By most estimates some $20bn is spent every year in the superyacht industry and by any estimate that is a lot of money. A visit to one of the large trade shows, of which the superyacht pavilion at METS is perhaps the best example, shows the breadth and depth of the industry and the extraordinary amount of companies now seeking a portion of that market through their honest endeavour. Increasingly, though, the industry is being targeted by others wanting to tap into that market, just not be legal means; cyber criminals have turned their attention to the superyacht industry and are actively targeting yachts, brokers and builders – and probably anyone else involved. The people they are really targeting, of course, are the owners and guests who are the heart and driving force of the industry.

Since mid-2016 there have been a number of attacks targeting yachting directly. These have included phishing emails specifically targeting yacht brokers, ransomware attacks, and theft of sensitive and personal data held on board. As yachting increasingly embraces (and benefits from) technology this is to be expected and only reflects what is happening ashore – and just like elsewhere these are only the attacks we have heard about. Understandably there is a reluctance – and no requirement – to report them. Although the specific targeting of the industry itself is a relatively new development it shows no sign of abating; from the criminals’ perspective, why should it? It is working.

In this article, Malcolm Taylor, Head of Cyber at specialist security consultancy G3, describes why superyachts and the industry around them are vulnerable to attack and why they are being targeted. And next month, Roger Horner and Malcolm will use Roger’s regular Technology Update column to look in more detail at what might be done to minimise the risk.

Who is Behind This Epidemic

Firstly, the most common type of attacker is the simple thief. He (and it is almost always a he) wants a return on his investment – cybercrime is his job and he needs a salary. He will steal money, hold data and systems to ransom, and obtain sensitive data (such as personal photographs) to sell to the tabloids or online, or for use in blackmail. In a sense his is the easiest position to understand – he is simply using his skills to make a living.

Secondly, there is a group of people who like to cause distress and nuisance and for them this is reward enough. They will destroy systems, leak or delete data and cause as much mayhem as possible, apparently for fun. Others in this category may have ideological reasons for their activity; animal rights organisations have begun to use cybercrime to further their agenda, for example, and others have used it for revenge in industrial and personal grievances. The list of “justifications” is seemingly endless and in yachting it is likely that simple envy is enough for some.

Thirdly, and much more unusually, some nation states use their intelligence services to mount cyber attacks. They are highly skilled, well-resourced and thus potentially extremely dangerous. They are normally more interested in defeating terrorism and serious crime than anything else. Some countries – notably China – do use cyber attacks for commercial advantage and it has been widely alleged that Russian government hackers influenced the recent US election. Likewise, those deemed “enemies of the state” could also be targets.

High Value Targets

The attackers described above have honed their skills attacking land-based targets such as banks and other institutions. Why, then, have they moved to yachting? There are a number of reasons, starting with owners and their guests. Owners and guests have almost everything an attacker could wish for; they are by definition wealthy, they have reputations to protect, they crave privacy, and more than a few are political. In the attackers’ own language, owners and guests are “high value targets” or “HVTs”. They represent a good return on an attacker’s investment – they are in fact almost the perfect target.

Technology is Everybody’s Friend

The second reason, closely aligned to the first, is that superyachts are increasingly full of technology; their owners demand it. Entertainment systems, boat management systems, internet and streaming systems are all now commonplace and a basic requirement on board. The benefits they bring are obvious but along with these comes the risk of attack. Any IT system that is not properly protected is vulnerable and in that sense superyachts are no different from anywhere else. There are, though, a number of ways in which yachts are very different and these too make them more vulnerable to attack.

A great part of the appeal of superyachting is the privacy it provides – perhaps especially for people who find every other aspect of their daily life being scrutinised; once on board, the sense of privacy and seclusion is almost complete. That seclusion can, though, bring with it a false sense of security. Just because no-one appears to be looking, and just because of the wide open and empty ocean, it does not mean that the scrutiny is any less intense – it has just turned to scrutiny through the online world instead of the real world. If a yacht is connected to the world then someone, somewhere, can be connected back and their intentions are not always honourable.

Yacht systems are built for performance – that is what owners and Captains demand. Systems need to work first and foremost, and to work on demand as well as they would on shore. Bandwidth, up-time, and an ability to remedy problems remotely are key. In other words, systems on board yachts have not been built for, and configured for, security. This, of course, means they are more vulnerable than their land-based cousins, for whom cyber attacks have been a fact of life for much longer and where security is already a consideration. In a sense, technology on yachts is where technology on land was a few years ago – working well, but vulnerable. That is all perfectly understandable – but it needs to change.

Performance versus Security?

Which is not the same as saying a system can be either secure or it can perform well. It is not a binary choice – it is perfectly possible nowadays to have a system which works superbly but is also configured for maximum security. Of course, making oneself completely secure is actually easy – just don’t use any technology at all (not even an iPhone). More realistically, good technology, properly configured and with the right protections in place (anti-virus, firewalls aligned to each network, updated software and more) is a great start. Couple that with a Captain who leads by example and from the front, and supported by a well-trained and cyber-aware crew operating within clear policies, and you have the beginnings of a much more secure yacht and a much more relaxed owner.

In the mainstream media, cyber crime is sometimes presented as an insurmountable and almost existential threat to every one and every thing. It is often, too, shrouded in a language almost as mysterious to the inexpert as that which makes the technology work in the first place. Finally, defeating it is often portrayed as expensive and complex. None of these things need be true. It is a risk we all increasingly face and something we must learn to adapt to, and to accept. It won’t go away. But with the right advice, and the right and reasonable investment and a little on-going attention, its impact and cost can be minimised. And with that, the ocean will feel empty (ish) once more.