According to the company, the solution includes host-level protection (endpoint protection) combined with cloud-based cybersecurity capabilities (cloud-based solution). Nothing particularly revolutionary at first glance, but what stands out most is the integration approach: rather than operating in isolated silos, the solution appears to cover both IT and OT systems on board. That is clearly the direction the sector should be moving toward.

This video was recorded during the well-known hack.lu 2018 conference in Luxembourg. In the first part, Stephan Gerling presents his view of maritime information systems and briefly discusses services such as GPS and AIS. He then focuses on ship-to-shore connectivity, particularly satellite communications.

He goes on to demonstrate design vulnerabilities in the control interface of a “naval” router. The management interface connects to the router via FTP, and the credentials and passwords are stored in clear text, making it easy to retrieve the WLAN credentials of the system.

The new generation of “superyachts” is booming (even if I do not personally own one), and unsurprisingly they are not escaping the broader digital transformation of the maritime sector. With the financial resources typical of the ultra-luxury market, there are effectively very few limits to the technologies installed on board.

High-bandwidth multi-operator satellite connections, GSM and 4G relays (and beyond), Wi-Fi networks, full-coverage onboard video surveillance, highly sophisticated entertainment systems, alarm systems, state-of-the-art bridge and engine systems, and extensive automation: these vessels are not designed solely for leisure. Many owners and charterers effectively relocate part of their business operations to the yacht. In that sense, the yacht should be viewed as an extension of the company itself—yet often a far more vulnerable one. It may lack many of the cybersecurity safeguards present in corporate environments, and the specific constraints of the maritime environment are sometimes poorly understood by corporate CISOs.

Presentation delivered during the Derbycon 2018 conference.