
Superyachts Face the Threat of Cyber-Attacks

Cybercrime is one of the fastest growing areas of illegal activity worldwide. In 2016, it climbed to the second most reported economic crime, affecting 32% of organizations [1], and cost the global economy over $450 billion. The recent global malware attack, known as WannaCry [2], infected more than 230,000 computers in over 150 countries, causing mass disruption to banks, hospitals, and other organizations [3]. Some estimate that cybercrime will cost businesses over $2 trillion by 2019 [4].

Nowadays most ships are increasingly using systems that rely on digitization [5], integration, and automation. As technology continues to develop, information technology (IT) and operational technology (OT) onboard ships are being networked together, and more frequently connected to the internet. This brings a greater risk of unauthorized access to, or malicious attacks on, a ship’s systems and networks. Risks may also arise from personnel accessing systems on board, for example by introducing malware via removable media.

In many cases, a yacht, especially a superyacht, can be managed from one central unit which controls navigation systems, engines, air conditioning/ventilation systems, lighting, and entertainment equipment. While cybercriminals can hack any network in the world, the increased use of computerized systems onboard ships can lead to cyber risks that should be addressed. A ship’s vulnerable systems could include, but are not limited to [6]:

a. Bridge systems.
b. Cargo handling and management systems.
c. Propulsion and machinery management and power control systems.
d. Access control systems.
e. Passenger servicing and management systems.
f. Passenger facing public networks.
g. Administrative and crew welfare systems.
h. Communication systems.

Vulnerabilities can result from inadequacies in design, integration and/or maintenance of systems, as well as lapses in cyber discipline. Stand-alone systems will be less vulnerable to external cyber-attacks compared to those attached to uncontrolled networks or directly to the internet.
In a computing context, security includes both cybersecurity and physical security. Cybersecurity is the body of technologies, processes, and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. Physical security is the protection of personnel, hardware, software, networks and data from physical actions, intrusions and other events that could damage an organization. Yacht owners, Masters, and crewmembers must understand their systems in order to use and protect systems, data, and asset functions.
While cybersecurity is concerned with the protection of IT, OT and data from unauthorized access, manipulation, and disruption, cyber safety covers the risks from the loss of availability or integrity of safety critical data and OT. Cyber safety incidents can arise as the result of:
a. A cybersecurity incident which affects the availability and integrity of OT, for example, corruption of chart data held in an Electronic Chart Display and Information System (ECDIS).
b. A failure occurring during software maintenance and patching.
c. Loss of or manipulation of external sensor data critical for the operation of a ship. This includes but is not limited to Global Navigation Satellite Systems (GNSS).

Cyber risk management means the process of identifying, analyzing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring or mitigating it to an acceptable level, considering costs and benefits of actions taken to stakeholders. Effective cyber risk management should start at the senior management level. Senior management should embed a culture of cyber risk awareness into all levels of a company or yacht and ensure a holistic and flexible cyber risk management regime that is in continuous operation and constantly evaluated through effective feedback mechanisms. A cybersecurity risk assessment is also necessary to identify the gaps in a yacht’s critical risk areas and to determine actions to close these gaps.

A cyberattack is any type of offensive action employed by nation-states, individuals, groups, or organizations that targets computer information systems [7], infrastructures, computer networks, and/or personal computer devices by various means of malicious acts, usually originating from an anonymous source, that either steals, alters, or destroys a specified target by hacking into a susceptible system.
In general, there are two categories of cyber-attacks [8] which may affect companies and ships: untargeted attacks, where a ship’s systems and data are one of many potential targets, and targeted attacks, where a ship’s systems and data are the intended targets.

Untargeted attacks are likely to use tools and techniques available on the internet which can be used to locate, discover and exploit widespread vulnerabilities which may also exist onboard a yacht. The intent to cause damage to people’s software is a driving force behind these attacks, but no particular person or group is being targeted. They tend to take the form of malware, worms, and viruses and, for the most part, they are sent out via the internet. Examples of some tools and techniques that may be used in these circumstances include:
Malware: Malware, or malicious software, is any program or file that is harmful to a computer user. Malware includes computer viruses, worms, Trojan horses, spyware, and ransomware. Ransomware, for example, is designed to infect a user’s system and encrypt the data. Cybercriminals then demand a ransom payment from the victim in exchange for decrypting the system’s data.
Phishing: Phishing is a type of security attack that attempts to trick or coerce targets into divulging sensitive/valuable information. Attackers target users’ login credentials, financial information (such as credit cards or bank accounts), company data, and anything that could potentially be of value.
Water holing: Setting up a fake website or compromising a legitimate one in order to exploit visiting users.
Scanning: Attacking wide swathes of the Internet at random.

Targeted attacks may be more sophisticated and use tools and techniques specifically created for targeting a yacht. An attack can be considered a targeted attack when it fulfills three main criteria:
a. The attackers have a specific target in mind and have been shown to have spent considerable time, resources and effort in setting up or carrying out the targeted attack,
b. The main aim of the targeted attack is to infiltrate the target’s network and steal information from their servers,
c. The attack is persistent, with the attackers expending considerable effort to ensure the attack continues beyond the initial network penetration and infiltration of data.

Examples of tools and techniques which may be used in these circumstances include:
Brute force: Brute force attacks involve a trial-and-error method used to get information such as a PIN or password. In this type of attack, automated software generates several consecutive guesses to try to isolate the correct solution.
Denial of service (DoS): In a Denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, websites, online accounts (banking, etc.), or other services that rely on the affected computer. The most common and obvious type of DoS attack occurs when an attacker “floods” a network with information.
Spear-phishing: Sending emails to targeted individuals that could contain an attachment with malicious software, or a link that downloads malicious software.
Subverting the supply chain: To attack equipment or software being delivered to the organization (ship, company, etc.).

But how can you protect your yacht from cyber-extortion? Here are a few ways to protect your vessel from a cyber-attack:
a. Develop and implement a cybersecurity plan that clearly outlines best practices for all crewmembers.
b. Protect your valuable data. You must understand what sensitive data is and know what data you need to protect.
c. Determine what risks to your yacht are low, medium, or high-level threats. This will help you prioritize your actions.
d. Educate your crew. The more your crew know about cyber-attacks and how to protect your data, the better off you’ll be. Develop Internet security guidelines and educate crew about Internet safety, security and the latest threats.
e. Password protection. Select passwords that will be difficult for attackers to guess, and use different passwords for different programs and devices.
f. Ensure all systems have an appropriate firewall. Firewalls may be able to prevent some types of infection by blocking malicious traffic before it can enter your computer and limiting the traffic you send.
g. Use and maintain anti-virus software. Anti-virus software can often recognize and protect your computer against most known viruses, so you may be able to detect and remove the virus before it can do any damage. Because attackers are continually writing new viruses, it is important to keep your definitions up to date.
h. Use caution with email attachments. Do not open email attachments that you were not expecting, especially if they are from people you do not know. If you decide to open an email attachment, scan it for viruses first.
i. Be wary of downloadable files on websites. Avoid downloading files from sites that you do not trust. If you do download a file from a website, consider saving it to your computer and manually scanning it for viruses before opening it.
j. Be careful what information you publicize and avoid posting personal data in public forums. Attackers may be able to piece together information from a variety of sources.
k. Hire a cybersecurity expert. The best solution for this type of problem is to hand the task to a professional company that deals with such problems regularly.

Cybersecurity is a complex subject and one of the most urgent issues of the day. A yacht faces cyber threats similar to those of any other commercial ship. Owners and masters must realize that a superyacht is an attractive target for hackers, who are getting more sophisticated every day. An attack on the yacht’s systems and data could give attackers access to critical information that can threaten the security of the ship.

1- Global Economic Crime Survey 2016.
2- The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
3- The British National Health Service, international shipper FedEx and Spanish telecommunications company Telefonica were among the targets.
4- https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#347e19a03a91.
5- Digitization, less commonly digitalization, is the process of converting information into a digital (i.e. computer-readable) format, in which the information is organized into bits. The result is the representation of an object, image, sound, document or signal (usually an analog signal) by generating a series of numbers that describe a discrete set of its points or samples.
6- IMO Guidelines on Maritime Cyber Risk Management MSC-FAL.1/Circ.3 5 July 2017.
7- https://en.wikipedia.org/wiki/Cyberattack.

Bibliography.

The Guidelines on Cyber Security Onboard Ships Version 2.0 (Produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI).
IMO Guidelines on Maritime Cyber Risk Management MSC-FAL.1/Circ.3 5 July 2017.
https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#347e19a03a91.
Global Economic Crime Survey 2016 (Produced by PricewaterhouseCoopers, www.pwc.com/crimesurvey).
Cyber Attacks White Paper January 2016 (Produced by National Cyber Security Centre, https://www.ncsc.gov.uk/).
https://www.us-cert.gov.
http://whatis.techtarget.com/
https://en.wikipedia.org/wiki/Cyberattack.
https://en.wikipedia.org/wiki/WannaCry_ransomware_attack.
https://en.wikipedia.org/wiki/Computer_security.
https://en.wikipedia.org/wiki/Internet_security.

© 2018 Copyright, ASPIS Superyachts Magazine.