Make cyber security a priority in refit season
When it comes to scheduling general maintenance or planning a refit project, one area that doesn’t always take top priority is that of cyber security. In our increasingly digitally-reliant world, this really should not be the case; refit is the ideal time to look at the bigger IT picture and secure a vessel’s networks. For the cyber security professional, it’s a rare opportunity to build security from scratch as opposed to the all too common task of untangling “other people’s” networks which involves dealing with questions such as: Why have they done that? Where does that go and what does it do? They did what? Faced with a choice between all of this and a blank sheet of paper, the decision should be easy.
For a number of reasons technology on board yachts seems particularly prone to uncontrolled organic growth, which greatly increases the security challenge. The crews change relatively frequently and each change usually brings a new way of thinking about, and approach to, technology. Owners and guests are also very demanding – because they want their technology to work immediately, and many want quite different things. Also, for ETOs and engineers, cyber security is just one of their myriad responsibilities and this can result in their time being stretched far too thinly.
Existing networks on board a superyacht can be a mess, and such disorganisation always brings security risks. Old, unclosed accounts of long departed crew members; forgotten and unsupported hardware and software, servers left unsecured in public areas – all of these are a cyber criminal’s dream and leave a vessel vulnerable to attack. A refit therefore, is a chance to sort out the mess, to take out the old and start again. It’s the perfect opportunity to invest in state-of-the-art security and to build it in to the core of the yacht.
Cyber security is a service which is all set to become ubiquitous across the marine communications industry; it’s too important to ignore. e3 has been one of the early adopters of a cyber security strategy, offering a range of solutions to all of its superyacht clients. It does this in partnership with ITC Secure – one of the world’s leading cyber security consultancies, as Greg Butler-Davis, e3’s Direct Sales Manager Europe, explains: “We ensure all new networks are configured for maximum security at installation. Similarly, when a client is planning a refit, we encourage them to consider adding a cyber security element to their network while they have the chance without the owner, guests and crew putting demands on the system. You have to ask yourself why you would put your personal, business and banking data at risk by not having a security system that is fit for purpose?”
This is a strategy supported by Malcolm Taylor, Head of Cyber Security at ITC, who explains that within three years ‘simply thinking’ about cyber security may not be an option: “The International Maritime Organization (IMO) has introduced a new ISM Code from 2021, requiring all vessels above 500gt to demonstrate they have protected themselves from cyber attack. This can be done after the fact, but a boat undergoing refit now is unlikely to do so again before the deadline, meaning this refit might be the ideal time to build cyber security into the core of your yacht.”
Cyber attacks: what are they?
We hear a lot about cyber attacks, but in reality what form do they actually take and what damage can they do. Here ITC highlight a number of real-life scenarios and look at steps which could have been taken to prevent and limit damage.
A yacht was about to go on a charter when the crew discovered that ransomware was affecting all their systems – entertainment and yacht management. They were in the unenviable position of having guests imminently due, yet were all-but immobile with no technology at all. A well defended network would have reduced the impact massively. First, by limiting the privileges of the machines on board so the malicious software could affect only the machine it landed on – not the whole yacht. Second, by having good, regular back-ups in place as ransomware prevents access to data by encrypting it – so a recent back up allows the system to be cleaned and the recent back-up restored, with minimal impact or data loss. Third, as we saw with the Wannacry ransomware, a good software-patching regime minimises the risks significantly. And finally, good AV and email etiquette can prevent a lot of ransomware – the AV should catch it as it comes in, but if it does get through then the crew will recognise the threat and know what to do and what not to do.
An Ultra High-Net-Worth Individual on a yacht fell victim to an email scam which led to the loss of several million pounds. A simple hack of their system enabled the criminal to sit between them and a client at the completion of a deal, and use a fake email to divert the funds to the attacker’s own account. In this case the money was gone in less than an hour and is unlikely to be recovered. This is an increasingly common scam and it has several lessons, but uppermost amongst them is the importance of having policies in place to govern financial transactions completed over email, and the need for well trained staff who are much more likely to identify this sort of thing as a scam. Policies should require a human check to be made for all significant payments; these scams often centre on changed bank account details (substituting the attackers account for the real one, just as happened here). When this happens by email, call and check – even (or perhaps especially) internally. This method of attack is relatively common against superyacht targets, both because yachts are often unsecured and because they regularly make large payments online. And imagine for a moment how this attack feels to the victim – an honest and straightforward business transaction made in all good faith, leading to that size of loss. It’s almost unimaginable.
Invasion of privacy
A high-profile HNWI lost private, family photographs which were stolen in an attack on an unsecured network and then offered for sale online. We worked subsequently to harden the networks and provide ongoing security, and alongside the client’s legal team to recover the photographs and prevent their sale. This was a particularly difficult case because the photographs were highly personal and intrusive, and also because it is all-but impossible to recover any stolen data after the fact. The client suffered significant personal distress and financial cost, and lives with the knowledge that copies of the photographs are out there somewhere and may resurface at any time. The lesson here is simple – prevention is better than cure; get secured not scammed.
Cybersecurity as a priority
The danger and very real possibility of these situations show that cybersecurity should always be considered as part of scheduled refit maintenance. As we can see, all of these circumstances are easily solved but require forethought. The opportunity to build security from scratch is a massive advantage to any yacht and should always be taken if possible. After all, when it comes to cybersecurity, it’s definitely better to be safe than sorry.
Want to hear more from Superyacht Technology News? Subscribe to our magazine free!