Cyber-crime dominates the headlines, with high-profile security breaches occurring almost daily. Ensuring the safety and security of your family and guests onboard a superyacht, along with your information, is therefore ever more pertinent. Tim Erridge and John Higginson of Context outline vulnerabilities and risks, and discuss solutions.
Due to the remote and vast isolated nature of the open sea, it is easy to think that cyber security is not an issue and that securing the vessel’s WiFi access will provide a secure cyber perimeter even in port. In truth that is far from the case. A yacht by its very nature signifies considerable wealth and perhaps the presence of valuable artworks, expensive jewellery and large amounts of cash – all presenting a potentially lucrative and attractive target for pirates and criminals. Pirates are becoming increasingly sophisticated in their tactics and even using advanced technologies such as drones to their advantage. Cyber space is no different from the physical world; criminals that operate in this domain are also becoming increasingly capable and resourceful.
What is the concern?
As superyachts harness emerging technology, they are becoming ever more automated and computer-managed. This has led to far simpler control and monitoring of ship systems, including navigation, engine controls, heating and ventilation, entertainment, security and fire, to name but a few. However, despite the huge benefits that the computerisation of these systems delivers, they also present significant vulnerabilities that can be exploited.
Many of the on-board systems automatically send data back to system manufacturers to enable them to remotely monitor (for example) engine performance. These protocols therefore represent potential entry points into the ship’s network that can be attacked. Once an attacker has gained access to one system, if the network is poorly protected and simplistic in architecture, as is often the case, an attacker is able to readily infiltrate and assume control of the entire network to carry out a range of attacks. The recent WannaCry worm, which propagated rapidly to infect more than 300,000 computers worldwide within 72 hours, brought into stark light the indiscriminate nature of cyber-crime – simply put, you do not need to be targeted directly to fall victim. The attack may, however, be a wake-up call for those thinking, “It won’t happen to me”.
In addition to the internal vessel systems, any smart device (phone, tablet or laptop) that is brought on board, either by crew or passengers, is a potential access point for hackers to compromise the ship’s network.
So what are the risks?
The consequences of the vessel systems being compromised are wide-ranging and potentially critical to the safety of the passengers and crew.
• The vessel could be rendered immobile and held to ransom, or, more dangerously, may be remotely piloted and run aground.
• Sensitive information stored within, or being transmitted by the network and its systems, could be stolen and be used for financial gain by the attacker, either through direct ransom or sold on the black market to potential extorters. Alternatively, banking or financial transaction details could be intercepted and funds diverted, or a competitive advantage gained indirectly.
These events are not the stuff of Hollywood fiction; they are entirely feasible and have been happening for some time:
Rupert Neate writes in the Guardian newspaper, that “one billionaire had £100,000 stolen when criminals hacked his bank account [via his yacht]. Others have been blackmailed with compromising photos, and some have already been forced to pay a ransom to unlock their vessel’s navigation systems.” Additionally, the University of Texas* have demonstrated the ability to fool the GPS of an $80 million superyacht and steer the vessel onto a course of their choosing totally unbeknown to the crew. One potential scenario could see a cyber-attack combined with a physical one – a growing trend of cyber-enabled crime. In this scenario, the navigation system could be compromised and the vessel piloted towards pirates. The security camera feeds could be viewed and/or cut and the door locks operated remotely to permit unfettered access to anywhere on the vessel.
How do hackers gain access?
The easiest and most common way for an attacker to compromise a network is through a phishing (pronounced ‘fishing’) attack, where an email or other communication with a link to malicious software (known as malware) is sent to a target that unknowingly downloads the malware to their device. In this way, an already infected device could be brought on board and then connected to the ship’s WiFi resulting in the ship’s network being compromised.
A common misconception is that by securing the ship’s WiFi connection, the network is, as a result, locked down and secure. However, in effect this only means one of the doors to the network has been closed. In reality, a number of entry points to the network are likely to still be wide open. Indeed, don’t underestimate the likelihood of an opportunistic compromise, whereby mobile malware finds itself on board a vessel and provides its controller with a lucrative target. Other, more technical, attack vectors can be used to gain access to the vessel’s computer systems, which can be vulnerable either through badly configured network settings or a failure to update security controls.
What is the solution?
In light of the increase in system interconnectivity, a more proactive risk management stance needs to be adopted – as it is not if, but rather when the ship’s network will be attacked. As the risks become more recognised, solutions emerge to mitigate them, and we now see specific cyber cover in superyacht insurance, either dedicated or as part of other policies. However, the best way to truly enhance the cyber security of a vessel and safeguard its content is to bring in specialist external expertise. The use of expert cyber security professionals will significantly reduce the vessel’s attack surface, i.e. the amount and type of vulnerabilities that are exposed for hackers to exploit.
The MoD has recently mandated thorough assurance testing of everything from their field networks up to aircraft carriers, so a good place to start is by adopting the military approach and conducting a comprehensive cyber investigation. This involves commissioning expert threat assessment, and using that intelligence to set the scope for a penetration test against the vessel, i.e. attempting to hack in to it from multiple angles, in order to identify how it could be compromised by a cyberattack and focus mitigation efforts to reduce the risk. It would be prudent to assume that if cyber security has previously been neglected, the vessel may already have been compromised. If this is the case, a compromise assessment or threat hunting engagement could be used to discover any evidence of previous or ongoing breaches, allowing them to be investigated and removed. There is no point in spending time and effort to improve the defences if they have already been breached. Finally, an in-depth review of policies and procedures associated with running the vessel, and some specific cyber awareness briefings and guidance for both the crew and passengers, would complete the assessment and provide a number of opportunities to considerably reduce the exploitable attack vectors.
The requirement to conduct cyber assessments routinely is paramount. The pace of technological change and the development in capability of cyber criminals is increasing; what was effective mitigation last year may well have been superseded and may no longer be effective or appropriate. Moreover, having a range of controls in place, and the awareness to detect and react appropriately in the event of network compromise, will significantly reduce the impact and severity of any attack.
Coherent security solution
Cyber security is not just a problem to be solved by IT. It needs to be owned and supported by everyone on-board, and viewed in the same light as, and in conjunction with, physical security policies and controls. However, unlike physical security, the vast array of devices that connect to the internet makes cyber security a more complicated and difficult problem to solve.
Security can often be perceived as boring whereas a superyacht is meant to be about having fun. However, when fun is on the agenda, people’s guards are often down and they are typically more vulnerable. Superyachts can also be serious places of business, as well as representing both a significant investment and revenue stream in their own right.
Therefore it’s important to ensure vessels are secure by design and that their owners and various inhabitants can relax and enjoy their luxurious environment without fear. Appropriate cyber security is about enabling a business to continue to operate and perform its intended function, but with the assurance it does so in a secure manner.
The increasing prevalence of cyber-attacks is a clear indicator that this threat is one that will endure and which needs to be taken seriously by all on-board. Criminals will continue to target the wealthy, looking for a large and easy payday, so securing a superyacht’s network is critical to ensuring the safety and security of all of its passengers and data.
Tim Erridge is the Director of Response and Advisory services for the GCHQ accredited cyber security company Context Information Security. John Higginson is a Senior Consultant within the Advisory branch at Context, with a Master’s degree in Communications and Information Systems Management. They can be contacted by visiting www.contextis.com
* www.theguardian.com/world/2017/may/05/cybercrime-billionaires-superyacht-owners-hacking
** www.theregister.co.uk/2013/07/29/texas_students_hijack_superyacht_with_gpsspoofing_luggage/