Cyber security is not a new topic in maritime but it is one that refuses to go away, writes GNS’s Emma Mark. In fact, its very familiarity has almost become a cliché in certain circles and one could be forgiven for thinking that there really isn’t much more to learn on the subject.
Inmarsat’s latest report further highlights this by proudly stating that the maritime industry is the fastest adopter of the newest connectivity kid on the block; the Internet of Things. And whilst that’s certainly true, a visit to InfoSecurity Europe this month proved without a doubt that there is still much more to be done to understand cyber threats and that we might be more than a little mindful of jumping to the next big thing too soon.
Infosecurity Europe is the region’s number one information security event featuring Europe’s largest and most comprehensive conference programme, with over 400 exhibitors showcasing the most relevant information security solutions and products to more than 19,500 information security professionals.
Cyber security dates all the way back to the 1980s – hard to imagine considering most of us didn’t even own a PC at home and the internet was but a twinkle in Tim Berners-Lee’s eye. Hacking in the 1980s was primarily about pursuit of knowledge, building reputations, a bit of politics, and games – the game of breaking into systems and pulling off pranks. Fast forward to 2010, and the dawn of cyber warfare was well and truly upon us.
In his keynote speech at InfoSecurity, Paul Chichester, Director of Operations at the National Cyber Security Centre (NCSC) explained that “from 2010 onwards, cyber actors were no longer content with just stealing data, they had evolved to become malicious, disruptive and coercive”.
It was this ever-increasing threat that led to the birth of the NCSC in 2017, which proved to be fortuitous as the WannaCry virus struck the UK and numerous other countries just a few months later, crippling digital infrastructures around the globe and causing digital carnage. Chichester went on to say that, “When WannaCry happened, it cemented the position of the NCSC as being the single point of contact for the entire country during that cyber-attack”.
But whilst the stakes are undoubtedly getting higher, there are still many in the maritime industry who cling to the view that it won’t happen to them. Those who have already experienced the impact of cyber crime, such as the high-profile attack on Maersk or the three major shipping companies in Singapore we know of that have been victims of ransomware, would, I am sure, say the reality is very different.
And whilst having your business hacked and your customer data held to ransom is every ship owner’s worst nightmare, what happens when it’s your vessel that gets hacked? The scepticism towards the ability to hack an ECDIS is palpable – speak to a Master Mariner and the chances are they’ll tell you it just can’t be done in a real-life situation, or maybe in the confines of a white-hat hacking environment tucked away in Silicon Valley but surely not at sea?
When I spoke to consultants and ethical hackers Pen Test Partners at InfoSecurity, they confirmed that they had hacked over 20 different ECDIS units and found countless flaws, the most common being outdated operating systems, which leave the ECDIS wide open to infiltration. When working with maritime customers, their goal is to test all of the systems onboard and ashore to demonstrate the potential weaknesses that cyber criminals may locate and use to infiltrate customer data records, financial information or the vessel itself. With the ECDIS receiving sensor feeds from various systems including the AIS, by hacking into the satcoms network of a vessel, you can hack into the ECDIS.
Alternatively, it is possible to exploit the serial networks on board that control the Operational Technology (OT). The ethernet and serial networks are often ‘bridged’ at several points, including the GPS, the satcom terminal, the ECDIS and many other points. OT systems are used to control the steering gear, engines, ballast pumps and lots more. They communicate using NMEA 0183 messages. There is no message authentication, encryption or validation of these messages; they are simply plain text, meaning all that needs to be done is modify the data.
Whilst GPS spoofing is well known and easy to detect, this level of hacking is virtually impossible to track and is done by quietly injecting small errors to slowly and insidiously force a ship off course.
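A defender-side sketch of the point above, added here as an example and not taken from the original article or from Pen Test Partners: the NMEA 0183 checksum is an unkeyed XOR, so it still validates on an altered track, whereas comparing each reported position with dead reckoning from speed and course surfaces a slow, accumulating offset. The RMC field layout and checksum are standard NMEA 0183; the function names, the 0.25 nm limit and the sample track are assumptions constructed for this example.

```python
import math
from functools import reduce

def checksum(body: str) -> str:
    """XOR of every byte between '$' and '*': catches line noise, not tampering."""
    return f"{reduce(lambda a, b: a ^ b, body.encode('ascii'), 0):02X}"

def parse_rmc(sentence: str):
    """Return (seconds, lat_deg, lon_deg, sog_knots, cog_deg); ValueError if invalid."""
    body, _, given = sentence.strip().lstrip("$").partition("*")
    if given.upper() != checksum(body):
        raise ValueError("bad checksum")
    f = body.split(",")
    if not f[0].endswith("RMC") or f[2] != "A":
        raise ValueError("not a valid RMC fix")
    t = int(f[1][0:2]) * 3600 + int(f[1][2:4]) * 60 + float(f[1][4:])
    lat = (int(f[3][:2]) + float(f[3][2:]) / 60) * (1 if f[4] == "N" else -1)
    lon = (int(f[5][:3]) + float(f[5][3:]) / 60) * (1 if f[6] == "E" else -1)
    return t, lat, lon, float(f[7]), float(f[8])

def drift_alarm(sentences, limit_nm=0.25):
    """Index of the first fix whose cumulative dead-reckoning residual exceeds
    limit_nm (hypothetical threshold), or None if the track stays consistent."""
    prev, err_n, err_e = None, 0.0, 0.0
    for i, s in enumerate(sentences):
        fix = parse_rmc(s)
        if prev is not None:
            dt_h = (fix[0] - prev[0]) / 3600
            # Displacement predicted from the previous speed and course (nm)
            pred_n = prev[3] * dt_h * math.cos(math.radians(prev[4]))
            pred_e = prev[3] * dt_h * math.sin(math.radians(prev[4]))
            # Displacement actually reported (1 arc-minute of latitude = 1 nm)
            act_n = (fix[1] - prev[1]) * 60
            act_e = (fix[2] - prev[2]) * 60 * math.cos(math.radians(prev[1]))
            # Signed sums: random noise averages out, a steady bias accumulates
            err_n += act_n - pred_n
            err_e += act_e - pred_e
            if math.hypot(err_n, err_e) > limit_nm:
                return i
        prev = fix
    return None

def make_track(drift, n=12):
    """Constructed sample data: 12 kn due north from 50N 001E, one fix a minute;
    `drift` arc-minutes of longitude are added per fix to model a slow offset."""
    out = []
    for i in range(n):
        body = f"GPRMC,12{i:02d}00,A,50{0.2*i:06.3f},N,001{drift*i:06.3f},E,12.0,0.0,010124,,"
        out.append(f"${body}*{checksum(body)}")
    return out
```

In this sketch speed and course are read from the same sentence as the position; on a vessel the comparison is only meaningful when they come from independent sources such as the gyrocompass and speed log.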
With just a little time and effort, the Pen Test team also used publicly available AIS data and linked the satcom terminal version details to live GPS position data. In layman’s terms, two public data sets have been linked creating a clickable map where vulnerable ships are highlighted with their real-time position. A vulnerable ship can be classed as a vessel that is sailing on outdated satcom software, and because software updates are posted publicly online, it’s easy to find out if the vessel is an easy target. And if you’re still shaking your head in disbelief, you can see the evidence here.
Satcom terminals on ships are widely available on the public internet due to incorrect set-up procedures and often with default passwords which have never been changed (including Password12345). The irony is that the Facebook and Instagram passwords for the crew are more complex than those that are actually at the heart of critical vessel operations.
And if you’re thinking that you need a degree from MIT to hack a vessel, the specialists I spoke to at InfoSecurity would advise you to think again. Ransomware has evolved into a multibillion dollar business with products now available for purchase off the shelf. All you need to do is personalise a few fields and add in the email addresses of your intended victim.
But if all that seems a bit too much like hard work, ransomware is now available free to anyone that has the inclination to look for it, with a percentage of the profits you make going directly to the cybercriminal that has lovingly coded and sent the software on your behalf.
It’s a lack of basic IT hygiene that appears to be the greatest threat to maritime cyber security, but something so simple to rectify is being ignored because the responsibility is shared. As was noted at numerous junctures during the InfoSecurity event, there is no silver bullet for cyber security and there never will be. Instead of ships’ officers simply dismissing the very real potential for cyber-attacks, how about thinking through several ‘what if’ hacking scenarios and making sure that they can be managed and mitigated? Simply stating ‘we’ll go to manual control’ just isn’t enough when primary and secondary systems are feeding you spurious data.
The best the industry can hope for is to educate both crew and onshore staff and remove the culture of fear so that if an employee experiences a breach, they will alert the appropriate teams and not just hope that the problem will go away by itself. There is a wealth of information available to the shipping community and much of it is free of charge. GNS have produced a cyber security white paper which looks at practicalities of implementing a cyber strategy and the benefits this can bring about.
Applying a multi-layered approach to the ship and onshore network (combining multiple mitigating security controls to protect resources and data) significantly increases the overarching security of the vessel and the business, keeping data, crew and cargo safe. But first and foremost, instruct your crews on and offshore to remove every default password from every system and put alerts in place to ensure they are changed regularly.
No, cyber security is not a new topic, but it is one that’s here to stay. Unless the industry adopts more of a collaborative approach we increase the risks of bigger and more frequent attacks, with potentially more and more serious results.
As a community, we have a responsibility to protect our crews, vessels and cargo, and with a greater focus on education, integrated solutions and basic IT hygiene we can achieve this. The resources needed to enhance maritime cyber security are all within our reach, but until we stop thinking of this as someone else’s problem we all run the risk of becoming another cyber-attack statistic.