Four years on, despite a sharp uptick in cyber-attacks in the maritime sector, despite the insertion into the ISM Code of a specific requirement for cyber risks to be assessed and mitigated, little has changed. In the yacht and superyacht sector, cybersecurity remains a grossly overlooked issue.
Sadly, the prevailing attitude, despite all the evidence to the contrary, is a collective denial of the risks cybercrime poses. Cyber-attacks are something that happen on land, targeting enterprises and institutions, not their high-net-worth owners, executives, and directors at leisure on their boats. They are more at risk when they relax and where do they relax? On their superyachts.
It doesn’t take too much analysis of the facts to debunk this view. It’s no secret that the world’s uber-rich like to carry on conducting their business even while they relax out at sea, whether that involves hosting important clients and business associates or, as is seen on some superyachts, installing fully kitted financial dealing rooms onboard, complete with Bloomberg terminals, so they can carry on trading in stocks and shares even as they trot around the globe.
It’s also no secret that the world’s mega-rich value their physical privacy greatly – and are quite prepared to pay a handsome price to protect it, should it ever be compromised. The same cannot be said for digital privacy. Finally, it is now anything but a secret that the typical modern superyacht is something of a soft target for would-be hackers. The preference for modern yacht owners to have powerful Wi-Fi and satellite communication systems on board so they can stay connected wherever they sail comes at a price – it offers an easy access point for cyber criminals unless it is robustly protected.
Furthermore, the fact that many superyachts feature Controller Area Networks (CANs) and other centralised control systems integrating IT and OT systems for ease of management means that hacking into a yacht’s Wi-Fi doesn’t just give you access to whatever laptops and smartphones happen to be connected to it. As we all know by now a boat’s Wi-Fi system can act as a gateway to the navigation system, the GPS, the onboard CCTV, and security – pretty much everything needed to take full control of a yacht, if it is not separated and protected correctly.
All of that said regarding Wi-Fi, which is still a risk, most attackers would no doubt find it far easier to simply send repeated phishing and spear phishing emails laced with malware, knowing that somebody will click and open one eventually; passed the Wi-Fi, passed the Firewall, on the inside sometimes soft, unprotected interior before the coffee has brewed.
Attacks in the maritime sector on the rise
Another stubbornly pervasive myth in the industry is that, while these kinds of risks might exist in theory, actual incidents of cyber-crime targeting superyachts remain rare. In line with figures across most sectors of the economy, the maritime sector experienced a 400% spike in cyberattacks during the initial phase of the COVID-19 pandemic, as criminals looked to cash in on the uncertainty and disruption.
It doesn’t take too much digging to come up with real-world examples that illustrate exactly how criminals are targeting yachts, and how costly their attentions can be.
Have you heard the one, for example, about the yacht owner who lost $11m in a business deal when he paid an agreed transaction into a fraudulent account – all because a hacker had tricked their way into his boat’s network via a phishing email scam, eavesdropped on negotiations, and then was able to send a spoof confirmation email sealing the deal containing the fake account details?
Or how about the one about the billionaire who lost £100,000 when criminals hacked his bank account through his yacht’s network, or another owner who paid a similar amount out in what turned out to be a fraudulent fuel payment?
There are other examples, ranging from yacht owners paying ransoms to stop private documents stolen from onboard computers being stolen, to so-called ‘ransomware’ attacks freezing propulsion and steering systems so a vessel is stranded out at sea until cash is paid for its release, to targeted phishing attacks using apparently authentic emails about ECDIS updates to install malware.
Underreporting a major barrier to tackling cyber threats
Yet for all these examples and all the statistics, it is widely acknowledged that underreporting of cybersecurity incidents remains a serious problem in the maritime industry, and nowhere more so than amongst yacht and superyacht owners.
This is partly down to the high profile of most wealthy yacht owners and their wish not to draw attention to themselves. But it also boils down to another stark fact about cybercrime – the majority of losses that stem from a cyber-attack, whether payment of a ransom, extortion, or loss of private data, are not covered by conventional yacht insurance policies. Incidents therefore go under the radar because no one reports them to make a claim.
This creates something of a paradoxical situation for yacht owners and their captains. With no recourse through insurance, the only way to protect yourself from losses is to take preventative measures. Yet the underreporting of incidents creates a false sense of security, that it is not a big enough issue to take seriously. Creating channels for anonymous reporting is one idea that would help raise awareness of the true nature of the threat, and therefore empower yacht owners and managers to be proactive in how they address the issue.
All too often, yacht owners and their captains come to us looking for a robust cybersecurity solution for their vessel only after they have suffered a cyberattack, at which point it has probably already cost them a considerable sum of money – not to mention the stress and anxiety of knowing that someone has had unauthorised access to your boat’s systems, your private data, perhaps even the capability to control the vessel remotely. For captains and operators, there is the issue of reputational damage to take into consideration, too.
From our perspective, the only way to counter the growing risk of cybercrime targeting yachts and superyachts is to take an end-to-end preventative approach – not just as a nod to compliance with the new ISM Code, but based on a comprehensive assessment of actual risks, with robust security and mitigation procedures put in place accordingly, as compliance does not equal secure.
Cyber Defence Solutions will be attending the Monaco Yacht Show from 22nd to 25th September. For a full discussion of your cybersecurity needs and a breakdown of the solutions available, why not contact us and arrange a time to meet our specialist team.