How smart are your crew?

Malicious Insiders – How smart are your crew?

Your crew can hack into your vessel – can you stop them?

How many laptops are on your yacht and what are they doing?

When we discuss crew training with clients, educational courses and seminars around crew awareness of cyber security, phishing and social engineering techniques and anecdotes are normally things clients want to implement straight away, if they have not taken care of it themselves.

But a discussion today with one of our commercial clients revealed that it the crew members themselves who could pose a threat as malicious insiders.  A CSO who’ll we will call Henrik (not his real name) said to me that whilst they lock down all of the USB ports onboard a vessel so that only the Captain, with the authorisation of the head office, may utilise them, what they cannot prevent is the intelligence and tenacity of the crew.

Henrik explained, “If we send out a password protected excel sheet for attention of the Captain, we know that within twenty minutes one of the crew members will have cracked the password and that information will be open source.

There is nothing we can do about it – they’re on the vessel for months at a time and some of them in their downtime have become exceptional with the IT systems.  We do not know what reach some of them have.’

I was surprised – this is the first time we had heard that the crew might pose a threat to the vessel systems.  Of course there is always the theory of the malicious insider and it seemed unlikely to us, perhaps because we had a poor assessment of the intelligence and technical competence of the crews.  Now we were faced with the evidence that we were wrong and that some crew have the technical competence to compromise privileged information on board.

This should not be a surprise.  Online youtube tutorials on hacking are freely available.  Hacking specific software can easily be downloaded and with the uplift in the availability of wifi all the new require is the time and desire to learn.

Statistics show that around the the Top 5 cyber breaches in US Healthcare institutions were caused by malicious insiders. If you are unsure of whether your crew are poking around in networks that they shouldn’t be it might be worth installing monitoring software to see if your systems are being accessed by unauthorised personnel and to see what they are looking at.  In addition a thorough penetration test of your networks is necessary to assess how at risk your systems and data are from malicious insiders.  How far into the yachts network can the crew go once they’re on the crew wifi?