The “Safe Ports Protocol”: Yacht Cybersecurity for Marinas, Wi-Fi, and Onboard Networks

There’s a moment that happens on almost every yacht, usually within minutes of a guest stepping onboard:

“What’s the Wi-Fi password?”

And just like that, a high-net-worth device (often full of banking apps, passports, business email, and private photos) is about to join your network—without the guest knowing (or caring) whether that network is segmented, monitored, patched, or held together by hope and an old spreadsheet.

This article is my practical, no-nonsense “Safe Ports Protocol”: a way to create a “Swiss perimeter”—neutral, controlled, and hard to mess with—especially when you’re in a marina using “free” Wi-Fi that’s anything but free.

---

Why yachts get hacked “at anchor” (and why a firewall isn’t enough)

I hear the same line all the time:

“We’ve got a firewall, so we’re fine.”

A firewall is useful—but it’s not a strategy. Because there’s always a human attached to the system, and humans get tired, rushed, distracted, and emotionally triggered. On yachts, those conditions are basically the default setting.

I’ve watched cyber incidents ripple through a crew in ways people don’t expect. If someone gets scammed or hacked, it doesn’t stay “at work.” Crew live in each other’s pockets—eat together, sleep onboard, share the same corridors—so the mental fallout becomes operational fallout. The vibe changes. Performance drops. People withdraw. Mistakes pile up.

And here’s the kicker: the yacht industry is often 5–10 years behind sectors like finance and tech in everyday cyber hygiene. Not because yachties aren’t smart—because yachting is operationally intense, and cybersecurity tends to be treated as a footnote until something burns.

The real attack surface: crew fatigue, trust, and routine

Most successful attacks aren’t Hollywood hacking. They’re social engineering: nudging someone into doing something dumb at exactly the wrong moment.

I’ve seen it at home too. My youngest son was trying to connect his iPad so he could message me, and I received a text: “Hi Dad, I got a new number.” For a second I almost replied like it was normal—until my brain caught up: where would he even get a new number? That emotional trigger is what scammers live for.

Onboard, you have the same emotional levers:

• urgency (“we need this paid today”)
• authority (“captain/manager asked for it”)
• trust (“it’s from our supplier, we’ve used them for years”)
• fatigue (“just click it, we’ll deal with it later”)

Starlink changed the game: faster internet, bigger blast radius

Here’s the weird truth: VSAT used to be one of the best cybersecurity controls yachts had. Not because it was secure—because it was slow, expensive, and painful. That friction discouraged a lot of risky online behavior and made remote attacks less “worth it.”

Now with LEO services like Starlink, yachts have fast, low-latency connectivity almost everywhere. Operationally it’s brilliant. Security-wise, it’s like handing attackers better roads, clearer signs, and a faster car.

---

The Safe Ports Protocol (before, during, after you connect)

This protocol is designed for the exact moment you’re most exposed: in port, surrounded by unknown networks, random devices, suppliers, visitors, shipyard staff—and that seductive “courtesy Wi-Fi.”

Before you connect: the 60-second marina Wi-Fi checklist

When you’re about to join marina Wi-Fi, do this first:

1. Assume the network is hostile
   Even if it has the marina’s name, it could be an “evil twin” hotspot.
2. Confirm the SSID with staff
   Ask the marina office for the exact Wi-Fi name and whether there are multiple networks.
3. Turn off auto-join
   On phones/laptops, disable “auto-join” for public networks so you don’t reconnect silently tomorrow.
4. Use a VPN before doing anything sensitive
   If you’re using a VPN like NordVPN, connect it before logging into anything meaningful. This doesn’t make you invincible, but it dramatically reduces exposure to basic snooping and interception on public networks.
5. Avoid sensitive tasks on marina Wi-Fi
   No banking, no payroll, no owner documents, no password resets. If you must, use your yacht’s secured connection or a trusted cellular hotspot.
6. Update devices when you’re on a safe connection
   Patching on a compromised network is a bad time to start downloading critical updates.

Think of this as your “gangway briefing,” but for data.

While you’re connected: rules for guests, crew, and sensitive logins

Once you’re connected in port, the goal is simple: limit what a compromise can touch.

• Keep guests off crew systems
  Guests should never be on the same network as operational tools, admin portals, or anything tied to navigation or yacht business.
• Treat crew devices as high risk
  People use the same phone for work, banking, social media, crypto apps, messaging, and random links. That’s not a moral judgment—it’s reality.
• MFA everywhere it matters
  If a login supports multi-factor authentication, turn it on. It’s one of the few controls that reliably blocks common account takeovers.
• Never approve surprise login prompts
  If someone gets an MFA push they weren’t expecting, the answer is always “no.”

After you disconnect: what to reset, review, and log

When you leave port or stop using marina Wi-Fi:

• Forget the network (remove it from saved networks)
• Check for odd email forwarding rules
  Attackers love adding forwarding rules so they keep visibility even after you change passwords.
• Scan for suspicious sent items
  If you see missing sent emails or weird messages you didn’t send, treat it as a live incident.
• Log the exposure
  Even a basic note: where, when, which network, which devices. It helps later if you need to reconstruct what happened.

---

Build a “Swiss perimeter” onboard (simple network architecture)

Most yacht networks I see fail for one reason: everything lives together. Guests, crew, streaming, printers, shipyard laptops, and sometimes even sensitive systems.

That’s not a network—it’s an accident waiting to happen.

Three networks, not one: Guest vs Crew vs Navigation/OT

At minimum, you want:

1. Guest Network

• Internet only
• No visibility of onboard devices
• Rate-limited if needed (so Netflix doesn’t become a denial-of-service)

2. Crew/Operations Network

• Work laptops, internal services, business applications
• Controlled access to printers/servers
• Stronger authentication

3. Navigation/OT Network

• The stuff that should never be exposed to casual browsing
• Strictly limited access
• No guest devices, ever

If you take just one action from this whole article, make it segmentation. It’s the easiest way to turn “one mistake” into “a contained mistake.”

Passwords: kill spreadsheets, adopt a real password manager + MFA

This one’s brutally common in yachting: passwords stored in Excel sheets, Word docs, Notes apps, or emails.

I’ve still seen default credentials like admin/admin floating around in 2026. Not everywhere—but often enough that it hurts.

A good baseline:

• pick a password manager for the yacht program
• stop sending passwords via email or WhatsApp
• enforce strong unique passwords + MFA for critical accounts
• remove old handover docs full of credentials

People don’t break security because they’re careless—they break it because the “secure way” is too inconvenient. Fix convenience and you fix behavior.

---

The most common real-world hit: supplier spoofing & invoice fraud

If you want the single most frequent cyber incident I see around yachts, it’s this:

Supplier spoofing and invoice fraud.

Someone impersonates a supplier (or gets inside their email), changes bank details on an invoice, and tries to redirect money.

This happened to me personally: someone got into my email—how, I still don’t know—then changed bank details on an invoice and sent it to our payments company using my tone and formatting. I had no idea because the message trail was cleaned up. It was only caught because the payments company called and asked why details had changed.

That’s how good these attacks have become: they don’t “hack the yacht.” They hack the workflow.

Red flags that your “supplier” isn’t your supplier

Watch for:

• bank details suddenly changing
• urgency + pressure (“must be paid today”)
• subtle domain differences (extra letters, different TLDs)
• odd phrasing that’s almost right
• requests to bypass your usual process

A lightweight verification process that doesn’t slow operations

You don’t need a 40-page policy. You need a habit:

• Never accept new bank details via email alone
• Verify changes via a known phone number (not one in the email)
• Use a two-person check for payments above a threshold
• Keep a supplier “golden record” of verified payment details
• If you must exchange documents, keep them in a secure channel

This is where secure email helps. Tools like Proton Mail can be a practical layer for sensitive operational communications—especially when you’re sending contracts, IDs, or anything that would be weaponized if intercepted.

---

Secure communications with marinas and port authorities

Ports and marinas aren’t always cyber mature. And even if they are, you can’t control who’s sitting on the same network as you.

What to send (and what not to) over standard email

Avoid sending via normal email when possible:

• passports, visas, crew lists with personal data
• owner itineraries and movements
• bank details and payment instructions
• anything you’d hate to see forwarded

If it must be sent:

• encrypt or use a secure provider
• share documents via secure links with expiry
• confirm the recipient channel independently

Practical tools: VPN for port Wi-Fi + encrypted email for ops

If you’re in a marina and need to operate:

• VPN (NordVPN) for internet privacy and safer browsing on public Wi-Fi
• Encrypted email (Proton Mail) for operational comms and sensitive docs

These aren’t magic shields. They’re good defaults that make the lazy attacks fail and force attackers into harder, noisier methods.

---

Incident readiness for yachts (when something will go wrong)

A lot of yachts are brilliant at improvising—because yachting forces it. But you can buy yourself time and calm with simple readiness.

The cold-spare firewall idea (and why it saves charters)

Here’s a scenario I see too often: firewall fails mid-charter.

What happens next is usually a panic choice:

• bypass security so the internet works (high risk), or
• lose connectivity and degrade guest experience (high pain)

A sensible middle ground:

• carry a cold spare firewall
• keep a monthly config backup
• have a documented “swap procedure”

Even if the backup is a few weeks old, you can be “secure and online” again fast—without ripping out your controls.

The minimum viable incident response plan for a captain

You don’t need a war room. You need a short playbook:

• who to call (internal + external IT)
• how to isolate networks
• what systems are critical
• what logs to preserve
• how to communicate to owner/guests without drama

If your crew can run emergency drills, they can run cyber drills.

---

Conclusion

Cybersecurity on yachts isn’t about buying a shiny tool and hoping for the best. It’s about building a culture where people ask better questions, suppliers are held to account, and port connectivity is treated like the risk it is.

If you do nothing else, run the Safe Ports Protocol every time you connect in a marina—and build that “Swiss perimeter” onboard so one bad click doesn’t become a full-boat incident.