From the Bridge: Cybersecurity risks just part of captain’s job

Nov 27, 2017 by Dorie Cox

From the Bridge: by Dorie Cox

The view from the 128-foot M/V Grand Floridian in the center of the Fort Lauderdale International Boat Show overlooked hundreds of yachts rigged with intricate electronics. For this month’s Triton From the Bridge lunch we gathered 11 captains to learn how they handle these yachts’ potential cybersecurity risks.

Large yachts, like other businesses, try to stay ahead of hacks, spams, viruses, intrusions or otherwise compromised electronics. Yacht captains respond to these threats in the same way they handle a yacht fire, accident or flooding: They focus on prevention and implement solutions when there is a problem.

Each of the captains tries to stay educated, but most have had a cybersecurity incident related to the yacht.

“My experience has been with vendors and contractors being hacked,” a captain said. “Someone duplicating the invoice and following up for payment. They are very slick. It will even have the picture of the vendor and the full thread of all previous correspondence.”

In this case, the vendor called the captain to say he had been hacked. Fortunately, the payment was not sent.

“It never got to that point, but it was headed that way,” the captain said. “I could have paid a rather large invoice to a source that was mimicking as someone else.”

Attendees of The Triton’s From the Bridge luncheon for this month’s issue were, from left, Capt. Stephen Burke of M/Y Sovereign; Capt. Aaron Steenbhom of M/Y Zenith; Capt. Jason Milton; Capt. Kelly Esser of M/Y Cheers 46; Capt. David Nathan, formerly of M/Y Marbella; Capt. Brett Dobbins and Capt. Teri Jacobs of M/Y Heart Beat; Capt. Keith Talasek of M/Y Alessandra III; Capt. Paula Sonnenberg, freelance; Capt. Mark Howard, freelance; and Capt. Jacques Falardeau of M/Y Magic Days. Photo by Dorie Cox

Individual comments are not attributed to encourage candid discussion; attending captains are identified in the  accompanying photograph.

Most of the group had experience with emails from a friend or contact that had been hacked. And there were other common themes.

“We were locked out of our computers in Mexico; someone had tried to log in too many times,” a captain said.

Several yacht credit card numbers had been stolen. One was charged $27,000 and another was hit for $5,000 at Target. One captain switched credit cards after frequent small unauthorized purchases.

Most anyone connected to a computer is exposed to cybersecurity problems. Captains are aware of global incidents, as well as issues that may be tailored to yachts, and implement policies to try to prevent them on board.

“We are proactive,” a captain said. “We try not to log into any open source marina Wi-Fi; that’s usually where the trouble comes into play. The crew are required to use the boat system. And I cut down on opening of attachments and things that are recognizable as problems.”

Another captain protects yacht business by connecting via hardwire instead of wireless or bluetooth, and he requires crew to use their own laptops for personal emails. Several captains protect the owners by separating their access from the yacht business and crew.

“The owner has his own network,” a captain said. “It is important to separate bands and sites to monitor and set controls for everyone. I can block and set timers on the crew.”

By isolating each IP address, which identifies specific users, this captain can monitor and protect crew bandwidth use,  and he can block specific internet sites such as social media. When crew use is too high, this captain has gone to extremes to make a point.

“Sometimes I’ll walk to the rack and turn it off,” he said.

“Crew should be careful with their social media anyway,” another captain said. “Most crew agencies check Facebook and those sites.”

Another captain uses different emails and changes passwords on a regular basis.

Several captains said well-defined crew confidentiality agreements address privacy issues in regard to electronics.

“But it can be contentious,” a captain said. “Crew live and work on board. It is hard to shut everything down.”
Confidentiality agreements vary by yacht, but one common clause is that no pictures of crew on board or pictures of the yacht are allowed for the public, a captain said.

“As captains, we have to define clearly what the owner wants,” he said.

Charter guests present a challenge. Celebrity guests are common on some yachts, and several captains had stories of fans and paparazzi waiting at the dock.

FLIBS 2017

“If it’s a charter, you have to figure out how to handle the guests because they do not have a nondisclosure,” a captain said.

“You can watch TMZ [celebrity news] and see the boats, so I don’t know how you can control that,” another captain said. “They can check online and see who’s on board.”

One yacht owner said to a captain, “If Google can find my name, it doesn’t matter – there’s nothing you can do.”

There are other systems on board that link yachts to the cloud of information. Automatic Identification System (AIS) is required on many yachts to display vessel location through a satellite system. This can include ship name, course and speed, classification, call sign and registration number.

The captains agreed that AIS is vital to navigation, but is typically turned off when not underway. But the system is popular with yacht owners who follow their yacht’s locations through a public website that shares AIS information.

“The boss calls when he’s using it,” a captain said. “I can see you are using a lot of fuel, can you throttle back?”

Another owner was watching the yacht online and called when he saw it had not moved for several hours.

Basically captains don’t have a choice because the system is helpful and often mandated. But there are a few precautions available.

“AIS yachts are allowed to turn it off in dangerous situations,” a captain said.

“There is a stealth mode where the yacht does not broadcast,” another captain explained.

And there is a delay with Marine Traffic, the online private version of AIS. A captain said yachts can pay for premium services to increase security on the program.

Several captains were familiar with a 2013 experiment in which a yacht was taken off course by GPS spoofing.

“I read about that,” a captain said. “There can be transmitters that confuse the signal to navigation.”

Spoofing and loss of power or electronic contact are a couple of reasons why several captains have the crew plot a course on a paper chart.

“I had a crew say, ‘The electronic navigation is down, how are we going to get into port?'” a captain said. “They had no idea.”

“If something looks wrong, they should check,” the first captain said. “It’s important to teach them how to use the charts.”

Many yacht electronic systems are complex and not under crew expertise; that is why two of the yachts have remote information technology companies.

“We have an IT guy in Indiana who controls the boat,” one captain said. He said the technician recommended that the yacht’s satellite service run through the United States instead of other countries so he could better monitor service.

So much of the technology frequently changes, it’s difficult to keep current. A captain recommends people ask for help.

“When techs are on board servicing your sat system, make sure to have the security checked,” this captain said.

Many yachts have monitoring systems and most have camera security systems. Many captains receive messages when the bilge runs or an alarm sounds. One captain logs in and monitors the systems remotely. Another captain recommended that all systems be evaluated by a trusted technology company to confirm systems cannot be compromised.

We asked what the future holds for cybersecurity risks in yachting.

“There’s nothing different in yachting than in other industries,” a captain said.

So, like anyone in business or using personal electronics, the captains seek good technical advice and try to stay alert to what could happen.

“I’ve heard of many different things that can happen, and it doesn’t take long,” a captain said. “I think it’s going to be a concern from here moving forward. All our information is out there anyway.”

“I think in the future there could be a meltdown,” another captain said. “Maybe everyone is hacked all at once.”

“We were in the Bahamas with no communication for two days; the cell towers were down,” another captain said. “We could use our old sat phone but we really could see the limitations.”

“The government can shut down the satellite system, but we have other nations’ satellites to use,” a third captain said.

“Or we can use our Stargazer app,” another captain said with a laugh as he held his phone to the sky.

“Yes, maybe sometime in the future, whether weather- or terror-related, we will have to function without,” a captain said. “But for now, it’s a tool.”

It is a reason to know celestial navigation, and one captain noted yachts still need their compasses.

“If it turns out our power is completely out and everything is down, we can’t make it to shore anyway,” a captain said. “Everything runs on power now.”

“We’ve been careful,” another captain said. “But lucky is probably the real word.”

Dorie Cox is editor of The Triton. Comments on this story are welcome below. Captains who make their living running someone else’s yacht are welcome to join in the conversation. Email Dorie for an invitation to our monthly From the Bridge lunch.

Click to read about spoofing: GPS proves vulnerable in experiment.


About Dorie Cox

Dorie Cox is a writer with Triton News.

View all posts by Dorie Cox →