During the first part of 2021 there have already been a number of high-profile breaches affecting the yachting industry either directly or indirectly, the most notable being the Microsoft Exchange server vulnerabilities that were discovered during March. Larger vessels with a physical Exchange server on board for their email will all have been affected by this.
It’s likely that IT teams will have been called in to patch up these vulnerabilities and carry out further forensic examination to establish if there has indeed been a breach. Having been involved with a handful of yachts that have been directly impacted by this situation, I’m pleased to report that in no cases had a hacker taken advantage and accessed the servers involved.
If there is an Exchange server on board your yacht, please ensure that your tech support takes the necessary remedial actions and have it checked to ensure that it hasn’t been accessed by an unauthorised third party.
If it is suspected that your servers have been breached, it’s not enough to update your software and assume that will be the end of it; it’s very likely that any attacker will still have access. In such cases, it’s advisable to rebuild the servers and migrate to a newer solution to ensure the threat is completely removed.
On a personal level, the recent Facebook and LinkedIn data leaks have seen over 1 billion personal records leaked onto the Internet and dark web. The data includes phone numbers, Facebook IDs, full names, location, past location, date of birth, account creation data, relationship status, bio and some email addresses.
The problem here is the longer-term consequences: hackers can use the data they obtain to impersonate you and commit fraud in your name.
IMO 2021 Cyber Risk Management
As everyone knows, the IMO regulations for cyber risk management came into force on 1 January 2021. Just in case you’ve been under a rock for the past couple of years, this is the IMO mandate that “encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the International Safety Management (ISM) Code) no later than the first annual verification of the company’s Document of Compliance (DOC) after January 1, 2021.”
What have we found so far?
Without exception, every yacht we have visited this year had failed to take cyber security into consideration up until that point. Our findings are similar in each case although the overall awareness and competency of the crew varies from yacht to yacht.
Bridge and engine systems
ECDIS is one of the most critical pieces of equipment on board and already well regulated, meaning that a defined set of procedures is already used to ensure that the system remains safe and that the updates it requires from the Internet are strictly managed.
To keep this system off the local networks and the Internet, a formatted USB stick is generally used on a particular laptop to transfer updates to the ECDIS system, thus minimising direct contact to the Internet and the risk of introducing something that could do harm.
However, has anyone checked the laptop? It turns out that this aspect is very often overlooked – we see screens left unlocked, operating systems that are out of date, a lack of malware protection and no firewall. Your risk has just increased. How do the crew know if they are inadvertently introducing something to the ECDIS? They don’t. In cases where this was identified, it was quickly rectified.
Each vessel varies in terms of what is connected and the complexity of the systems on board and a full risk assessment ensures appropriate controls can be implemented to protect those assets.
Passwords and backups
In almost all cases there’s a lack of secure password management on board. Usually, passwords are kept in a spreadsheet on a key crew member’s laptop which is not being backed up. In some cases, passwords for communications devices are printed out on labels and attached to the power plug of the device concerned or conveniently on the device itself.
On one occasion when a password was required for key network equipment, the captain sent me a photo of the spreadsheet with all the yacht’s passwords! Where was the spreadsheet? Lost. A secure password manager was quickly implemented, and individual accounts were created giving access only to the relevant crew. As well as being secure, this allows access requests to be audited. It’s also important to back up all laptops and servers weekly, as a minimum.
Out of date software
When we scan on board networks and systems for vulnerabilities we come across a lot of outdated software - a Windows server that’s not been updated for 10 years, CCTV cameras running software full of vulnerabilities, or weak encryption on WiFi networks, to name some examples.
We appreciate there’s a balance to be found between everything on board functioning well - especially when guests are on board - and finding the time to update all systems without breaking something else further down the line. But the old adage ‘if it ain’t broke, don’t fix it’ is somewhat redundant in a world where people are constantly looking for new ways to exploit systems.
Maybe you have a Kerio firewall on your yacht, maybe there is no firewall. A firewall is a device that provides a layer of protection between the vessel networks and the Internet. Configured correctly, it can provide protection from malware, stop malicious sources entering and can also protect the vessel networks from each other – no need for the guest network to access the AV or ship's control networks, for example.
On a number of occasions where a firewall has been present, it is not providing any security protection at all. At best it’s providing a convenient way to select which Internet connection the guests should have. Unfortunately, using it only for this capability renders it a bit of a brick and an expensive one at that. If you have a firewall on board, please ensure it's providing security as well as being a convenient way to select Internet connections. If you don’t have a firewall on board, it’s about time you invested.
Combining all of the above, a scenario that we’ve encountered goes as follows: crack the WiFi and access the main ship's networks. From there we’re able to see all the servers and computers on board, not to mention all the personal devices, such as smartphones. AV equipment is identified, as well as CCTV cameras, Internet connectivity, etc. Very quickly a picture of the vessel's connectivity is mapped out. Within minutes we’re able to exploit a vulnerability in the management console of the vessel's server. Now we have access to all the files, such as maintenance records, supplier details, job applications, CVs and even crew passports, and without a firewall we can easily send this data off the vessel.
The point is to get ahead of someone malicious and stay one step ahead of these cyber criminals – we do this on your behalf. Carrying out a basic cyber risk assessment and cyber audit are a couple of things that can reduce significant pain later on.
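The firewall points above, as an added example that is not part of the original article and is not a Kerio configuration: a small first-match audit of zone-to-zone rules, showing why a firewall used only to select the guests' Internet connection, or one with a deny rule placed below a broader allow, still permits the flows that segmentation is meant to stop. The zone names, the rule format and the "no direct egress from servers" requirement are assumptions made for illustration.

```python
"""Audit a zone-to-zone firewall policy with first-match semantics."""

# Flows that must never be permitted. Constructed from the article's examples;
# zone names are illustrative assumptions, not taken from any real vessel.
FORBIDDEN = [
    ("guest", "av"),
    ("guest", "control"),
    ("guest", "servers"),
    ("servers", "internet"),  # assumption: servers get no direct egress
]

def decide(rules, src, dst):
    """Return the action of the first rule matching src -> dst; default deny."""
    for rule_src, rule_dst, action in rules:
        if rule_src in (src, "any") and rule_dst in (dst, "any"):
            return action
    return "deny"

def audit(rules):
    """Return the forbidden flows that the ruleset actually allows."""
    return [flow for flow in FORBIDDEN if decide(rules, *flow) == "allow"]

# Firewall used only to pick which Internet connection the guests get.
BRICK = [("any", "any", "allow")]

# A deny rule was added, but the broader allow above it matches first.
SHADOWED = [
    ("guest", "any", "allow"),
    ("guest", "control", "deny"),
    ("crew", "servers", "allow"),
    ("crew", "internet", "allow"),
]

# Only the flows that are needed are listed; everything else hits default deny.
SEGMENTED = [
    ("guest", "internet", "allow"),
    ("crew", "servers", "allow"),
    ("crew", "internet", "allow"),
    ("av", "internet", "allow"),
]

if __name__ == "__main__":
    for name, rules in (("brick", BRICK), ("shadowed", SHADOWED),
                        ("segmented", SEGMENTED)):
        print(f"{name}: forbidden flows allowed = {audit(rules)}")
```

The model covers new connections between zones only; ports, NAT and stateful return traffic are left out.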
Supply chain threat
The number of third-party vendors and manufacturers involved in the overall yacht ecosystem extends the threat surface beyond the yacht itself, and it’s important to be aware of any indirect threats coming from the supply chain. All yachts are therefore encouraged to check if their vendors have taken appropriate measures to protect their data in order to minimise the threat of an indirect attack.
This can seem like an arduous task, but responsible companies will already be engaging with cyber security companies to ensure their IT systems are as secure as possible.
What all this means
While there are many more potential threats besides the few mentioned above, the most important thing to consider is what exposure might mean – for the vessel, the owner and the crew - and what steps can and should be taken to minimise the risks, by knowing what is on board your yacht and the potential vulnerabilities.
You may feel like “it will never happen to us”, but a single device exposed to the Internet could be all that an attacker needs and, when they discover that the device is on a superyacht, they’re not going to stop at anything to see what else they can find. That’s if someone hasn’t already got a vested interest in the yacht and the people on it. Hackers and cyber criminals will stop at nothing to achieve their end goal, which will likely be extortion, theft and criminal damage.
By being proactive and taking simple steps, the threats can be minimised. Stay one step ahead of the hackers. Not only are the IMO and flag states taking a keen interest in cyber security, but insurance companies are also starting to include it in their policies.
Please contact Pelion Consulting to find out more.