The essential guide to preventing superyacht cyber crime
by Risa Merl
Cyber crime is a growing threat to the superyacht industry, but what do you need to know to minimise the risk to your yacht? Risa Merl investigates...
A cyber assault is worrisome for its stealthy nature, with the ability for a culprit to hold you to ransom — or even take over your yacht’s navigation — without ever threatening physical harm. As we face a world where cyber intrigue is regularly making headlines, it is surprising that the yachting industry is only slowly waking up to the reality of cyber attacks.
“When I speak to consultants we work with, they’re amazed at how late the maritime industry is to adopt cyber security,” says Nick Clarke, director of superyacht security specialists Akula Yachts. “Cyber attacks are something that for most of the world is already happening. It’s affecting [industries] and our clients are suffering from it. But yachting is almost in the Dark Ages.”
"The industry emphasis to date has been on prioritising performance over security, but the threat of cybercrime requires both," adds Maurizio Minossi, product manager at Videoworks. "Many yacht owners conduct private and professional business while on board. This makes their personal data such as e-mail addresses, photos, videos or even bank account details, vulnerable to malware and phishing. As almost everybody on board uses the Internet connection, the risk could come from an unsuspecting crewmember downloading a virus that self-installs and spies on passwords, or even hijacks smartphones and computers via the network."
Yacht owners pay for insurance and hope they will never have to use it, but know it’s a fallback in the worst-case scenario. Not so in the case of cyber attacks, as expert Nancy Poppe of Willis Watson Towers Insurance tells us.
“The malicious introductions of viruses are being excluded from insurance coverage,” she says. There’s a possibility that collisions caused by GPS spoofing won’t be covered as well. Instead, the captain could be held responsible.
The only upside, says Poppe, is that the lack of insurance coverage has caused owners to sit up and take notice. “Owners have to deal with it and enact their own cyber security protocols — i.e. limiting who has access to the server.”
In the future, cyber security training might become as commonplace as STCW95 training for crew. Jordan Wylie’s company, JWC International, has developed the first cyber security training course for superyacht crews to be internationally approved, including by GCHQ.
“We have delivered it in Monaco, Antibes, Nice and Barcelona,” he says. “The training is a half-day programme with Akula Yachts and is available for all members of the crew. It is delivered in a common language without ‘technical cyber speak’ to ensure the crew really do understand the risks.”
Clarke says that in future you might see a crew member on some of the world's largest superyachts whose role is dedicated to cyber security, but what’s more likely is that the duties will fall to the technical officer, who will be responsible for keeping all the software and technical equipment up to date and adhering to the plan they are given by a cyber security firm.
He also thinks there will be an uptick in yacht management companies getting more involved in prevention, and Akula is already training many onshore companies to liaise with the yachts and make sure they’re adhering to any cyber security schedules just as they would other maintenance.
Physical cyber security might sound like an oxymoron but there are physical methods to prevent cyber assaults, says Patrick Estebe, president of Affairaction, who points out that the FIFA scandal started on a superyacht.
One is to build a Faraday cage around the owner’s office, which entirely prevents electromagnetic transmissions from leaving or entering. “It’s a useful idea for an owner to design a special office without any Wi-Fi connection if he is a head of state or has a similar need for privacy,” says Estebe. “It’s ideal for high-level meetings that could remain private no matter how people would try to listen in electronically.”
As for the slew of vendors traipsing on board: “There’s simply no way to prevent the vendors transmitting with their phones, taking pictures or ‘forgetting’ a phone hidden on board without confiscating all phones and placing those in a Faraday cage container,” he says. “It is a tricky thing to ask these days, but ideally all smartphones from visitors would be collected and placed in a Faraday cage — any fully metallic case not grounded. Even a microwave would do.”
Estebe admits it’s complicated to protect LAN signals themselves. “On a yacht, wires are hopefully hidden — assuming the security consultant knows what he is doing — and not easy to access. But the vulnerability rests likely at the endpoint equipment (computers, servers, switches, etc).” So in the end, awareness and prevention are key.
“Don’t be afraid of the cyber threat — but do engage with it. Find out how vulnerable your yacht is, decide your risk tolerance, and then balance the two and invest in better security on board,” says Malcolm Taylor of G3 (Good Governance Group), a bespoke cyber security consultancy comprising experts from the UK intelligence, information technology and cyber security sectors.
“Ultimately, it’s not about cyber security, it’s about protecting yourself, your family, your businesses and your guests. Having good security on board is about privacy — and, in one sense, the whole point of owning a superyacht is privacy. It’s hard won and easy to lose.”
An excerpt from Hacked by Risa Merl — originally published in Futureyachts, the new bookazine from Boat International Media, which is out now.