IT security training or IT skills.

Guidelines for Captains
If you are starting the season in less than a month, do the essentials: a one-day digital review mission plus awareness training will pay off quickly.
Do you feel far from these basic digital-hygiene practices? Do not panic! The best defence against cybercrime is common sense. Be very careful with phishing and attached files, and never hesitate to call someone you know to confirm bank details before ordering a significant money transfer (fraudulent money transfers are a very profitable activity for cybercriminals).

If you are finishing the season or in the maintenance period, it is time to act. Below is a "holistic" overview to assess and protect your digital security.
YachtCyberSafe

Examples of easy and critical actions to implement onboard:

  1. Technology: Isolate your virtual networks, including Wi-Fi access. If a criminal gains access to one network (like "guests" or "crew"), they cannot reach the sensitive networks (like "audio-video", "CCTV", "work", "owner" …).
  2. Organization: Use a password manager to manage and share passwords onboard (Bitwarden, LastPass, 1Password…). With a password manager, you will never need to reuse the same password. Moreover, you will no longer write passwords down to share access with a crewmate: your password manager allows password sharing and keeps an audit trail of access and changes. For many crews, an experienced consultant is useful to set up the appropriate configuration, security and change practices.
  3. Human: Consider your smartphone the most exposed cyber equipment on the yacht. Indeed, if it is compromised, criminals can read your WhatsApp, listen to discussions in cabins, control your email box, spoof your identity, and get the codes you receive by text… Basic good practice is to install only apps with an excellent reputation and from official stores, and to regularly review the access granted to apps (from the smartphone's settings). If you really like playing, downloading, watching videos, etc., use a second device for leisure. This lets you control your digital life, including who is allowed to access your data.
  4. Procedures: Update your essential procedures. If you are using standardized procedures, check that they really apply to your actual situation: yacht, crewmates, external contractors, and suppliers. It would be unfortunate to implement procedures you do not comply with.
  5. Security: Add digital security to your management practices: brief crewmates and suppliers, and use a simple, appropriate dashboard that also shows the owner that you are protecting their interests.
  6. Training: Train your crew on best practices. Awareness training sessions are available from several providers and offer the crew awareness (2 hr) and management-oriented training for captains and first officers (2-3 hr) required by the IMO. Training centres offer training on site, on board or even remotely, e.g., at La Belle Classe Academy – Yacht Club de Monaco you can join courses online from anywhere and interact as if you were in the classroom.
  7. Awareness: Spend time with your crewmates discussing digital security situations. Sharing experiences and debriefing criminal attempts or incidents are easy, excellent practices for starting a culture of cyber risk awareness at all levels: crew, suppliers, and yacht managers. The next step is to bring in appropriate solutions; that is where you will probably need a specialized consultant.
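As an added example of checking the isolation rule in item 1 (this is not code from the article or from YachtCyberSafe), here is a small Python audit that takes a router rule table and reports any path from the "guests" or "crew" networks into the sensitive networks named above. The rule table, the first-match/default-deny convention and the grouping of networks are constructed assumptions.

```python
# Networks a criminal is most likely to reach first (article: "guests", "crew")
# and the sensitive networks that must never be reachable from them.
EXPOSED = ("guests", "crew")
SENSITIVE = ("audio-video", "cctv", "work", "owner")

# Constructed rule table in the order a router would evaluate it:
# (source network, destination network, action). "any" is a wildcard.
RULES = [
    ("guests", "internet", "allow"),
    ("crew", "internet", "allow"),
    ("crew", "audio-video", "allow"),   # added so crew can cast to cabin TVs: a hole
    ("work", "cctv", "allow"),          # bridge/office PCs may view the cameras
    ("any", "any", "deny"),             # explicit default deny at the end
]


def allowed(rules, src, dst):
    """First matching rule wins; no match at all means deny (assumed convention)."""
    for rule_src, rule_dst, action in rules:
        if rule_src in (src, "any") and rule_dst in (dst, "any"):
            return action == "allow"
    return False


def violations(rules):
    """Every (exposed -> sensitive) path the rule table lets through."""
    return sorted(
        (src, dst)
        for src in EXPOSED
        for dst in SENSITIVE
        if allowed(rules, src, dst)
    )


def wildcard_allows(rules):
    """Allow rules with a wildcard on either side deserve a manual review."""
    return [r for r in rules if r[2] == "allow" and "any" in (r[0], r[1])]


if __name__ == "__main__":
    for src, dst in violations(RULES):
        print(f"ISOLATION BROKEN: {src} can reach {dst}")
    for rule in wildcard_allows(RULES):
        print(f"REVIEW WILDCARD RULE: {rule}")
```

Run it against the exported rule table of the onboard router after every change; the single expected finding on the constructed table is the crew-to-audio-video rule.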

A cybersecurity assessment on a yacht is not like the penetration test IT technicians run on company servers. Experts in cybersecurity for yachts must analyse the whole attack surface of the yacht, and of course the crew and external contractors are part of that attack surface. YachtCyberSafe (based in Monaco and Nice) has developed an approach that fully complies with the IMO's requirements and provides essential, easy-to-implement results: good practices, procedures, awareness, a toolkit for crewmates, and a captain's dashboard.

Most common mistakes to avoid
Be careful: the first common mistake is to focus on the usual computer equipment (navigation, PCs, servers, CCTV ...), but the entry points for criminals are generally everyday applications or common objects: smartphones, audio-video on board, Wi-Fi, emails, connected objects ...

So, spending money to strongly secure your servers or systems will be useless if criminals can easily access critical information on crewmates' smartphones (criminals have countless ways to get at information through smartphones; the most popular and cheapest is phishing) or if crewmates or suppliers are using weak passwords (don't smile: in 2022, the most popular passwords remain "qwerty", "password", "0000", "12345", "11111").

How to act - Be pragmatic
You have many powerful quick actions on board to digitally secure the yacht and crew without buying new IT services and devices. In other words, before adding a new lock to the armoured front door, start by checking whether any windows are open, and close them.

You'll probably need support or consulting to guide you, but not IT technicians. When selecting your advisor, make sure to choose someone who is independent of the systems or technology managers on board. For the IMO, personnel conducting internal audits of the security activities shall be independent of the activities being audited (source: ISPS Code, Part A / 9. Ship Security Plan).

Digital security is first and foremost a management issue
As masters of the yacht and crew, captains need to have a global and precise understanding of the digital perimeter of their yachts and to have a simple dashboard to monitor the situation. Captains will probably delegate the implementation of solutions to other officers or external contractors. Yet, it is critical for them to monitor and challenge people dealing with digital systems.

Digital management does not require IT skills, but a culture of digital security and good practices. This is essential to meet the IMO's requirements. In the IMO's words: "Effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels of an organization and ensure a holistic and flexible cyber risk management regime that is in continuous operation"[2].

Strength of the IMO approach
If you decide to implement the holistic approach the IMO requires, you will have full coverage of the cyber threats, be compliant with the IMO 2021 regulation, and optimise your budget and resources for the best result for the owner's and guests' cyber protection. You will realise that Holistic Digital Management is based on common sense and is much more efficient and less expensive than buying IT security devices or services.

If you have any questions or are interested in an assessment, please contact Alex Bayeux on https://yachtcybersafe.com | +33 616 99 21 00 | contact@yachtcybersafe.com.

[1] No later than the first annual verification of the company's Document of Compliance after 1 January 2021 (source: IMO / RESOLUTION MSC.428(98) / MARITIME CYBER RISK MANAGEMENT IN SAFETY MANAGEMENT SYSTEMS).

[2] Source: IMO Guidelines / MSC-FAL.1/Circ.3, 5 July 2017, § 3.3.