THE CHALLENGES FACING SUPERYACHT CYBERSECURITY IN THE CHALLENGES FACING SUPERYACHT CYBERSECURITY IN

  • View
    2

  • Download
    0

Embed Size (px)

Text of THE CHALLENGES FACING SUPERYACHT CYBERSECURITY IN THE CHALLENGES FACING SUPERYACHT CYBERSECURITY IN

  • 1

    September 2017

    THE CHALLENGES FACING SUPERYACHT CYBERSECURITY

    IN 2017

  • INDEX THE CHALLENGES FACING SUPERYACHT CYBERSECURITY IN 2017 PAGE 3—4 RISKS AND THREATS PAGE 5—7

    TAKING PRECAUTIONS PAGE 8—9

    DON’T WAIT FOR IT TO HAPPEN PAGE 10

    CONTACT PAGE 11

  • 3

    Many of the cybersecurity issues that threaten the corporate world are same as those that affect the su- peryacht sector. Indeed, almost all superyachts these days have their own corpo- rate networks that are con- nected to the Internet and used to manage what is in effect a medium-sized busi- ness from onboard. Howev- er, as superyachts become better integrated with the global IT ecosystem via high- speed broadband internet,

    THE CHALLENGES FACING SUPERYACHT CYBERSECURITY IN 2017

    they become more exposed to the risk of cybersecurity issues. The big difference between the average commercial com- pany and vessels including superyachts is that a cyber- attack on a superyacht has the potential to compromise the safety of the yacht and everyone on board, as well as the marine environment. This means that superyacht cybersecurity has to cover a much wider range of factors and systems.

    By Koen Luttikhold

    SUPERYACHT CYBERSECURITY – SIMILARITIES AND DIFFERENCES TO CORPORATE CYBERSECURITY

  • 4

    CORPORATE SECURITY

    Corporate security is primary about managing information flows, with the goal of main- taining a balance between confidentiality, availability and integrity. In maritime cybersecurity, confidentiality and security are the over- riding priorities, with an em- phasis on checking incom- ing information to ensure its veracity and integrity. This is because, with vessels of all types, the IT infrastructure is integrated with the control processes for critical sys- tems; from water purification and energy supply to alarms and other emergency systems.

    LAGGING BEHIND

    In the business world it is common practise to update software regularly. How- ever in the maritime sector this is not always the case. There is a certain reluc- tance among some of those responsible for onboard IT business to ‘mess’ with the software because of the risk of errors leading to the mal- function of critical systems. While corporate IT depart- ments often apply standards such as ISO27001/2 to maintain and improve their cybersecurity and even make it better, this is less common in the superyacht sector.

  • 5

    RISKS AND

    THREATS

    1 GENERAL

    AND SPECIFIC INCURSIONS

    2 REMOTE

    MONITORING & CONTROL

    3 PIRACY

    4 PERSONAL DEVICES

    5 LACK OF

    AWARENESS

  • 6

    GENERAL AND SPECIFIC INCURSIONS Yachts are vulnerable to the same viruses and malware as everyone else. Some of these are ‘just’ annoying or destructive, others are designed to steal personal data and information, or interfere with mechanical systems. These need to be blocked.

    On a more specific level, superyachts tend to be owned and used by wealthy and often influential individuals. They represent high value targets to criminals, paparazzi and other unfriendly organisations. Owners and guests will expect the same levels of cybersecurity that they have at home and at work.

    REMOTE MONITORING & CONTROL Systems, whether they are electrical or mechanical, are becom- ing ever more autonomous. Many are now monitored and even controlled remotely from shore-based facilities to ensure efficien- cy, some use dedicated networks, others via the fast-growing Internet of Things.

    This is creating a new attack-vector for hackers and pirates to conduct cyber-attacks on vessels, targeted or otherwise, and giving them the potential to interfere with the control of a ship, cut off communications, disable or manipulate navigation sys- tems, or steal confidential data.

    Security vulnerabilities in software used by the maritime indus- try could be exploited to cause yachts to malfunction or run aground, especially as updates might not by installed as fre- quently as possible.

    RISKS AND THREATS

    2

    1

  • 7

    PIRACY Criminals are increasingly surfing the Internet for looking for ‘loose’ information that can help them with targeting vulnerable and valuable ves- sels.

    Some also have access to the necessary expertise needed for breaking into the ‘secure’ networks of yacht owners and operators that may in fact lack the procedures and software necessary for their protection.

    Useful information on sche- dules, security arrangements and even internal plans are then at risk of being accessed and used for selecting targets and planning attacks.

    PERSONAL DEVICES Personal connected devices onboard yachts offer another point of entry for viruses and hackers, particularly when they can be connected to both the internet and onboard ship networks with- out proper segmentation. Measures need to be taken to avoid infections spreading from tablets and smartphones to the yacht’s own systems.

    LACK OF AWARENESS There is no doubt that there is a general lack of awareness of the threat posed by hack- ers to both safety and security onboard yachts.

    This in turn means that train- ing crew members in how to manage cyberattacks is often inadequate or missing altogether. This may not seem to be an immediate issue but, given the potential risks posed by hacking, even ba- sic training on countermeas- ures is an investment worth making.

    RISKS AND THREATS

    3 4

    5

  • 8

    Cybercrime is constantly developing, making it impossible to create a 100 percent secure network. However sensible precautions can go a long way to minimise the risk of infiltration and infection.

    It is worth noting that in May 2018 a new regulation comes into effect in the EU; the General Data Protection Regulation (GDPR). While its enforceability on superyachts flagged outside the EU is yet to be clarified, it does provide a best practise framework that any yacht with open IT systems would do well to follow.

    These include the requirement to appoint a designated Security Officer who is responsible for implementing a se- curity management system which could be based on the ISO27001 or IEC62443. Such a management system will help address and maintain security within the applicable context using a PDCA (Plan-Do-Check-Act) cycle. Data breaches will also have to be reported within 72 hours.

    TAKING PRECAUTIONS

  • 9

    Make regular backups of important systems and files.

    Implement an awareness program regarding cyber security and threats. Make contingency, response and recovery plans.

    Careful user access management (ensure that departing guests and former crew members have their access revoked immediately).

    Ensure compliance with policies and guidelines governing the usage of the ship’s systems and services.

    Ensure the resiliency of onboard networks by making sure that all hardware and software is up to date.

    Install a firewall and antivirus/malware software.

    Change passwords frequently and require that they are alphanumeric.

    Segment networks and separate traffic (i.e. by crew, guests, owner and ship’s management).

    Monitor the onboard network so as to detect and identify targeted attacks.

    This may be too much for al l but the largest superyachts, however there are basic precautions that yachts of al l sizes can and should take.

    AT ADMAREL WE RECOMMEND THAT OUR CLIENTS DO THE FOLLOWING:

    It is also important to acknowledge that relying solely on technology to defend against cyber-threats is not enough.

    Policies and guidelines that take the human factor into account need to be established and enforced. A single user might (deliberately) undo all technical measures by plugging a wrong cable into the wrong equipment. The chain is only as strong as its weakest link!

    At Admarel we also recommend regular security audits. There are companies that undertake these, along with pene- tration testing to look for vulnerabilities and identify threats in advance. Preventative measures can then be implemented.

  • 10

    DON’T WAIT FOR IT TO HAPPEN Superyachts can easily be seen as just fun places for having a good time, but it’s when people relax and let their guard down that they are most vulnerable. Superyachts are highly sophisticated pieces of equipment to which people entrust their safety, security and privacy. Cybersecurity is part of that and, given the current covert cyber-wars that are already being waged, it is only a matter of time before someone, somewhere, wakes up to the fact that superyachts are among the richest prizes of all.

  • 11

    CONTACT

    ADMAREL ALBLASSERDAM

    Van Hennaertweg 17a 2952 CA Alblasserdam The Netherlands

    ADMAREL NIJMEGEN

    Energieweg 46c 6541 CX Nijmegen The Netherlands

    t +31 (0)78 692 19 00 f +31 (0)78 692 19 01

    info@admarel.nl

    ADMAREL

  • 12