Superyachts: an easy target for modern-day pirates?

The new generation of “superyachts” is booming (even if I do not personally own one), and unsurprisingly they are not escaping the broader digital transformation of the maritime sector. With the financial resources typical of the ultra-luxury market, there are effectively very few limits to the technologies installed on board.
High-bandwidth multi-operator satellite connections, GSM and 4G relays (and beyond), Wi-Fi networks, full-coverage onboard video surveillance, highly sophisticated entertainment systems, alarm systems, state-of-the-art bridge and engine systems, and extensive automation: these vessels are not designed solely for leisure. Many owners and charterers effectively relocate part of their business operations to the yacht. In that sense, the yacht should be viewed as an extension of the company itself—yet often a far more vulnerable one. It may lack many of the cybersecurity safeguards present in corporate environments, and the specific constraints of the maritime environment are sometimes poorly understood by corporate CISOs.
Personal information about the crew, the vessel’s itinerary, its owner, and their habits can therefore be relatively easy to obtain, making it possible to track both the yacht’s movements and the activities of its high-profile guests (AIS, which broadcasts the vessel’s identity and position, does not help in that regard). More importantly, however, what is really at stake is the cybersecurity of the guests themselves—and the business activities that may take place on board.
There are therefore only a few practical ways to quickly improve the security of these yachts:
Raise awareness among the crew, the shipowner, and also the clients and passengers about cyber risks and basic security practices.
Pay particular attention to cybersecurity protections on these vessels. The two main challenges are protecting privacy and confidential business meetings that may take place on board, and safeguarding the vessel itself to prevent any form of remote takeover. If you follow this blog, you have already seen that some companies now specialize in cybersecurity solutions for yachts.
Ideally, train both the crew and the shipowner to detect and respond to incidents—although this obviously requires having the means to detect them in the first place.
Several recent articles have addressed this topic. Two examples are:
the launch of the “Superyacht Cyber Training course” (SYCT) training program by JWC Superyachts. This training, accredited by GCHQ, is a specialized version of the “Maritime Cyber Security Awareness” course. It is an online course (with its advantages and drawbacks) that anticipates the upcoming IMO guidelines that will apply in 2021, as well as BIMCO recommendations. See the article on superyachtsnews.com.
another article highlighting the concerns (and therefore a growing level of awareness) among superyacht captains about the risk of remote eavesdropping (in English).
You can also find two earlier posts on this blog related to the topic: