Cybersecurity: ‘A problem of naivety’


You wouldn’t leave your house open to burglars, so why leave your yacht open to hackers? We are well used to locking doors and shutting windows in our homes, but we are not so used to locking and shutting the virtual doors that lead to our private, sometimes invaluable, information.

A side effect of the technological age we live in is that it’s now probably easier for criminals to steal your assets virtually than with the classic swag-bag-through-the-window trick.

The main problem facing superyachts when it comes to cybersecurity is naivety about the real and present threat. Mike Wills, co-founder and chief data officer, CSS Platinum, told Superyacht Investor that there are many potential threats against which a superyacht could need to defend itself. It is very easy to believe that all cyber threats are technical, but it is often human error – likely through lack of awareness, discipline and training of crew – that provides a hacker’s gateway into the system.

Now that everyone has a smartphone, we often forget the added risk that whilst these devices are connected via satellite, each provides a potential gateway for a hacker. Even if they find no immediate entry, it is now easy to trawl information from social media and the Dark Web and use it to target crew members and/or, worse, blackmail them into carrying out theft or other illegal activity, said Wills.

Cybersecurity challenges are not receding. That’s why it has never been more important to ensure the cybersecurity and, just as vitally, training of crew on all superyachts is robust.

Quite apart from the fact that you may end up being refused insurance if your software security systems are not up-to-date, the International Maritime Organization (IMO) is bringing in regulations as of January 1st, 2021. The IMO’s Resolution Management Systems Risk Management in Safety MSC.428(98) includes stipulations that all yachts add cybersecurity measures in training, undertake risk assessments of IT systems and establish policy for removal of data (in line with GDPR) and for WiFi use by crews.

Regulations behind the curve

The regulations are behind the curve, according to Tom Frankland, co-founder, JWC Superyachts, a specialist in superyacht cybersecurity training. “It has taken five years [for the IMO] to get this point of regulation and what have they done in the meantime? Ship owners, certainly in the merchant marine sector, are having to decide between upgrading their scrubbers in the funnels [to comply with new EU regulations] versus putting a very basic firewall on the bridge to stop many of these cyber events happening.”

Drawing a comparison with aviation, Frankland estimates it is 30 years ahead of the maritime industry. “If you look at the ISOs (International Organization for Standardization), the basic regulations, and enforcement — for me shipping is archaic in that regard because at the moment a ship is still not classified as unseaworthy because its data systems aren’t up to current basic standards.”

He told Superyacht Investor: “Now shipping has begun to rely much more on technology, it is only now with the IMO Cyber Security regulations that the industry is starting to take this issue more seriously.”

For Frankland, the greatest cyber risk to a superyacht is always going to be people. While the technology continues to evolve, he says, that means the training burden on the yacht’s management and crew is only going to increase. “The weakest point in all of this new technology and protection is still the crew and they don’t realise how important they are in protecting the yacht’s owners, reputation and operational use, where so much of a yacht is now networked and interdependent through master control systems.”

Not just kids sitting around in hoodies

It is important to note hackers are not just “kids sitting round in their hoodies, as the iconography typically embodies”. These are sophisticated, well-resourced government-style agencies that are targeting some superyachts, Frankland notes.

Whilst it is impossible to know the full extent of cyber-attacks due to a lack of reporting as a result of the discreet nature of the yachting industry, a number of yachts have voluntarily made themselves available for testing. In at least one training exercise hackers were able to take control of the yacht’s navigation systems. In another, contractors were able to gain control of many of a yacht’s internal and security systems with minimal delay.

William MacLachlan, partner, HFW, told Superyacht Investor: “The persistent underreporting of cyber incidents in the yachting industry makes it hard to know how active the threat is right now, though a number of well-publicised incidents in the commercial shipping industry have highlighted the vulnerability of marine assets in general to cyber events”.

“I am aware of various controlled events in yachting which, to a degree at least, demonstrate the threat. However, I’m not aware of any publicised examples of a yacht being taken over by nefarious actors. That said, it remains the case that most vessel owners worry about a cyber event leading to a loss of control and a potentially serious incident, from which a liability might arise for which they do not have appropriate insurance cover.” So, it is a theoretical possibility.

MacLachlan added that yacht owners are also more exposed than commercial ship owners to the possibility of losing sensitive and personal data from their vessels. He points to this as perhaps why awareness of the importance of taking a yacht’s cybersecurity arrangements seriously has risen in recent times.

‘Online 24/7 become God-given right’

Captain Iain Flockhart is unsure how seriously the potential threats and consequences are being taken by many owners, managers, captains and crew.

He told SYI: “As with so many things in yachting, it may take a very serious incident to get anyone to sit up and listen. On top of that, sadly with much of the IMO and all these multi-national organisations, the time it takes to agree on issues means they can already be outdated.”

Flockhart added: “I think raising awareness of the seriousness of the issue and its consequences is critical. Being online 24/7 has become such a ‘God given right’ that most people are completely unaware or simply do not care about the darker side of 24/7 connectivity and the complexity of its systems in general. Crew especially need to be educated.”

So just as you keep the firewall on your computer up-to-date, lock your doors when you go out and don’t train your guard dog to roll over for unwelcome intruders, we all need to adopt the safe approach when it comes to cybersecurity. While a potential threat may be harder to spot than a striped-shirt man in a mask, something as simple as keeping a well-trained eye out for anything out of the ordinary could make all the difference.
