How many different networks are on board your yacht? Are they isolated to stop any access from the guest wifi to a sensitive network such as the CCTV or navigation? How many suppliers and manufacturers have remote access to your yacht? And are their passwords something other than 0000? Are your crew trained to spot and not click on suspicious links? What devices on board require connection without security, like toys, lamps, cameras, watches? Your captain and officers should be able to answer all of these questions.
“Yachts have what all hackers love: money, secrets, negotiations for deals, reputations, famous people…” says Andrei Dragos, founder of DRAGOS GROUP, which specializes in ICS/OT and Yacht Cybersecurity. Cybercrime is big business that’s getting ever more sophisticated. For instance, as of 2020, mercenary hackers with skills that used to be reserved for government agencies have been available for hire for targeted attacks, says Andrei.
AstaaraCyber, a ship and port security firm, observed that between just February and May 2020 maritime cyber attacks quadrupled as remote work became the norm. Yet yachts are unique when compared to their commercial cousins, where disrupting operations is the strategy. “With yachts, criminals target the owners or guests,” says Andrei.
A superyacht, by its autonomous nature, can give a false sense of security. “People feel safe on a remote and protected cocoon. That is the first misunderstanding,” says Andrei. Their need for high connectivity makes them vulnerable.
Blackmail is often the goal. Cyber criminals can gather information to use against a high profile or high net worth individual through malware or spyware, via compromised crew credentials or by gaining access to the yacht’s more sensitive networks via a less secure one like the guest wifi. Yachts are also prime targets for invoice fraud since the captain and manager have to validate a lot of diverse transactions. “Invoice fraud is not just for yachts, we find this in all businesses, but yachts are not organized. If anything looks a bit urgent, the payment goes,” says Andrei.
In addition, there can be attacks on the operational technology that can interfere with a yacht’s systems. These disruptions can even be due to non-malicious activity, for instance, when a supplier accesses the network remotely to update firmware without the captain being aware.
Peter Broadhurst, senior vice president of maritime safety and security at Inmarsat, describes cyber security as CIA: “Confidentiality, making sure that only the people you want to see the data will see the data; integrity, so if you say something is X it doesn’t get to the other end and say, no, actually that’s Z – that happens in GPS and position spoofing and taking control of engines, closing down pumps and systems and things like that.” And finally, access, “who can access the information, making sure that you know exactly who has the rights to that and nobody else.”
The good news is cyber security doesn’t require a massive investment. “Just having a bit of awareness and good practice raises your (protection) level,” says Andrei. “It is like running from a bear. You don’t need to be the fastest, you just need not to be the last one!”
Indeed, cybercriminals look for the easiest target, and the human element on board often supplies that. “The biggest threat comes from within – it’s the people on board that can be compromised – without them knowing,” says Will Faimatea, founder and director of Bond TM, a technology management and consultancy firm for superyachts.
“From a cybercrime perspective, it costs a lot of money to try to hack into a system. It’s a level of skill that generally has to be paid for, but sending phishing links or whaling, purchasing databases of email addresses and sending out thousands of emails and hoping someone clicks on it, that’s your low hanging fruit,” he continues. “You can upgrade all your systems and have the policies in place. If someone goes around that policy, which is human, then all those things become redundant. (For example) they plug in an (infected) USB or click on a link that they shouldn’t have.”
That is why crew awareness training is a crucial part of the solution. Developing a culture of cyber risk awareness as well as addressing vulnerabilities in practices and in systems’ design, maintenance and integration are now required for yachts that adhere to the International Safety Management Code (ISM). The IMO has mandated that all safety management systems include a plan for cyber risk management by a vessel’s first audit after January 1, 2021.
“The IMO guidelines are saying, first of all, find out what you’ve got connected on board. A lot of yachts don’t know that. Who’s got access to your passwords and your security, who has access to the files on your computers on board, in the cloud, etc., who issues those passwords, do those passwords get removed when crew members leave… all of those general pragmatic steps that don’t take too much time and don’t cost a lot. But it takes you to a higher level of security,” says Broadhurst, who calls the guidelines prudent and pragmatic steps and recommends all yachts, regardless of whether they fall under the ISM umbrella or not, comply with them. His company, Inmarsat, endorses a crew training course and provides a low-cost tool called Fleet Secure Endpoint security, which monitors networks, including all connected devices, to detect and report any change in patterns and isolate malicious activity.
Superyacht insurers may also require a cyber risk plan, as CSS Platinum points out in its September 2021 newsletter: “Underwriters are introducing new cyber risk clauses that require cyber risk management systems and policies must be in place and demonstrated to be working, otherwise, policies are invalidated.” There are numerous companies, like Xperys, Bond TM and CSS Platinum, that can help yachts manage cyber risk with a holistic approach that integrates technical, crew training and organizational solutions. In line with what the IMO recommends, they look at where a vessel is now in regards to cyber security, where it should be and develop an action plan to address all vulnerabilities.
“In cyber security, there is no miracle technology to protect the yacht,” says Andrei. “The attack surface of a yacht is wide. Very often, some areas are highly protected. Other areas are just not considered; (there is) no awareness of vulnerability. This is the syndrome of the ‘armoured door and open window’.” Fortunately, help is available to find and close these windows.