Don’t be an online victim — boost your boat’s online security protocol.
Cybersecurity is becoming increasingly relevant to all crew on board. We’re going to see more of it included in the IMO’s focus — and so it should. The stakes are higher than ever with our industry performing in the global spotlight these last few years.
Cyber threats aren’t new to maritime. Shipping company Maersk suffered a ransomware attack in 2017 with estimated damages of $300 million, affecting 76 ports, as a result of the NotPetya attack.
Yachting has seen a few already. Ransomware disrupted operations at the Lürssen yard over Easter 2023, bringing large parts of its shipyard operations to a standstill. And there was an $11 million email phishing scam in 2019 that implanted false banking details inside a brokerage deal.
Ultimately, it’s the crew’s responsibility to safeguard a vessel and its operation, which absolutely includes cybersecurity. So how do we practice good cyber hygiene? There are three main areas that crew can practice to reduce the likelihood of falling victim to an attack.
Social Media Posting
It seems counterintuitive as many charter yachts thrive on a big online presence (and it acts as advertisement to attract future charter clients) but there’s a lot that needs to be stripped off a public-facing social media presence, and charter advertisers know this. A potential attacker thrives on an ability to plan around details, and they will target crew who broadcast this information. Certain postings may be fine, but here’s some absolute no-gos:
- An owner’s live location, and real-time geotags via stories or posts.
- Any footage of guests, especially their faces.
- Footage of the interior of the yacht, especially of the bridge. (Types of hardware used, software programs and serial and model numbers)
- Boat logos, even those of companies and contractors involved with the yacht.
Network Segregation
Much like the bulkheads’ function on a vessel, where, in the event of a breach, it’s contained to part of the vessel, our networks must be structured similarly.
Chief engineer Ryan LaRoche on board a 180-foot yacht advises, “Separating networks via Kerio or another firewall is standard, carve the network into bridge, crew, AV/IoT and guest VLANs, and default-deny anything between them.”
As crew, our responsibility is simple: connect only to your assigned SSID/Wi-Fi. It seems painfully simple, but it’s what compromised the $11-million phishing scam mentioned, potentially via a crew phone that was targeted, which then connected to the vessel Wi-Fi.
And we treat removable media as untrusted by default. “Extensive security is locking all USB ports on every PC that can see the boat’s network,” LaRoche says. “If a stick is truly needed, it’s yacht-issued, encrypted and scanned on an isolated machine before it ever touches a ship system.”
A cybersecurity threat, even if resulting in no gain for the attacker, severely harms a yacht’s reputation and ability to charter, losing the very thing a yacht can advertise — safety and privacy. It’s a fast-moving world, and upskilling in cybersecurity is just one more asset crew can continue to add to a vessel.
Personal Cyber Hygiene
We’re all avenues of a potential attack on all our devices. Here are the basics, for use both off and on board.
Use a VPN (Virtual Private Network): Particularly on public Wi-Fi (hotels, Airbnbs, cafes, marina Wi-Fi, etc.). Never do online banking on an untrusted Wi-Fi.
Keep devices updated: An ETO/second engineer on a 210-foot private motor yacht advises, “Keep your operating systems updated. Whether using Apple or Android, part of what keeps their ecosystems safe is using an up-to-date OS. A big service these multi-billion-dollar companies provide is actually patching and identifying security threats through regular updates through the hundreds of technical staff they employ. That includes all devices, laptops, tablets, phones, etc.”
Passwords: Get a password manager, or at the very least, use Google Password Manager. Don’t reuse old passwords for multiple logins.