Aside from the luxury conveniences onboard many superyachts, modern vessels utilise networked technologies in order to provide faster, more accurate, and more convenient operations. Whilst all of these modern conveniences have been a game changer for the superyacht industry, this connectivity can often unfortunately bring with it, new threats to the security of the vessel, its crew, and its passengers, while additionally bringing unique marine-specific challenges in terms of systems maintenance.
Based on first hand security assessments conducted by Nettitude on a wide range of vessels, this blog post aims to express the current threat landscape for superyachts, likely tactics of threat actors, common security issues, and marine-specific challenges in maintaining secure systems and networks.
The pitfalls of luxury conveniences
Superyachts often have periods where the owner is not making use of their vessel, allowing for the crew to undertake patching, architecture revisions and security upgrades. Whilst the owner is aboard however, the need to guarantee 100% availability of internet, gaming connections, theatre systems and HD streaming can lead to misconfigurations due to the desire to ‘just make it work’. During a recent assessment, Nettitude saw an air-gapped AV network bridged by a well-intentioned firewall rule put in place to make it easier for the crew to copy newly downloaded movies onto the owner’s Plex media server. This had the unintended effect of allowing an attacker to gain access to the media network due to the lack of network access controls and then tunnel into the main superyacht operations network to carry out onward exploitation.
Crew members with multiple roles
Crews aboard yachts are often significantly smaller, with certain staff carrying several job roles concurrently. A perfect example of this could be the Electrical Technical Officer (ETO) who has responsibility for anything electrical-related aboard the entire vessel once the electricity leaves the engines. This can range from running the owner’s theatre system or replacing batteries in guest room doors through to managing the VSAT connection. Running the equivalent of a medium sized business’ IT network and guaranteeing the confidentiality, integrity and availability of data is a dedicated skillset that requires significant system administration experience. This is rarely combined with knowledge of marine electrical systems such as radar, radio, navigation systems and electrical distribution.
Weak design and commission
Yacht maintenance and inventory management software is often poorly designed or supports weak authentication mechanisms. This can allow attackers to gain access to internal plans and imagery of the vessel, removing the need for attackers to physically monitor and carry out reconnaissance of the vessel – this data is now accessible remotely to the attacker after a single successful phish of a crew member. It is also essential during the design, procurement, build and commission of new vessels that secure design principles are applied to networks, software and the operational procedures to be used within these environments
What can you do to protect against these cybersecurity issues on superyachts?
Holistic simulation of real-world impacts
Where owner buy-in is proving difficult to achieve, engagement with the owner’s own security team and the commencement of a threat-intelligence led penetration test against the vessel and its crew can often serve to highlight areas of weakness and demonstrate the impact of a future compromise. Nettitude have recently carried out a cybersecurity assessment of a superyacht, resulting in multiple CVEs being discovered in custom yacht software and the production of a full attack chain representing a total compromise of all data on the vessel in under nine hours. As part of this assessment, Nettitude were able to determine and alter the blind spots of security cameras, as well as alter the logging posture of the door control software to allow unauthorized access to the owner cabin and the engine room.
Roles, responsibilities, training and testing
Nettitude would recommend that owners invest heavily in the training of ETOs in modern business IT practices, as well as partnering with CREST-accredited security firms to carry out rolling Vulnerability Analysis and Penetration Testing. Where ongoing training is not possible, it is possible to employ a dedicated security administrator who is responsible for security aboard all fleet vessels, manages relationships with third party security companies and holds third party IT / OT outsourcers to security best practices. It is critical that owners see that their business affairs and personal security are being placed at risk from poor systems administration practices, coupled with a perception that the yacht is ‘water-gapped’.
For more information on reducing risk within the superyacht industry, check out our full whitepaper.