Cyber Security — What potential risks do you face?

30 June 2015 By Hillary Hoffower

In a digital era where technology is consistently at ourfingertips, it’s easier than ever before to stay connected. While it’s comfortingto send an email from your cabin to family back home and gratifying to upload alocation-enabled photo of your adventures to Instagram, it’s not all fun andgames when it comes to the web.

If you’re not careful, the age of instant connection maycause more harm than good and open up your yacht — and yourself — to a host ofthreats.

It’s important to note that yachts and yacht crew have morespecific vulnerabilities facing them when it comes to technology. A yacht’spresence on the Internet means it faces similar cyber threats as any otherInternet-connected, land-based businesses, but additional risk can come withthe unique way the other systems on board are connected and accessed, says CraigBoddington, head of Business Development at CDS-Marine.

“From engine management systems, power, lighting andentertainment, which in most cases are all connected to the same physical[item], and with ease of management pushing for these systems to be centrallymanaged and accessed wirelessly from iPads or other devices, this could open upthe entire vessel to [an] interesting set of challenges from a securityperspective,” he maintains.

It’s not surprising that Boddington adds that more famousyachts with well-known owners have higher risk profiles as the owner’s statuswill make the prospect of gleaning data from their onboard devices, such asbusiness dealings or personal and financial data, more appealing.

Cyber criminals or hackers can gain access to a system in anumber of ways — via phishing emails, hacking the Wi-Fi network or by chance,says Boddington. They can also hack using social engineering, a practice thatinvolves manipulating people into divulging confidential information orcarrying out an action unbeknownst to them.

Yachts are also at risk to malware, ransomware and other exploitson the computer that are not specifically targeted. Boddington has specificallyseen an increase in the Dridex Banking Trojan and Malvertising, in which “userscan be redirected in the background without their knowledge via maliciousadverts on legitimate sites leading to exploit kits that have very low anti-virusdetection rates and which take advantage of poorly managed and patchedsystems.”

But that’s not the only concern that should make crew morecautious. When it comes to technology, threats aren’t limited to onboardinfections, but also include premeditated and well-conceived plans by the savvycriminal.

Alistair Heane of ITUSYACHT maintains that what were oncerecognized as safe, tranquil waters are now becoming hotspots not just for theopportunist criminal, but for organized gangs operating with high-endtechnology thanks to the advent of smartphones, HDR video camera and apps witha Wi-Fi connection.

“‘Joe public,’ or what we perceive as the innocent watcher,can gather intelligence, store it and then what happens?” Heane asks. “If achild can use a phone to capture a moment, what can a potential criminal do?”

This is a big problem in what Heane calls High Risk Areas(HRAs), where criminals can target vessels in port as well as the crew andsecurity operatives joining them, the cargo loaded there and even at airportarrival terminals and hotels in the area. This gathered information can be sentthrough various technology forms in an innocent format, such as a basic mobilehandset, and with a bit of creativity, resulting in what Heane calls cyber-intelfor a well-managed operation in an HRA.

“Not only in HRA’s is this intelligence being gathered;expect the unexpected because the likelihood of hits to the ‘soft-target’superyacht world is ever increasing,” he says.

Another way criminals deliberately strategize a well-managedoperation is by preparing for their targets beforehand.

“Cyber criminals are developing sophisticated attackingtechniques that can remain latent and undetected for months, waiting to getaccess to valuable information,” says Phil Cable, CEO of maritime securitycompany MAST.

One method criminals use to do this is by easily searchingthe Internet to find information related to your vessel’s owner, such as theiridentity, financial status, residence and family, says James Kellett,operations director of risk management and security service company AllmodeLimited. He adds that this helps the criminal build a profile to predict wherethe intended target will be at any time.

According to Kellett, social networkers exacerbate thisproblem by posting their activities, locations and photos online, whichprovides GPS information through geo-tagging, or an enabled location service, thatcriminals can use to locate victims. As smartphone apps are susceptible tohacking, criminals can even attach malware to track crew movements without thecrew’s knowledge.

“Social networking puts [crew] at even greater risk ofunknowingly associating with a perpetrator who may target them because of [their]owner’s prosperity,” Kellett warns, echoing Boddington’s earlier sentiments. Viasocial media, criminals can also present themselves as someone else in order togain private information, a social engineering practice known as pretexting.

Social media certainly ushers in another safety concern crewdidn’t have to worry about not too many years ago. So what can you do to bemore cognizant of your social media activity?

For starters, adjust your security settings on all of yoursocial media networks to allow the most privacy and protection. Kellett advisesrefraining from posting personal details such as your address, telephone numberand bank information.

He also emphasizes that all posts related to the vesselshould be in concert with the vessel’s values, such as honesty, objectivenessand integrity. When using social media, you’re an ambassador for the vessel andshould think about what you’re posting and make sure it’s correct andnon-damaging.

“Online, on duty or off duty, you should always behave in alawful, appropriate and professional manner, wherever you are in the world,” headds.

But most importantly, he stresses, remember that what yousay online stays online forever.

Boddington also suggests having regular security awarenessbriefings over the use of social media, “free” Wi-Fi connections on shore andthe risks of enabling location services on your smartphone, as well as how tohelp spot a phishing email and exercising caution while browsing the Interneton board.

“Establishing a base awareness and educating crews on what’shappening, what they can do and that the yacht systems are not immune orinvisible is a place to start,” he says.

Following these rules will help keep the yacht safe, plusensure the safety of the owners, guests, your fellow crew and yourself. Keep inmind, though, that as technology evolves, so will consequent safety measures.

As Cable puts it, “The risks associated with cyber securitythreats in the marine world are growing at a faster pace than the defensescurrently in place. Considering that important business is conducted on yachts,there is always more that can be done, and needs to be done, to protectinformation and the privacy of yacht owners.”