Experts have been advising for several years that the risk of cyber attack is rapidly increasing, with superyachts being an obvious target for hackers due to their value and high-profile status. Yet we still find complacency among yacht owners, crew, management companies and suppliers.
This complacency is especially apparent in the supply chain, where multiple third-party vendors are involved with onboard systems. This can range from the bridge, navigation, radar, engine management, internet communications and audio-visual equipment through to fridges and air-conditioning.
When we think of a cyber attack, we generally think of Information Technology (IT) systems being breached. However, increasingly we see Operational Technology (OT) being targeted, as these systems are often easier to access due to their lax security, outdated software and weak passwords.
All of these systems require regular maintenance and some require physical attendance on board the vessel. Increasingly, the vendor or supplier will require remote access to their system in order to log data in real-time or diagnose issues from ashore.
This is precisely how a potential hacker might gain access to the yacht, logging into connected systems, and those which are critical to the safe operation of the vessel are most at risk.
Recently, when working on a 50m yacht, I came across three PCs installed and connected in the bridge communications rack. When I asked the engineer who the PCs belonged to, the answer wasn’t clear.
The reason for this lack of clarity was that the current crew had just joined without any handover documentation, meaning they had to ‘find out as they go’ about vessel operation, logins and passwords and the numerous vendors and suppliers involved – those little quirks that come with a yacht of such a size.
It turns out that each of the three PCs belonged to an Internet provider, the yacht IT guy and the yacht management company, with at least one of the PCs in front of the yacht’s firewall, exposed to the Internet.
In another example, new stabilisation was installed and the equipment manufacturer asked for an IP address to connect it to the local network. This meant it could connect to the Internet and the manufacturer could log in for remote support and to monitor the data it produces.
But how will the manufacturer connect this stabiliser - with a VPN? If there’s a firewall on board, access rules need to be implemented to prevent access by unwanted sources on the Internet.
Imagine the scenario where a hacker has taken control of the yacht stabiliser. Besides the potential discomfort for guests if it doesn’t function properly, the hackers could use the stabiliser to access other systems on the yacht.
Are your vendors and suppliers maintaining the same high standards?
If your suppliers and vendors are taking cyber security seriously, this can greatly reduce the risk of an attack. Hackers often use a third party to gain information about their targets, and if customer databases containing sensitive information such as names, products, credit card details, etc are compromised, they can use this information to craft a social engineering attack, like phishing emails.
These phishing emails contain enough specific information that the reader is tricked into opening links, attachments or even sending money to a fake bank account.
There have been numerous cases where business email servers have been compromised. This is where a hacker has gained access to the email server and has control of the emails coming in and out of that organisation. This allows the hacker to change the content of emails without either the sender or receiver knowing otherwise, unless some due diligence is followed.
We’ve all heard about cases where someone has sent an email authorising a bank transfer and by the time the transfer is made the bank details have been swapped for a rogue account in a completely different country.
The original email never makes it to the recipient’s email inbox but instead is intercepted by the hacker and replaced with a bogus email with different bank details. They’ll likely go as far as to keep the same grammatical errors as the sender. To prevent this happening, the best thing to do is to confirm the bank details with a recipient, by telephone for example, before the transfer is made.
Knowing exactly who and what is connected to your yacht and ensuring these systems are safe from outside interference is vital to safe operations. Any of these PCs could be used by hackers as a door to other onboard systems if they are not properly secured. Not only is having a full asset register vital, it’s also important to know exactly who might turn up at the yacht. Having a full list of vendors will help to ensure that security is not breached by someone unknown turning up and talking their way on board.
For a full cyber risk audit contact Pelion Consulting - also for a no obligations consultation.
Watch an interview with Richard: Cyber Security After a Yacht Purchase & Handover