- During the course of a cyber attack, a hacker can easily capsize an entire ship with relatively low-level skills.
- Critical ship control systems, including IP-to-serial converters, GPS receivers or the Voyage Data Recorder (VDR), tend to be easily compromised.
- Many onboard devices, for instance, still run Windows XP and Windows NT, and converters rarely have their admin passwords changed.
- Devices that do have non-default credentials will likely have firmware so out of date that they're easily exploited anyway; they talk to control systems via a standardized messaging system called NMEA 0183.
- The control systems reachable this way include autopilot systems, propulsion control, dynamic positioning, engine control, ballast control and digital compasses, which is everything needed to steer a ship off-course.
According to an article published by Threatpost, capsizing a ship with a cyber attack is a relatively low-skill enterprise, based on an analysis from Pen Test Partners.
Backbone of trade
Maritime transport still contributes in an important way to the world’s economy, with on-time shipments influencing everything from commodities availability and spot pricing to the stability of small countries. Unfortunately, capsizing a ship with a cyber attack is a relatively low-skill enterprise, according to an analysis from Pen Test Partners.
With so many previously outlined ways to infiltrate networks on board shipping vessels (think satcom hacking, phishing, USB attacks, insecure crew Wi-Fi, etc.), what could an adversary do with that access?
“If one was suitably motivated, perhaps by a nation-state or a crime syndicate, one could bring about the sinking of a ship,” said Pen Test Partners researcher Ken Munro, in a stark assessment of maritime cyber-danger this week.
At issue is the fact that critical ship control systems, including IP-to-serial converters, GPS receivers or the Voyage Data Recorder (VDR), tend to be easily compromised; some onboard devices for instance still run Windows XP and Windows NT, and converters rarely have their admin passwords changed.
Those that do have non-default credentials will likely have such out of date firmware that they’re easily exploited anyway: Munro pointed out that many of the Moxa device servers commonly found aboard vessels were recently found to be vulnerable to a firmware downgrade attack that allowed trivial compromise.
“It’s a low-skill attack,” Munro told Threatpost. “Password security and patch management are so poor at sea that compromise does not require significant expertise. There’s a documented case of a kid finding a mobile drilling platform control system using Shodan and clicking buttons to see what happened. I believe they unintentionally took the dynamic positioning system offline.”
These easily hacked devices communicate with a raft of control systems via a standardized messaging system, called NMEA 0183 messaging (it’s a superset of the messaging format that GPS devices use). These include autopilot systems, propulsion control, dynamic positioning, engine control, ballast control and digital compasses – everything that’s needed to steer a ship off-course or cause a catastrophe.
“The messages are usually exchanged using RS485 serial datacomms, either directly or encapsulated over IP networks,” Munro said in a posting. “In some cases, CAN is used as a bridge between IP and serial. Any point where serial meets IP is a point where the hacker can potentially access the messaging system.”
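As an added example (not code from Pen Test Partners or the article), here is a passive monitor a defender could place where NMEA 0183 is encapsulated over IP: it validates each sentence's checksum and flags steering-related sentence types arriving from sources not expected to send them. The source addresses, the allowlist and the sample sentences are constructed assumptions.

```python
from functools import reduce

# Assumed site policy (constructed): sentence types each source IP may emit.
ALLOWED = {
    "192.0.2.10": {"GGA", "RMC"},  # GPS receiver behind an IP-to-serial converter
    "192.0.2.20": {"HDT"},         # digital compass
    "192.0.2.30": {"APB", "HSC"},  # bridge navigation workstation
}
STEERING = {"APB", "HSC"}  # autopilot / heading-steering sentence types

def checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two hex digits."""
    return f"{reduce(lambda acc, ch: acc ^ ord(ch), body, 0):02X}"

def parse(line: str):
    """Parse a standard (non-proprietary) sentence into (talker, type, fields)."""
    line = line.strip()
    if not line.startswith("$") or "*" not in line:
        raise ValueError("missing '$' start or '*' checksum delimiter")
    body, _, given = line[1:].rpartition("*")
    if given.upper() != checksum(body):
        raise ValueError("checksum mismatch")
    head, *fields = body.split(",")
    if len(head) != 5 or not head.isalnum():
        raise ValueError("address field is not talker(2) + type(3)")
    return head[:2], head[2:], fields

def inspect(src_ip: str, line: str) -> str:
    """Return 'ok', 'malformed', 'unexpected' or 'alert' for one captured line."""
    try:
        _, stype, _ = parse(line)
    except ValueError:
        return "malformed"
    if stype in ALLOWED.get(src_ip, set()):
        return "ok"
    # Steering traffic from a source not allowed to send it is the key case.
    return "alert" if stype in STEERING else "unexpected"

# Constructed capture: (source IP, sentence). Not real vessel traffic.
GGA = "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47"
APB_BODY = "GPAPB,A,A,0.10,R,N,V,V,011,M,DEST,011,M,011,M"
APB = f"${APB_BODY}*{checksum(APB_BODY)}"
CAPTURE = [("192.0.2.10", GGA), ("192.0.2.30", APB), ("192.0.2.10", APB),
           ("192.0.2.20", "$HEHDT,274.5,T*00")]

if __name__ == "__main__":
    for src, line in CAPTURE:
        print(f"{inspect(src, line):10} {src:12} {line}")
```

The third capture line is the interesting one: a well-formed autopilot sentence that appears to come from the GPS converter's address, which the allowlist says should only ever emit position data.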
Hoegh Osaka incident
Once the hacker is able to reach the control systems, it would, for instance, be possible to replay the Hoegh Osaka incident, where a car carrier’s ballast tanks weren’t properly filled, which resulted in the ship developing a heavy list during a tight turn out of the port. It narrowly avoided capsizing, thanks only to a favorable wind blowing.
“Modern ballast control systems provide remote monitoring and operation from the bridge, usually running on a PC,” Munro explained. “So, the attacker would simply send the appropriate serial data to the ballast pump controllers, causing them all to pump from port to starboard ballast tanks. That change in trim alone could cause a capsize.”
He added, “If the change in ballast wasn’t enough to sink the vessel by itself, when a list had started to develop, send an NMEA message to the autopilot, commanding a turn to starboard. Or, send a helm message commanding the same turn direction. The list, combined with the change in stability when turning, is likely to cause a capsize.”
Access to control systems
Access to the control systems could be remote or local, depending on the attacker. Pen Test Partners has done prior research on remote attacks over satcoms, and serial network attacks can be carried out remotely via the satcom connection, or by physically locating the converters.
“Any half-decent attacker can happily abuse these operating systems all day long and still cover their tracks effectively,” Munro said.
Previous research has shown that other concerning attacks are possible as well, such as forcing a ship off-course or causing collisions. The issue with remediating the dismal state of maritime security is a lack of clearly defined responsibility for security, according to the researcher.
Lack of awareness
“It’s a lack of awareness,” he told Threatpost. “Ship owners are rarely the ship operator, charter parties are rarely interested in security. When responsibility and liability for security incidents are unclear, it’s hard to determine who should take control of patching and cyber-risk management. Clarity is urgently required; several organizations such as the [International Maritime Organization] are taking action, though it will take time for processes to change.”