Heidi Wachs, vice president at Stroz Friedberg, a cybersecurity risk management firm that specialises in digital forensics and incident response, says, “The types of cybersecurity considerations people make in their daily lives largely apply to yacht owners.” She recommends owners be particularly vigilant around how they use technology on board and what type of online activities they engage in. She also endorses identifying onboard systems that can be controlled via a network, especially those that interact with the Internet, such as heating, cooling, and security systems that can be operated via Wi-Fi or mobile applications.

“If systems like these are compromised, it may lead to the disclosure of personal information or, in the worst case, malfunctioning yacht systems,” advises Wachs.

Many individuals on board a yacht feel secure as they are physically distant from others, but it is important to remain alert whenever using the Internet, regardless of location. “When at sea, it can seem that no one is close enough to ‘listen’ to Internet traffic coming from the yacht. However, if you click on a malicious link, provide your personal information to an illegitimate site, or fall victim to a phishing scam it doesn’t matter whether you are on land or at sea.”

‘Phishing’ refers to a technique that entices users to click on a malicious link while using email or surfing the web. It’s a common method of tricking people into revealing private information, and according to Stroz Friedberg, these types of attacks are increasing by almost 150% year-on-year.

Should anyone on board a yacht suspect or realize that the security system has been compromised, it is paramount that the incident responder and specialized cybersecurity counsel be contacted at the earliest opportunity, says Wachs. All usernames and passwords that relate to the compromised system should be immediately changed, and ideally law enforcement should be contacted.

“If you notice that a technical system or device is not operating as expected, you may want to consider engaging both the vendor and a digital forensics expert who can review available evidence to attempt to identify what may have happened,” adds Wachs.

In addition to the personal safety assurances that cybersecurity can bring, the International Maritime Organisation (IMO) has introduced a resolution that came into force on 1 January, 2021, whereby yachts that adhere to the ISM Code – including commercial operations, vessels with more than 12 passengers, and yachts over 500GT – must now formally incorporate “an appropriate level of awareness of cyber risks” into their onboard safety and security. Further IMO guidance states that an ongoing training and awareness programme is a crucial element of onboard and shoreside cyber risk management. Simultaneously, the United States Coast Guard has announced that from January 1, 2021, it will begin enforcing the universal requirement for a cybersecurity plan for all commercial yachts and ships over 500GT visiting US ports, regardless of flag.

In the modern age, it is important to assess the yacht’s system and equipment to determine whether a yacht is vulnerable to cyber threats. The IYC management team works closely with cybersecurity experts and can advise both owners and crew on how to ensure their vessel is as secure as possible. From providing a Ship Security Assessment (including evaluation of onboard remote accessible equipment, key shipboard operations, current security measures and the identification of possible security threats) to implementing a comprehensive cybersecurity plan in the yacht’s safety management system, there are many efficient steps that IYC can help yachts to take to prevent malicious cyberattacks on board and enable owners and guests to relax and enjoy the finer pleasures of life aboard a superyacht.

What are the effective strategies for strong cybersecurity? Noah Rubin, Manager at Stroz Friedberg, offers his advice:

There are several steps you can take to improve your cybersecurity systems and mitigate the risk of cyber attacks:

• Use good judgment and critical thinking when interacting online. Don’t click on links in emails or texts from unknown senders. Don’t accept friend requests or follow requests from users you don’t know. Don’t disclose personal information, including your whereabouts, on social media, or other public forums.
• Use strong, complex passwords or passphrases and rotate them every 60 or 90 days. Consider using a password manager to generate strong, unique passwords for each website or app, especially financial accounts.
• Always change default passwords for devices or systems on a yacht, including Wi-Fi networks. Refrain from logging in to any sensitive or financial accounts when using public Wi-Fi – for example at the marina.
• Use multi-factor authentication (MFA) where available. MFA is a combination of something you have or are and something you know. For example, you would know your password, but you would also receive a text message or use an authenticator app for a secondary code to enter before you can access an account.
• Practice a ‘need to know’ philosophy for disclosing sensitive or personal information, such as social security numbers and financial accounts.
• Minimise the number of people who have the credentials to any systems that control the yacht’s operations and know how to reset them when the crew changes.
• Be selective in websites or apps you grant permission to track your location or interact with your accounts on other sites.
• Update software when it becomes available. This not only applies to personal devices like cell phones, tablets, and computers, but also to the software used to control yacht systems.

For more information on implementing a comprehensive cybersecurity plan on board, contact the IYC team today.