Cyber Security Plan

This plan provides guidance for the master and other crew members on board the ship regarding procedures for cyber security.

| Field | Value | Field | Value |
|---|---|---|---|
| Yacht Name | M/Y --- | Shipyard | |
| Flag | | Port of Registry | |
| Revision | 1.3 | Date of issue | 10 Dec 2023 |
| Gross Tonnage | | Date of Keel Laying | |
| Company | Yachting Concept Monaco | Office Number | +377 99 90 16 30 |
| Director | Thierry Roux | | |
| Designated Person | Christophe Guegan | 24/7 Phone | +377 99 92 36 48 |
| Company approval | | RO approval | |
| Date | | Date | |

1. Definitions

| Term | Definition |
|---|---|
| Access control | Access control is a selective limiting of the ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains or to control system components and functions. |
| Back door | Back door is a secret method of bypassing normal authentication and verification when accessing a system. A back door is sometimes created in hidden parts of the system itself or established by separate software. |
| Bring your own device (BYOD) | Bring your own device (BYOD) allows employees to bring personally owned devices (laptops, tablets, and smartphones) to the ship and to use those devices to access privileged information and applications for business use. |
| Cyberattack | Cyberattack is any type of offensive manoeuvre that targets IT and OT systems, computer networks, and/or personal computer devices and attempts to compromise, destroy or access company and ship systems and data. |
| Cyber incident | A cyber incident is an occurrence, which actually or potentially results in adverse consequences to an onboard system, network and computer or to the information that they process, store or transmit, and which may require a response action to mitigate the consequences. |
| Cyber risk management | Cyber risk management means the process of identifying, analysing, assessing, and communicating a cyber-related risk and accepting, avoiding, transferring or mitigating it to an acceptable level by taking into consideration the costs and benefits of actions taken by stakeholders. |
| Cyber system | Cyber system is any combination of facilities, equipment, personnel, procedures and communications integrated to provide cyber services; examples include business systems, control systems and access control systems. |
| Defence in breadth | Defence in breadth is a planned, systematic set of activities that seek to identify, manage, and reduce exploitable vulnerabilities in IT and OT systems, networks and equipment at every stage of the system, network, or sub-component life cycle. Onboard ships, this approach will generally focus on network design, system integration, operations and maintenance. |
| Defence in depth | Defence in depth is an approach which uses layers of independent technical and procedural measures to protect IT and OT on board. |
| Executable software | Executable software includes instructions for a computer to perform specified tasks according to encoded instructions. |
| Firewall | A firewall is a logical or physical break designed to prevent unauthorised access to IT infrastructure and information. |
| Firmware | Firmware is software embedded in electronic devices that provide control, monitoring and data manipulation of engineered products and systems. These are normally self-contained and not accessible to user manipulation. |
| Flaw | The flaw is unintended functionality in software. |
| Intrusion Detection System (IDS) | Intrusion Detection System (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. |
| Intrusion Prevention System (IPS) | Intrusion Prevention System (IPS), also known as Intrusion Detection and Prevention Systems (IDPSs), are network security appliances that monitor network and/or system activities for malicious activity. |
| Local Area Network (LAN) | Local Area Network (LAN) is a computer network that interconnects computers within a limited area such as a home, ship or office building, using network media. |
| Malware | Malware is a generic term for a variety of malicious software, which can infect computer systems and impact their performance. |
| Operational technology (OT) | Operational technology (OT) includes devices, sensors, software and associated networking that monitor and control onboard systems. |
| Patches | Patches are software designed to update software or supporting data to improve the software or address security vulnerabilities and other bugs in operating systems or applications. |
| Phishing | Phishing refers to the process of deceiving recipients into sharing sensitive information with a third-party. |
| Principle of least privilege | Principle of least privilege refers to the restriction of user account privileges only to those with privileges that are essential to function. |
| Recovery | Recovery refers to the activities after an incident required to restore essential services and operations in the short and medium-term and fully restore all capabilities in the longer term. |
| Removable media | Removable media is a collective term for all methods of storing and transferring data between computers. This includes laptops, USB memory sticks, CDs, DVDs and diskettes. |
| Risk management | Risk management is the process of identifying, analysing, assessing and communicating risk and accepting, avoiding, transferring or controlling it to an acceptable level considering associated costs and benefits of any actions taken. |
| Sandbox | Sandbox is an isolated environment, in which a program may be executed without affecting the underlying system (computer or operating system) and any other applications. A sandbox is often used when executing untrusted software. |
| Social engineering | Social engineering is a method used to gain access to systems by tricking a person into revealing confidential information. |
| Software whitelist | Software whitelisting means specifying the software, which is present and active on an IT or OT system. |
| Virtual Local Area Network (VLAN) | Virtual Local Area Network (VLAN) is the logical grouping of network nodes. A virtual LAN allows geographically dispersed network nodes to communicate as if they were physically on the same network. |
| Virtual Private Network (VPN) | Virtual Private Network (VPN) enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network, thereby benefiting from the functionality, security and management policies of the private network. |
| Virus | A virus is a hidden, self-replicating section of computer software that maliciously infects and manipulates the operation of a computer program or system. |
| Wi-Fi | Wi-Fi is all short-range communications that use some type of electromagnetic spectrum to send and/or receive information without wires. |

2. Purpose

Yachts are increasingly using systems that rely on digitisation, integration, and automation, which call for cyber risk management on board. As technology continues to develop, information technology (IT) and operational technology (OT) onboard ships are being networked together – and more frequently connected to the internet.

This document identifies information sources that may aid in establishing policies and procedures for mitigating maritime cyber risks.

This risk assessment has been developed by Yachting Concept Monaco to establish safeguards against cyber risks for its Republic of the Marshall Islands (RMI)-flagged vessels.

2.1. Background

IMO Resolution MSC.428(98) encourages Administrations to ensure that cyber risks are appropriately addressed in safety management systems (SMS) no later than the first annual verification of the Company’s Document of Compliance after 1 January 2021.

Marshall Islands Registry has implemented this Resolution through RMI Marine Notice 2-011-13, International Safety Management (ISM) Code.

The ship’s operations plans must ensure that cyber risks are addressed in the SMS no later than the first annual verification of the Company's Document of Compliance after 01 January 2021. See IMO Resolution MSC.428(98), Maritime Cyber Risk Management in Safety Management Systems.

3. Cybersecurity and safety management

The IMO guidelines set out the following principles in support of an effective cyber risk management strategy:

  1. Identify: Define the roles responsible for cyber risk management and identify the systems, assets, data and capabilities that, if disrupted, pose risks to ship operations.
  2. Protect: Implement risk control processes and measures, together with contingency planning to protect against a cyber incident and to ensure continuity of shipping operations.
  3. Detect: Develop and implement processes and defences necessary to detect a cyber incident in a timely manner.
  4. Respond: Develop and implement activities and plans to provide resilience and to restore the systems necessary for operations or services which have been halted due to a cyber incident.
  5. Recover: Identify how to back-up and restore the cyber systems necessary for shipping operations which have been affected by a cyber incident.

Both cybersecurity and cyber safety are important because of their potential effect on the guests, the personnel, the ship or environment. Cybersecurity is concerned with the protection of IT, OT, information and data from unauthorised access, manipulation and disruption. Cybersafety covers the risks from the loss of availability or integrity of safety-critical data and OT.

Some aspects of cyber risk management may include commercially sensitive or confidential information. Companies should, therefore, consider protecting this information appropriately, and as far as possible, not include sensitive information in their Safety Management System (SMS). Sensitive information should be included in the protected and confidential version of the Ship's Security Plan.

Cyber risk management should:

  • Identify the roles and responsibilities of users, key personnel, and management both ashore and onboard
  • Identify the systems, assets, data and capabilities, which if disrupted, could pose risks to the ship’s operations and safety
  • Implement technical and procedural measures to protect against a cyber incident and ensure continuity of operations
  • Implement activities to prepare for and respond to cyber incidents.

3.1. Differences between IT and OT systems

Operational Technology Systems (OT) control the physical world and Information Technology systems (IT) manage data. OT systems differ from traditional IT systems. OT is hardware and software that directly monitors/controls physical devices and processes. IT covers the spectrum of technologies for information processing, including software, hardware and communication technologies. Traditionally OT and IT have been separated, but with the internet, OT and IT are coming closer as historically stand-alone systems are becoming integrated.

Disruption of the operation of OT systems may pose a significant risk to the safety of guests and crew on board, damage the marine environment, and impede the yacht's operation.

| Category | IT System | OT System |
|---|---|---|
| Performance Requirements | Non-real-time; Less critical emergency interaction; Tightly restricted access control can be implemented to the degree necessary for security | Real-time system; Response is time-critical; Response to human and other emergencies is critical; Access to OT should be strictly controlled, but should not interfere with user interaction |
| Availability Requirements | Rebooting is acceptable; Availability deficiencies may be tolerated, depending on the system’s operational requirements | Responses such as rebooting may not be acceptable because of operational requirements; Availability requirements may necessitate back-up systems |
| Risk Management | Manage data; Data confidentiality and integrity is paramount; Fault tolerance may be less important; Risk impacts may cause delay of the ship’s clearance, commercial ops and guests confidentiality | Control physical world; Safety is paramount, followed by protection of the process; Fault tolerance is essential, even momentary downtime may not be acceptable; Risk impacts are regulatory non-compliance, harm to the personnel on board, the environment |
| Operating System | Systems are commonly known as operating systems; Upgrades availability | Proprietary OS, often without built-in security capabilities; Software changes must be carefully made by vendors, because of the specialized control algorithms |
| Security Solutions | Proprietary OS, often without built-in security capabilities; Software changes must be carefully made by vendors, because of the specialized control algorithms | Proprietary OS, often without built-in security capabilities; Software changes must be carefully made by vendors, because of the specialized control algorithms |

4. Identify

4.1. Identify threats

The cyber risk is specific to companies, ships, operations and/or trade. When assessing the risk, companies should consider any specific aspects of their operations that might increase their vulnerability to cyber incidents. Unlike other areas of safety and security, where historic evidence is available, cyber risk management is made more challenging by the absence of any definitive information about incidents and their impact. Until this evidence is obtained, the scale and frequency of attacks will continue to be unknown. The yachting industry deals with high-end guests, often public figures; the risk analysis should therefore take into account attacks driven by this specific motivation.

| Group | Motivation | Objective |
|---|---|---|
| Activists (incl. former employees) | Reputational damage; Disruption of operations | Destruction of data; Publication of sensitive data; Media attention; Denial of access to the service or system targeted |
| Criminals | Financial gain; Commercial espionage; Industrial espionage | Ransomware attack; Stealing data for financial gain; Selling stolen data; Ransoming stolen data; Arranging fraudulent cargo; Gathering intelligence for a more sophisticated crime |
| Opportunists | The challenge | Getting through cybersecurity defences; Financial gain |
| States / Terrorists | Political gain; Espionage | Espionage; Gaining knowledge; Disruption to economies and critical national infrastructure |

In addition, there is the possibility that personnel, on board and ashore, could compromise cyber systems and data. In general, the company should realise that this may be unintentional and caused by human error when operating and managing IT and OT systems, or by failure to respect technical and procedural protection measures. There is, however, the possibility that actions may be malicious and a deliberate attempt by a disgruntled employee to damage the company and the ship.

4.2. Types of cyber attack

Untargeted attacks, where a company or a ship’s systems and data are one of many other potential targets:

  • Malware: Malicious software which is designed to access or damage a computer without the knowledge of the owner. There are various types of malware including trojans, ransomware, spyware, viruses, and worms. Ransomware encrypts data on systems until a ransom has been paid. Malware may also exploit known deficiencies and problems in outdated/unpatched business software. The term “exploit” usually refers to the use of software or code, which is designed to take advantage of and manipulate a problem in another computer software or hardware. This problem can, for example, be a code bug, system vulnerability, improper design, hardware malfunction and/or error in protocol implementation. These vulnerabilities may be exploited remotely or triggered locally. Locally, a piece of malicious code may often be executed by the user, sometimes via links distributed in email attachments or through malicious websites.
  • Phishing: Sending emails to a large number of potential targets asking for particular pieces of sensitive or confidential information. Such an email may also request that a person visits a fake website using a hyperlink included in the email.
  • Water holing: Establishing a fake website or compromising a genuine website to exploit visitors.
  • Scanning: Attacking large portions of the internet at random.

Targeted attacks may be more sophisticated and use tools and techniques specifically created for targeting a company or ship. Examples of tools and techniques, which may be used in these circumstances, include:

  • Social engineering: A non-technical technique used by potential cyber attackers to manipulate insider individuals into breaking security procedures, normally, but not exclusively, through interaction via social media.
  • Brute force: An attack trying many passwords with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords until the correct one is found.
  • Denial of service (DoS): Prevents legitimate and authorised users from accessing information, usually by flooding a network with data. A distributed denial of service (DDoS) attack takes control of multiple computers and/or servers to implement a DoS attack.
  • Spear-phishing: Like phishing but the individuals are targeted with personal emails, often containing malicious software or links that automatically download malicious software.
  • Subverting the supply chain: Attacking a company or ship by compromising equipment, software or support services being delivered to the company or ship.

The above examples are not exhaustive. Other methods are evolving such as impersonating a legitimate shore-based employee in a shipping company to obtain valuable information, which can be used for a further attack.

4.3. Identify vulnerabilities

It is recommended that the yacht assesses the potential threats that may realistically be faced. This should be followed by an assessment of the systems and onboard procedures to map their robustness to handle the current level of threat. The result should be a strategy centred around the key risks.

Stand-alone systems will be less vulnerable to external cyber-attacks compared to those attached to uncontrolled networks or directly to the internet. Network design and network segregation will be explained in more detail in annexe 3. Care should be taken to understand how critical shipboard systems might be connected to uncontrolled networks. When doing so, the human element should be taken into consideration, as many incidents are initiated by personnel’s actions.

Incident - Crash of integrated navigation bridge at sea.

A ship with an integrated navigation bridge suffered a failure of nearly all navigation systems at sea, in a high traffic area and reduced visibility. The ship had to navigate by one radar and backup paper charts for two days before arriving in port for repairs. The failure of all ECDIS computers was attributed to outdated operating systems. During the previous port call, a producer's technical representative had performed a navigation software update on the ship’s navigation computers.

However, the outdated operating systems were incapable of running the software and crashed. The ship was required to remain in port until new ECDIS computers could be installed, classification surveyors could attend, and a near-miss notification had been issued as required by the company. The costs of the delays were extensive and incurred by the shipowner. This incident emphasizes that not all computer failures are a result of a deliberate attack and that outdated software is prone to failure.

More proactive software maintenance to the ship may have prevented this incident from occurring.

Onboard systems include:

  • Bridge systems – The increasing use of digital, network navigation systems, with interfaces to shoreside networks for update and provision of services, make such systems vulnerable to cyber-attacks. Bridge systems that are not connected to other networks may be equally vulnerable, as removable media are often used to update such systems from other controlled or uncontrolled networks. A cyber incident can extend to service denial or manipulation and, therefore, may affect all systems associated with navigation, including ECDIS, GNSS, AIS, VDR and Radar/ARPA.
  • Propulsion and machinery management and power control systems – The use of digital systems to monitor and control onboard machinery, propulsion and steering makes such systems vulnerable to cyber-attacks. The vulnerability of these systems can increase when used in conjunction with remote condition-based monitoring and/or are integrated with navigation and communications equipment on ships using integrated bridge systems.
  • Guests, crew and management systems – Digital systems used for property management, boarding and access control may hold valuable passenger related data. Intelligent devices (tablets, handheld scanners etc.) are themselves an attack vector as ultimately the collected data is passed on to other systems.
  • Guests and crew Wi-Fi networks – Fixed or wireless networks connected to the internet, installed on board for the benefit of passengers, for example, guest entertainment systems, should be considered uncontrolled and should not be connected to any safety-critical system on board.
  • Administrative systems – Onboard computer networks used for administration of the ship are particularly vulnerable when providing internet access and email. This can be exploited by cyber attackers to gain access to onboard systems and data. These systems should be considered uncontrolled and should not be connected to any safety-critical system on board. Software provided by ship management companies or owners is also included in this category.
  • Communication systems – Availability of internet connectivity via satellite and/or other wireless communication can increase the vulnerability of ships. The cyber defence mechanisms implemented by the service provider should be carefully considered but should not be solely relied upon to secure every shipboard system and data. Included in these systems are communication links to public authorities for transmission of required ship reporting information. Applicable authentication and access control management requirements by these authorities should be strictly complied with.

4.4. Systems onboard

| Name | Manufacturer | OS | Version | Connected | Risk |
|---|---|---|---|---|---|
| ECDIS | Furuno | Unix | | No | Medium |
| GMDSS | Sailor | Proprietary | | No | Low |
| Machinery Monitoring | B&B | Windows | 7 Pro sp1 | Yes | High |
| Chart & Publications | One Ocean | Windows | 10 | Yes | High |
| Wifi Controller | Cisco AIR CT2404-k9 | Cisco 24_32_44 | 8.5.151.0 | Yes | High |
| Firewall | Kerio Control | NG500 | 9.3.4 | Yes | High |
| Management Software | DeepBlue | Cloud Unix/macOS | | Yes | High |
| NAS | Qnap | TVS-EC1680U-SAS-R | 4.5.1.1495 | Yes | Medium |
| VSat Control Unit | Sailor Cobham | 7016C | | Yes | Medium |
| Modem | iDirect | IQ200 | | Yes | Medium |
| CCTV | Panasonic | WJ-NV200 | | Yes | High |
| Pro Crew Email | Microsoft Exchange | Windows | | Yes | Medium |
| Crew Computers | Mix MS/Mac | Microsoft/MacOS | | Yes | High |
| Domotic Systems | Videoworks | Ipad | | Yes | Low |

Incident - Navigation computer crash during pilotage.

A ship was under the conduct of a pilot when the ECDIS and voyage performance computers crashed. A pilot was on the bridge. The computer failures briefly created a distraction to the watch officers; however, the pilot and the master worked together to focus the bridge team on safe navigation by visual means and radar. When the computers were rebooted, it was apparent that the operating systems were outdated and unsupported. The master reported that these computer problems were frequent (referring to the issues as “gremlins”) and that repeated requests for servicing from the shipowner had been ignored. It is a clear case of how simple servicing and attention to the ship by management can prevent mishaps.

5. Protect

Cyber risk assessment should start at the senior management level of a company, instead of being immediately delegated to the ship security officer or the head of the IT department. There are several reasons for this.

  1. Initiatives to heighten cybersecurity and safety may at the same time affect standard business procedures and operations, rendering them more time consuming and/or costly. It is, therefore, a senior management level decision to evaluate and decide on risk mitigation.
  2. Many initiatives, which would improve cyber risk management, are related to business processes, training, the safety of the ship and the environment and not to IT systems, and therefore need to be anchored organisationally outside the IT department.
  3. Initiatives which heighten cyber awareness may change how the company interacts with customers, suppliers and authorities, and impose new requirements on the co-operation between the parties. It is a senior management level decision whether and how to drive these changes in relationships.

5.1. Impact assessment

Potential impacts could be safety-related, operational, environmental-related, financial, reputational and compliance-related. Several assessment methodologies offer criteria and techniques that can help define the magnitude of the impact of a cyber-attack.

| Impact | Definition | In practice |
|---|---|---|
| Low | The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on company and ship, organisational assets, or individuals | A limited adverse effect means that a security breach might: cause degradation in ship operation to an extent and duration that the organisation can perform its primary functions; result in minor damage to organisational assets; result in minor financial loss; result in minor harm to individuals. |
| Moderate | The loss of confidentiality, integrity, or availability could be expected to have a substantial adverse effect on company and ship, assets or individuals | A substantial adverse effect means that a security breach might: cause significant degradation in ship operation to an extent and duration that the organisation can perform its primary functions, but the effectiveness of the functions is significantly reduced; result in significant damage to organisational assets; result in significant financial loss; result in significant harm to individuals that do not involve loss of life or serious life-threatening injuries. |
| High | The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on company and ship operations, assets, environment or individuals. | A severe or catastrophic adverse effect means that a security breach might: cause severe degradation in or loss of ship operation to an extent and duration that the organisation is not able to perform one or more of its primary functions; result in major damage to the environment and/or organisational assets; result in major financial loss; result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries. |

5.2. ECDIS

| Risk | Likelihood | Severity | Measures |
|---|---|---|---|
| Compromising of safety of navigation | Rare | High | Unix based system |
| Remote Control | Rare | High | The system is not connected to the network |
| Hardware failure | Likely | High | Duplication of the systems |

The ECDIS operating system is based on Unix and is not connected to the main network. It is therefore less exposed to cyber attacks and viruses. Furthermore, the system is fully redundant and can be restarted independently without compromising the safety of navigation. Chart updates are done using a dedicated USB stick from the bridge charts and publications laptop computer, which runs Windows.

5.3. GMDSS

| Risk | Likelihood | Severity | Measures |
|---|---|---|---|
| Compromising of voice communication | Rare | Moderate | The system is not connected to any network |

The GMDSS system is completely independent of the network and uses a proprietary operating system. Therefore, the system should be considered to be at moderate risk.

5.4. B&B Monitoring

| Risk | Likelihood | Severity | Measures |
|---|---|---|---|
| OS Crash | Rare | High | Windows XP not maintained by MS anymore, but the operating system works inside a "black box" |
| Hardware Failure | Likely | High | A pre-configured machine is available for immediate replacement |
| Remote access | Likely | High | The VPN is closed by the ETO after each remote operation |

WARNING

The monitoring system (2 servers / 7 clients) is a Windows 7 Pro based system used to monitor all vital operations of the vessel, including engines, bilge, fire pumps, alarms, ventilation and CCTV cameras. Whilst most of the controls done with the monitoring can be done manually, a sudden crash of the system during a critical operation of the vessel can lead to an uncontrolled situation. Rebooting can be an option, but at high risk depending on the situation. Both servers (ECR & Wheelhouse) are capable of the same operations and are redundant for safety. The servers can also be accessed remotely for maintenance purposes using VNC & TeamViewer; the engine team should be trained to close the remote access when the contractor has finished the maintenance session. The Windows 7 Pro SP1 system is not equipped with anti-virus or a firewall, but should not store data other than running logs.

We recommend having an alternative, pre-configured hard disk immediately available in case of failure, or a fully configured spare server that can rapidly replace a faulty device.
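
The closure of remote access after each maintenance session can be verified rather than assumed. The following is an added example, not part of the original plan or of any vendor tooling: it reads the process list of a monitoring server (the CSV that `tasklist /fo csv /nh` prints) and reports VNC or TeamViewer processes running while no maintenance session is logged as open. The host names, the maintenance-log structure, the `MonitoringClient.exe` process and the VNC image names are assumptions; the sample data is constructed.

```python
import csv
import io
import subprocess
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Image names treated as remote-access tooling. The TeamViewer names are its
# usual ones; the VNC names are assumptions covering common VNC servers, since
# the plan does not say which VNC product is installed.
REMOTE_ACCESS_IMAGES = {
    "teamviewer.exe": "TeamViewer",
    "teamviewer_service.exe": "TeamViewer",
    "winvnc.exe": "VNC",
    "tvnserver.exe": "VNC",
    "vncserver.exe": "VNC",
}


@dataclass(frozen=True)
class Session:
    """One entry of a hypothetical maintenance log kept by the ETO."""
    host: str
    opened: datetime
    closed: Optional[datetime]  # None means the session is still open


def parse_tasklist(csv_text):
    """Return [(image_name, pid)] from `tasklist /fo csv /nh` output."""
    rows = []
    for row in csv.reader(io.StringIO(csv_text)):
        # Skip blank or malformed lines instead of failing the whole audit.
        if len(row) >= 2 and row[1].strip().isdigit():
            rows.append((row[0].strip(), int(row[1])))
    return rows


def session_active(host, now, log):
    """True if the log shows a maintenance session open on `host` at `now`."""
    return any(
        s.host == host and s.opened <= now and (s.closed is None or now <= s.closed)
        for s in log
    )


def audit(host, tasklist_csv, now, log):
    """List remote-access processes running outside any logged session."""
    if session_active(host, now, log):
        return []  # remote access is expected while the contractor works
    findings = []
    for image, pid in parse_tasklist(tasklist_csv):
        tool = REMOTE_ACCESS_IMAGES.get(image.lower())
        if tool:
            findings.append({"host": host, "tool": tool, "image": image, "pid": pid})
    return findings


def collect(host):
    """Fetch the live process list of a Windows host (needs admin rights on it)."""
    result = subprocess.run(
        ["tasklist", "/s", host, "/fo", "csv", "/nh"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed sample: process list of the hypothetical host "ECR-SRV".
SAMPLE_TASKLIST = '''"System Idle Process","0","Services","0","24 K"
"svchost.exe","812","Services","0","11,204 K"
"MonitoringClient.exe","2240","Console","1","85,112 K"
"TeamViewer_Service.exe","1832","Services","0","9,480 K"
"winvnc.exe","3016","Services","0","6,120 K"
'''

# Constructed sample: one contractor session, opened and closed the same morning.
SAMPLE_LOG = [
    Session("ECR-SRV", datetime(2023, 12, 4, 9, 0), datetime(2023, 12, 4, 11, 30)),
]

if __name__ == "__main__":
    for when in (datetime(2023, 12, 4, 10, 0), datetime(2023, 12, 4, 14, 0)):
        found = audit("ECR-SRV", SAMPLE_TASKLIST, when, SAMPLE_LOG)
        print(when.isoformat(), "findings:", found or "none")
```

On a live check, pass `collect(host)` as the process list for each of the two servers; a finding outside a logged session means remote access was left open.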

Incident - Worm attack on maritime IT and OT.

A ship was equipped with a power management system that could be connected to the internet for software updates and remote operation. The ship was built recently, but this system was not connected to the internet. The company decided to perform vulnerability scans to determine if the system had evidence of infection. The team discovered a dormant worm that could have activated itself once the system was connected to the internet.

The shipowner advised the producer about the discovery and requested procedures on how to erase the worm. The crew stated that before the discovery, a service technician had been aboard the ship. It was believed that the infection could potentially have been caused by the technician. The worm spread via USB devices into a running process, which executes a program into the memory. This program was designed to communicate with its command and control server to receive its next set of instructions. It could even create files and folders.

The company asked cybersecurity professionals to conduct an analysis. It was determined that all servers associated with the equipment were infected and that the virus had been in the system undiscovered for 875 days.

5.5. Chart & Bridge Publications

| Risk | Likelihood | Severity | Measures |
|---|---|---|---|
| OS Crash | Rare | Minor | Windows 10 continuously updated |
| Hardware Failure | Likely | Moderate | Not critical on OT security |
| Remote access | Possible | Major | No emails read on that computer; A computer used only for that purpose |
| Virus contamination | High | Moderate | This computer SHALL not be used for internet browsing; This computer is protected with an up-to-date antivirus software |
| Spyware & Phishing | Possible | Moderate | This computer SHALL not be used for email; This computer is protected with an up-to-date antivirus software |

Even if this MS Windows computer is used close to the ECDIS system and directly connected to the internet, only communication with a dedicated USB stick is allowed. This USB stick is regularly re-formatted for the same reasons.

5.6. VSat Controller & Modem

| Risk | Likelihood | Severity | Measures |
|---|---|---|---|
| Control of the antenna | Rare | High | Firmware updated yearly |
| Sniffing | Rare | High | Firmware updated yearly |
| DoS | Rare | Medium | Outside the vessel's scope of control |

These devices can be accessed externally (i.e., from the SAT provider), which allows a potential external attack. The vessel can only rely on the goodwill and professionalism of the Internet provider and Sat operator. The reputation of the provider is therefore a critical element in the choice of the SAT provider.

5.7. Deepblue© Management System

Risk | Likelihood | Severity | Measures
OS Crash | Rare | Minor | Mac OS to be updated regularly to the latest version by the IT person, based on provider advice.
Hardware Failure | Likely | Moderate | Not critical on OT security
Remote access | Possible | Major | Only the latest version of TeamViewer is to be used. ETO to regularly update TeamViewer.
Virus contamination | Rare | Moderate | This computer is not used for internet browsing; based on BSD Unix system, less subject to an existing virus.
Spyware & Phishing | Possible | Moderate | This computer is never used for email, but administrator-level users (management company, captain, ETO, …) are likely to receive phishing emails requesting passwords. Users to be trained.
Ransomware | Possible | Moderate | Mac OS to be updated regularly to the latest version by the IT person, based on provider advice. The server is a replication of a backed-up cloud server which can be re-synchronised.
Critical data breach | Possible | Major | The data stored is critical; the supplier should pay greater attention to the code.
Social hacking | High | Major | Training on the importance of password policy and phishing traps.

Deepblue© management system consists of 2 servers:

  • One server in the cloud using the state-of-the-art cloud facilities, Unix based system and audited open-source software. It is the responsibility of Deepblue to do their own due diligence.
  • A local server which replicates the cloud server. It is the responsibility of Deepblue© to maintain the layers of technologies used to the latest version and patch against known breaches of security.

In case of failure of the local server, a simple synchronisation should be sufficient and no critical vessel operation should be compromised, although ship-to-shore exchange may be reduced due to the lack of local data.

This server is used to store critical data:

  • Crew personal data, including passport scans, bank details, ...
  • Guest sensitive data, including passport scans, charter program, ...
  • ISM procedures and reports
  • Accounts, banking and financial data

This server is accessed by all the crew onboard and by shore-side managers. Training about cyber risks and password-related social risks should be provided. Shore-based company managers have individual access to sensitive data, based on personal credential access.

Social hacking has to be considered a high priority.

5.8. Wifi and Firewall

Risk | Likelihood | Severity | Measures
Password leak | High | Major | Wifi passwords to be changed (see below)
OS Crash | Rare | Minor | System continuously updated
Hardware Failure | Likely | Moderate | Wifi AP spare available onboard
Remote access | Possible | Major | Wifi passwords to be changed (see below)
Virus contamination | Rare | Moderate | Unix based system
Ransomware | Possible | Moderate | No data stored
DoS | Possible | Minor | Constant monitoring of the traffic by the ETO

The Wifi network uses a CISCO Wifi/LAN controller and a Kerio «RedBox» firewall, which are state-of-the-art hardware, but the passwords are used by numerous people: crew, guests and external contractors.

The firewall must be continuously updated to its latest version and protected against viruses and threats. The licence is to be renewed annually.

The internal network is segregated into leakproof sub-networks, separating management-level crew, owner, guests, AV and technical devices. Passwords shall not be shared with anyone else.

Wifi passwords are to be changed:

  • Every charter for Guests network
  • Every year for Owner, Management and Crew networks
  • Every 5 years for technical devices

The company should be fully aware that this part of the equipment is the first wall against continuously evolving cyber-piracy attacks, and that an uninterrupted effort to keep it at the level of the latest technologies is crucial.

5.9. Crew Computers

Risk | Likelihood | Severity | Measures
Wifi Password leak | High | Major | Wifi passwords to be changed annually
Uncontrolled Bandwidth Usage | High | Minor | Bandwidth usage to be controlled; video streaming to be monitored or banned
Virus spread | High | Minor | Crew network strictly segregated from operational networks. Particular attention to managers (Captain, CE, ETO) who may interact with OT devices.
Yacht domain email addresses | Possible | Major | The vessel is equipped with yacht domain email addresses, which can be a breach of cybersecurity. Anti-virus must be used on Windows computers that connect to operationally critical equipment. Anti-phishing training to be provided onboard.
NAS | Possible | Moderate | The network file server accessible to the crew should be regularly scanned for viruses.

Although it is very difficult to control each individual crew computer, the network security rules should never be relaxed. An up-to-date banned websites list is to be automatically maintained using continuous firewall updates.

Bring your own device (BYOD): It is recognised that the crew may be allowed to bring their own devices (BYOD) on board to access the ship’s system or network. Although this may be both beneficial and economical for ships, it significantly increases the level of vulnerability because these devices may be unmanaged. Policies and procedures should address the control and use of BYODs, as well as how to protect vulnerable data, by using network segregation for example.

5.10. CCTV

Risk | Likelihood | Severity | Measures
Camera Hacking | Rare | High | The CCTV network is only accessible on one Wifi sub-LAN. Persons other than the management team are not allowed to use it.
Deletion of recordings | Rare | High | Idem

The CCTV camera system is a critical part of the SSP. Therefore, the ability to access this service on the internal network is a potential security risk. It is critical that the onboard management team does not share the management Wifi password with lower-ranked users.

5.11. Domotic

Risk | Likelihood | Severity | Measures
Remote Access | Rare | Low | iOS device updated

The iPads control the domotics through a Crestron controller. It is part of operational technologies (OT) but limited to basic domotic operations (lights, curtains, AC, AV, few CCTV, …). No critical life-threatening risk has been found related to these devices.

5.12. Password Management System

The yacht uses a centralised, secured and encrypted password pool. Passwords are not saved on personal or work computers. The password database is accessible only to the management team:

  • Master
  • Chief Officer
  • Chief Engineer (and by delegation ETO)

When a member of this team is replaced, their credentials are to be removed, and this has to be part of the handover procedure. Details of the password management tool are available at the discretion of the master to flag/port authorities only and are not written in the present document.

6. Detect

The outcome of the company’s risk assessment and subsequent cybersecurity strategy should be a reduction in risk to be as low as reasonably practicable. At a technical level, this would include the necessary actions to be implemented to establish and maintain an agreed level of cybersecurity.

It is important to identify how to manage cybersecurity on board and to delegate responsibilities to the master, responsible officers and when appropriate the company security officer.

6.1. Defence in-depth and in breadth

It is important to protect critical systems and data with multiple layers of protection measures, which take into account the role of personnel, procedures and technology to:

  • Increase the probability that a cyber incident is detected
  • Increase the effort and resources required to protect information, data or the availability of IT and OT systems.

Connected OT systems onboard should require more than one technical and/or procedural protection measure. Perimeter defences such as firewalls are important for preventing unwelcome entry into the systems, but this may not be sufficient to cope with insider threats.

B&B monitoring systems onboard should require more than one technical and/or procedural protection measure. Perimeter defences such as firewalls are important for preventing unwelcome entry into the system, but this may not be sufficient to cope with insider threats.

This defence-in-depth approach encourages a combination of:

  1. Physical security of the ECR following the ship security plan (SSP).
  2. Protection of the network, including effective segmentation.
  3. No external contractor should be left alone in the ECR.
  4. Periodic vulnerability scanning and testing.
  5. Software whitelisting.
  6. Access and user controls: Only the chief engineer, ETO and B&B employees are allowed to access the ECR servers.
  7. Systematic anti-virus scan of removable media and password policies and personnel’s awareness of the risk and familiarity with appropriate procedures.

6.2. Configuration of network devices: firewalls, routers and switches

It should be determined which systems should be attached to controlled or uncontrolled networks. Controlled networks are designed to prevent any security risks from connected devices by use of firewalls, routers and switches. Uncontrolled networks may pose risks due to lack of data traffic control and should be isolated from controlled networks, as direct internet connection makes them highly prone to infiltration by malware.

  • Networks that are critical to the operation of the ship itself are controlled. These systems must have a high level of security, and no device is allowed to be connected to this section of the network without extra security measures and scans.
  • Networks that provide suppliers with remote access to navigation and other OT systems’ software on board, should also be controlled. These networks may be necessary to allow suppliers to upload system upgrades or perform remote servicing. Shoreside external access points of such connections should be secured to prevent unauthorised access, opened from the inside before the maintenance and immediately closed after.
  • Other networks, such as guest access networks and crew networks, may be uncontrolled, for instance, those related to recreational activities or private internet access for crew. Normally, any wireless network should be considered uncontrolled and potentially a source of a breach.

6.3. Wireless access control

Wireless access to networks on the ship should be limited to appropriate authorised devices and secured using a strong encryption key, which is changed regularly.

The following is considered for controlling wireless access:

  • The use of enterprise authentication systems using asymmetric encryption and isolating networks with appropriate wireless dedicated access points (e.g. guest networks isolated from the crew or management networks).
  • Modification of Wifi passwords:
    • after each charter for the Guest network
    • after each season for the Crew and Management
    • after the departure of the IT manager, Master and Chief Officer for all networks
  • The protection of the physical servers and network routers

6.4. Malware detection

Scanning software that can automatically detect and address the presence of malware in systems onboard should be regularly updated, and the security software licence is to be renewed annually.

As a general guideline, onboard computers should be protected to the same level as office computers ashore. Anti-virus and anti-malware software should be installed, maintained and updated on all personal work-related computers onboard. This will reduce the risk of these computers acting as attack vectors towards servers and other computers on the ship’s network.

6.5. Secure configuration for hardware and software

Only senior officers should be given access to the management network so that they can control the setup and disabling of normal user profiles. User profiles should be restricted to only allow the computers, workstations or servers to be used for the purposes, for which they are required.

6.6. Email and web browser protection

Email communication between ship and shore is a vital part of a yacht's operation. Appropriate email and web browser protection serves to:

  • Protect shoreside and onboard personnel from potential social engineering
  • Prevent email from being used as a method of obtaining sensitive information
  • Avoid the exchange of sensitive information via email; prefer voice, for example, for credit card number authorisation.
  • Prevent web browsers and email clients from executing malicious scripts.
  • Usage of peer-to-peer sharing software is strictly forbidden and blocked by firewall rules.

Some best practices for safe email transfer are: email as zip or encrypted file when necessary, disable hyperlinks on the email system, avoid using generic email addresses and ensure the system has configured user accounts.

6.7. Data recovery capability

Data recovery capability is the ability to restore a system and/or data from a secure copy or image, thereby allowing the restoration of a clean system. Essential information and software-adequate backup facilities should be available to help ensure recovery following a cyber incident.

Retention periods and restore scenarios should be established to prioritise which critical systems need quick restore capabilities to reduce the impact. Systems that have high data availability requirements should be made resilient. OT systems, which are vital to the safe navigation and operation of the ship, should have backup systems to enable the ship to quickly and safely regain navigational and operational capabilities after a cyber incident.

  • A spare, fully configured B&B monitoring server is available at all times for immediate replacement.
  • All personal work computers are to be automatically backed up at regular intervals on the NAS file server.
  • No work-related data or document is to be kept on the personal work computer. Instead, users should work directly on the NAS (which is automatically backed up on redundant RAID disks), or work locally, upload to the NAS file server and immediately delete the local copy, or upload to the Deepblue© information system (which is secured and backed up online).

6.8. Application software security (patch management)

Safety and security updates are provided to onboard systems. Ordinary security patches should be included in the periodic maintenance cycle. Critical patches should be evaluated in terms of operational impact on the OT systems. These updates or patches should be applied correctly and promptly to ensure that any flaws in a system are addressed before they are exploited by a cyber attack. If a critical patch cannot be installed, alternative measures should be evaluated to help implement virtual patching techniques.

6.9. Remote access

A policy is established for control over remote access to onboard IT and OT systems. Clear guidelines should be given as to who has permission to access, when they can access, and what they can access. Any procedures for remote access should include close coordination with the ship’s master or other key senior ship personnel.

The remote access should be closed immediately at the end of the work.

All remote access occurrences should be recorded into the Deepblue Maintenance System for review in case of a disruption to an IT or OT system. Systems, which require remote access, should be clearly defined, monitored and reviewed periodically.

6.10. Use of administrator privileges

Access to information is only allowed to relevant authorised personnel:

  • Master
  • Chief Officer
  • Chief Engineer (and by delegation to the ETO)

User privileges must be removed when the people concerned are no longer on board. User accounts should not be passed on from one user to the next using generic usernames. Similar rules should be applied to any onshore personnel who have remote access to systems on ships, when they change role and no longer need access.

During the handover, the personnel listed above must hand over their password bag, and it is the responsibility of the new member to modify the passwords and/or delete former accesses.

6.11. Physical and removable media controls

When transferring data from uncontrolled systems to controlled systems, there is a risk of introducing malware. Removable media can be used to bypass layers of defences and attack systems that are otherwise not connected to the internet. A clear policy for the use of such media devices is important; it must help ensure that media devices are not normally used to transfer information between uncontrolled and controlled systems.

The following systems should have dedicated USB removable media that should be reformatted before each use:

  • B&B ER monitoring server
  • Bridge ECDIS

The device should only be loaded on computers that have continuous virus and malware monitoring, or that use a different operating system.

6.12. Equipment disposal, including data destruction

Obsolete equipment can contain data which is commercially sensitive or confidential. Before disposal of the equipment, the company should have a procedure in place to ensure that the data held in obsolete equipment is properly destroyed and cannot be retrieved.

6.13. Obtaining support from ashore and contingency plans

Ships should have access to technical support in the event of a cyber attack. Details of this support and associated procedures should be available onboard. The yacht has identified the following company to be used in case of cyber attack:

Name of the Company:

email and telephone number:

country:

6.14. Additional protection measures

Training and awareness of the personnel onboard, including the master, officers and crew, on the cybersecurity plan, including but not limited to:

  • risks related to emails;
  • risks related to internet usage, including social media;
  • risks related to the use of own devices which may be missing security patches;
  • safeguarding user information, passwords and pin codes;
  • cyber risks concerning the physical presence of external contractor personnel, where technicians are left to work on equipment without supervision;
  • detecting suspicious activity or devices and how to report a possible cyber incident. Examples of this are strange connections that are not normally seen or someone plugging in an unknown device on the ship network;
  • procedures for protection against risks from service providers’ removable media before connecting to the ship’s systems;
  • awareness that the presence of anti-malware software does not remove the requirement for robust security procedures.

Incident - Surveyor’s access to a ship’s administrative network.

During a routine survey, a surveyor requested permission to access a computer in the engine control room to print documents for signature. The surveyor inserted a USB drive into the computer and unwittingly introduced malware onto the ship’s administrative network. The malware went undetected until a cyber assessment was conducted on the ship later, and after the crew had reported a “computer issue” affecting the business networks. The USB device holding the PDF files could instead have been inserted into the printer and the files printed directly.

7. Respond and recover

7.1. Effective response

A team, which may include a combination of onboard and shore-based personnel and/or external experts, should be established to take the appropriate action to restore the IT and/or OT systems so that the ship can resume normal operations. The team should be capable of performing all aspects of the response.

An effective response should at least consist of the following steps:

  1. If OT is affected, the DPA should be immediately informed, using Deepblue© Incident report
  2. Initial assessment:
    • how the incident occurred?
    • which IT and/or OT systems were affected and how?
    • the extent to which the commercial and/or operational data is affected?
    • to what extent any threat to IT and OT remains?
  3. Recover systems and data. Following an initial assessment of the cyber incident, IT and OT systems and data should be cleaned, recovered and restored.
  4. Investigate the incident. To understand the causes and consequences of a cyber incident, an investigation should be undertaken by the company, with support from an external expert, if appropriate.
  5. Prevent a re-occurrence. Considering the results of the investigation, actions to address any inadequacies in technical and/or procedural protection should be taken, including:
    • adaptation of the current plan;
    • investment in software, hardware, shore support consultancy.

7.2. Recovery plan

For every critical OT system, a recovery procedure should be available in hard copy on board and as part of the dematerialised ISM on Deepblue©. The purpose of the procedures is to support the recovery of systems and data necessary to restore IT and OT to an operational state. To help ensure the safety of onboard personnel, the operation and navigation of the ship should be prioritised in these procedures.

Recovery of OT may be more complex and may require assistance from ashore. Details of where this assistance is available and by whom should be part of the recovery procedures, for example by proceeding to a port to obtain assistance from a service engineer, together with direct contact information.

7.3. Investigating cyber incidents

Investigating a cyber incident can provide valuable information about how a vulnerability was exploited. Companies should, wherever possible, investigate cyber incidents affecting IT and OT on board. A detailed investigation may require external expert support.

The current plan should be amended based on:

  • the findings of the incident
  • the advice of external support

Training onboard should include experience learned from previous cyber incidents.

7.4. Cover for liability

For insurers, the term “cyber” includes many different aspects and it is important to distinguish between them and their effects on insurance cover. Some insurers believe that there is no systemic risk to ships arising from a cyber incident and the impact of an incident will most likely be confined to a single ship.

Companies should be able to demonstrate that they are acting with reasonable care in their approach to managing cyber risk and to protecting the ship from any damage that may arise from a cyber incident.

7.5. Cover for property damage

Generally, in many markets offering marine property insurance, the policy may cover loss or damage to the ship and its equipment caused by a shipping incident such as grounding, collision, fire or flood, even when the underlying cause of the incident is a cyber incident. It may be noted that currently in some markets, exclusion clauses for cyber attacks exist. If the marine policy contains an exclusion clause for cyber attacks, the loss or damage may not be covered.

Companies are recommended to check with their insurers/brokers in advance whether their policy covers claims caused by cyber incidents and/or cyber-attacks.

7.6. Cover for liability

It is recommended to contact the P&I Club for detailed information about the cover provided to shipowners and charterers in respect of a liability to third parties (and related expenses) arising from the operation of ships.

An incident caused, for example by malfunction of a ship’s navigation or mechanical systems because of a criminal act or accidental cyber attack, does not in itself give rise to any exclusion of normal P&I cover. In the event of a claim involving a cyber incident, claimants may well seek to argue that the claim arose as a result of an inadequate level of cyber preparedness. This, therefore, further stresses the importance of companies being able to demonstrate that they are acting with reasonable care in their approach to managing cyber risk and protecting the ship.

8. Simplified Network Diagram

9. Revision History

Version | Date | Editor | Revision History
1.0 | 18 Feb 2021 | Christophe Guegan | Initial Commit
1.1 | 26 Feb 2021 | Christophe Guegan & Franck Robert | Mimtee Version
1.2 | 01 Mar 2021 | Christophe Guegan | Simplified diagram added
1.3 | 10 Dec 2023 | Christophe Guegan | Generalisation