
Cyber Security IMO2021 Requirements Yachts

The document discusses cyber security requirements for superyachts according to new IMO 2021 regulations. It outlines the threats to superyachts from cyber attacks, describes the basis and requirements of IMO 2021, and introduces a cyber security solution called Fleet Secure Endpoint that can help owners and managers comply. The solution provides features to identify systems, conduct risk assessments, detect and respond to attacks, and support training and compliance.


RESEARCH PROGRAMME

WHITE PAPER
DECEMBER 2020
White Paper
Cyber security requirements for IMO 2021


CYBER SECURITY
REQUIREMENTS FOR IMO 2021

CONTENTS
1 Introduction
2 Cyber risk management – the threat to superyachts
– Vessel threats and vulnerabilities
– Hardware, software, personnel
3 The basis for IMO 2021
4 IMO 2021 in practice
– Systems inventory
– Risk assessment scope
– Responsibilities
5 IMO 2021 compliance
– Responding to, recovering from and training for cyber attacks
– A pathway to compliance
– Compliance checklist
6 Fleet Secure Endpoint – an introduction
– Security and endpoints
– Fleet Secure Endpoint onboard
7 Fleet Secure Endpoint – supporting IMO 2021 compliance
– Identify, Protect, Detect, Respond and Recover
– Recovery, reporting, manageability
– Fleet Secure Endpoint compliance checklist
– Fleet Secure Endpoint key benefits
8 Fleet Secure Endpoint - installation and use
– Dashboard and alerting
– Fleet Secure Endpoint use in context
9 Cyber security, Crew Training and Awareness
10 Fleet Secure Endpoint – real case studies
11 Conclusion and Next Steps

inmarsat.com

01 INTRODUCTION

Developments in connectivity and the transfer of data in greater volumes between yacht and shore continue to bring significant gains for guest and crew experience, operations, yacht management efficiency and crew welfare, but they also increase the vulnerability of critical systems onboard vessels to cyber attacks.

Despite an increase in cyber attacks on both OT (Operational Technology) and IT (Information Technology) systems onboard superyachts in line with the growth in digitalisation in the sector, there is still a lack of awareness amongst superyacht professionals about cyber resilience and the most effective cyber security measures. The 2020 Inmarsat Superyacht Connectivity Report* reported that 40% still did not know the difference between anti-virus software and network endpoint security, while 43% said their vessel’s crew had not completed cyber security training.

Cyber attacks on superyachts typically focus on threats to privacy and reputation, theft of financial data and personal data, ransomware, malware, industrial espionage and attacks on crew and guest devices. Once a system has been breached, malicious hackers can do anything from stealing data to gaining and maintaining full access of a device, jeopardising the safety of both the individual and the operational integrity of the vessel.

The enduring feature of cyber threats is their ability to adapt and evolve, with new lines of attack developed as barriers are put in place, and strategies to expose vulnerabilities constantly emerging. A June 2020 White Paper** from the British Ports Association and cyber risk management specialists Astaara suggests that reliance on remote working during the COVID-19 crisis coincided with a fourfold increase in maritime cyber attacks from February onwards, for example.

Given that, according to IBM, companies take on average about 197 days to identify and 69 days to contain a cyber breach, it is clear that an attack on a vessel’s critical systems could threaten the safety of a superyacht. The fact that a 2019 Data Breach Investigations Report from Verizon indicates that nearly one-third of all data breaches involve phishing provides one indicator that the "human element" can badly expose existing cyber vulnerabilities.

The U.S. Coast Guard has already advised ship owners that basic cyber security precautions should include: segmenting networks so that infections cannot spread easily; checking external hardware such as USB memory devices for viruses before connection to sensitive systems; and ensuring that each user on a network is properly defined, with individual passwords and permissions.

From 2021, the Convention for the Safety of Life at Sea will formalise a stricter approach to cyber security for both charter and private superyachts, including yachts over 500 GT and those with more than 12 passengers.

By International Maritime Organization (IMO) resolution, no later than a yacht’s first annual Document of Compliance audit after 1 January 2021, every Safety Management System must be documented as having included cyber risk management, in line with the International Safety Management Code.

The following report offers superyacht owners and managers guidance covering their responsibilities under the new IMO regime and explains how the cyber security solution Fleet Secure Endpoint provides a comprehensive tool to support them towards compliance.

* 2020 Inmarsat Superyacht Connectivity Report downloadable at: https://www2.inmarsat.com/superyacht-connectivity-report-2020
** Managing Ports’ Cyber Risks: https://www.britishports.org.uk/system/files/documents/bpa_astaara_white_paper_0.pdf


02 CYBER RISK MANAGEMENT - THE THREAT TO SUPERYACHTS

One description of cyber risk management used by IMO sees it as “the process of identifying, analysing, assessing, and communicating a cyber-related risk and accepting, avoiding, transferring, or mitigating it to an acceptable level, considering costs and benefits of actions taken to stakeholders”.

The description draws on wording developed by the National Institute of Standards and Technology (NIST) of the US Department of Commerce for Cyber Supply Chain Risk Management (C-SCRM). In full, NIST explains C-SCRM as the process of identifying, assessing and mitigating the risks associated with the distributed and interconnected nature of data-centric information technology (IT) systems and the operational technology (OT) systems monitoring events, processes and devices. It is a process which covers a system’s entire life cycle (design, development, distribution, deployment, acquisition, maintenance, and destruction), given that supply chain threats and vulnerabilities may (intentionally or unintentionally) compromise IT/OT at any stage.

Businesses most commonly experience the consequences of cyber threats as financial penalties but this is not always the case, as perpetrators can include:
– Terrorism
– Hacktivist groups
– Nation states
– Insider attacks
– Cyber criminals

While all of the above involve ‘bad actors’, many attacks are also automated and their source is not immediately apparent: they succeed by repeated or multiple probing for weaknesses in an organisation’s systems or by individual acts of carelessness by those having access to them. In addition, cyber security can be vulnerable where ‘threats’ are non-adversarial (e.g. software maintenance, or any activity involving connectivity for a third party onboard).

Effective cyber risk management must therefore consider not only multiple cyber assailants but: diverse lines of attack (targeted and random); continuous efforts by assailants to update strategies including malicious coding; and vulnerabilities in hardware, software and human behaviour.

SUPPLY CHAIN CYBER THREATS AND VULNERABILITIES

THREATS:
– Adversarial: e.g. insertion of counterfeits, tampering, theft, insertion of malicious software.
– Non-adversarial: e.g. natural/man-made disaster, poor quality products/services, poor practices.

VULNERABILITIES:
– Internal: e.g. information systems and components, organizational policy/processes.
– External: e.g. weaknesses to supply chain/within entities in supply chain, dependencies (power, communications, transportation, etc.).

The increase in cyber attacks on superyachts was evident before this year, but the rate of growth has accelerated during the pandemic. It is not just superyachts over 500 GT that are under threat. Smaller yachts, though not covered by the IMO regulations, can also be targeted. Reported incidents include an owner that lost $11 million in a cyber attack when a hacker used a phishing email to get into the network, while another Captain lost €100,000 on what he believed was a fuel payment. Further incidents include blackmailing and ransom requests.

YACHT THREATS AND VULNERABILITIES

For superyachts, which often have High Net Worth Individuals onboard in a sector consisting of the rich and famous, plus high complexity of systems and good internet connectivity, the risk of targeted and untargeted attacks is significant and the cost of inaction when it comes to cyber resilience is high.

However, superyachts themselves increasingly play a fully connected data-centric role in the supply chain. In doing so, common cyber vulnerabilities can be found onboard existing vessels, and on some new-build vessels. These may include:
– Obsolete and unsupported operating systems
– Outdated or missing anti-virus software and protection from malware
– Inadequate security configurations and best practices, including the use of default administrator accounts and passwords, and ineffective network management
– Onboard computer networks which lack boundary protection measures and segmentation
– Safety-critical equipment or systems always connected with the shore side
– Inadequate access controls for third parties including contractors and service providers

If these vulnerabilities are well-known, it is also widely recognised that incidents onboard are under-reported. Furthermore, a hallmark of successful cyber crime will be a lack of publicity. In fact, the full extent of the incidents affecting the yachting sector is therefore hard to gauge. It is evident that the sensitivity issues of high net worth and famous individuals may play a part in the under-reporting of cybercrime onboard superyachts. Superyacht managers and owners may prefer to keep matters of ransom, privacy breaches or blackmail private, with the temptation to deny any attacks over concerns that the superyacht would not be accepted for charter, or to protect privacy or reputation.

It is nonetheless fair to point out that – for the connected superyacht – the vulnerabilities listed above are not simply exposed to the same spread of cyber threats as land-based counterparts: they are also subject to the General Data Protection Regulation (GDPR). Effective in EU jurisdictions from 2018, GDPR requires businesses to demonstrate sufficient control and protection over the data they own - especially if they subsequently have a breach. Failure to comply can bring fines of up to 4 per cent of an organisation’s global turnover or £17.5m, whichever is higher.

With more devices on board, and more applications and media channels being used than ever before, some superyachts are doubling their data usage every six months according to an Inmarsat analysis of its more than 10,000 Fleet Xpress customer vessels. The need for cyber resilience has therefore never been greater.

HARDWARE, SOFTWARE AND PERSONNEL

Understandably, the superyacht is not itself likely to be the focus for targeted Distributed Denial of Service (DDoS) attacks, whose targets tend to be corporate or more transactional. However, malware and ransomware can be introduced easily enough to the unguarded yacht network, via:
– Terminal hardware
– Software updates
– Misconfigured systems
– Inadequate integration
– Maintenance and design of cyber-related systems

In addition, yacht networks are vulnerable to cyber threats arising from:
– Email, Phishing, social media scams, etc.
– USB memory stick as a source of malware
– Downloaded malware
– Connection with infected devices – cell phone, laptop, tablet
– Unauthorised use of bandwidth, exposing a lack of network segregation

These second types of vulnerability relate to ‘the human element’, and specifically to weaknesses in cyber resilience brought by shortcomings in procedures, training and awareness among personnel.

Even setting aside the operational headaches, cost of system renewal and expenditure on training that a cyber breach can bring, superyachts that fall victim to a cyber attack can expect far-reaching implications that may include:


– Claims against interruption to operations, e.g., a virus affecting onboard systems causes costly delays in getting to port, potentially leading to charter party disputes and claims for compensation
– Loss of business-sensitive information could result in blackmail, with settlement no guarantee of closure
– Insurance cover: impact on premiums due to lack of cyber security measures
– Loss of reputation: image tarnished by vulnerability to hackers
– Privacy impact: fined for failing to secure guest or crew information

SYSTEMIC VULNERABILITIES
IMO highlights the following superyacht systems
as vulnerable to cyber attack:
1. Bridge systems
2. Propulsion and machinery management and
power control systems
3. Access control systems
4. Passenger servicing and management systems
5. Passenger facing public networks
6. Administrative and crew welfare systems
7. Communication systems
8. Cargo handling and management systems


03 THE BASIS FOR IMO 2021

To be approved as IMO-compliant, after 1 January 2021 every superyacht's Safety Management System MUST include a Cyber Security Plan. However, some will be unfamiliar with the rationale driving ‘IMO 2021’.

Regulators have aligned the provisions with International Safety Management Code (ISM Code) guidelines to ensure that companies and their employees, on superyacht and shore, observe the Convention for the Safety of Life at Sea (SOLAS). The ISM Code requires all identified risks to superyachts, personnel and the environment to be assessed and appropriate safeguards to be established.

IMO sees it as the responsibility of the superyacht owner/manager to “Identify, Protect, Detect, Respond [to] and Recover [from]” cyber attacks through the preparation of cyber security planning that can be audited as part of a superyacht's Safety Management System. These functional elements can be explained as:

– Identify: Develop the understanding to manage cyber security risk. Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to yacht operations.
– Protect: Safeguard to ensure delivery of critical infrastructure services. Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of operations.
– Detect: Develop and implement activities necessary to detect and identify the occurrence of a cyber-event in a timely manner.
– Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for operations or services impaired in the event of a detected cyber security breach/cyber-event.
– Recover: Identify measures to back-up and restore cyber systems necessary for operations impacted by a cyber-event. Maintain plans for resilience and to restore all that was impaired by the cyber security event.

Guidelines on Cyber Security Onboard Ships Version
2.0 were produced with input and support from
a joint maritime industry working group whose
members include BIMCO, Cruise Lines International
Association (CLIA), International Chamber of
Shipping (ICS), International Association of Dry
Cargo Shipowners (INTERCARGO), International
Association of Independent Tanker Owners
(INTERTANKO), International Union of Maritime
Insurance (IUMI) and Oil Companies International
Marine Forum (OCIMF). These guidelines describe
vessel cyber security as “an inherent part of the
safety and security culture necessary for the safe
and efficient operation of the ship”. The guidelines
are addressed to senior management ashore and
onboard personnel alike.
The following section offers guidance on what ‘IMO
2021’ means in practice for owners.


04 IMO 2021 IN PRACTICE

By IMO resolution (MSC.428(98)), no later than a superyacht's first annual Document of Compliance verification after 1 January 2021, any superyacht's Safety Management System (SMS) will need to take account of cyber risk management to secure Flag State approval, in accordance with the ISM Code.

The Cyber Security Onboard Ships Version 2.0 Guidelines note that chapter 8 of the International Ship and Port Security Code obliges vessels to conduct security assessments, which should include all operations that are important to protect. They should address radio/telecommunication systems, including computer systems and networks and those controlling and monitoring yacht to shore internet connectivity. The Guidelines note, in the context of the fast adoption of digitalised onboard OT systems, that systems “have not always been designed to be cyber resilient”.

The objective of a superyacht's Safety Management System (SMS), meanwhile, is to provide for safe practices and a safe working environment by establishing appropriate mitigation measures based on an assessment of all identified risks to superyachts, personnel and the environment. As cyber-enabled systems present operational risks, the justification for incorporating cyber risk management into Safety Management Systems is self-evident.

To verify that companies have adequately and appropriately implemented and incorporated appropriate cyber risk mitigation into their SMS, internal and external audits are required in accordance with the ISM Code. Routine examinations would verify that a management system includes cyber risk management with a cursory review of the system’s documentation.

Achieving and documenting compliance relies on superyacht owners and superyachts having had their IT, operating technology systems, procedures and crew training risk-assessed to demonstrate that they are prepared for cyber attacks and the actions that will be taken should systems be compromised.

The IMO resolution on cyber risk, MSC.428(98), references MSC-FAL.1/Circ.3, the Guidelines on maritime cyber risk management, which offer an introduction to cyber threats in the maritime domain covering:
– IT and OT systems
– Intentional and unintentional threats
– Identify – Protect – Detect – Respond – Recover
– International best practices – ISO and EN standards

This is all-embracing, and the modular concept of the ISM Code is also flexible enough to offer a framework for continuous improvement that can accommodate cyber security in a superyacht's SMS.

Even so, individual superyachts will clearly vary in terms of systems, personnel, procedures and preparedness. The risks to a specific yacht will also be unique and dependent upon the specific integration of cyber systems aboard.

It is nonetheless up to superyacht owners and managers to assess their cyber risks and to implement appropriate mitigating measures: each ‘Document of Compliance’ holder must consider their own cyber risks and implement necessary measures in their SMS.


ISM CODE CYBER SECURITY PROCESS
(SOURCE: DEUTSCHE FLAGGE – ISM CYBER SECURITY 2018)

1. POLICY
2. RESPONSIBILITY
3. COMPLIANCE
4. RISK ASSESSMENT
5. SMS (RESULT RA)
6. MASTER
7. OFFICE SUPPORT
8. QUALIFICATION
9. EMERGENCY
10. REPORTING
11. PMS
12. DOCUMENTATION
13. VERIFICATION
14. EVALUATION
15. CIP (Improvement)

Incorporating cyber risk into the SMS can take several months, depending on the complexity of the systems onboard the vessel involved. Meeting the 2021 deadline, or the first inspection thereafter, will require a combination of technical mitigations, revised (or new) procedures and staff/crew training to develop a practical and cost-effective route to compliance.

It is important to add that ISM does not prescribe a calendar schedule for assessing new risks, instead advising that they are accommodated as soon as possible. For this reason, the SMS should be considered by owners as a ‘live’ document that is regularly updated and improved as risks evolve.

SYSTEMS INVENTORY

Developing a process to identify, protect against, detect, respond to and recover from cyber attacks is no box-ticking exercise: in the first instance, the superyacht owner/manager must establish an inventory of all critical hardware and software systems onboard its superyacht, listing the:
– IoT Systems
– Navigation
– Engine Control
– Cargo Control
– DP, Gas, Firefighting, etc.
– ICT – Business Computer System
– ICT – Crew Systems

This list needs to include:

Hardware
– Record make, model, version, function on all your hardware
– Individual hardware (and IP address) and patch panel, power
– Take note of possible attack surface/connection point among your hardware and work to secure them (USB, Ethernet, exposed wiring)

Software
– Record make and version of the applications used on the superyacht across all hardware.
– Firmware and software application versions, patch levels, malware protection

Existing documentation should be used as much as possible (especially Technical & Engineering details).

In terms of response and recovery, it is also the owner’s/manager's responsibility to formalise the workarounds that address cyber security gaps, so that the superyacht can continue to operate in the event of a cyber attack or its aftermath, or risks can be mitigated. Workaround plans for critical systems and processes should be incorporated into the network and system design and described for Captains in a vessel’s emergency manuals. These plans should include instructions and/or a checklist for use in the event of critical system failure, due to cyber incident or unplanned system breakdown, without a need to request and wait for help from the shore office.

The responsibility for verifying these steps when the superyacht's Document of Compliance is due for renewal also falls to the superyacht's owner/manager.

RISK ASSESSMENT SCOPE

The goal of the assessment of a superyacht's network and its systems and devices is to identify any vulnerabilities that could compromise the equipment, system, network, or even the vessel, or result in a loss of confidentiality, a loss of integrity or a loss of operation. As explained elsewhere, these vulnerabilities and weaknesses broadly fall into one of the following categories:
1. Technical such as software defects or outdated or unpatched systems
2. Design such as access management, unmanaged network interconnections
3. Implementation errors for example misconfigured firewalls
4. Procedural or other user errors

RESPONSIBILITIES

IMO 2021 requirements do not cover servers or staff onshore but they clearly have a major impact on yacht management. For example, the individual managing the superyacht's IT policy and documentation (usually, the ‘ICT Manager’) would also normally be responsible for the owner/manager ISM documentation system.

Critically, under IMO 2021, at a minimum a superyacht's SMS will identify the party ashore and onboard taking responsibility for cyber security (ICT Manager, Chief Security Officer, or any other).

In broad terms, that individual will take responsibility for:
– Having an understanding of the extent of cyber risks
– Managing crew awareness of and preparedness for threats to the vessel’s systems
– Steps to secure vessel systems to minimize the impact if a threat is actualised

In line with the ISO27001 standard, IMO 2021 also states that the owner’s risk assessment should be auditable for the following attributes:
– The hardware installed
– The software in use
– Details of what is connected to the network
– How the above is protected

The ICT Manager will need to work with the Head of Crewing to ensure that the crew understand the importance of cyber security and have been trained either in the classroom or online. A record of the crew’s performance in these training exercises should be kept on file by the HR/Crewing department.
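
The systems inventory fields and the four auditable attributes described above can be checked mechanically before an audit. The following Python is an added example, not part of the white paper or of any Inmarsat product; the record field names, the sample assets and the duplicate-IP check are assumptions made for illustration.

```python
from collections import Counter

# System categories the paper says the inventory must list.
CATEGORIES = (
    "IoT", "Navigation", "Engine Control", "Cargo Control",
    "DP/Gas/Firefighting", "ICT Business", "ICT Crew",
)

# Record fields (names are this example's own) grouped under the four
# attributes the paper says the risk assessment must be auditable for.
AUDIT_ATTRIBUTES = {
    "hardware installed": ("make", "model", "version", "function"),
    "software in use": ("applications", "firmware_version", "patch_level"),
    "what is connected to the network": ("ip_address", "connection_points"),
    "how the above is protected": ("malware_protection",),
}


def is_blank(value):
    """A field counts as unrecorded when it is absent, None or empty."""
    return value is None or value == "" or value == [] or value == {}


def audit_asset(asset):
    """Return findings for one inventory record as (attribute, detail) pairs."""
    findings = []
    if asset.get("category") not in CATEGORIES:
        findings.append(("category", f"unknown category {asset.get('category')!r}"))
    for attribute, fields in AUDIT_ATTRIBUTES.items():
        missing = [f for f in fields if is_blank(asset.get(f))]
        if missing:
            findings.append((attribute, "not recorded: " + ", ".join(missing)))
    # Connection points (USB, Ethernet, exposed wiring) are noted so they can
    # be secured; report every one still marked unsecured.
    for point in asset.get("connection_points") or []:
        if not point.get("secured", False):
            findings.append(("attack surface", f"unsecured {point['type']}"))
    return findings


def audit_inventory(assets):
    """Audit every record and report inventory-wide gaps."""
    per_asset = {a["name"]: audit_asset(a) for a in assets}
    present = {a.get("category") for a in assets}
    ip_counts = Counter(
        a["ip_address"] for a in assets if not is_blank(a.get("ip_address"))
    )
    return {
        # Only records with at least one finding are listed.
        "assets": {name: f for name, f in per_asset.items() if f},
        "categories_without_records": [c for c in CATEGORIES if c not in present],
        # Two records sharing an address usually means one of them is stale.
        "duplicate_ip_addresses": sorted(ip for ip, n in ip_counts.items() if n > 1),
    }


# Constructed sample inventory (not real vessel data).
SAMPLE_INVENTORY = [
    {
        "name": "ECDIS-1", "category": "Navigation",
        "make": "ExampleNav", "model": "EN-200", "version": "B",
        "function": "chart display",
        "applications": ["chart viewer 4.2"],
        "firmware_version": "1.8", "patch_level": "2020-11",
        "ip_address": "10.10.1.5",
        "connection_points": [{"type": "USB", "secured": False},
                              {"type": "Ethernet", "secured": True}],
        "malware_protection": "allow-listing",
    },
    {
        "name": "CREW-PC-3", "category": "ICT Crew",
        "make": "ExamplePC", "model": "P-10", "version": "2",
        "function": "crew welfare",
        "applications": ["browser", "mail client"],
        "firmware_version": "3.1", "patch_level": "",
        "ip_address": "10.10.1.5",
        "connection_points": [{"type": "Ethernet", "secured": True}],
        "malware_protection": None,
    },
    {
        "name": "ENGINE-PLC", "category": "Engine Control",
        "make": "ExampleCtl", "model": "C-7", "version": "1",
        "function": "propulsion control",
        "applications": ["controller runtime"],
        "firmware_version": "", "patch_level": "",
        "ip_address": "10.10.2.9",
        "connection_points": [],
        "malware_protection": "none available, isolated segment",
    },
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for name, findings in report["assets"].items():
        for attribute, detail in findings:
            print(f"{name}: [{attribute}] {detail}")
    print("No records for:", ", ".join(report["categories_without_records"]))
    print("Duplicate IPs:", ", ".join(report["duplicate_ip_addresses"]))
```

An empty list of connection points is treated as "not recorded" here, so a device with genuinely no ports needs that stated explicitly in the record.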


RELATED CYBER SECURITY GUIDELINES

Related guidelines

IMO’s GUIDELINES ON MARITIME CYBER RISK MANAGEMENT refer to three specific guidelines as having been developed to help the superyacht sector get ‘cyber ready’:

1. Guidelines on Cyber Security Onboard Ships – BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, OCIMF, IUMI and WORLD SHIPPING COUNCIL.

Guidance to superyacht owners and managers on procedures and actions to maintain the security of cyber systems onboard superyachts; designed to help owners understand, and manage:
– Limitation and control of network ports, protocols and services
– Configuring network devices such as firewalls, routers and switches
– Secure configuration of hardware and software
– Protecting web browsing and email
– Satellite and radio communications
– Defences against malware
– Data recovery capability
– Wireless Access control
– Application software security (patch management)
– Secure network design
– Physical security
– Boundary defence

The Guidelines also include procedural controls for crew, including training and awareness, software maintenance and upgrades, and anti-virus updates. However, the Guidelines are not a basis for external auditing of a superyacht's approach to cyber risk management.

2. NIST framework

Published in 2014 by the US National Institute of Standards and Technology, the NIST CSF guide focuses on the same five functional elements presented by the IMO for risk management - Identify, Protect, Detect, Respond, Recover - to assist organisations in:
– Describing their current cyber security posture
– Describing their target state for cyber security
– Identifying/prioritising opportunities for improvement within a repeatable process
– Assessing progress toward the target state
– Communicating among internal and external stakeholders about cyber security risk

The NIST framework includes usable profile templates for use in risk assessment profiling at the individual vessel level. The resulting profile will help to identify and prioritise actions to align policy, business and technological approaches in order to manage and reduce risks. Sample profiles are publicly available.

3. ISO27001

The ISO27001-Annex A of cyber security objectives is published currently as ISO 27002. Here, cyber security controls are not specifically focused on Critical Infrastructure Protection or on the Maritime Industry, but with appropriate focus on cyber risk they may be applied by any organization.

ISO27001 is also the only information security management system standard that can be independently certified with a level of authority.


05 IMO 2021 COMPLIANCE

Managing cyber risk onboard a superyacht is considered a natural extension of current operational risk management practices incorporated into existing Safety Management Systems within the existing ISM Code.

The relevant MSC.428(98) - Maritime cyber risk management in safety management systems resolution therefore:

– Affirms that an approved safety management system should consider cyber risk management in accordance with the objectives and functional requirements of the ISM Code.
– Encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems no later than the first annual verification of the superyacht's Document of Compliance after 1 January 2021.

The owner/manager must be able to demonstrate to Port State Control or any other recognized authority that the superyacht, its systems and its crew are prepared for cyber risks and what to do about them in the same way that they would need to document any other safety issue.

Therefore, prepared answers are needed to the questions:
– What assets do we have (kind of hardware/software and what is connected to the network)?
– What would we do if they do not work?
– How are assets protected?
– What would we do if they were compromised?
– Who has control ashore and onboard?

As well as being able to liaise with or identify the person responsible for cyber security on the superyacht, the Port State/Flag State/RO auditor should be able to check that the Safety Management System documents this and shows that the superyacht's owner or manager:
1. Has identified the systems onboard and outlined the relevant cyber risks
2. Has the ability to detect breaches in cyber security onboard
3. Has measures in place to protect systems and software onboard
4. Has response measures in place to deal with a cyber attack, specifically related to system redundancy, training and workaround plans

RESPONDING TO CYBER ATTACKS

The Cyber Security Plan should, at minimum, include:
– A process for initial incident triage
– Steps to quarantine all electronic traffic to and from the superyacht. Procedures for alerting and requesting communication vendors to check traffic
– Procedures for keeping corporate IT security department abreast of the situation
– Procedures to secure/establish backup communications to the affected vessel(s)
– Steps to stabilize and isolate the infected system to guard against further spread
– Steps for gathering intelligence and evidence from affected systems
– Procedures for executing recovery of critical systems remotely
– Arrangements for completely replacing the ICT system at the next safe port after a cyber event

RECOVERY FROM CYBER ATTACKS

Workaround plans are required to take account of possible failures in critical onboard systems, with the processes described in a vessel’s emergency manuals so that the Captain can respond without the need to ask for help from/wait for shore-based colleagues. These plans should provide the Captain with instructions and/or a checklist on what to do. In the case of cyber resilience, workaround plans might include:
– Actions to restore crashed/failed email clients or degraded/failed superyacht to shore communication links; use backup FleetBroadband for email/voice until recovery
– Actions to work around/recover failed PCs
– Usage of citadel telephone to send telex; testing of backup email ID from yacht-to-shore and from shore-to-yacht
– Fall back to paper charts in case of compromised ECDIS

In all cases, the ICT Manual inserted into the superyacht's SMS/ISM Code documentation should provide full guidance and document the Cyber Security Plan for all critical onboard systems.

TRAINING FOR CYBER ATTACKS

As the Plan is part of the Vessel’s ISM it is also essential to periodically carry out drills to test any issues, train the crew, HSSE (Health, Safety, Security & Environment) team and any other stakeholders on how to respond to a cyber incident onboard the superyacht, and encourage a culture of continual improvement. This means superyacht owners and managers should give cyber security drills the same weight as they give any regular Incident Management Drill – whether for grounding, yacht fire or collision.

Under the new regime, cyber drills should be conducted at least once a year to test response procedures and to assess crew preparedness and procedures during a cyber incident onboard. It is essential that the Superyacht Manager’s Incident Commander takes charge and demonstrates effective leadership in these exercises to ensure the security of the vessel, its crew and guests, while allowing the IT team to concentrate on securing the ICT infrastructure and resolving the cyber issues.

In addition, regular anti-phishing campaigns and penetration testing using simulated malicious emails can maintain high levels of crew vigilance and test onboard systems and processes. Penetration testing by professional ‘white-hat’ hackers should also take place to identify technical weaknesses.

A PATHWAY TO COMPLIANCE

As a leading supplier of yacht-to-shore connectivity in the superyacht sector, Inmarsat is also a

18 DECEMBER 2020
White Paper
Cyber security requirements for IMO 2021

stakeholder where the development of industry best practices is concerned, both as a service provider and as custodian of a global network that is secure across all touchpoints. In fact, its secure, encrypted network uses military-grade satellites, is fully approved by the highest standards of the IMO and is fully audited by the stringent standards of International Mobile Satellite Organization (IMSO).

Based on its experience of offering a secure communication platform from the shore to the maritime terminals onboard the superyacht, Inmarsat has developed security services designed to uphold cyber resilience at sea. These are most effective with Inmarsat's high-speed service Fleet Xpress and include:
– Fleet Secure Endpoint - a powerful multi-layered endpoint security solution for remote monitoring of onboard computers
– Fleet Secure Cyber Awareness - a mobile training app for crew to gain up-to-date cyber security knowledge

The following section of this report offers guidance covering Fleet Secure Endpoint, with a specific focus on the digital tool’s potential to offer direct support to superyacht owners/managers seeking to implement IMO 2021-ready cyber security SMS. While not representing compliance itself, Fleet Secure Endpoint implementation provides vessel network protection based on IMO’s ‘identify, detect, protect, respond, recover’ pillars for cyber security planning. In offering a fully IMO-compliant reporting solution, it also supports superyacht owners/managers to achieve compliance at every stage in an orderly and straightforward manner.

THE COMPLIANCE CHECKLIST

1. As a superyacht owner/manager, to defend your IT set-up you MUST:
– Know what you have: all IT systems/systems controlled by IT - including Main Engines and Navigation Systems, etc.
– Defend what you have: to fight off basic threats to your organization, systems should be designed to guard against failure, using Software/Hardware/Ship’s Systems redundancies.
– Be able to recover: workarounds and recovery processes must be in place for ICT and onboard systems, with crews trained and at least Yearly Incident Drills for Cyber Security.

2. However, IMO 2021 Compliance is NOT just about defending ICT against cyber threats. It is about Total IT Best Practice on a superyacht's:
– IT system AS WELL AS
– Technical, Navigation, Safety and Mechanical Systems.

3. Therefore, as an IMO 2021-compliant cyber secure superyacht owner/manager, you MUST:
– Know what you have – Establish and record all the systems (ICT and Technical) used on your superyacht (including make, model, version, software updates, supplier, etc.).
– Defend what you have - Ensure that steps are being taken to harden ICT and Technical systems against cyber threats.
– Be able to recover – update all documentation onboard to include guidance on what to do in case of IT or Technical system failures on the superyacht, including IT Policy in ISM Manuals, Training for Crew, Workarounds Process and Drills.

06 FLEET SECURE ENDPOINT - AN INTRODUCTION

Inmarsat’s objective is to deliver cyber resilient digital services and mission-critical communications to its global maritime customers. It does so by:
– Embedding threat-based risk management into Inmarsat systems, products and services
– Delivering operational resilience by identifying, managing and responding to cyber threats with people, process and technology capabilities
– Fostering a culture where Inmarsat people embrace security and where threat-based security measures are embedded in their day-to-day working
– Sustaining a demonstrable framework for effective, efficient, and adaptable threat-based cyber risk management

Day to day protection of Inmarsat’s Information Systems infrastructure is the responsibility of the Security Operations Team. Inmarsat has instituted an in-house 24/7 Cyber Security Operations capability that collaborates actively with the cyber security intelligence community as well as Cyber Security, our partners and maritime customers to tackle cyber threats and manage incidents.

SECURITY AND ENDPOINTS

Security devices such as Unified Threat Management/Next Generation Firewall sit at the superyacht network level, where they detect and protect against attacks commonly made from shore to yacht and vice versa. However, while network monitoring will display a detailed view of the vessel’s IT infrastructure, it will not have any jurisdiction over the endpoint, meaning that endpoints such as business-essential PCs and crew laptops remain at risk.

Traditional anti-virus solutions were not really designed to prevent the sort of sophisticated and targeted malware that has become the mainstay of today’s maritime cyber threat landscape. They were conceived around a machine-centric view of security and worked by scanning and quarantining suspicious files to prevent them from being launched and were not geared to offer protection against attacks launched on a machine from its host network.

Conventional AV software requires constant updates of new signature files to remain current. Having only one security feature to protect the endpoint means relying heavily on a signature set by one security vendor and, in many cases, individual security vendors will not catch 100% of malware. To maintain integrity, a full system scan would also be required after every update, which would often slow the machine’s performance to a crawl and frustrate end-users.

If no security, or a lower form of security, is installed on the endpoint, then it is at risk of infection even if the vessel network is protected by a security device. For example, someone plugging a USB into the computer can infect it even without clicking anything. If a network security device is being used, then it may recognize the device is infected but cannot clean the infection.

With new variations of malware emerging almost daily, no single vendor is able to keep up and include all new signatures in their database. Cyber criminals' preference for the latest iterations shows they know this and actively exploit the lag between new malware being detected, a signature being developed, and an update being issued and installed.

Inmarsat Fleet Secure Endpoint avoids many of these shortcomings as it was built from scratch with a network-centric view of security in mind but targets endpoints. Endpoint protection is a crucial step to ensuring layered protection and not just relying on firewalls, company policies, and network security devices to be the saving grace for security.

FLEET SECURE ENDPOINT ONBOARD

Fleet Secure Endpoint provides an extension of security to all endpoints on a vessel and delivers several security functions in a single managed service which protects everything from business essential PCs to crew laptops. Fleet Secure Endpoint can be applied to multiple Inmarsat maritime services – Fleet Xpress, FleetBroadband, and Fleet One.

Fleet Secure Endpoint scans the network for security issues and records its findings, providing an auditable trail covering alerts and network status. Its reach extends to any new devices joining the network. Whilst Fleet Secure Endpoint itself does not deliver IMO 2021 compliance, it provides the superyacht owner/manager with a cyber security solution that facilitates and supports compliance.

MORE THAN ANTI-VIRUS

Standard anti-virus is no longer adequate protection

                                                    GENERIC       ENDPOINT PROTECTION              FLEET SECURE ENDPOINT
                                                    ANTI-VIRUS    (Bitdefender, Symantec, etc.)    (ESET Protection)
Anti-Virus (Anti-Spyware, Anti-Phishing)            Yes           Yes                              Yes
Web control                                         -             Yes                              Yes
Two-way firewall                                    -             Yes                              Yes
Botnet protection                                   -             Yes                              Yes
Ransomware prevention                               -             Yes                              Yes
Multi-engine scanning                               -             -                                Yes
Network monitoring                                  -             -                                Yes
Asset inventory (software, hardware, driver, etc.)  -             -                                Yes
Endpoint health status alerting                     -             -                                Yes
Endpoint threat alerting                            -             -                                Yes

07 FLEET SECURE ENDPOINT AND FLEET XPRESS - SUPPORTING IMO 2021 COMPLIANCE

Fleet Secure has been designed to align with IMO’s five pillars for cyber resilience, namely: identify; detect; protect; respond; and recover, while its reporting function has been developed with IMO compliance in mind. In addition, an ISO 27001 audit of Fleet Secure Endpoint conducted by DNV GL describes Fleet Secure Endpoint as a single product which can assist in achieving IMO 2021 compliance. Although Fleet Secure Endpoint works across all of Inmarsat's maritime services, to maximise protection and compliance Fleet Secure Endpoint should be used in conjunction with Fleet Xpress, which provides reliable high-speed internet access with the ability to separate crew and business traffic and make it easier to respond to and recover from attacks.

IDENTIFY

Fleet Secure highlights where errors and warnings have occurred in the superyacht, which enables the designated security personnel to quickly ascertain potential weak spots that require further investigation. It does this using a powerful network scanning and monitoring module, called Teyla, that automatically detects devices on the local network and checks whether Fleet Secure Endpoint is installed. If not, endpoints will be marked as ‘rogue nodes’ and alerts will be raised. The designated security officer can either allow or deny network access privileges to that device.

This oversight means someone on the yacht is always aware of what is connected to their network. To aid network audits, on machines where installed, Fleet Secure Endpoint will also collect data on installed software, hardware and system configuration.

PROTECT

Fleet Secure Endpoint is built around ESET Endpoint Security, an award-winning enterprise-grade endpoint security product, and has special adaptations for use in a maritime setting. It not only detects and blocks files with known signatures from operating but monitors low-level system calls and actively analyses software for suspicious behaviour in real time.
– Botnet protection shuts down malicious connections to known botnets. Botnets hijack a machine without the owner’s knowledge to carry out Distributed Denial of Service (DDoS) attacks. When activated, they consume processing power and cause spikes in bandwidth consumption.
– Multi-engine scanning broadens detection by using malware signature databases from multiple security vendors so that new fingerprints not known by all vendors are included during inspection.
– Ransomware prevention detects and prevents malicious encryption attempts before they have a chance to initiate and encrypt the device.
– Two-way endpoint firewall blocks malicious incoming and outgoing network traffic.
– Anti-spyware terminates malicious applications designed to steal sensitive information.
– Anti-phishing blocks connections to sites known to extract confidential user information.
– Web control allows the system administrator granular control over the websites users can visit.
– Endpoint Threat alerting sends an email notification to the system administrator listing recently detected threats on vessels.

RESPOND

Knowing how to react during and after a cyber-incident is critical to a well-rounded cyber security strategy. It is necessary to envisage a wide range of potential scenarios and plan the steps needed to contain their impact on vessel operation and safety and, secondly, to restore impaired systems and recover data in a timely fashion.

Fleet Secure Endpoint can assist the response stage in several ways. In contrast to off-the-shelf products, the service is enhanced by round-the-clock monitoring by a dedicated team of IT experts based in the Inmarsat Security Operating Centre, who check security events or other signs of unusual network activity on a vessel as and when they occur. They are supported by marine engineers with extensive knowledge of different hardware and software systems found on modern superyachts.

Via the portal, the superyacht owner’s in-house IT team can roll out updates in real-time, quickly and remotely to all computers installed with Fleet Secure Endpoint in the wake of an incident, in order to prevent an attack spreading and reduce exposure to similar attacks in the future.

Additionally, the shore-based portal retains a centralised log of all flagged security events and allows bespoke alerts to be created. For example, alerts can be set up to warn when a certain virus or class of virus is detected or certain software requires updating.

The asset management functionality incorporated into Fleet Secure Endpoint gives a clear overview to designated security personnel and IT staff of which devices are onboard and which devices have Fleet Secure Endpoint installed. It also provides detailed information on assets and the software environment available for responding to an incident and for analysis during the post-incident review.

– Alerting offers pro-active insight on what is happening on board and helps react to incidents
– Alerts can be created to E-mail the user when events happen on board, such as virus detections or outdated software
– A single agent handles all Fleet Secure Endpoint related activities and multiple software packages are not needed, saving system resources
– A 24/7 Security Operations Centre takes action when needed

RECOVERY

If an infection is detected onboard, Fleet Secure Endpoint will automatically detect the infection and respond by blocking it, removing it and finally reporting it. The built-in memory analysis will detect both known threats and new security vulnerabilities. If Fleet Secure Endpoint recognises a file to be malicious, it will be stored in a dedicated quarantine location on the device. Quarantined files are stored in a location that ensures the malicious file cannot infect the system.

Once a security incident has been brought under control and the immediate threat has been neutralised, attention shifts to restoring and reconnecting systems needed for normal vessel operation. Work also begins on investigating the exact cause of the incident and taking measures to prevent a recurrence or similar event from taking place.

REPORTING

Fleet Secure Endpoint comes with extensive built-in reporting functionality which can help in this exercise. A full report can be created on the yacht, containing a record of all devices connected to the network, their hardware and the software that is installed. This report can be given to port state control and/or authorities to show them the yacht has been taking adequate steps to minimise cyber security risks on board. While Fleet Secure Endpoint implementation does not by itself achieve compliance, Fleet Secure Endpoint reporting is fully IMO compliant.

The Fleet Secure Endpoint Security report shows the following:
– Network connected devices with Fleet Secure Endpoint installed, devices without Fleet Secure Endpoint installed
– System specifications such as free disk space, CPU and amount of memory
– Installed software and their version
– Security events such as neutralized viruses and blocked USB drives
– Acknowledgements of the Security Operations Centre team based on security events

Reports are generated in formats like PDF and can be printed onboard and circulated among staff and easily integrated into a yacht's safety management manual, or to show port inspectors that steps
have been taken to protect the superyacht and its assets. Even if a yacht has not been the target of an attack, Inmarsat recommends that these reports are periodically reviewed to steer ongoing improvements to a superyacht's cyber risk management plan. Any Cyber Review in the Change Management Process should:
– Include ICT staff when making major changes in superyacht's system
– Ensure Cyber Security is considered in the end-to-end process when supplying new equipment

MANAGEABILITY

Using the Fleet Secure web portal the superyacht owner/manager can remotely upload configurations to be implemented onboard so that Fleet Secure Endpoint can be configured remotely. The user can also configure alerts to reflect owner/manager preferences, so that events such as virus detections or blocked network attacks are also flagged up.

In common with any proposed solution, Fleet Secure Endpoint will only assist in reaching IMO compliance when correctly implemented: this means the risk assessment needs to have been completed, while the Fleet Secure Endpoint monthly report will be included in the Safety Management Manual.

FLEET SECURE ENDPOINT - THE COMPLIANCE CHECKLIST

1. As a superyacht owner/manager, to defend your IT set-up you MUST:
– Know what you have: all IT systems/systems controlled by IT - including Main Engines and Navigation Systems, etc.
– Defend what you have: to fight off basic threats to your organization, systems should be designed to guard against failure, using Software / Hardware / Ship’s Systems redundancies.
– Be able to recover: workarounds and recovery processes must be in place for ICT and the yacht’s systems, with crews trained and at least Yearly Incident Drills for Cyber Security.

2. However, IMO 2021 Compliance is NOT just about defending ICT against cyber threats. It is about Total IT Best Practice on a superyacht's
– IT system AS WELL AS
– Technical, Navigation, Safety and Mechanical Systems.

3. Therefore, as an IMO 2021-compliant cyber secure superyacht owner/manager, you MUST:
– Know what you have – Establish and record all the systems (ICT and Technical) used on your superyacht (including make, model, version, software updates, supplier, etc.).
– Defend what you have - Ensure that steps are being taken to harden ICT and Technical systems against cyber threats.
– Be able to recover – update all documentation onboard to include guidance on what to do in case of IT or Technical system failures on the superyacht, including IT Policy in ISM Manuals, Training for Crew, Workarounds Process and Drills.

4. Fleet Secure Endpoint helps you, as a superyacht owner/manager to:
– Step 1 Know what you have: Fleet Secure Endpoint includes a module logging any new hardware added to your network.
– Step 2 Defend what you have: via strong AV, WebControl, Network Monitoring.
– Step 3 Recover – Fleet Secure Endpoint’s crew training module covers a significant part of the training needs demanded for IMO 2021 Compliance.

FLEET SECURE ENDPOINT KEY FEATURES AND BENEFITS:

– No additional hardware is required. Protections are primarily introduced at the network level, with ‘lightweight’ software installed on the end-user machines to handle updates and communicate system status back to the server PC
– Multi-layered security. In addition to anti-virus, Fleet Secure Endpoint features anti-phishing, anti-spyware and botnet protection among other features
– Enhanced network oversight: Fleet Secure Endpoint includes sophisticated remote network monitoring of endpoints
– Remote monitoring and auditing: Shore-based portal lets in-house IT teams keep track of all security events, set up alerts and remotely roll out configuration updates
– 24/7 Security Operations Centre: Fleet Secure Endpoint is supported by a dedicated team of trained cyber security experts and marine engineers, with engineers having been onboard vessels and so fully aware of the environment
– Low bandwidth consumption: Averages only 7Mb data per vessel per week, with lower options available on request (for vessels that have an always-on connection with no data limit, the data usage is higher)
– Tailored for maritime: One server located on the vessel to manage all endpoints

08 FLEET SECURE ENDPOINT - INSTALLATION AND USE

Despite its superior scope and functionality, Fleet Secure Endpoint is as straightforward for the user’s ICT team to install as conventional anti-virus software developed by Inmarsat to protect superyacht systems (AmosConnect AV and Globe AV).

FLEET SECURE ENDPOINT INSTALLATION

For a standard vessel network and under normal circumstances, and taking account of safety guidance offered by vendors, the installation can be expected to be completed on clean computers in approximately two hours.

The clean computer provides the optimum case for any anti-virus software installation. However, pre-existing anti-virus software can present challenges and the user’s ICT team will need to remove it before Fleet Secure Endpoint is installed. Inmarsat provides user guides/scripts to support the removal of third-party anti-virus software.

Even so, it should be emphasised that there is no requirement for the superyacht network to stop working in order to install or operate Fleet Secure Endpoint. Fleet Secure Endpoint has a built-in firewall, where ports can be opened for the most commonly used applications on board.

The Inmarsat Security Operations Centre offers oversight for internet-connected superyachts to support installation and the removal of old systems.

FLEET SECURE ENDPOINT IN USE

Once installed on a device, Fleet Secure Endpoint will start reporting to the web portal. The web portal can then be used to view elements such as (but not limited to):
– Installed software
– Running Windows services
– How long the system has been running
– Device hardware, such as remaining hard drive space, type of processor, etc.
– Which operating system the device is using

The portal has two versions, namely superyacht and shore. With the superyacht version, all activities performed onboard can be accessed, including holding download files for clients manuals and mapping out of all endpoints onboard the vessel. However, the shore side portal holds detailed information such as events and alerts for the superyacht. The IT team of the vessel will have access to the shore side portal.

It is also possible to view the results of the network scans performed onboard and see which devices do or do not have Fleet Secure Endpoint installed. For the devices that have Fleet Secure Endpoint installed advanced logging is available, allowing users to see things such as (but not limited to):
– Firewall logs (when an attack or an event happens which triggers the firewall)
– Device control logs (when USBs were inserted, whether they were blocked)
– URL blocker logs (whether sites were blocked)

DASHBOARD AND ALERTING

The Fleet Secure Endpoint web portal can be used to view events that occur on the yacht and configure alerts based on those occurrences. Alerts will notify the user or multiple users via E-mail. The user can configure alerts for events such as (but not limited to):
– Virus threats (receive a notification if a virus is detected)
– Firewall events (receive a notification when an attack/event happens which triggers the firewall)
– When a new device has been detected on the network that does not have Fleet Secure Endpoint installed
– Software version control (receive an alert when a new version of installed software is available)
– User intrusion detection (receive an alert when a failed login occurs)
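
The rogue-node check described under IDENTIFY, and the alert in the list above for a new device without Fleet Secure Endpoint installed, amount to reconciling network scan results against the inventory of devices whose agent reports in. The Python example below is added here to illustrate that reconciliation and is not Inmarsat or ESET code; the scan line format, the check-in and officer-decision tables, the status names and the 24-hour silence threshold are assumptions, and all sample data is constructed.

```python
"""Reconcile network scan results with an endpoint-agent inventory.

Added illustration: formats, names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed sample scan output, one device per line: "ip mac hostname".
SCAN_OUTPUT = """\
192.168.10.11 00:1A:2B:3C:4D:01 bridge-ecdis
192.168.10.12 00-1a-2b-3c-4d-02 captain-pc
192.168.10.40 00:1a:2b:3c:4d:10 crew-laptop-3
192.168.10.77 de:ad:be:ef:00:01 unknown
192.168.10.78 02:00:00:aa:bb:cc guest-tablet
192.168.10.99 not-a-mac printer
"""

NOW = datetime(2021, 1, 4, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example

# Constructed sample: MAC -> last time the installed agent reported in.
AGENT_CHECKINS = {
    "00:1a:2b:3c:4d:01": NOW - timedelta(hours=1),
    "00:1a:2b:3c:4d:02": NOW - timedelta(hours=3),
    "00:1a:2b:3c:4d:10": NOW - timedelta(days=5),  # agent installed but silent
}

# Constructed sample: security officer decisions for devices without an agent.
OFFICER_DECISIONS = {"02:00:00:aa:bb:cc": "allow"}

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    hostname: str


def normalise_mac(raw):
    """Lower-case and use ':' separators so scan and inventory keys match."""
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def parse_scan(text):
    """Parse scan lines; malformed lines are skipped, not fatal to the audit."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            devices.append(Device(parts[0], normalise_mac(parts[1]), parts[2]))
        except ValueError:
            continue
    return devices


def classify(device, checkins, decisions, now, max_silence=timedelta(hours=24)):
    """Status for one device: agent present and fresh, agent silent, or rogue."""
    last_seen = checkins.get(device.mac)
    if last_seen is not None:
        return "managed" if now - last_seen <= max_silence else "stale-agent"
    decision = decisions.get(device.mac)
    if decision == "allow":
        return "rogue-allowed"
    if decision == "deny":
        return "rogue-denied"
    return "rogue-pending"  # no agent and no officer decision yet


def audit(scan_text, checkins, decisions, now):
    """Return (status by MAC, alert lines suitable for an audit trail)."""
    statuses, alerts = {}, []
    for dev in parse_scan(scan_text):
        status = classify(dev, checkins, decisions, now)
        statuses[dev.mac] = status
        if status in ("rogue-pending", "stale-agent"):
            alerts.append(
                f"{now.isoformat()} {status} {dev.ip} {dev.mac} {dev.hostname}"
            )
    return statuses, alerts


if __name__ == "__main__":
    statuses, alerts = audit(SCAN_OUTPUT, AGENT_CHECKINS, OFFICER_DECISIONS, NOW)
    for mac, status in statuses.items():
        print(f"{mac}  {status}")
    print("\n".join(alerts))
```

Keying on MAC addresses keeps the example short; a device that changes or randomises its MAC would appear as a new rogue node, so the officer's decision has to be re-recorded for it.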


Multiple OS: Fleet Secure Endpoint supports multiple operating systems. For Windows operating systems, Vista and up is supported. OSX, Linux and their mobile counterparts iOS and Android are also supported.

Fleet Secure Endpoint is distinguished from Endpoint Detection & Response (EDR) packages. While these solutions are highly effective, they demand strict vessel networking setup to ‘signature’ and check every file on the superyacht, consuming huge amounts of data. Fleet Secure Endpoint addresses attacks and infections without needing to signature each file, saving on costs and data usage. In fact, Fleet Secure Endpoint frequency and control reporting times can be adjusted, with data usage as low as 7MB a month. Where superyachts have internet connectivity, Inmarsat recommends more frequent reporting of network status so that its security operation centre can take swift action when malicious traffic is detected.

In addition, Fleet Secure Endpoint can be used onboard vessels using FleetBroadband as their connectivity solution. In this case, trench rules need to be set correctly and onboard firewalls (if any) must be updated to accommodate Fleet Secure Endpoint IPs and port numbers.

Scenario: a crew member opens a phishing email

The Fleet Secure Endpoint response:
– Scenario 1: If Fleet Secure Endpoint is fully updated then it should detect that virus.
– 1.1: The Inmarsat Security Operations Centre is notified of this activity.
– Scenario 2: Fleet Secure Endpoint is not updated, the virus is not detected, and the ransomware process is not stopped.
– 2.1: The Inmarsat Security Operations Centre is notified of this activity.
– Scenario 3: The firewall in Fleet Secure Endpoint introduces segmentation of the network so that the virus cannot spread to other PCs as they block the incoming attack.

Fleet Secure Endpoint handles all of these scenarios automatically. An option is also available to block out an endpoint from the network remotely.

FLEET SECURE ENDPOINT USE IN CONTEXT

As noted earlier, Fleet Secure Endpoint installation provides a route towards IMO 2021 compliance, rather than offering a complete compliance solution. However, in summary IMO 2021 can be achieved using Fleet Secure Endpoint and its cyber security reporting/response functionality covers all of the IMO 2021 guidelines into the superyacht's Safety Management Manual.

09 CYBER SECURITY, CREW TRAINING AND AWARENESS

Cyber attacks are constantly evolving and becoming more devious in their workings and, while technical countermeasures will stop the vast majority of attempted attacks, they are intrinsically reactive in their operation.

The remainder of the protection relies on crew vigilance, preparedness procedures and understanding. Weak cyber security in any one of these areas may undermine robustness elsewhere. Crew education is therefore an indispensable component in a well-rounded security strategy: a small investment in training and awareness can prove enormously valuable.

The 2020 Inmarsat Connectivity Report confirms that despite a lack of knowledge about cyber security requirements, 47% indicate that the ETO or Captain manages the cyber security, while only 20% use a third-party organisation and 26% use a company IT manager. Many superyacht professionals believe that a standard anti-virus program will keep them safe, with only 31% indicating that endpoint security is used and 36% confirming UTM was in place. It is estimated that significant superyacht system disruptions are the result of USB ‘abuse’, where infected memory sticks or mobile devices (including secondhand phones) are plugged into the port. Other common cyber weaknesses include easily guessed passwords and responsiveness to phishing.

In bringing Cyber Risk Management into the ISM Code, MSC 428 (98) follows the latest Ship Inspection Report Programme (SIRE) questionnaire to include cyber awareness training in IMO guidelines mandatory requirements.

Inmarsat has been one of the partners contributing to a Maritime Cyber Security Awareness training course developed for Stapleton International by MLA College, which is available to users of Fleet Secure Endpoint at a discounted rate. Using a combination of video modules, transcripts and a concluding test, the course has been developed in accordance with BIMCO, IMO, ICS and IACS guidelines and has been approved by the Institute of Maritime Engineers, Science and Technology and the University of Sunderland, UK. It is also in line with the provisions of TSMA self-assessment.

Uniquely, the course is deliverable by an app for download through Google Play and AppStore to smartphones, tablets and laptops, after which it can be accessed offline. Guidance based on the full extent of IMO Cyber Awareness expectation can therefore be learned during voyages without the need for scheduled classroom training during busy port stopovers, or even connectivity whilst at sea.

Focusing on the basics of cyber security for the maritime user, the course is suitable for all levels ashore and at sea, enabling seafarers to familiarise themselves with attacks they are likely to encounter in their day-to-day duties. It also offers practical tips on how to avoid becoming a victim or endangering their vessel.

Each 30-minute training module covers:
– Digital threats using personal information
– Digital threats using IT devices
– The physical and human threat
– Final competency test and completion certificate

Subject to achieving a score of 80% from 20 randomised questions, seafarers receive a certificate valid for four months from the University of Sunderland and a certificate of Continuing Professional Development from the Institute of Marine Engineering, Science and Technology.

By completing this course, all personnel will be able to further understand the principles and actions they must adhere to, thus ensuring that they are fully compliant with the IMO regulations. It will also help allay the fears of many within the sector and ensure that they remain cyber safe at sea.

10 FLEET SECURE ENDPOINT - REAL CASE STUDIES

CASE 1

Vessel type: Undisclosed
Assailant: Multiple infections with normal anti-virus installed

The customer was using Palo Alto cyber security software when the vessel was hit by multiple infections, including Trojans, Worms and data exfiltration viruses infesting the system. The customer decided to install Fleet Secure Endpoint as part of a shipboard trial. Inmarsat’s engineer found 79 infections that had not previously been detected.

Among the significant findings, the HTTP Filter detected users onboard unknowingly visiting websites serving malicious code. The connection was dropped, and the user informed accordingly.

Again, the Fleet Secure Endpoint email filter detected infected attachments, including:

– CoinMiner.T trojan (a trojan which uses system resources to mine cryptocurrency for its distributor)
– TrojanDownloader.Agent.OJL trojan (a trojan capable of downloading and executing other malicious code)
– Agent.AQ trojan (a trojan agent template frequently used as a starting point for malicious code that can be modified to do whatever the malicious actor wants)

The Fleet Secure Endpoint email filter disposed of these infections, preventing further infections.

CASE 2

Vessel type: Liquid Ethylene Gas Carrier
Assailant: Emotet trojan, causing vessel operations to stop

Emotet is well-known as a trojan in banking circles but was detected as infecting the majority of machines onboard a LEG Carrier, becoming active whenever a PC was switched on. The virus can intercept and exfiltrate data transmitted and saved when the user is browsing banking websites, resulting in leakage of sensitive data and malicious use of the user's banking details.

As part of a Fleet Xpress agreement, the ship was equipped with two Fleet Secure Endpoint security modules, installed across all PCs onboard:

• Advanced Memory Scanner – This detected Emotet in the memory, terminated and blocked it from recurring.
• Heuristic Intrusion Prevent System (HIPS) – This detected the malicious code being executed and stopped the execution of this code.

The virus was successfully cleared from the memory on all infected devices.


CASE 3

Vessel type: Undisclosed
Assailant: Sohanad worm

A USB memory stick infected with the NCB worm Sohanad was connected to an endpoint onboard ship. Sohanad spreads via removable media and shared folders: once it has infected any part of the network, it tries to replicate itself by infecting applications and files.

Two Fleet Secure Endpoint security modules were implemented:

• Real-time file system protection – Detected that files were being infected and automatically halted the process from accessing files so it could be investigated by the engine.
• Heuristic Intrusion Prevent System (HIPS) – Detected the malicious code that was causing the replication and stopped the execution of this code.

Fleet Secure Endpoint was able to stop the infection from continuing, cleaning 17,000 infections in the process.

CASE 4

Vessel type: Bulk carrier
Assailant: CoinMiner

The vessel in question had trialled Fleet Secure Endpoint. After the trial’s conclusion, the ship ran for two months without Fleet Secure Endpoint. On re-installation of Fleet Secure Endpoint, all devices onboard that were tested were found to have been infected with a CoinMiner. CoinMiners use a device’s processing power to mine cryptocurrency for the attacker without the user’s knowledge.

Fleet Secure Endpoint was able to neutralise all threats.


11 NEXT STEPS - HOW TO PROCEED

CYBER RESILIENCE FOR IMO 2021 – NEXT STEPS
HOW TO PROCEED WITH FLEET SECURE ENDPOINT

1. APPOINT: Appoint a person on board for cyber security planning for IMO requirements
2. REVIEW: Review and check Cyber Security Plan against guidance on onboard ICT covering communication and vessel networks for business/crew
3. PURCHASE FLEET SECURE ENDPOINT: Purchase Fleet Secure Endpoint – one month free trial available
4. PREPARE: Remove any existing anti-virus software on each endpoint
5. DOWNLOAD: Download and run the installer
6. SET-UP: Set-up dashboard, manage reports
7. CREW TRAINING: Crew to complete MLA e-learning module, records kept for compliance purposes
8. REPEAT: Repeat crew cyber awareness training annually – periodic threat intelligence offered via Fleet Secure Endpoint


For further information and questions, please contact the Inmarsat Maritime Security Services team:
[email protected]

inmarsat.com
While the information in this document has been prepared in good faith, no representation, warranty, assurance or undertaking (express or implied)
is or will be made, and no responsibility or liability (howsoever arising) is or will be accepted by the Inmarsat group or any of its officers, employees or
agents in relation to the adequacy, accuracy, completeness, reasonableness or fitness for purpose of the information in this document. All and any such
responsibility and liability is expressly disclaimed and excluded to the maximum extent permitted by applicable law. INMARSAT is a trademark owned
by the International Mobile Satellite Organization, licensed to Inmarsat Global Limited. The Inmarsat LOGO and all other Inmarsat trade marks in this
document are owned by Inmarsat Global Limited. In the event of any conflict between the words of the disclaimer and the English version from which it is
translated, the English version shall prevail. © Inmarsat Global Limited 2020. All rights reserved. Cyber Security Requirements for IMO 2021 White Paper.
December 2020.
