EDITOR'S NOTE: A huge thank you to Benjamin Dynkin, Barry Dynkin and Eric Stride of the American Cybersecurity Institute & Co-Founder at Atlas Cybersecurity, who wrote this guide specifically for our industry.
Superyacht Security: A QuickStart Guide
Benjamin Dynkin, Barry Dynkin, Eric Stride
The superyacht industry has long been a leader in technical innovation, not only for the maritime world but for countless other industries as well. The unique set of challenges in providing the services needed in the middle of the ocean forced the innovation and implementation of everything from telecom services, to audiovisual experiences, to cutting-edge IoT sensors and devices. The one technical area that has lagged behind is cybersecurity. While the world has grappled with the ever-rising threat posed by cybercriminals, superyachts, due to their general lack of connectivity and highly specialized profile, largely believed themselves squarely outside the sights of criminals. While this is not the case, the industry has begun to change its perceptions – from new regulations from the International Maritime Organization (“IMO”), to updated insurance requirements, to an evolving ecosystem around security, it is clear that security will be a core feature of the superyacht industry. This article will look at the industry threat landscape and then offer guidance on how to build a security program for a superyacht, considering both the procedural and technical elements required to ensure a robust and dynamic program.
The Cyber Threat Landscape
There has yet to be a highly visible case study of a superyacht coming under attack, but there are countless cases of serious cyber incidents in the maritime industry, ranging from breaches affecting shipping operations to ports being taken offline. With increased IT and OT infrastructure, there is a tremendous threat surface through which criminals can launch their attacks. On the IT side of the conversation, a superyacht more closely resembles an enterprise environment than a boat. From enterprise networking, to Microsoft Exchange environments, to virtualized servers, and a litany of onboard computers supporting IT, AV, and business applications, it is abundantly clear that superyachts are run like businesses. If that were not a dire enough diagnosis (over 55% of businesses have self-reported cyber-attacks), superyachts face a unique set of difficulties due to there being significantly fewer of them, and the ease with which they can be identified by IP address when using a VSAT connection – this makes targeted scanning for vulnerabilities a routine effort for criminals. On the OT, or Operational Technology, side of a superyacht the picture is even grimmer. Operational Technology is driven by industrial control systems and the Internet of Things, which have only truly arrived on superyachts in the last several years. While control systems have been present for a long time, only recently have they exploded in connectivity. For example, the newest Rolls Royce engines feature advanced connectivity, over several methods of communication, to provide the visibility needed to detect and address problems before they arise. While this is a noble goal, each of those services opens the boat up to new avenues of assault.
While the above is an illustrative example, these kinds of connected control systems have appeared on virtually every facet of the superyacht, from cameras to blinds to bridge control systems – everything is connected, thus everything is accessible. In addition to the general threat posed by IoT and ICS systems, there is no guarantee that the technologies have been built securely – in fact, insecure IoT devices are a systemic problem across the entire industry, where the rush to bring devices to market leaves vulnerabilities aplenty.
When considering the cyber threat landscape, the above considerations are key drivers within all organizations, but the superyacht industry faces a uniquely pernicious threat – the high-profile nature of the owners. Most organizations tend not to have to deal with targeted attacks perpetrated by high-profile threat actors. Owners of superyachts tend to be captains of industry and global leaders, making them uniquely intriguing targets for sophisticated malefactors. This means that a standard approach to cyber defense alone is insufficient; the calculus must change to adjust for this heightened threat profile. In sum, the cyber threat landscape is dire, but once it is understood, it is possible to build a tailored program around defending against these heightened threats.
Building a Security Program
Understanding the threat landscape is a critical first step in marshalling defenses, but the real work of defending a superyacht is in building a cybersecurity program that covers the threat surface and effectively addresses the threat landscape. The IMO, in a new regulation, explicitly requires the adoption of a cybersecurity program. While there are many internationally regarded standards that can be implemented to build a cybersecurity program, this article will take an agnostic approach that focuses on core tenets featured in nearly every standard, breaking down a cybersecurity program into its constituent elements: Identify, Protect, Detect, Respond, and Recover. These functions provide a holistic view of what is required.
While some believe protection and detection are the most critical functions, everything begins with identification. This is not merely an asset inventory, but rather a broader inquiry into understanding the IT and OT environment on the vessel, what connectivity is required, how networks are segmented, what threats and risks exist in the environment, the supply chain and potential third-party risks, and the broader business environment as well. These steps are necessary for two reasons. First, it is important to understand, with granularity, the risk environment so that remediation steps can be taken. This is a process that is not done once, but rather is done regularly so as to account for the implementation of new technologies, and new and emerging threats. Second, the process of identifying the assets currently on the vessel in essentially real time is critical to ensuring defenses do not fall to basic threats. A simple USB key or Raspberry Pi tucked away in a corner could give criminals persistent access to the superyacht and bypass countless lines of defense – being able to accurately identify everything on the network and all applications running within it ensures that you can tailor a security program to the real world rather than to network schematics that may be months or years old.
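One way to make that near-real-time identification concrete is to reconcile what the vessel's DHCP server is actually leasing against the approved asset list, flagging both unknown devices (the forgotten Raspberry Pi) and approved devices that show up on a VLAN they are not cleared for. This is an added example, not the guide's own code; the inventory, addressing plan (third octet of 10.0.X.0/24 as the VLAN id) and lease lines are constructed for illustration.

```python
"""Reconcile the vessel's live DHCP leases against the approved asset inventory.
Added example, not the guide's own code; all addresses, names and leases below
are constructed for illustration."""
from dataclasses import dataclass

# Approved inventory: MAC -> (asset name, VLAN it is allowed on). Constructed.
APPROVED_ASSETS = {
    "00:1a:2b:3c:4d:01": ("bridge-ecdis-1", 10),
    "00:1a:2b:3c:4d:02": ("av-rack-controller", 30),
    "00:1a:2b:3c:4d:03": ("crew-laptop-07", 20),
}
# OUI prefixes worth a closer look when they appear unannounced. The two entries
# are Raspberry Pi prefixes from the public IEEE OUI registry; extend as needed.
WATCHED_OUIS = {"b8:27:eb": "Raspberry Pi", "dc:a6:32": "Raspberry Pi"}

# Constructed dnsmasq-style lease lines: expiry  MAC  IP  hostname  client-id
LEASES = """\
1700000000 00:1a:2b:3c:4d:01 10.0.10.5 bridge-ecdis-1 *
1700000000 00:1a:2b:3c:4d:03 10.0.20.41 crew-laptop-07 *
1700000000 b8:27:eb:11:22:33 10.0.10.77 raspberrypi *
1700000000 00:1a:2b:3c:4d:02 10.0.10.9 av-rack-controller *
"""

@dataclass
class Finding:
    mac: str
    ip: str
    hostname: str
    reason: str

def vlan_of(ip: str) -> int:
    """Assumed addressing plan: the third octet of 10.0.X.0/24 is the VLAN id."""
    return int(ip.split(".")[2])

def reconcile(lease_text: str) -> list:
    """Flag leases for unknown devices and approved devices on the wrong VLAN."""
    findings = []
    for line in lease_text.splitlines():
        _, mac, ip, hostname, _ = line.split()
        mac = mac.lower()
        if mac not in APPROVED_ASSETS:
            vendor = WATCHED_OUIS.get(mac[:8])
            reason = "not in approved inventory" + (f" ({vendor} OUI)" if vendor else "")
            findings.append(Finding(mac, ip, hostname, reason))
        elif (seen := vlan_of(ip)) != APPROVED_ASSETS[mac][1]:
            name, allowed = APPROVED_ASSETS[mac]
            findings.append(Finding(mac, ip, hostname,
                                    f"{name} on VLAN {seen}, approved for VLAN {allowed}"))
    return findings
```

Run against the constructed leases it raises two findings: the unlisted Raspberry Pi on the bridge VLAN and the AV controller leasing an address outside its approved VLAN.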
Once the assets, threats, risks, and general business environment have been accounted for, a program for protection can be created which is both tailored to the risk environment and integrated into the broader risk management program. While there are certain tools that are often considered the core of protecting data (firewalls, anti-virus, etc.), protection features a much richer set of requirements: access controls, network segmentation, training, and data-centric security, for example, are all necessary features of a robust protection program. Protective measures focus on keeping criminals out of the organization; as such, it is important to ensure that there are controls addressing the most common way that criminals gain ingress: users. First and foremost, by implementing access controls and access management, an organization is able to clearly define user roles and apply the principle of least privilege, which holds that users are only able to access the data and systems that they require in order to complete their duties. By limiting access to necessary systems and data, in the event of a compromise the criminal will be unable to gain access to troves of data. Furthermore, robust access controls ensure that lateral movement across an environment is difficult. Access controls also include authentication mechanisms, which should be implemented depending on the risk assessment of the system or data being accessed. For example, an A/V system may have a minimal risk profile and thus only require a single factor of authentication, but a sensitive system, such as the domain controller, should require multiple factors of authentication to ensure access is narrowly tailored to those who are authorized.
While access controls are critically important to ensuring that only authorized users can gain access to systems, it is important to recognize that malicious actors can and will gain access to networks, thus minimizing their ability to move laterally across different systems becomes very important. The mechanism for doing this is network segmentation through the implementation of VLANs. Particularly on a superyacht, where the various technologies aboard are all networked and internet-connected, the need to segment OT from IT, as well as individual systems from one another, becomes readily apparent. In addition to knowing who has access, how they authenticate, and how networks are segmented from one another, it is also important to educate users on the threats that they will be facing from phishing attempts. Over 90% of cyber-attacks involve some aspect of phishing, and unfortunately these are not ‘Nigerian Prince’ schemes, but rather sophisticated attacks that are indistinguishable to the human eye. The solution is to train employees to identify situations of high risk, and ensure that they have the heuristic measures in place to mitigate the threat, report the attack, and protect themselves and their colleagues.
While ensuring that internal processes are hardened to keep criminals out is important, there are still technical requirements needed to ensure that adequate controls and safeguards are in place. In the modern era, at the network level, this role is filled by a firewall. In truth, “firewall” is a misnomer, as these modern network security appliances provide far more than a pure firewall. The modern network security appliance builds off of the traditional work of a firewall, layering in intrusion detection/prevention, application control, antivirus, and other services engineered to combat modern threats. A proper protection program not only features the use of these solutions and others, but also requires the active management and support of their functions.
The final general requirement of a protection program centers around data. The previous controls all focus on keeping criminals out of the environment, but ultimately data is something that is destined to be trafficked, whether across systems, across networks, or across the world. Whatever data is stored and whatever data is transmitted must be identified, secured, and kept away from prying eyes. The process of securing data is often a microcosm of the broader goals of a cybersecurity program, featuring requirements to identify what data exists, how it flows throughout the environment, and how it is protected both at rest and in transit. In the world of superyachts, issues around data present a unique set of challenges since there is a varied landscape of data, and unique concerns about the threats to each. Whether it be phone calls open to eavesdroppers, private emails examined by private eyes, or navigation data tainted by criminals looking to cause harm, data requires different methodologies for protection depending on its use and state. While there is no single exhaustive list of data security solutions, certain principles apply, most importantly ensuring data is encrypted both at rest and in transit.
Identification and Protection are functions that exist to keep criminals off of systems and networks, but detection is a function that centers around mitigating harm and disrupting criminals before they have a chance to achieve their ultimate goal. First and foremost, when considering detection it is important to recognize that a hack is not a binary action: one does not go from not being hacked to being hacked, but rather a hack can take days, weeks, or months – in fact, a recent study found that the mean time to detection of a hack was 197 days. Moving laterally from a compromised system across a network that has adequate security monitoring in place, without tripping security controls, can be a difficult and time-consuming task, and it represents a prime opportunity to expel criminals before they have an opportunity to cause any real harm or damage. Unfortunately, detection is not merely a tool that can be put in place, but is rather the art of finding things that are fighting to stay hidden. The core of any real detection program centers around data, namely gathering data from throughout the environment and putting it through a correlation engine (also known as a SIEM, or Security Information and Event Management, tool) to look for activity that may flag suspicious or malicious behavior. In addition to data from within the environment, it is also important to get external data, namely cyber threat intelligence, from external sources, which is invaluable in knowing what kinds of indicators of compromise to look for when examining the data. While this may sound like a streamlined process, when implemented at the scale of a superyacht, across IT and OT systems, it creates a deluge of unique data that must be classified, managed, analyzed, and investigated. The scale of these efforts is not measured in hundreds or thousands of events, but rather in the tens of millions of events that must be processed and analyzed.
With careful tuning, quality intelligence, and a skilled team of operators, those millions of events can become a manageable set of alerts that can be carefully examined and investigated to yield actionable results to better secure the environment.
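The reduction from raw events to a handful of alerts is what a correlation engine does, and the rules below show it in miniature: an indicator match against a threat intelligence feed, repeated logon failures followed by a success, and one host fanning out across several hosts on more than one VLAN, which is the lateral movement the segmentation discussion above is meant to make visible. This is an added example, not the guide's own code or any vendor's SIEM; the intel feed, the event stream, the addressing plan and the thresholds are constructed for illustration.

```python
"""A small correlation pass of the kind a SIEM runs: raw events in, a short list
of alerts out. Added example, not the guide's own code; the intel feed, events,
addressing plan and thresholds are all constructed for illustration."""
from collections import defaultdict
THREAT_INTEL = {"203.0.113.50"}  # constructed feed of reported hostile sources

# Constructed events: (time_s, kind, src, dst, outcome). "auth" = logon attempt
# against an internal host; "conn" = internal host-to-host connection.
EVENTS = [
    (0, "auth", "203.0.113.50", "10.0.20.41", "fail"),
    (5, "auth", "203.0.113.50", "10.0.20.41", "fail"),
    (9, "auth", "203.0.113.50", "10.0.20.41", "fail"),
    (12, "auth", "203.0.113.50", "10.0.20.41", "success"),
    (30, "conn", "10.0.20.41", "10.0.10.5", "allow"),
    (31, "conn", "10.0.20.41", "10.0.10.9", "allow"),
    (33, "conn", "10.0.20.41", "10.0.30.7", "allow"),
    (34, "conn", "10.0.20.41", "10.0.30.8", "allow"),
    (40, "conn", "10.0.20.12", "10.0.20.13", "allow"),
    (41, "auth", "198.51.100.7", "10.0.20.12", "fail"),
]
def vlan_of(ip):  # assumed plan: the third octet of 10.0.X.0/24 is the VLAN id
    return int(ip.split(".")[2])

def correlate(events, window=60, fail_threshold=3, fanout_threshold=3):
    """Three rules: intel hit, failures-then-success within the window, and one
    host reaching several hosts across more than one VLAN (lateral movement).
    Each (rule, source) pair is raised once, so repeats do not flood the queue."""
    alerts, raised = [], set()
    fails = defaultdict(list)                         # (src, dst) -> failure times
    fanout = defaultdict(lambda: defaultdict(set))    # src -> vlan -> {dst}
    def raise_alert(rule, src, t):
        if (rule, src) not in raised:
            raised.add((rule, src))
            alerts.append((rule, src, t))
    for t, kind, src, dst, outcome in sorted(events):
        if src in THREAT_INTEL:
            raise_alert("intel_hit", src, t)
        if kind == "auth" and outcome == "fail":
            fails[(src, dst)].append(t)
        elif kind == "auth":  # success: were there enough recent failures first?
            if sum(1 for f in fails[(src, dst)] if t - f <= window) >= fail_threshold:
                raise_alert("bruteforce_success", src, t)
        elif kind == "conn" and outcome == "allow":
            fanout[src][vlan_of(dst)].add(dst)
            touched = sum(len(s) for s in fanout[src].values())
            if len(fanout[src]) >= 2 and touched >= fanout_threshold:
                raise_alert("lateral_movement", src, t)
    return alerts
```

On the ten constructed events the pass returns three alerts; in practice the thresholds and window are the tuning knobs the text refers to, and the threat intelligence set would be fed from an external source rather than hard-coded.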
Response & Recovery
The final functions of a cyber risk management program center around the inevitable question of what to do if and when you are the victim of a cybercrime. These functions, while distinct, are uniquely intertwined, thus we will treat them as a single function for the purposes of our analysis. In the world of superyachts, response takes a unique position. There very well may not be any regulatory or legal obligations, nor is there anything that might resemble customer or client data. As such, the traditional routes of breach response are not present (i.e. compliance with state breach notification rules, customer notification, or identity theft monitoring). While the lack of a clear path of action may be troublesome, it also represents a tremendous freedom, allowing a focused response that is tailored to answer the questions of “how do I fix my problem” (investigation) and “who did it” (attribution). While treatises can be written on these processes, that would be far beyond the scope of the present analysis. For present purposes it is sufficient to create an incident response plan that engages management and leadership, as well as technical experts who can provide real-time forensic analysis, so that management can make informed decisions on how to stymie and mitigate harm, while ensuring the steps taken align with goals that can be pre-determined, such as getting back online, finding the perpetrator, preserving data for law enforcement, etc. The only important component is that these decisions are made beforehand, so that the incident response team is free to act immediately, rather than waiting for decision makers to act. Recovery is the follow-through to the response, ensuring that lessons are learned and controls are implemented to prevent the harm from happening again.
Building a cybersecurity risk management program is not something that can be done in a day. It is an involved process that needs to be revisited and updated often. It is impossible to be completely secure; rather, the goal is to strive for adaptability, aiming to get ahead of the criminals when possible, and being able to detect their malfeasance rapidly. As superyachts continue to become increasingly connected and available to criminal probing, attacks will only increase in occurrence. From ransomware attacks rendering yachts immobile at sea, to high-tech espionage and blackmail, to corporate spying, superyachts represent a plethora of opportunities for creative criminals. The question is not “if” but “when” there will be high-profile attacks, and regulatory bodies are not taking the risk lying down; the ball is now in the court of superyachts: act now or assume the risk of inaction.