Town Hall: ‘We are in a battle with cyber criminals’
Superyacht owners, managers and crew are in a battle with cyber criminals to protect the safety of their vessels and the integrity of data, according to speakers at last week’s Superyacht Investor Town Hall online meeting.
Mike Wills, co-founder and chief data officer of superyacht security specialist CSS Platinum, told delegates: “As a former military man, I would say we’re in a battle now with cyber criminals that is not going to go away.”
The risks were heightened every day by the increasing prevalence of technology. “You only have to look at 5G, which is establishing itself and 6G, which is on the horizon. The increase in data transfer that provides for the proliferation of smart devices will start to encompass our lives in ways we don’t yet know,” said Wills. Data transfer, the Internet of Things, wearable devices, blockchain and smart contracts will increasingly “touch everything we do”.
Awareness of digital and cybersecurity risks was improving, but there is still significant scope for progress, Wills told delegates. He believed cybersecurity was a life skill that should be taught in schools and colleges to help protect people from the growing threat.
In the superyacht sector, Wills thought awareness of cybersecurity topics was growing but had yet to reach the right standard. “People intend to get round to it,” said Wills. “Then it comes to the point where documentation and compliance needs its annual verification and suddenly there is a mad rush to do something now.”
International Maritime Organization (IMO) Resolution MSC.428(98), requiring vessels to undertake an annual documentation of compliance audit after January 1st, 2021, has helped focus attention on cybersecurity, speakers agreed. But compliance was not enough to guarantee protection. Also, Covid-19 had raised the cybersecurity risks, as staff were required to work from home – sometimes with laptops that lacked effective cyber protection.
Another military perspective on cybersecurity was offered by Martin Smith, chief operating officer at cybersecurity firm Cyber Prism. “You might think that after 33 years in the Royal Marines, this would be a big change for me, leaving and becoming MD of a cybersecurity company. But it’s been pretty intuitive for a couple of reasons.”
Smith and other military planners realised after the 9/11 attacks on the World Trade Center: “The future of warfare resulted in information and he who controlled the information space in future was likely to win.” Security topics, which eight years ago referred mainly to hiring security guards while navigating the Straits of Hormuz and other areas, had now expanded to include cybersecurity.
“Now security is seen as a more multifaceted entity and it needs multifaceted solutions but we’re not renouncing physical security any more than the military is renouncing physical warfare,” said Smith. “The two now seem to be in tandem. It’s all about striking that balance between the physical and the information and doing that in such a way that the costs of ownership are contained, so that ownership and chartering is still possible for people but in a secure environment.”
Insurance had also been a driver to improve cybersecurity standards. But there has been a concentration on what happens after an attack rather than prevention. “The more insurance companies try to avoid pay-outs and get into the prevention end of the business, the more secure we will all become,” said Smith.
The need for more effective cyber protection was demonstrated by recent surveys of superyachts conducted by Pelion Consulting, according to Campbell Murray, its chief security officer. The research revealed 80% of superyachts surveyed have no protection against the software virus Blinky, first detected in 2017, and Dropbear, identified in 2019. “It’s quite astonishing that a lot of thought is put into architecture and privacy, but the execution of the technical controls is severely lacking. Whether that is through lack of education on the part of those running ships or lack of will is not entirely clear,” said Murray.
Other common problems revealed by the survey included Wi-Fi network names that revealed too much information, such as owners’ names; a lack of effective password management; and IT firewalls that were not configured to offer effective protection.
“Education is obviously a problem with the ships’ systems and those managing the ships’ systems,” said Murray. Managers and senior crew need to raise their understanding of security engineering.
Asked to identify the Achilles heel of cybersecurity, Wills of CSS Platinum replied: “People are, in any business, your greatest asset. The opposite can also be true: the greatest vulnerability.”
He likened the security of a superyacht to the skins of an onion. “At the very centre is the yacht or the owner. That may be the target criminals want to exploit for any number of reasons – information, personal data, intellectual property – whatever the motivations of the criminal are.”
If the yacht has good security at its centre, cyber criminals may try to “peel off the layers of the onion skin”. They will search for access points, he said. It could be free Wi-Fi networks, but often it can be people who either knowingly or unknowingly do inappropriate things, such as patching devices and failing to update software and security systems.
“There’s lots of opportunity to socially engineer someone and then either exploit them unknowingly or coerce or bribe them into doing something,” said Wills. “So, I think that the greater vulnerability is through people.”
Implementing an effective defence depended upon taking a comprehensive approach and looking at crew governance. Owners should develop a plan for information security covering both yachts and their crew, said Wills. “Looking after your people, understand what risks they pose to you and try to make sure that they are aware of how they can impact the security of the vessel.”
Technological defences were important too, but people posed the biggest risk, he said.
Howard Ricklow, partner with law firm Collyer Bristow, highlighted cybersecurity risks linked to reputational damage, the dangers of publicising high-profile passengers’ or owners’ information and the risks posed by the General Data Protection Regulation (GDPR), introduced in 2018.
Last year, the hacking of an international crew recruitment agency resulted in a data breach, which released details of crew medical certificates, insurance certificates, visas and passports onto the dark web.
“That’s real damage,” said Ricklow. “If you’re caught by GDPR that can mean fines of up to €20m, or 4% of your gross annual turnover across your whole group.” Individuals harmed by data breaches also have the right to sue for damages.
The reasons for the hacking could be mayhem, mischief, military or money – including hacking for ransom, said Ricklow. The first step to lifting safety standards was data mapping: understanding what personal data is being held and where, and whether privacy notices have been produced for the individuals whose data is being held.
Wills, of CSS Platinum, summed up on a cautionary note: “This is not going to go away. This is a life skill and businesses need to respond to the cybersecurity threat. This will become part of your operational overheads for evermore.”
The Town Hall – Cybersecurity and superyachting in 2021 – took place on Thursday 29th July.