By Tom MacDonald, Managing Principal Security Consultant at Nettitude
For superyacht owners, ensuring the privacy of their personal and business affairs, as well as ensuring that physical security is never compromised, is of paramount concern. As these vessels become increasingly technologically advanced, cyber security becomes an increasingly crucial concern in order to protect owner privacy and safety. But what exactly are the cyberthreats that superyachts are facing, and how can owners and their crews protect themselves?
Context: Nettitude’s Experience
Nettitude have recently completed a variety of cyber engagements for our marine and offshore (M&O) clients, encompassing ISO 27001 assessments and incident response services through to penetration tests and threat intelligence-led red teaming.
As a result of these engagements, we feel well placed to offer guidance on how marine and offshore companies can improve the cyber security practices within their organisations – implementing change at the strategic level to set the conditions for future success, whilst also incorporating some quick wins at the operational and tactical levels of marine operations.
Nettitude have been carrying out full spectrum cyber assurance for over 15 years, and firmly believe that an isolationist approach to cyber security is unlikely to result in success. It is critical to consider an approach that comprises changes to people, process and technology within the business, as challenges in one area of the triad can be mitigated with strengths and successes in others.
Superyachts’ Cyber Security Challenges
Due to the unique nature of operations on board a superyacht, there are distinct cyber security challenges present, including IT system complexity, design and uptime requirements as well as the challenges involved in ensuring that there is sufficient technical expertise among what is often a small crew.
Roles, responsibilities, training and testing
Crews aboard yachts are often significantly smaller than they are aboard other vessels such as cruise ships, with certain staff carrying several job roles concurrently. One example of this is the Electrical Technical Officer (ETO), who has responsibility for anything electrical-related aboard the entire vessel once the electricity leaves the engines. This can range from running the owner’s theatre system or replacing batteries in guest room doors through to managing the VSAT connection. Running the equivalent of a medium-sized business’s IT network and guaranteeing the confidentiality, integrity and availability of data is a dedicated skillset that requires significant system administration experience. This is rarely combined with knowledge of marine electrical systems such as radar, radio, navigation systems and electrical distribution.
Nettitude would recommend that owners invest heavily in the training of ETOs in modern business IT practices, as well as partnering with CREST-accredited security firms to carry out rolling vulnerability analysis and penetration testing. Where ongoing training is not possible, owners can employ a dedicated security administrator who is responsible for security aboard all fleet vessels, manages relationships with third party security companies and holds third party IT / OT outsourcers to security best practices.
Superyachts often have periods where the owner is not making use of their vessel, allowing the crew to undertake patching, architecture revisions and security upgrades. Whilst the owner is aboard, however, the need to guarantee 100% availability of internet, gaming connections, theatre systems and HD streaming can lead to misconfigurations due to the desire to ‘just make it work’. During a recent assessment, Nettitude saw an airgapped AV network bridged by a well-intentioned firewall rule put in place to make it easier for the crew to copy newly downloaded movies onto the owner’s Plex media server. Because the media network lacked network access controls, this had the unintended effect of allowing an attacker to gain access to it and then tunnel into the main superyacht operations network to carry out onward exploitation. Alongside the need for convenience, owners must recognise that strong systems administration practices are critical for both the security of their business affairs and their personal safety.
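One way to catch a convenience rule like the one described above is to audit the exported firewall rule set against the isolation policy after every change. The following is an added example, not Nettitude's tooling; the rule format, addresses and zone range are constructed for illustration.

```python
import ipaddress

# Constructed address range for the AV/media network that is meant to be isolated.
AV_ZONE = ipaddress.ip_network("10.20.0.0/24")

# Constructed rule export; field names are assumptions, not a vendor format.
RULES = [
    {"id": 1, "action": "allow", "src": "10.30.0.0/24", "dst": "10.10.0.5/32"},
    # Crew workstation copying files to the media server: the bridging rule.
    {"id": 2, "action": "allow", "src": "10.30.0.15/32", "dst": "10.20.0.10/32"},
    {"id": 3, "action": "deny", "src": "0.0.0.0/0", "dst": "10.20.0.0/24"},
    # Traffic that stays inside the AV network is expected.
    {"id": 4, "action": "allow", "src": "10.20.0.0/24", "dst": "10.20.0.0/24"},
    # A broad any-to-any allow also reaches into and out of the zone.
    {"id": 5, "action": "allow", "src": "0.0.0.0/0", "dst": "0.0.0.0/0"},
]


def audit_isolation(rules, zone):
    """Return (rule id, direction) for every allow rule that crosses the zone edge.

    Rule ordering is deliberately ignored: any allow that could carry traffic
    across the boundary is reported for manual review, even if an earlier
    deny shadows part of it.
    """
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        # Inbound: destination reaches the zone, source is not wholly inside it.
        inbound = dst.overlaps(zone) and not src.subnet_of(zone)
        # Outbound: source reaches the zone, destination is not wholly inside it.
        outbound = src.overlaps(zone) and not dst.subnet_of(zone)
        if inbound or outbound:
            direction = "both" if inbound and outbound else "into" if inbound else "out of"
            findings.append((rule["id"], direction))
    return findings


if __name__ == "__main__":
    for rule_id, direction in audit_isolation(RULES, AV_ZONE):
        print(f"rule {rule_id} allows traffic {direction} the isolated zone")
```

Run against each configuration export, an empty result confirms the air gap still holds at the firewall; any finding is a change that needs an owner and a justification.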
Secure design and commission
Any design flaws or weak authentication mechanisms in yacht maintenance and inventory management software can allow attackers to gain access to internal plans and imagery of the vessel, removing the need for attackers to physically monitor and carry out reconnaissance of the vessel – this data is now accessible remotely to the attacker after a single successful phish of a crew member. It is also essential that, during the design, procurement, build and commission of new vessels, secure design principles are applied to networks, software and the operational procedures to be used within these environments.
Holistic simulation of real world impacts
A threat intelligence-led penetration test against the vessel and its crew can often serve to highlight areas of weakness and demonstrate the impact of a future compromise. Nettitude recently carried out a security assessment of a superyacht, resulting in multiple CVEs being discovered in custom yacht software and the production of a full attack chain representing a total compromise of all data on the vessel in under nine hours. As part of this assessment, Nettitude were able to determine and alter the blind spots of security cameras, as well as alter the logging posture of the door control software to allow unauthorised access to the owner cabin and engine room.
Overall, businesses in the M&O space are an attractive target to attackers, and superyachts are no exception. However, by implementing sector-specific modern enterprise IT practices around people, processes and technology, implementing a cyber security strategy, and carrying out cyber hygiene, it is possible to drastically reduce the likelihood and severity of a compromise.
To learn more about the developing cyberthreats that are affecting both the cruise and superyacht industries, take a look at our full research report here.