Cyber security for yachts
As hull plating is designed and classified for strength, so as to avoid the loss of a vessel, so too must digital technology be secure, as failure can potentially also lead to the loss of a yacht.
There is a significant increase in cyber-security threats today, as more integrated and connected vessels become an increasingly attractive target for cyber criminals. Yachts may attract special interest, usually financially motivated, because of the high profile of yacht owners and charterers.
Cyber attacks are increasing
Jarle Coll Blomhoff, Head of Cyber Security in DNV Ship Classification, points out: “DNV’s ship classification treats cyber security as an important safety topic as ships get more complex and connected – a natural step in our role to safeguard the maritime industry, building on an evolvement of the responsibility that we have had for almost two centuries.”
Svante Einarsson, Head of Maritime Cyber Security Advisory at DNV, adds: “We see an increased interest among owners, yards and suppliers to employ assistance in building cyber-security resilience. Independently from our class services, our advisory units therefore support the industry with documentation, risk assessment, penetration (‘pen’) testing, training, design development and emergency response as a trusted second party.”
Increasing connectivity leads to potential dangers
Today’s yachts have much more digital infrastructure and software-based systems compared to those of a decade ago. Owners and guests, as well as crew, are exposed, both to the frustration of on-board entertainment not working effectively and to the theft of compromising personal data. Arguably even more importantly, a yacht’s operational technology may be hacked and the vessel taken over, with potentially disastrous consequences. For example, a cruise ship had to be towed into port after a hack compromised its stability control systems. Imagine the humiliation of that on a superyacht!
DNV is a leading partner to help mitigate cyber risks
DNV has been supporting the maritime industry in myriad cyber-security projects in general and the superyacht industry in particular, striving to raise awareness and find customized solutions that fit regulatory and operational needs. The threats can be mitigated, but yacht operators often do not have a 360-degree view of all potential risks to the IT and control systems on board. Here DNV supports with risk assessments and mitigation actions.
Ways to reduce cyber-security risks for yachts
Einarsson says: “To have perfect security is not realistic but, comparing myself to my neighbour, it’s more likely my neighbour will be ‘attacked’ if he keeps his door unlocked and I keep mine locked!”
One of the most important measures to reduce risk is to treat the segregation of digital systems, with firewalls, rather like watertight bulkheads, so that if one zone is penetrated the whole yacht is not compromised. Einarsson points out that it is all very well having network drawings but the hardware itself does need to be properly plugged in too.
When asked whether human error is the main factor in a breach, he notes that it might be human error by the service engineer doing the installation (remote access to the wrong vessel, for example) as much as somebody on board clicking a bad link or plugging in a USB flash drive that has been infected.
Blomhoff emphasizes the importance of “defence in depth” procedures, which can be explained in training or during a vessel’s full review by DNV, showing how to stop an intruder progressing from an initial hack to accessing private emails and finding financial data, and on to identity theft. Barriers can also stop a hacker moving on from the IT system into the commercial areas of the private network and finally connecting to navigation equipment and control systems. Multiple barriers make access to the latter hard, especially if the engine control system has encrypted information.
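The bulkhead analogy and the point about drawings versus what is actually plugged in can be checked mechanically. The following is an added example, not DNV's tooling: it compares the firewalled links on a network drawing with the links found on board, and counts how many zone boundaries separate the guest network from engine control. All zone names and links are hypothetical, constructed sample data.

```python
from collections import deque

# Constructed sample data: zone names and links are hypothetical.
# Each pair is a firewalled conduit between two zones on the network drawing.
DESIGNED = {
    ("guest_wifi", "it_office"),
    ("it_office", "crew_network"),
    ("crew_network", "navigation"),
    ("navigation", "engine_control"),
}
# As found on board: one cable patched into the wrong switch.
AS_BUILT = DESIGNED | {("navigation", "guest_wifi")}


def _undirected(links):
    """Treat every link as two-way, so (a, b) and (b, a) are the same link."""
    return {frozenset(link) for link in links}


def undocumented_links(designed, as_built):
    """Links physically present that the drawing does not show."""
    extra = _undirected(as_built) - _undirected(designed)
    return sorted(tuple(sorted(link)) for link in extra)


def barriers_between(links, src, dst):
    """Fewest zone boundaries to cross from src to dst; None if unreachable."""
    adjacent = {}
    for a, b in links:
        adjacent.setdefault(a, set()).add(b)
        adjacent.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([(src, 0)])
    while queue:  # breadth-first search gives the shortest path
        zone, crossed = queue.popleft()
        if zone == dst:
            return crossed
        for nxt in adjacent.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, crossed + 1))
    return None


if __name__ == "__main__":
    print("Not on the drawing:", undocumented_links(DESIGNED, AS_BUILT))
    for name, links in (("designed", DESIGNED), ("as built", AS_BUILT)):
        depth = barriers_between(links, "guest_wifi", "engine_control")
        print(f"{name}: {depth} barriers from guest Wi-Fi to engine control")
```

In this sample the single mis-patched cable halves the number of barriers between the guest network and engine control, which is why the as-built network is audited against the drawing.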
Class approval and verification services reduce risks and damage
Einarsson states that “everyone can be hit” and that building an emergency response service is essential. With voluntary rules presently in place for existing yachts and newbuilds, it is a priority to get as many systems as possible type-approved at DNV, which makes them easier to implement when building. From 1 January 2024 it will be mandatory to implement the IACS (International Association of Classification Societies) requirements for yachts of over 500 GT.
DNV’s class notation for cyber security is offered for all new yachts, with different levels of security. The notation addresses the cyber security of a yacht’s main functions and the owner’s operational needs. It supports lowering the risk of cyber-security threats and preventing related financial or other damage.
Getting implementation of cyber-secure measures right
DNV has committed to becoming a “power house” on cyber security, not just in maritime but also energy, oil, gas and other industries which have been pushed by critical infrastructure regulations and EU directives. The pace has been accelerating, with the number of staff doubling to over 100 in the past year. This initiative is driven by the increasing demand from DNV clients to get support in implementing and verifying actual cyber-security capabilities on board ships.
As Einarsson says: “It is one thing to have an IT expert write procedures for shore IT, another for crew members to handle it aboard... but a positive for yachts is that they usually have AV IT engineers with a high level of competency. The downside is that yachts have a lot more connectivity than commercial vessels.” Sometimes a decision is made not to allow remote connectivity. “A service engineer remotely monitoring can obtain data from, say, a piece of machinery but if it is two-way connectivity the engineer can go in and update something. If he has that capacity, he has already accessed the vessel itself and potentially a threat could spread in the system.”
Complex service offering covers all areas of cyber security
DNV’s penetration testing of systems, vessels and offices is just one example of its class-independent cyber-security advisory services. Whether looking for cyber-security type approval, cyber-secure class notation or other support, DNV’s Technical Experts are ready to act for existing yachts or newbuild projects, no matter what classification society they are built to.
The broad range of services supports operators in taking the right protective measures, offering standards and certification services to enable construction and give confidence in effective cyber-secure infrastructure and connected equipment on board yachts.