Cyber Security Onboard

There are times when being onboard your yacht can feel like you are disconnected from the rest of the world. For some, this is one of the greatest pleasures in yachting. However in this modern era, we are so dependent on technology that this is almost never the case, leaving yachts and their owners open to cyber threats from organised criminals.

How do I protect my yacht from cyber crime?

Assess your supply chain

Take a look at your full supply chain and conduct a supply chain audit. Your supply chain consists of everything from suppliers and manufacturers, for example, boat makers and boat managers, to end users such as captains and crew.

By targeting a weaker point within the supply chain a cyber attack may be more effective, as cyber criminals can exploit trust built with third-party suppliers.

Consider how many of your suppliers and manufacturers have remote access to your yacht at all times. If you don’t have proper security measures in place, remote connections could act as a gateway for cyber criminals to access your yacht and data.

In August 2013, GPS Expert Todd Humphreys and his team used a handheld device that generates a fake GPS signal that appears identical to those sent out by legitimate sources. A captain offered his boat for experimentation. The takeover occurred in June while the boat was travelling in the Mediterranean off the coast of Italy. From a perch onboard the yacht, the spoofing researchers shifted the ship’s course three degrees to the north. They also convinced the yacht’s GPS that the boat was underwater.

As a preventative measure, you could look at implementing a Privileged Access Management (PAM) system, through which users are given a time bound window of access to permitted areas in your network to carry out required tasks. The idea behind this is that even if one of your crew is compromised in some way, you’re able to stop the spread of vulnerability. By compartmentalising and adding multiple barriers, you enhance your level of protection.

Remember the Human Factor

Organisations with even the most extensive budget often fall short on the human element of security. Within cyber security, humans are often thought of as being the weakest link, as cyber criminals often manipulate our vulnerabilities and psychological elements to steal credentials and gain unauthorised access.

In order to achieve a higher standard of cyber security, there are tried and tested methods you can put in place for your crew.

You should always ensure, before giving a tool or person access to your network, that you have performed an effective risk evaluation. It’s important to remember that your crew, as individuals, are representing something or someone with a high net worth and could be targeted in a number of ways because of this. Getting those who have proximal access to someone or something in a position of power to think of themselves as potential targets is key. Their proximity to the yacht owner, means that they are of interest to a variety of cyber criminals such as ransomware gangs and opportunistic groups looking for unlocked doors in the cyber sphere.

Using a password management system is an effective way of keeping accounts secure. According to a 2019 security survey undertaken by Google, as many as 65% of people reuse the same password for multiple or all accounts. A cyber criminal may hack another organisation’s systems and acquire access to passwords and other login details and then place them on the dark web and use the login details to access other accounts with the same credentials. As a best practice, use strong passwords that are unique per account.

Cyber security is like you’re being chased by a bear. You don’t need to be the fastest, but you cannot be the slowest.

Put technical policies in place

On many yachts, crew members are often expected to use personal devices, and it’s likely they will connect their personal devices to the yacht’s Wi-Fi. You should separate out your networks so that your core systems are operating on one network and your crew are using a different network to connect their devices, too. That way, if one of your crew members’ devices is compromised, it’s harder for cyber criminals to access key systems. By having everything all on one network, you run the risk of hackers interfering with a yacht’s systems and installing malware across the network.

Also, training your crew in basic cyber security is an effective measure to help prevent hacks. Teach them to identify links that may look suspicious and email addresses that may look unusual.

Have aggressive and religious patching policies in place for anything that touches your network. Patching covers software and operating systems (OS) updates that address security vulnerabilities within a program or product. Every day, there are new cyber threats released into cyberspace. These are often referred to as zero-day threats, which is why we should take the approach that we can always improve and enhance our cyber security.

Use Multi-Factor Authentication

For an additional layer of security, use Multi-Factor Authentication (MFA). This is an authentication method that requires the user to provide two or more verification factors to gain access to an email account, online application or an internet connection system. You could do this in the form of a physical hardware key or thumbprint, which makes it much harder for hackers to obtain access to your systems.

Short Message/Messaging Service (SMS) is a popular format of multi-factor authentication. However, this is very easy to spoof. SMS is also not the preferred method of security for many yachts and yachting services. The transient nature of the vessel dictates that mobile numbers can change regularly, leaving the end user unable to access their system, even when using MFA.

Spoofing is when a cyber criminal pretends to be someone or something else in an attempt to abuse trust to get access to key systems to steal data, spread malware or steal funds.

Cyber criminals typically do this by sending a fake request from a website or application to gain credentials to access your email account. After this, they may sell your details to other cyber criminals or use social engineering tactics to pose as you to attain further access into the system to get to individuals such as captains or owners to approve invoices and other exploits. Yachts are key targets for invoice fraud due to the large quantity of invoices that have to be approved by captains and crew.

Take a zero trust approach to security. Zero trust is one of the buzzwords within the cyber security industry. Zero trust refers to a pattern of designing tech systems that requires all users inside and outside of the network to be authenticated, authorised and continuously validated.

Put simply, you are taking the approach that potentially all of your crew and any third parties could be compromised at any time, so they should have to keep having to authenticate into your network. This is where multi-factor authentication comes into the picture. Crew should have to use a hardware key or a thumbprint to prove they are who they say they are.

The International Maritime Organization (IMO)

The International Maritime Organization have also published their own guidance around cyber security risk management and cyber risk management in safety management systems to support safe and secure shipping, which is operationally resilient to cyber risks. For further information.