
With cross-industrial experience, U.K.-based cyber security specialist Pen Test Partners works as a penetration tester in the maritime world. HANSA talked to Senior Partner Ken Munro about threats, measures and gateways for criminals.

What is your main message to the community of ship owners?

Ken Munro: Our main message is that ship owners and ship managers need to cover at least the basics of their cyber security. Start by asking questions of technology and IT service suppliers. Simple oversights such as not changing admin passwords, having one password per vessel, even allowing memory sticks to be plugged into the network without being checked for malware, are just some common problems we’ve found. The current casual attitude to cyber security is making it easy for hackers to penetrate ship networks. During client testing, we’ve successfully compromised entire fleets of vessels from the public internet. With sufficient expertise, we’ve shown that hackers could remotely control the main engine and steering gear.

Do you know any numbers regarding financial damage caused by cyber attacks in the maritime industry so far?

Munro: Many companies have been affected by a cyber attack. However, most available statistics can be very misleading. For example: the term »cyber attack« can indicate simply detecting and blocking a phishing email, through to a business-limited breach. This unhelpful lack of clarity is perpetuated by security vendors trying to sell hardware and software to uninformed shipping organisations. Unsurprisingly, organisations are very reluctant to reveal the true financial costs but AP Moller-Maersk has admitted to an approximately $300 million loss from the NotPetya »crypter« that it was infected with, having had to reinstall over 4,000 servers, 45,000 PCs, and 2,500 applications.

Do you see a rising awareness?

Munro: The short answer is thankfully yes. Now that there have been several high-profile cyber instances in the shipping industry including COSCO and shipping broker Clarksons, the industry is slowly waking up to the potential perils of burying its head in the sand. That said, there is still far too much scaremongering in the maritime cyber world. Breaches occur with different consequences. The vast majority of incidents are random and untargeted; ransomware and the like. However, criminal hackers are quickly realising that there is money to be made from the maritime sector. Indeed, some years back, it was only a matter of weeks after new technology was installed at the Port of Antwerp when a small number of containers with high value contents started to go missing. That issue was quickly resolved, but it is a great example of hackers taking advantage of security issues.

Is there any difference between shipowners, managers, brokers, service providers etc.?

Munro: The weak spot in shipping has been the very fast transition from offline vessels to the fully connected ship. In the past, security wasn’t an issue owing to very limited connectivity at sea. That’s changed quickly, as operators and crews want »always on« connectivity. Cyber security of the vessel has not kept up with this change, hence the significant increase in »cyber« incidents. We’ve demonstrated how it’s possible to target a vessel and gain access through satcoms, then on to IT networks, then jump on to the serial networks which deal with vessel control. Whilst a sharp-eyed officer should notice unusual control responses and hopefully take manual control, confusion, »screen focus« and conflicting data are a common source of accidents.

How do you learn about potential »entrances« for cyber criminals?

Munro: It is our job to find potential points of access in any company’s computer network. Working across different industries, we see common ways which a hacker will employ to break into a computer network, either via a phishing e-mail or by having knowledge of common admin passwords which, even though companies are advised to change them during initial set-up, many do not, which leaves them vulnerable. Software updates too are often left or ignored by companies. It is important that updates are implemented immediately as sometimes they are closing loopholes in software applications which hackers can exploit.

Where do you see the biggest problems? Stowage plans, HSMS, invoice fraud by hacking, navigation …?

Munro: It is difficult to give a definitive answer to this question as, in the wrong hands, any of these scenarios could be enough to wreak havoc. We have shown how we can take control of a ship’s loading system and potentially make a ship sink by overloading it. We have also shown, through gaining control of a ship’s ECDIS, how a hacker could make the ship’s crew believe that the vessel was in a different position in a port than its actual physical location, which is why one of our cyber tips is that crew should look out of the window once in a while to verify what they are looking at on a screen!

What would be the »easiest« way to enhance cyber security on board, both short- and long-term?

Munro: The easiest steps can be implemented immediately: To change your default/admin passwords on any hardware installed on your network, particularly your sat comm terminal; to make sure you implement any software updates immediately; to secure all USB ports on your network and do not allow anyone to insert a USB stick into a port unless it has been checked for malware first; to check all your Wi-Fi networks – strong encryption, strong Wi-Fi passwords and good Wi-Fi router admin passwords are a must. Crew Wi-Fi for personal use must not connect to anything other than the internet and/or on-board systems (e.g. media streaming) for personal use.

Longer-term measures should include checking that your bridge, engine room, crew, Wi-Fi and business networks on board are logically separated. This is important as if one system is infected it can then be quickly isolated so the virus does not infect any other systems. If all areas are inter-connected you will have a much more serious situation on your hands. As well, a measure could be to teach your crew about cyber security. Resources such as »Be Cyber Aware At Sea« are great for raising awareness and helping your crew avoid inadvertently opening the vessel to compromise. Another measure is to get a simple vessel security audit carried out. Some of the worst vessel vulnerabilities are the easiest to find and fix. Bear in mind that maritime security issues are often systemic: they don’t affect just one ship in your fleet, the same issue can affect them all.


Interview: Michael Meyer