What are some of the most common cyber-attacks and how common are they?
That’s a difficult one to answer really. Would this be aimed at Yachts or just in general? Cyber attacks relating specifically to yachts would be AIS/GPS hacking and spoofing, engine management and control etc, but outside of that, in our opinion they face the same threats and cyber attacks as every other organisation. These happen on a daily basis the world over. The yacht sector specifically is being actively targeted and we have absolute proof of this. These range from simple phishing in emails in order to harvest usernames and passwords (to be used to gain access to other systems and information) to emails containing malicious attachments that act as Remote Access Trojan (RAT) and key loggers. Again, used to gather data, intercept and redirect financial transactions, usernames and passwords. From what we know so far, the attacks relating to AIS/GPS etc are not so common, possible (but most things are if the attacker has the time, resources and commitment to achieve it) but as mentioned, the yacht sector is no different, the other cyber attacks are very common and happen on a daily basis.
Is the yachting industry facing an increasing threat from these attacks? What’s the biggest threat?
Absolutely. Is it ‘new’? No. It’s been happening for years and being honest, most of the sector seems to be quite far behind in understanding and accepting this. Success is becoming more apparent and as such, the threat level will naturally increase. We’ve heard a number of times that ‘We don’t hold any data’ or ‘The Owner doesn’t use it for business’. Not the point. Yachts and Management Companies DO hold data of interest and regardless of whether or not the Owner uses it for business, financial transactions of large sums of money happen daily. The attractiveness of this and the ability to intercept and direct is of huge interest to hackers. Add in to this a high profile owner or vessels managed by an organisation, your risk level has to increase.
What can be done to protect a yacht? What extra steps can be taken to increase its security?
I’ll be quite generic here you need to first understand the risk(s). These then need to be accepted, managed or mitigated. Perform a vulnerability assessment and or penetration test to ascertain how weak the system is and how successful any attack may be. You then need to decide what to do with these risks, as we said above, accept, manage or mitigate. We would hope yachts have an IT Acceptable Use Policy, which should be enforced by technical controls and proper monitoring. We asked a room full of ETO’s back at a training session in March, how many of you would know if we were in your system, logging in, moving data and creating accounts? Not one them answered in the positive.
Systems should be secure by design. Cyber security should be an integral part at the start of any new build project. It then becomes part of the culture, is properly integrated and works as expected. Waiting to ‘bolt it on’ when the vessel goes operational or as a potential after thought, costs more in terms of money, time and disruption.
As there are already a large number of yachts out there that may not be as protected as they can be, follow the process set out above and carefully select any solutions so as not to cause massive disruption to daily life or operational activity, as this will only lead to rejection of solutions or processes.
What bad cyber habits by crew and/or guests need to change?
We have taken the line that it is unlikely you will change the habits of guests when they are on yacht. This is where the risk management, controls and monitoring come in. For crew or anybody come to that, start with education. Be aware of social engineering….talking in bars posting about the yacht or your position on social media, etc. Do not click links or open attachments in emails from people you do not know and if you do know them and aren’t expecting it, seek verification as emails addresses can be spoofed! Keep your own devices up to date, operating systems, applications and anti-virus. Only install applications from trusted services and don’t give away information you don’t need to, would be a good start.
Seriously consider the use of a password manager. These are great tools for helping with generating secure passwords and other login information.
What signs should you look for that might indicate you’ve been hacked?
This can be quite tough as not all attacks/hackers will operate in the same way but once they have access to a system, they would generally then ‘look around’ for what other systems they could compromise to gain a further foothold, look to create admin accounts or elevate user privilege to achieve their goal. This could be disruption, damage or data theft. These elements can be monitored for, alerted on and or stopped with the right solutions and processes in place.
What are the risks if you don’t take the proper steps to secure the yacht?
These could range from denial of service, financial and data loss to physical damage depending on how the yacht is configured. In terms of data loss, especially that of personal data, the fines under the General Data Protection Regulation (GDPR) that came in to force in the EU and for EU citizens wherever their data may be held, the fines could be €20 million, or 4% of global turn over. Taking into consideration that yachts and or management companies hold data on crew that is considered ‘special data’ under the regulation, we would argue this impacts far more yachts and companies than you may think!
What are common misconceptions or tricks that used to work but no longer do because of advanced technology for hacking?
It always has been and always will be a game of cat and mouse. The attackers and the defenders. Hackers are always evolving their techniques, always looking for new ways to reach their aims, they never sit sill and neither should we.