Cybersecurity and Yachts: Risks, Dos, and Don’ts

9 October 2018 By Aileen Mack

With more and more data online and data breaches a common headline these days, cybersecurity vulnerabilities will continue to exist and be an issue for the yachting industry. However, the yachting industry is no more at risk than shoreside businesses and individuals, says Alan Bernardi, managing director of Yacht Intelligence Limited.

Will Thomson, chief technology officer of Cyber Defence Solutions Group, says that, outside of AIS/GPS hacking and spoofing and engine management and control, yachts face the same threats and cyberattacks as every other organization. Cyberattacks that aim to gather data or to intercept and redirect financial transactions, usernames, and passwords range from email phishing to emails with malicious attachments that act as Remote Access Trojans and key loggers. These attacks are very common and happen on a daily basis, Thomson says. “From what we know so far, the attacks relating to AIS/GPS etc. are not so common; possible, but most things are if the attacker has the time, resources, and commitment to achieve it.”

The largest risk is the lack of understanding and education when it comes to emails and working online. People can be too quick to open emails or attachments these days. Graeme Lord, Fairport Yacht Support president, says you should drill deeper into the actual email address being used instead of simply looking at the sender’s email name. “If you are unsure, don’t open it and contact the person who sent it to you, confirm with them that it’s authentic,” Bernardi says.
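As an added illustration of Lord's advice (not code from the article or from any of the companies quoted), the Python sketch below compares the sender name a mail client displays with the address actually in the headers. The contact list, addresses, and sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book (hypothetical): display name -> address normally used.
KNOWN_CONTACTS = {
    "harbour agent": "agent@marina.example",
    "yacht management": "accounts@management.example",
}
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_warnings(raw_message):
    """List reasons why the visible sender name should not be trusted."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    if not domain(addr):
        return ["From header carries no usable address"]
    warnings = []
    # 1. The name matches a known contact, but the address is not theirs.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and expected != addr.lower():
        warnings.append(f"'{name}' normally writes from {expected}, not {addr}")
    # 2. The name itself shows an address at a different domain than the real one.
    shown = ADDR_IN_TEXT.search(name)
    if shown and shown.group(1).lower() != domain(addr):
        warnings.append(f"name shows {shown.group(0)} but mail came from {addr}")
    # 3. Replies would go to a different domain than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain(reply_to) != domain(addr):
        warnings.append(f"replies go to {reply_to}, not {addr}")
    return warnings


# Constructed sample messages.
SPOOFED = ('From: "Harbour Agent" <agent@marina-payments.example>\n'
           "Reply-To: billing@other.example\nSubject: Updated invoice\n\nPlease pay.\n")
LOOKALIKE = ('From: "accounts@management.example" <x@mail.example>\n'
             "Subject: Bank details\n\nSee attached.\n")
GENUINE = ('From: "Harbour Agent" <agent@marina.example>\n'
           "Subject: Berth confirmation\n\nConfirmed.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("genuine", GENUINE)):
        print(label, sender_warnings(raw))
```

A message with no warnings is not proven authentic; the check only surfaces the mismatches that looking at the display name alone would hide.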

While guests should be able to do what they like within reason, there should be protocols and network separation in place to ensure that they can’t affect the yacht’s operations, Bernardi says. “At the end of the day guests should be ring fenced as the yacht doesn’t have any control when it comes to their private machines/devices,” he says. “The worst a guest can do in that situation is slam the network and cause it to grind to a snail’s pace. That is easily managed and fixed.”

Lord recommends making sure that all devices on board have virus protection and all devices that sign onto the onboard wireless network must be vetted. For crew, Thomson advises keeping devices, operating systems, applications, and anti-virus up to date, along with only installing apps from trusted services and not giving away information unnecessarily.

MedAire’s Insight Report notes that the luxury yachting community is particularly vulnerable as the threat is multi-faceted and could target the vessel, its crewmembers, or the often high net-worth passengers or owners. Their affluence and access to private data make them lucrative targets for criminal organizations and hackers. Whether or not the owner uses the yacht for business or claims not to hold data, yachts and management companies hold data of interest to hackers, Thomson says.

The increased interconnectivity of systems and everyday objects from a refrigerator to a television can be a vulnerability to the network, MedAire says. Many of these devices lack basic security protocols and can be the weak link that hackers can exploit. The report says, “A single improperly secured device can make every device on the vessel’s network vulnerable, including such critical systems as propulsion and navigation.”

Loss of data, corrupted backups, and expensive data bills and IT costs are among the risks if proper steps aren’t taken to secure the boat. Servers being taken over and held for ransom is not unheard of, but generally hackers will “look around” for other systems they could compromise to gain a further foothold, look to create admin accounts, or elevate user privilege to achieve their goal. Not all attacks or hackers will operate the same way, but elements can be monitored, alerted, or stopped with the right solutions and processes in place.

“Systems should be secure by design. Cybersecurity should be an integral part at the start of any new build project,” Thomson says. “Waiting to ‘bolt it on’ when the vessel goes operational or as a potential afterthought, costs more in terms of money, time, and disruption.”

While no network will be 100 percent secure, owners and operators should take a holistic approach and take steps to protect onboard IT. Thomson suggests performing a vulnerability assessment and/or penetration test to determine how weak the system is and how successful any attack may be, and then deciding what to do with these risks: accept, manage, or mitigate. Select solutions that won’t cause massive disruption, because disruption will only lead to rejection of the solution or process. An IT acceptable use policy should also be in place that can be enforced by technical controls and proper monitoring.

The onboard network also needs to be of a particular standard with appropriate software installed and kept up to date, and a best practice manual should be in place that includes how to manage passwords, change of passwords (especially as people change and move on), use of USBs, and email management.

Password managers are a great tool to help with generating secure passwords and other login information. Also, there is no harm in running two different anti-virus and anti-malware programs on your machine, along with firewalls, because one can fill in any holes left open by the other. Ensuring communications and data connections are encrypted can help protect onboard IT.

“It always has been and always will be a game of cat and mouse — the attackers and the defenders,” Thomson says. “Hackers are always evolving their techniques, always looking for new ways to reach their aims, they never sit still and neither should we.”