Cyber-Piracy – No longer Skiffs and an AK47, just a laptop and a latte.

I talk to many clients in commercial shipping and also within Superyachts about cyber security. Bulk Carriers, VLCC owners, LNG Carriers, Superyachts: we deal with clients across the spectrum. What we have found is that whilst clients know that they need to respond to the cyber security threat, there is a common level of uncertainty about how to handle the problem.

In this post I discuss how companies can learn the basic knowledge they need for informed decision-making on cyber security:

  • 10 Basics your IT Manager should do now
  • Senior Management Cyber Security Awareness Course
  • Vulnerability Assessment
  • Cyber Security Workshop

In the early days of piracy in the Indian Ocean, the solution was not obvious, the countermeasures were not understood and the risks were unknown. All that was known was that the risk of inaction was huge. Owners and managers took the action they felt was necessary. Some were burnt by unscrupulous security providers, some had their vessels arrested and some struck up strong relationships with reputable suppliers that they still have.

Cyber security could be a similar experience. An opaque but rapidly growing threat, a vacuum of security provision (circa 20% fewer people available to deal with the threat than required) and a lack of basic knowledge about what needs to be done all militate towards the risk of poor decision making.

At some level clients also feel that the problem does not exist or will not affect them. They haven't lost any money, their insurers have not yet excluded cyber risks, and none of their vessels have been compromised. Yet a cursory glance at the daily news reveals the latest victim of a cyber-attack (today it's Tesco Bank on the 7th November 2016). We can see cyber crime around us, happening to people we know and affecting institutions we trust, and as it spreads it will eventually affect us.

One of the issues with cyber criminality is that people do not want to suffer damage to their reputation which could negatively impact their business. Because of this, incidents are hushed up and measures are implemented discreetly. Whilst we see this within our own and competitors' clients, overall there is a net loss to the industry in terms of reduced awareness of the emerging threat. We have first-hand accounts of cyber criminality happening around the fringes of the Superyacht industry and they are not being disclosed at the public level.

If you have not heard of ransomware then you might want to research it.  If your business is targeted by ransomware it will mean your entire business shuts down overnight because a hacker has encrypted all of the files on your network.  If that happens the FBI recommend you pay the ransom – they have never successfully captured someone perpetrating this type of crime.  As if to reinforce the point, in the timeline between beginning this article and publishing it online there has been another incident of ransomware deployed against an NHS Hospital Trust, forcing them to halt all Operations.

Cyber criminality is growing at an annualised rate of 60% and we know it has reached the Yachting industry. This suggests that if we have seen 10 cyber security breaches in the Superyacht industry in 2016 (there are at least 5 that we are aware of) then we can expect to see 16 next year and about 26 the year after that.

In general, people we talk to in the industry know that they need to start taking action to protect themselves. Their question is how they should do this and what process they should follow.

The important thing is to take care of the basics today.  By handling the basics you can vastly reduce the number of hackers who can compromise your network.

Our ten basic actions to take now to put basic security measures in place are:

    1. Conduct an audit of all devices owned by your business or connected to your network to ensure you apply the following measures to all devices identified in the audit.
    2. Use a password manager such as lastpass.com, keepass.info or Dashlane.com
    3. Automate all software updates for any devices on your network, including phones, printers and iPads.
    4. Utilise a robust Firewall & Antivirus
    5. Need to Know Protocols – only let people see what they need to.
    6. Ensure you are using WPA2 wifi protocol and not a WEP password.  The latter is highly insecure.
    7. Enable remote wiping of laptops, iPads and phones, including if passwords are entered incorrectly too many times.
    8. Use 2 Factor Authentication for Computer sign in and for email account access
    9. Automate back up and do it on a daily basis at a remote site such as 
    10. Educate employees on all of the above and Phishing, Suspicious emails and Social Engineering Techniques.

With the basic measures in place, you can take a step back and consider what the right level of cyber security may be for you and your business.  A simple approach and basic framework of action targeted at cyber-defence will eliminate most of the threats. 

In the same way that Somali pirates were looking for the easy targets, such as the MT Smyrni (no security guards, no vessel hardening, steaming Westbound through the Gulf of Aden at the height of Piracy in 2012), cyber criminals will also be looking for easy prey where they can maximise their return on investment with the minimal risk of having their plans thwarted. Currently, the risk for cyber criminals of being captured is negligible. Their main risk is that they might waste their time.

As a company you want the right level of security, not excessive yet also not too flimsy.  By educating yourself on the basics around cyber-security in the maritime domain you can grasp this knowledge very quickly.

Firstly, attend a GCHQ-accredited Cyber Security Awareness Course for Senior Management. Doing so will give you an impartial view from an experienced cyber security expert on what the threat is, how you can take action against it and who you should start taking those actions with. It is possible to attend a one-day course in Bristol, UK or alternatively have the course conducted at your premises.

Secondly, arrange a Vulnerability Assessment with a cyber security specialist to give you a snapshot of where your business stands in relation to:

  • Technology
  • Processes & Procedures
  • Physical Security
  • People

Thirdly, armed with the knowledge of their current position, Senior management can review this information in a cyber security workshop, guided, if they wish, by a Cyber Security expert to channel the discussion, ensuring all cyber security priorities are handled.

The purpose is to agree to establish a security baseline, spell out your objectives and engage with Stakeholders early on to ensure that the whole company is invested in following a security roadmap.

The above is a basic guide to the industry on the adoption of cyber security measures.  If the leaders of a company can educate themselves through training, conduct a Vulnerability Assessment and hold a Cyber Security Internal workshop they will have the information they need to make an informed decision about what solution is right for them.

The measures above are not exhaustive but they are common to all yacht management companies and suppliers. I am sure that as the younger generation grows up through the industry they will adapt and respond to these threats much more naturally than us. However, this problem is already here – this is a growing threat and we are the ones that need to act.