Maritime Cyber Risk Management

The secure approach

The IMO guidelines provide highlevel recommendations on maritime cyber risk management to safeguard vessels from current and emerging cyberthreats and vulnerabilities. But, in reality how does a yacht and their crew manage this without interrupting ‘normal life’?
Words: Gary Bird

Maritime Cyber Risk Management

Not another article on maritime cyber security…?!? There are an abundance of guides and ‘top 10 tips’ to which we can refer as we try to make some sense of this complex and opaque topic. Let us, instead, take an alternative look at an issue that deserves a wider perspective.

When the great Jon Bannenberg proclaimed “No-one needs a yacht” it was a prescient recognition that, for ownership to be a worthwhile endeavour, the designer’s creation must facilitate a seamless flow of life around their client; one that enhances the joys such ownership should confer. Yet, all too often, those of us responsible for security forget that this human experience is the whole point of yachting. The many layers of protection we provide, to shield the vessel and her occupants from myriad threats, both real and perceived, sometimes obscure, or act in opposition to, this fundamental premise. Simply put, it’s not all about us. If security: physical, human – or indeed cyber – constrains freedom of action, it erodes the very peace of mind we are supposed to engender.

An industry has arisen around compliance with the new IMO cyber security regulations, with enthralling demonstrations of offensive capabilities and their consequences for yachts. Whilst it is entirely feasible for malicious actors to effect hugely significant outcomes, a narrative has arisen, in which ‘spectacular’ threats are emphasised to encourage compliance. Yes, critical systems can be hacked, GPS can be spoofed, Internet-enabled devices (and the humans who operate them) do present deliciously exploitable vulnerabilities. The problem, however, with an approach that leverages fear, uncertainty, and doubt, is that it is no less exploitative than the threats it purports to mitigate.

In a previous life, I spent considerable time engaging with, influencing and yes – exploiting – insurgent and terrorist commanders. The same subtle, yet elegant, methodologies proved equally effective in interactions with Generals and Ministers, as we sought to guide them towards effective, ethical strategic decisions. Essentially, we were using our expertise to both penetrate our adversaries’ defences, and to ‘sell’ the means to do so to our superiors. We never lost sight, however, that the role of expert is to provide clear, unambiguous counsel, framed by a moral code and subject to external checks and balances. Yet, just as a market once developed around PFSO audits, following maritime tragedies in the mid 2000s, the same sense of ‘never letting a good crisis go to waste’ appears to have resurfaced.

Of course, one must not denigrate the extraordinary capabilities of the many excellent providers in the cyber security arena, nor should one deny that the maritime cyber risk environment is very real (it is), with significant consequences for its victims. The danger, however, is that seafarers are increasingly caught in the middle of an arms race between malicious actors and enterprising countermeasures providers. 

If security: physical, human – or indeed cyber – constrains freedom of action, it erodes the very peace of mind we are supposed to engender

One either risks non-compliance or places one’s trust exclusively in experts to create resilience against complex and evolving threats that few really understand. Two contrasting trends have emerged as a result: We either delegate responsibility because we buy-in to the narrative that one needs to be a cyber security expert to understand and address all threats, or we allow ourselves to be convinced that compliance is king. The danger of the first trend, is that it infantilises seafarers; absolving us of responsibility for basic good practice. The second sees compliance as the goal, rather than a component of genuine resilience, which is a continual process, not an end-state.

The way experts seek to bridge the understanding gap with seafarers is, rightly, to draw attention the human dimension. Yet this, too, is problematic, in that it errs towards emphasising human vulnerabilities, rather than strengths. Acknowledging that family, associates, and crew are a conduit, however unwittingly, for malicious actors to breach one’s defences, there is a danger that cyber assurance is compelled through suffocating measures. The price of resilience must never be a toxic culture, in which private individuals and those in their orbit, adopt an ‘us-and them’ mentality, fostered on mutual suspicion.

Far better to educate and empower associates; incentivising them to act as bulwarks for one’s protection against often intangible threats. Yes, your greatest vulnerability is the pink squidgy thing that forms the nexus between the vessel’s IT, OT an IoT systems and devices, but they are also your first line of defence. Education must therefore move away from tick-box compliance (top tip: hackers really, really do not care if your crew have a certificate…) and towards investment in a positive culture, in which security – every aspect of security – is the responsibility of all and the success of each voyage a shared endeavour.

Treating cyber threats as somehow unique, risks taking your eye off the myriad other security challenges that haven’t gone away, and are routinely employed synergistically, to find and exploit gaps in your defences. The best suppliers equip you to understand risk holistically, plan for mitigation and, critically, develop a set of procedures to follow when your defences are breached.

I firmly advocate inculcating a culture in which your people exemplify, promote, and enforce best practice. Hackers need our help. Seafarers are becoming familiar with the idea of social engineering, or human hacking – the employment of sophisticated psychological manipulation to trick people into disclosing confidential information. It predates computers and is remarkably effective because it exploits human nature – people are far easier to fool than machines. The paradox is that the emotional intelligence required to teach resilience to human exploitation, is often mutually exclusive with the forensic expertise necessary to counter purely technical cyber challenges.

Cyber-facilitated threats pose a clear and present danger to people and assets in the maritime domain. Superyachts are attractive for direct exploitation and vulnerable to the collateral effects of attacks directed elsewhere. Glorious isolation within an interconnected society is simply not an option, nor is it desirable. The possibilities afforded by this brave new world of maritime digitisation should be embraced and leveraged for good. To do that, seek support from providers who listen, empathise, and promote holistic resilience. Beneficial outcomes will surpass, and endure beyond, the tempting, yet uncertain, reassurance afforded by ‘compliance’.

For more details Tel: +44 (0)7930977825
or visit