Remote Access Control and Monitoring
A critical building block for yacht owner IT security
The IT environment aboard large yachts has dramatically changed in the past years. Systems are becoming ever more sophisticated and complex. An integrated bridge (IB) is now standard, while AV and Comms systems are growing complex. Ever greater demands are placed on the network infrastructure, with owners needing 24/7 multiple IT device connection to both on-board and shore based applications and services.
Various subcontractors log in remotely to troubleshoot equipment and to implement upgrades and updates. In the fairly recent past dealing with a fax machine connected to an Inmarsat terminal in the owners on board office was a routine task for the Captain. Given current developments, however, even our highly skilled and trained ETO/IT Officers are at times overwhelmed. Today, shoreside support entailing remote login into the ships most critical and vulnerable systems is standard procedure. Yet few yachts seem to devote much thought to security in such situations.
The possibility that unauthorised individuals or organisations will infiltrate home and office AV systems and misappropriate and remotely control tablets and smart TVs to record audio and video, using device integrated microphones and cameras to spy on people is unfortunately no longer fiction. It has become hard fact. Hacking into systems on board ships is a threat of which we are acutely aware of and against which we all take measures to protect ourselves. But how much attention do we pay to what the service technician does, when he logs on for routine maintenance as part of the service contract with the yacht. Our owners are typically UHNWI and are certainly of interest to just about any intelligence agency worldwide not to mention a plethora of undesirable individuals. Is it not inconceivable that intelligence or criminal agents infiltrate the ranks of our best-known industry service providers. Just how thorough is the background check on individuals hired by these companies?
Another consideration is that vast sums are often charged for these remote support sessions. Unless the ETO is watching what the technician is actually doing, there is no way of later disputing the work hours claimed. Given their normal workload, ETOs seldom have the time to actually monitor the entire process. If the technician updates software that takes multiple hours to upload due to limited bandwidth, is charging the entire time as a remote support session really justifiable?
So how do we deal with these matters?
• How can captains authorise the access?
• How can they determine who is entering the vessel remotely?
• How can they monitor what the service technician is actually accomplishing?
With RACAM the captain, ETO or security office can control the access, ascertain how long access has been used, and monitor exactly what has been done. Transfer of information in and out is fully controlled. Reports can be created at whatever level of detail is desired. This is not only true for remote login sessions but also for direct on-board sessions with the technician being on board.
This is achieved by specific RACAM modules:
•Secure and reliable access, on low bandwidth and high latency connections
•Role-based login handling with two-factor authentication
•Role-based application assignment of any kind of application or IP service on the vessel (Windows, LINUX, router, switches, http/https based service, SSH, Telnet, VNC,X11)
•Video recording of users interaction sessions
•Access notification and reporting
•File transfer control
Extensive related-shore based experience has been accumulated over the last 10 years. Companies that have implemented the system report:
- Technicians spend less time in trial and error experimentation and because they know their work is being recorded are far more focused
- More highly qualified personnel are despatched to deal with the task at hand, and thus less time is devoted to a specific task
- Systems experience less down time whereas documentation of previous mistakes effectively increases accountability
RACAM requirements are rather modest: no shore based hardware, just a small 19” rack mounted LINUX server (physically or virtualised) on the vessel connected to the internet.
What are the costs? Depending on the exact parameters, license and setup consultancy the basic fully functioning system starts at €12,500, plus travel and installation expenses. Crew training is included in this price. Annual service costs run at 20 percent of the license fee.