When you think of ships and security, you’re probably thinking of boats attacked at sea by swarthy individuals waving machetes. But while this remains true, there’s also a more insidious way to attack ships – through their software.
Modern vessels are equipped with all kinds of electronics to ease navigation, assist in manoeuvring and support the safety of the ship and its passengers. If these are not appropriately secured, they leave boats and ships vulnerable to attack.
As with any industrial IoT (IIoT) deployment, there is also the challenge of navigating the vessel's IT and OT divide; even finding staff knowledgeable about both is difficult.
Vincent Ossewaarde is a Security Auditor at Fortytwo Security. He’s also a watersport enthusiast and avid researcher on marine electronics and security in marine systems. I spoke to him before his talk at the upcoming Codemotion Online Tech Conference, which will be held in October 2020.
From the theory of complex systems to ship security
Vincent graduated from the University of Amsterdam in the theory of complex systems and specifically “systems that exploit a behaviour that’s not programmed into it.” He was provided with a military-grade system built for defence purposes and his research focused on building a simulation system using a particular operating system that was based on sharing resources like RAM and CPU.
He recalls, “The system was so well designed that it was built for use in weapon systems and later sold to a large defence contractor, and they built it into fighter jets and missile systems on ships.”
He later met a job applicant for Fortytwo Security who shared his interest in the theory of complex systems and experience with that specific operating system. He recalls:
“He was in charge of the security on this naval vessel that carried all kinds of weapon systems. And he explained that the version and principles were still present in the systems being used for launching rockets, despite the fact it was built in a time when there was no security in systems. And then he said a really important thing. He said, ‘Well, our security consists of a guy with a gun. Next to the chamber, we have our weapons because we do not connect to any system in the world. I mean, our ship systems are not connected to the internet and they do not have any connection to the outer world. So the guy with the gun at the door is enough for us, what we call physical security.’”
The challenge of ship security
Boats are following the trends of other forms of transportation, equally being served by emerging tech such as IoT and automation, as well as new design principles and modes of energy. As Vincent notes of their use of IoT:
“Ships are equipped to send out statistics such as cargo weight and route planning to the supplier before it enters the port so that they already have the appropriate equipment ready to re-port them.”
When Vincent purchased a radar system for his own vessel, he noticed that it came with Wi-Fi connectivity, and that this connectivity could not be disabled. The company started researching such systems and found many connections between ship systems that were never intended when they were designed, across marine, leisure and commercial vessels:
“These systems have never been changed. They’re still there. And then we started looking at what kind of attack vectors you have on naval systems actually to exploit this kind of behaviour on marine systems. And it opened a box of Pandora of all very badly designed systems and very, all the ancient techniques that are still prevalent.”
There is even software without encryption or authentication. It’s not a matter of when software security was last updated, but that it’s not present at all.
Vincent notes that despite the innovation in architecture, design and materials that is deployed into modern ships along with sensors and the internet and other embedded systems, the security is ancient:
“It’s still like a squeaking pirate ship. If you are on the beach, and you look at the water, and you see this big container ship from China, you expect everything to be in order, and you expect everything to be failsafe.
But if you look at the technology, it’s still a technology that’s being put together by duct tape and old and ancient techniques that have never been involved or updated. Because there was never the need to update it. Because there was never the intention to connect it to the outer world.”
The problems are more complex than bad actors
I wondered about the motivation of attacks like attacking a ship’s navigation systems or their ability to identify objects underwater. Vincent asserts, however:
“We like to see the security of a system as simply the idea of a bad actor threatening to cause disruption or damage. There are also elements of threats such as failures, or outages, or incorrect data, or the security of staff being breached because you cannot trust your systems.”
According to Vincent, boats might not even be aware of stealth attacks on their systems. Even the use of location intelligence can be problematic if the AIS (Automatic Identification System) is hacked. “Everyone can see where a ship is, and you cannot protect the identity of a ship, because it has to send it out.
If this data has been tampered with so it is now incorrect or invalid, you’ll have issues. Further, because of privacy concerns, people tend to shut off their identification systems. This is not a case of security by obscurity.
Rather, it increases security risks as maritime organisations are depending on this data for identification purposes to see a ship or to make ports safe. If you turn that off, you will have a problem.”
According to Vincent, IT and bridge systems are often poorly configured or maintained. Fortytwo Security has done penetration tests on PLCs and industrial switches and, due to inadequate security, was able to completely take over command of those ships and disable their operation, bringing the boat to a complete standstill.
How easy is it to hack these ship systems?
“Some attacks are really complicated but generally it’s child’s play. So everyone with a few brain cells and a basic command system can hack these kinds of systems. It’s not so sophisticated because security was not part of their architecture.”
How is the maritime industry responding?
According to Vincent, the question is who is taking on the issue of maritime security. “None of the maritime organisations require ships to conform to a security standard. There is no requirement for pen testing the systems installed on a ship.”
The International Maritime Authority has taken the initiative to raise awareness across the industry on how to tackle risks by promoting a maritime cyber risk management approach. The overall goal is to support safe and secure shipping, which is operationally resilient to cyber risks, something which falls far short of a standard.
“Fortytwo Security does audits against the payment card industry (PCI) standard, and we perform and do assessments and systems used in banking. In financial organisations, those organisations are our higher bound. They’re built around a risk perspective.
So they try to address risks that they know, but they also try to address risks that they do not know. They try to find risks that they are still unaware of. But that can materialise in their business because that disrupts their business model.
In an aeroplane, everyone cares because they think well, this aeroplane can fall out of the sky, but in a ship, no one cares. The IMO says, well, it’s the manufacturer’s risk. And the manufacturer said yeah, but our systems are correct.
So it’s the ship’s owner’s problem. And the shipowner says yeah, but we integrate our systems, our system integrator should do it. Then the system integrator says, Oh, we just connect the cables. Try to find a maritime firewall, for example. Well, you might find one or two. But there are no firewalls or security systems for ships. It’s just non-existent.”
Fortytwo Security works for organizations in the maritime industry. “They act because they see it in their interest to know that it’s correct. But they cannot do anything because they don’t actually own ships.
We’ve talked to a few ship owners, and they see the issue, but they also know that there’s no real easy solution to go for except for retrofitting your ship with all kinds of different systems. Those that want to act are missing the actual tools and knowledge of what to do.”
Vincent will be sharing his company’s findings in a fun and interactive way at the Codemotion Online Tech Conference, including a deep dive into the flaws of onboard systems, their attack vectors and a demonstration of the findings.