connectivity through an amalgam of shoreline, 4G, 5G, and VSAT services, lead to a level of convenience, efficiency, and luxury that is unparalleled anywhere on land and sea. However, those very same features open yachts up to a wide array of cyber risks. While we have not yet publicly seen cyber-criminals take control over a yacht’s OT network, we have seen an increasing trend in attacks designed to steal money and even blackmail owners. While building a cybersecurity program generally requires trade-offs and compromises, the nature of yachting creates a unique opportunity to develop a cybersecurity program without compromise.
The core of any good cybersecurity program is about managing and mitigating the risks associated with the implementation and usage of technology. By engaging in cyber risk management, yachts can set their agenda by identifying, managing, and mitigating risk effectively on the yacht. The process of cyber risk management is not purely a technical question, but rather must include business process and industry knowledge in determining the most serious risks to the yacht.
A moderate vulnerability on a critical system can pose a significantly higher risk than a serious vulnerability on an unimportant system. While defining the exact contours of cyber risk management can be difficult, it cannot be a one-time occurrence; rather, it must be a constantly evolving and iterative process that is refined and strengthened by folding in new knowledge, evolving threats, and changing security tactics.
Traditional defenses, such as firewalls and antivirus, generally fall into the ‘Protect’ function and are designed to keep the criminal out, but yachts need a defense-in-depth approach that not only keeps criminals at bay, but can also catch and respond to a criminal who breaks through before he can do any real damage. Ensuring security controls are well balanced between the functions is critical to enabling the cybersecurity program to effectively prevent, detect, and respond to any threat.
Yachts exist in a much broader ecosystem, including builders, suppliers, managers, crew, and countless other companies. In order to effectively control for the broader landscape of cyber threats, yachts must practice third-party vendor risk management, to ensure that the ecosystem supporting yachts is safe, secure, and doesn’t pose a risk to the yacht.