VPNs on Vessels: the invisible backdoor into your yacht.

Yachts are typically built to high specifications, and the OEM (Original Equipment Manufacturer) installers do excellent work.  Entertainment, lighting, navigation and support systems are installed and, the testing phase aside, end up working as the owner wishes.  What owners, management companies and captains are often not aware of, however, is that along with the engines, air conditioning or AV/IT equipment, OEMs may also be installing VPNs (Virtual Private Networks) into the vessel, giving themselves a remote path onto the onboard network.

A VPN is a secure way of connecting to a remote network over an untrusted one.  It is often used by business travellers to log in to their company's network while overseas: it gives them much the same convenience as being in the office, with access to the same files, and it encrypts their traffic so that the free wifi they happen to be on cannot read or tamper with it.

VPNs are normally set up by the organisation whose network they connect to: a company providing VPN access for its sales brokers, for example.  The issue with superyachts is that, to keep their equipment performing flawlessly (remote diagnostics, support and software updates), OEMs are also installing their own VPNs into the yachts where that equipment is fitted, connecting the vessel back to the OEM's network.

In every instance we have discovered, this was done without the awareness of the management company or the captain; it was, in effect, completely covert.  Whilst it was undoubtedly done with the intention of improving the performance of the systems on board, it compromises the security of any yacht where it has happened.

By installing a VPN without the management company's knowledge, the OEM has opened a doorway for external parties into the yacht.  Normally that access is protected by the OEM's own security controls, so there is some level of protection.  But you are now reliant on a third party's approach to security to protect your assets and reputation, and you have no visibility of what that approach is.

You are reliant on the integrity of your suppliers' security, and suppliers operate at very different levels.  A cyber criminal could choose to compromise a weaker, smaller supplier and then use that supplier's VPN to reach the yacht's own network.  Once in, the entire onboard network would be open to them: the VPN endpoint already sits inside the network as a trusted party, so any firewall or other security control at the vessel's perimeter is simply bypassed, and unless the OEM's equipment is segregated from the rest of the onboard systems there is nothing in the path to stop them.

These incidents have had a range of outcomes, from management companies becoming aware of the vulnerability and addressing it before clients were affected, to one vessel whose air conditioning units received a software update while underway, causing the air-conditioning plant to shut down.  The dampers closed, the engine failed and the engineer managed to escape from the engine room.  The problem was resolved, but for a time the vessel was without power at sea.

Anecdotally, we have heard of OEMs intentionally triggering defects in equipment they have installed, then waiting for the desperate phone call from a captain under time pressure to prepare the yacht for an imminent arrival, and charging fees to come out and fix the problem.  An isolated incident, perhaps?  But while anyone has a VPN into your yacht there is no way to know for sure what effect they may have had.

We recommend talking with the vessel's IT manager or ETO in the first instance to establish which OEM equipment has a remote connection back to its supplier, and to see if they can resolve the issue.  The best way to guard against unauthorised access to your vessel or premises is to use a penetration tester to probe your cyber defences and identify any weaknesses that need to be reinforced.
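One practical first step for that conversation is to look at the vessel's internet gateway for outbound tunnels that nobody on board set up.  The script below is an added example written for this article, not the author's or any OEM's code.  It reads gateway flow records in an assumed simple whitespace format (start time, source, destination, protocol, destination port, bytes, duration), treats 10.10.0.0/16 as the assumed onboard address space, and flags outbound flows on protocols and ports commonly used for VPNs (IKE/IPsec, OpenVPN, WireGuard, PPTP, L2TP) as well as long-lived TCP/443 sessions, which is where SSL VPNs and vendor remote-access agents tend to hide.  The flow records are constructed for illustration.

```python
"""Flag candidate outbound VPN tunnels in gateway flow records.

Added example, not code from the original article.  Assumes a simple
line-oriented flow export from the vessel's internet gateway with these
(hypothetical) fields:
    <epoch_start> <src_ip> <dst_ip> <proto> <dst_port> <bytes> <duration_s>
A dst_port of "-" means the protocol has no port (e.g. ESP).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Onboard address space (assumed). Anything outside it is off the boat.
ONBOARD_NETS = [ip_network("10.10.0.0/16")]

# (proto, dst_port) -> label for transports that commonly carry VPN tunnels.
# A port of None means the protocol alone is telling.
VPN_SIGNATURES = {
    ("udp", 500): "IKE (IPsec)",
    ("udp", 4500): "IPsec NAT-T",
    ("esp", None): "IPsec ESP",
    ("udp", 1194): "OpenVPN",
    ("tcp", 1194): "OpenVPN/TCP",
    ("udp", 51820): "WireGuard",
    ("tcp", 1723): "PPTP",
    ("udp", 1701): "L2TP",
}

# A single TCP/443 session held open for an hour or more is also worth a look
# (SSL VPNs and vendor remote-access agents live here). Threshold is assumed.
LONG_LIVED_SECONDS = 3600


def is_onboard(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ONBOARD_NETS)


def parse_flow(line):
    """Parse one flow record; returns a dict, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    start, src, dst, proto, dport, nbytes, duration = line.split()
    return {
        "start": int(start),
        "src": src,
        "dst": dst,
        "proto": proto.lower(),
        "dport": None if dport == "-" else int(dport),
        "bytes": int(nbytes),
        "duration": int(duration),
    }


def classify(flow):
    """Return a reason string if the flow looks like an outbound tunnel, else None."""
    # Only traffic leaving the vessel for an external host is of interest.
    if not is_onboard(flow["src"]) or is_onboard(flow["dst"]):
        return None
    label = VPN_SIGNATURES.get((flow["proto"], flow["dport"]))
    if label is None:
        label = VPN_SIGNATURES.get((flow["proto"], None))
    if label:
        return label
    if flow["dport"] == 443 and flow["duration"] >= LONG_LIVED_SECONDS:
        return "long-lived TCP/443 session (possible SSL VPN or vendor agent)"
    return None


def find_tunnels(lines):
    """Group suspicious outbound flows by onboard source device.

    Returns {src_ip: sorted list of (dst_ip, reason)} with duplicates removed.
    """
    hits = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = classify(flow)
        if reason:
            hits[flow["src"]].add((flow["dst"], reason))
    return {src: sorted(v) for src, v in hits.items()}


# Constructed sample: an HVAC controller (10.10.20.5), an AV rack (10.10.30.7),
# a crew laptop browsing normally (10.10.40.12) and a chartplotter (10.10.50.3).
SAMPLE_FLOWS = """
# start      src          dst             proto dport bytes    duration
1700000000 10.10.20.5   203.0.113.10    udp   500   2400     60
1700000060 10.10.20.5   203.0.113.10    udp   4500  9812000  86400
1700000000 10.10.30.7   198.51.100.22   udp   51820 5120000  86400
1700000100 10.10.40.12  192.0.2.15      tcp   443   120000   35
1700000200 10.10.40.12  192.0.2.15      tcp   80    44000    12
1700000300 10.10.50.3   203.0.113.99    tcp   443   8800000  72000
1700000400 10.10.20.5   10.10.1.1       udp   53    300      1
1700000500 203.0.113.10 10.10.20.5      udp   4500  5000     10
"""

if __name__ == "__main__":
    for src, targets in sorted(find_tunnels(SAMPLE_FLOWS.splitlines()).items()):
        print(f"{src}:")
        for dst, reason in targets:
            print(f"  -> {dst}  {reason}")
```

Run against a day or two of real flow exports, every source device in the report should be matched to a piece of equipment and to a known, approved reason for its tunnel; anything the ETO cannot account for is exactly the covert connection described above.  Port-based matching will miss tunnels deliberately run on non-standard ports, so treat the output as a starting list for the conversation with the OEM rather than a clean bill of health.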