Secure at Sea: Cybersecurity Laws Lacking when it comes to Yachts
By Corey D. Ranslem
*This article originally appeared in The Triton nautical newspaper in August 2018 (Secure at Sea: Cybersecurity laws lacking when it comes to yachts).*
It is hard to realistically determine the number of cyberattacks that take place within a given time period. Many cyber experts believe the maritime industry has suffered eight to 10 major cyberattacks since the start of 2018. If you look at all cyber-related issues, that number moves into the thousands.
What are the International Maritime Organization and the respective world governments planning to push forward when it comes to cybersecurity laws and regulations for the maritime industry? Very little. Industry organizations seem to be taking the lead when it comes to guidance and industry-specific best practices. Unfortunately, regulatory compliance does not always align with industry-best practices. Those best practices sometimes vary by industry and location. What is good for a large cruise ship might not always work well within the large yacht industry and vice versa.
Currently the IMO has issued Guidelines on Cyber Risk Management (MSC-FAL.1/Circ.3), and the Maritime Safety Committee, in their 98th session last year (June 2017), adopted Maritime Cyber Risk Management in Safety Management Systems (Resolution MSC.428(98)). This resolution encourages flag administrations to ensure that cyber risks are “appropriately addressed” as part of existing safety management systems (ISM code). This is set to take place by the first annual verification of the company’s Document of Compliance after Jan. 1, 2021, according to the IMO website. A lot can happen between now and then.
I attended a recent conference with IMO officials. Several participants asked about changes to the ISPS codes to incorporate cybersecurity. The IMO said there are no such plans. They felt the existing code, in broad terms, provides the framework to address a number of threats, including cybersecurity.
Flag states and some class societies have put forward some guidance documents regarding cybersecurity. The U.S. Coast Guard published cybersecurity guidelines in 2017 for MTSA-regulated facilities as part of an overall critical infrastructure cybersecurity plan. Nothing within this strategy mentions vessels. The MCA published “Cyber Security for Ships, Code of Practice,” a 73-page document with some good guidelines. However, there are no major regulations proposed regarding cybersecurity specifically for the maritime industry.
Governments have put forward laws and regulations regarding cybersecurity, but they are more specific to handling data, not cybersecurity in general. I believe maritime industry regulations are not being proposed because of potential problems with enforcement of those regulations, along with several potential jurisdictional issues.
There are several maritime industry-related organizations (within the cargo and cruise industry) that have provided guidance to their respective industries on cybersecurity. These documents mirror a document on cybersecurity put together in the U.S. by the National Institute of Standards and Technology. Published initially in February 2014 and revised in April, this 55-page document is not specific to any industry or organization, but critical infrastructure in general. Many of the principles, in theory, can be adapted to the maritime industry.
Insurance companies aren’t moving at lightning speed in producing cybersecurity coverage for the maritime industry and, specifically, vessel operations. There are several cyber-related products for companies and critical infrastructure, but at this point, most large insurers haven’t worked through the risk model for cyberattacks against large yachts, cargo vessels or cruise lines. Cyber-risk insurance for ships will start in the cargo industry, then move to cruise lines and large yachts. Insurance companies still need to collect data to determine how best to price that risk.
I recommend one simple principle: If you have a company managing your cybersecurity infrastructure, it is good practice to have another, independent trusted company try to penetrate your network, testing the resilience and security of that infrastructure. I haven’t seen many vessels – whether large yachts, cargo lines or cruise lines – with cybersecurity standards even close to those of the healthcare and financial industries. As an industry, we have a long way to go.
Corey D. Ranslem is the CEO of IMSA and a recognized expert on maritime security. He hosts the company’s weekly Maritime Video Blog on YouTube. He has been in maritime security and law enforcement for over 24 years, including eight years with the U.S. Coast Guard. You can follow him on Twitter.