Cyber crime now costs billions of dollars every year, even putting lives at risk, and yacht crew are an attractive target for these increasingly sophisticated criminals due the nature of their work. Rob Coston speaks to the experts to find out how seafarers can protect themselves
Every year, thousands of people and businesses are affected by cyber crime. Their records are stolen, their privacy is violated, or they are forced to pay a ransom to criminals in order to regain control of their computer systems.
The problem is bigger than it seems – for every case that reaches the newspapers, like the recent hack that shut down 45% of the US East Coast gasoline supply – there are many more companies and individuals that are unwilling to admit they have been victimised because of the embarrassment – or because the admission might draw further attacks.
A human problem
Seafarers are a potential target of cyber criminals, according to two experts with decades of experience in military intelligence and counter-intelligence; Daryn Liddle, and Rolf, who agreed to be interviewed on a first-name only basis. They are working with the Crew Academy, a Nautilus Yacht Partner, which has included a module in its new Command & Senior Leadership Programme for yacht crew that focuses specifically on the vulnerable human element in cyber security.
Paul Sykes, marketing and operations director at the Crew Academy, explains: 'The state of cyber security is better than it was in 2020 regarding the technical elements. There's still masses to be done though, particularly with the human side of things. It's a part of this puzzle that's generally overlooked.
'We feel this is so important we've integrated it into our leadership programme – while this training is needed for crew at every level, it will only work if it's driven from the top down and there's understanding among captains, owners and management companies that it's vital.'
Rolf, who delivers eight hours of training on topics ranging from common aggressors and their methods to safe behaviour on social media, emphasises that yacht crew should be aware. He points out that criminals, paparazzi, hostile nations and business all conduct some form of intelligence-gathering work and may target crew as a way to reach the high-net-worth individuals, celebrities and even political figures who own and charter these vessels.
'Superyachts are basically the most gratuitous display of wealth in history. With the caveat that I do not want anyone to panic, people in the industry need to know that they could be targeted.'
Nature of the threat
The threat of cyber crime is evolving, which makes training on the human element of cyber security more important than ever, Daryn explains.
'In the last year there has been a significant change to the threats because of Covid. Companies needed to adjust to people working from home, with Cloud computing and virtual networks, so there was a move to the Zero Trust cyber security model and multi-factor authentication. Because of that the threats have adapted to focus on people, with a rise in ransomware, insider threats and phishing.'
These threats that are becoming more common often depend on confidence tricks to work. This is sometimes called social engineering.
Rather than directly attacking a secure IT system, a criminal will try to 'hack' people – they might contact someone by email, pretending to be a colleague, as a way of getting access to passwords or other information.
Alternatively, they might plot to approach a crew member in person, when the target's guard is down – on shore leave, for example – then build rapport and try to extract information. They will even research the seafarer on social media to find out more about them, making the process of building rapport easier. Rolf teaches people about the conversational red flags that can help them identify when someone is trying to do this.
'The human element has become more vulnerable, so people need more training,' Daryn says.
'Cyber crime is now big money, and it is far more sophisticated now than in the old days when you might get an email from a "Nigerian Prince",' Rolf adds. 'There’s a planning element to the attacks, with attackers always looking for the most vulnerable point – it is much easier if you can go through the new steward or engineering student on board to get the information you need.
'People need to understand how to avoid revealing anything that can be exploited or identifying themselves as a person of interest; how to behave off-vessel in a way that doesn't compromise who they work for.'
Of course, there is also another major source for security breaches; attacks performed or abetted by disgruntled insiders. This threat is amplified when employees feel little loyalty to employers, especially if they feel like they have been mistreated – and poor treatment of seafarers is all too common.
A serious security breach could be a matter of life or death, Rolf says. 'In extremis, there's a possibility that everything [onboard] from steering control to engine control could be compromised.. In my experience that's fairly unlikely as those systems are so ringfenced. More likely is ransomware on normal operating systems, or something that could be embarrassing or very expensive: for example, rival businesses might want to find out where principals are going or who they're engaging with to get ahead of their competitors. Or if you have a yacht that charters to A-listers, attackers might gain access to the camera systems; that might be worth a lot of money to the paparazzi.'
Recognising the danger and expense of cyber attacks, the industry has taken some positive steps to address security in shipping. International Maritime Organization (IMO) Resolution MSC.428(98) entered into force on 1 January 2021. This notes the requirement under the ISM Code to provide an approved safety management system and says this system should include cyber risk management.
Although many professionally run vessels are probably operating above this standard, the Resolution provides parity across the board. According to the experts, responsible operators will go beyond the requirements of the Resolution when putting together their cyber security protocols and will consider what level of security is appropriate for the specific vessel due to factors such as cost, cargo or who the charterers might be.
The simplest way to reduce the likelihood of attacks being successful is for all crew to simply be aware that they might be a target in advance, so that they know what to do if they are approached online or in person. Crew should understand that they need to share information about any attack with others in the crew so that they can also be on their guard.
'Everybody needs at least a little training in this,' Rolf says. 'In firefighting, for example, everyone needs at least a basic level of knowledge to add value to the team. It's the same for security – you can't just delegate to one person on board and say it's taken care of.'