Cyber defence at sea

Because IT and network security should never go ignored…

When we talk of safety and security at sea, we are not just talking about the risk of hijack, piracy or paparazzi. With the increasing capability of digital connectivity at sea, it’s now easier than ever for yacht crew and their guests to stay connected to loved ones back home, but the same technology could be providing a level of risk on board similar to that of unwanted guests.

Superyacht navigation domes and security systems

Everyone has their own opinion of cyber defence, IT and network security - some embracing and accepting what must be done to support safety, whilst a large majority simply adopt a ‘head-in-the-sand’ approach, opting not to talk about the ‘dark arts’ of cyber security in the hope that they will not be breached. However, with the high profile nature of superyachts and their guests, it’s no surprise that they are often targeted online more than many may expect. Superyachts have many things, but an anti-cyber attack-cloaking device isn’t one of them.

A different kind of fishing

Hackers and those behind E-crime are constantly evolving. Every day networks around the world are thrown into complete chaos because someone clicked an unknown link, opened an unverified attachment or visited a compromised website, resulting in the system becoming infected, leading to loss of service, or worse still, data. The situation is no different for those living and working aboard a superyacht at sea.

Often incorrectly thought of as simply a good antivirus programme, firewall and a solid password, the capabilities of a complete cyber security solution should be taken into account for all shore-based homes and businesses, and for all vessels at sea.

Craig Boddington, head of business development at CDS Marine, IT security specialists for the superyacht industry, said, “Attackers don’t necessarily care what system they attack, and most of the time they don’t even know if it’s an office, a house, a mobile phone, a luxury yacht, or even your fridge. They attack with impunity that affects livelihoods, bottom lines, and, in some cases, lives.”

Wheel and controls in luxury superyacht cockpit

Swept up in the large budgets and awe-inspiring possibilities of superyacht design projects, more focus is often placed on the yacht’s performance, aesthetics, cinema systems and exterior speakers at build stage than on its IT security system, which, if ignored, could easily compromise the privacy of guests, crew and data. When you stop to think about this, it becomes all too real that a phishing email or failed software security update could go on to cause so much devastation.

Craig said, “Most of today’s on-board systems are all connected, managed on a VLAN by a switch, in a lot of cases running through the same internet entry/exit point - the VSAT, 3G, 4G etc. This means all internet traffic goes through the same portal, so a would-be attacker gaining access to machine via a malicious email or a boundary hack also stands to risk the entire network of shipboard systems, from air-conditioning and AV systems through to alarms, security doors, engine management, navigation and monitoring systems.

“If the VLAN’s are not configured correctly, once inside, hopping between all of these networks, changing parameters and disabling the above-mentioned systems is a very real possibility.”

Taking superyacht security seriously

Craig suggests that the use of unsecured Wi-Fi networks, USB and endpoint devices when on board, and the increasing complexity of Exploit Kits, phishing emails and malware should be taken into account when considering a complete security solution.

Controls aboard a luxury superyacht cockpit

If not taken seriously, an IT security breach could compromise charter income and usability, after all, who wants to charter, live or work aboard a yacht that has been hacked, with the threat of identity theft, corporate data and private photo leaking being very real scenarios?

Risks within the sector are currently growing faster than defences in place, and so some steps should be put in place to try to manage the dangers. Known risks, such as the crew, can be trained to understand their role with the use of social media, email, ‘free’ Wi-Fi connections and location enabling services on smartphones.

Unknown or unforeseen risks, such as hijack, piracy and cyber threats cannot be managed quite so easily, and are better mitigated by hiring a superyacht security specialist to carry out a vulnerability assessment, identifying the gaps and ensuring a complete end-to-end solution is implemented.

Stern mast of a luxury superyacht lit up at night

Craig said, “Once you have realised the risks of your on-board security systems, your boundary should no longer be seen as your firewall, it should be wherever your data or systems can be accessed from.”

“There is no such thing as 100% secure. Assess the network, identify the risks and mitigate those as best you can. Close the gaps, essentially narrowing the attack surface, to make it harder for any would-be hacker.

“A complete IT security system should be an ‘enabler’; another weapon in the corporate arsenal that enables everybody within the business to work without the nagging worry of ‘what if?’ When implemented correctly, it should not be a barrier on performance, a hindrance to business or a drain on resources.”