The recent Twitter security breaches have given many people food for thought on the subject of cyber protection.
Every time you make a transaction, click on a website or post a status on social media, your personal information is harvested and your privacy is compromised, yet cyber security is still often overlooked in our private lives and places of work.
It’s the reason Richard Hodder left his comfortable job in satellite communications and founded Pelion Consulting to protect the privacy and assets of those most notoriously at risk, namely superyacht owners. And with IMO regulations on cyber security set to be introduced in 2021, meaning that every vessel will need cyber risk management in place, the timing couldn’t be better.
“I don’t think people are fully aware of the extent of their digital footprint, which covers every transaction, every movement and every conversation on social media,” explains Richard, who is based in Palma.
“Some people care more than others about privacy; often, it’s taken for granted yet it’s a fundamental building block to human rights. It’s easy to forget that all this information is stored, collated and recorded and will always be there on the web.”
Misconceptions Around Risk
It was while working in telecommunications in the oil and gas industries that Richard first became aware of the potential damage caused by cyber-attacks on the infrastructure of oil boats and rigs he was managing.
“I took a Masters in Cyber Security and together with two colleagues we came up with the concept of Pelion Consulting two years ago.”
With the right to privacy, anonymity and the desire not to be tracked as core values, Pelion Consulting aims to increase awareness among yacht owners of exactly what they should be doing to ensure their vessels are fully protected.
“There is a misconception that because you’re on the sea in the middle of nowhere, nobody will know what you’re doing. But the fact is, you have internet connections, satellite and 4G as well as systems including WiFi, AV, entertainment, operational technology, navigation, propulsion and electrics.
“These systems should be ‘air-gapped’ from the IT system and WiFi, meaning there is no connection between them. But if an owner wants to see navigation data on his TV in the cabin, a cable is often connected from the IT equipment to the operational equipment so, in effect, you have connected your navigation equipment to the internet.
“It’s one thing to hack into someone’s laptop, it’s quite another to get onto the bridge PC where you can make steering adjustments. That’s a whole new level of risk.”
Yet as scammers invent ever more ingenious methods of attack, only a tiny proportion of superyachts have stringent cyber security in place, making them prime targets for hackers.
“There is a level of complacency that wouldn’t be happening in the business or personal world of a HNWI yacht owner,” asserts Richard. “With the right knowledge and tools, someone can hack into a superyacht in under 10 minutes through the WiFi network.
“A yacht is advertising on their WiFi signal what their name is and whether it’s a crew network or even an owner network. The WiFi password can be cracked and, if there are no controls in place, and systems aren’t air-gapped and you can see the other devices sitting there, someone can get into the navigation, PC or propulsion and do a lot of damage.
“If the WiFi password is already known generally, your WiFi is insecure. Hackers can sniff the traffic, set up a fake yacht network - known as spoofing the network - and when people log in they harvest their information. It’s one of the reasons why I advise people not to use café networks unless they have a VPN which scrambles the data, otherwise it’s safer to use 4G.”
Worst Case Scenarios
Cyber attacks can be the stuff of nightmares for a captain or owner. “I’ve seen routers hacked where they haven’t been updated and someone has changed the configuration on the router controlling all the vessel networks. A bridge PC can be infected with ransomware, which can take out functionality of the boat and lead to a critical situation.
“There’s also the risk of GPS spoofing – if someone can get close enough to the boat with a strong enough signal, they can inject their own coordinates into the yacht’s GPS, so while crew on the bridge believe they are going at 10 degrees, they are actually sailing at 12.
“It’s also possible that a crew member has been placed undercover for a year or two in order to pass information to a hacker who has remote access to the engine propulsion systems or other critical systems on board.
“Worst case scenario is that the boat is in the middle of nowhere, the engines can be shut down and the boat can be controlled remotely, or hijacked and held to ransom. The sci-fi films of old are not science fiction anymore. These things can happen.”
Tracking is nothing new; it started with the advent of mobile phones in the 1990s. But Covid-19, and the track and trace systems people are encouraged to sign up to, spell a new level of access to information that an individual would usually guard.
“Something that has been happening covertly for the last 30 years is now in the public psyche thanks to the pandemic,” adds Richard. “Covid-19 saw an upturn in scams regarding track and trace and furlough payments in a bid to get personal or bank details from people. We’ve given up our privacy for the sake of public health but we need to ask who is using that data and do you trust them to look after it?
“This is why we do not harvest data or install cookies or trackers on devices. Data is the new oil, the new currency. Often, 100 different vendors will have access to the website requesting you to accept cookies, and whether for tracking or targeting ads, they all get your info. What happens if they lose your data?
“Our view is if we don’t have your data, we can’t lose it, and this emphasizes to our clients that we take their privacy seriously and are here to empower them.”
Protecting Your Privacy
Having recently partnered with high-profile security expert Campbell Murray - who headed up cyber security at BlackBerry when his encryption consultancy was acquired by the mobile phone giant in 2016 - Richard feels Pelion is in an ideal position to capitalise on the post-pandemic economic recovery.
“Campbell brings a lot of experience to the team as well as a level of credibility. He has worked for GCHQ and his new company Merimetso adds an extra dimension. It’s a great partner for us as we consolidate our foothold in the superyacht industry.”
The key question to ask is whether superyachts can afford NOT to have cyber security. In the meantime, Richard has some advice for anyone wanting to improve their cyber hygiene and minimise their risk factors.
“There are some crucial dos and don’ts which can help you protect your information and privacy,” he reveals. “Make sure you and your crew know not to click on links and attachments which may be in phishing emails and don’t give out location or details about your yacht on social media.
“Ensure good password practices by changing passwords every time a crew member leaves. Password123 is not unusual because we are creatures of convenience and we want the path of least resistance but there are password management tools which can take care of this for you.
“Be wary of social engineering and people trying to get on board the yacht, with special attention to the engine room and bridge. And finally, always use your own charger and only plug it into the wall. Don’t plug chargers or USB sticks into the bridge PC because malware can be embedded in phone chargers and they can then act as a GSM bugging device.”