Breaking the Deadlock:
When Cyber Security regulations came on the floor, I couldn’t help wondering which industry stakeholder had put enough pressure on the IMO for something like that to happen, but mostly, for it to happen so fast and to be so poorly defined.
Let’s look at it from a functional point of view. Cyber security is a very ship-specific concept. Within a company operating possibly many, potentially different ships, the requirement that cyber issues are addressed in the company SMS cannot mean more than some vague statement that individual ships have been assessed and made compliant in a ship-specific way. That brings me to the first quandary: How can a “security” aspect, something intrinsically confidential, be handled in the company SMS? The SMS should be the most openly and widely published document in any company. Doesn’t Cyber Security rather belong in individual ships’ SSPs?
With that question in the air, there is the other aspect. What do we mean by “Cyber Security”? In our luxury yacht industry, people promptly jumped to data protection and the confidentiality of owners and guests. The concentration was always on malignant activities, while the focus of the rules, in my opinion, is rather on the prevention of accidental events. Where malignant events are concerned, the fact that the regulations have been put under ISM rather than ISPS should be an indication that they are still concerned with the safe operation of the ship rather than data theft or its use for criminal activities.
In a recent video pitch, Matthew Roberts of Riela Yachts very smartly used the term “Cyber Safety”, and the whole speech was very much along the same line of thought. Have a listen, as it is quite insightful: https://www.youtube.com/watch?v=_NQxzStcy0o
A few months ago, I had a discussion with a friend about Motor Yacht VENUS and her bridge visibility. The opposing argument was that everything is computer-driven and the captain just walks about on deck with a little interface device and steers the boat from anywhere. The thought of all that can go wrong there plain frightens me. Must be me being old school, but then again…
… Most people in our industry are aware of the very recent incident with MY GO in Sint Maarten. The first indications, as commented on by Captain Johnson himself, are that a heavily computer-based system suddenly decided to take maneuvering into its own hands. This is no “Speed 2” material, nor any malignant attack. Your computer at home does crash or act up once in a blue moon. In a bridge controlled by 14 computers, unexpected things will happen. It’s not a question of if, but just of when.
Would this be what Cyber Safety is all about, rather than cloak-and-dagger hacker stuff?
I’d be curious to have the honest opinion of the industry’s operational staff on the whole deal.
(c) GO picture from Superyacht News, the others from Google.