PERILS OF A NEW DIMENSION: SOCIALLY ENGINEERED ATTACKS IN MARITIME CYBERSECURITY
March 24, 2021 MARITIME CYBER SECURITY
Maritime digital transformation is in its most rapid and turbulent era. Such a transformation offers substantial advantages and benefits, but with commensurate risks in the cyber domain.
On June 16, 2017, the International Maritime Organization (IMO) adopted Resolution MSC.428(98) that “encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance (DOC) after 1 January 2021.” The same year the IMO developed related guidelines (MSC-FAL.1/Circ.3). While the resolution is a formal acknowledgement of the importance of cybersecurity by the UN agency, the guidelines highlighted that effective cyber risk management should start at the senior management level.
But even smart and elaborate risk management will not be effective until appropriate cyber awareness arises among all those engaged in the maritime world. The human element is the most valuable but also the most vulnerable in maritime cybersecurity. While modern technology affords a measure of protection against direct hacking, social engineering has become the most prevalent vector for cybercrime.
There is a popular opinion that the direct targeting of senior leaders (known as whaling attacks, or CEO fraud), is the most probable scenario for a lucrative cyberattack. In cases of success, offenders can get access to sensitive data or even entire networks and affect many processes within the system. In some cases, attackers could even get options to direct groups of ships. On the other hand, such a “whaling attack” is a complicated process with disputable chances of success. The obligation senior executives have toward cyber risk management is fast becoming a standard assumption. These leaders are becoming more and more aware of these hazards and are better maintaining prudent behavior to reduce cyber risks to themselves personally. Much simpler is the method of attempting to socially engineer other types of maritime workers, who at first sight appear less significant than executives, but who also enjoy broad access to maritime systems and networks.
There are two main groups that can be distinguished as desirable targets. The first group includes crewmembers onboard commercial vessels and naval ships, especially those who have direct access to the ship’s control systems or important elements of shipboard systems, like communications, engines, or cargo handling equipment and storage areas. The second group includes shore-based personnel, including technicians and advisors, third party contractors, especially those who have remote access to seaborne networks and contacts.
There are three critical areas attractive to attackers, including navigational systems and sensors, cargo handling and storage, and propulsion and power. In most cases the latter two elements require direct physical access to effectively access critical systems. In contrast, navigational systems are perhaps among the most advanced networked and digitally accessible systems onboard.
If cyber intruders got access to ECDIS (the Electronic Chart Display and Information System), they would be able to attempt offensive options such as jamming or corrupting signals received from external sensors (GPS, AIS, Radar/ARPA, Navtex), gathering critical hydrographic information, and tampering directly with the Electronic Navigational Chart (ENC). While official ENCs often feature highly protected data, unauthorized access to the ENC’s manual correction option can be disruptive. Hackers could also go for the simpler option of disabling the operating systems of the ECDIS workstations, where in the majority cases this is a commonplace Windows operating system, and not necessarily the latest version. With the highly integrated bridge navigational systems of modern chemical tankers and passenger ships, attackers could even target the ship’s auto-steering algorithm.
Unauthorized access to such an important navigational system can be obtained with malware accepted by equipment operators via their email client and personal social media profiles. Today, with the internet widely available onboard modern commercial vessels, shipboard personnel can freely use their personal mobile devices or laptops for web access and private communications. At the same time, cybersecurity hygiene and best practices are often neglected, and the same personal devices can be used for operational data storage and transfer, including transferring data to and from ECDIS workstations.
Imagine a scenario where a chemical tanker was chosen as a target by a hacking group. Information regarding the vessel’s static and dynamic (course/speed/position) data, crew composition, type and quantity of cargo, destination, captain’s name, and other items of interest could be collected from the web. Attackers could search and exploit the social media networks of crewmembers, preferably the targeted vessel’s bridge team member. The task is made easier by social media networks and websites focused on professional groups and employment.
During the second stage, the stage of evaluation, the opted profile is carefully examined by the offenders for weakpoints. Nowadays, the majority of social media users are registered across several platforms, such as those focused on personal and professional connections, as well as entertainment preferences. Therefore adversaries can gain information not only about the mariner’s place of service but also about their family, hobbies, places visited, and other information that could be relevant to designing a socially engineered attack.
Their objective will be to obtain unsanctioned admittance into the vessel’s systems. The targeted person can either be blackmailed or contacted by a fake profile of a trusted contact with the aim of dispatching malware via the victim’s access. An untrained and unaware navigational officer could install the malicious software to the navigational computer, under the guise of ‘colleague’s friendly tip.’
A socially engineered attack can be made to seem more credible when shore personnel, such as technicians or support desk members, are targeted. With almost the same measures in searching, evaluating, targeting, and hacking, perpetrators can infiltrate and attack even larger groups of ships due to how shore professionals often have access and jurisdiction over many vessels.
More nefarious intentions could include causing a chemical spill, setting a ship on a collision course with a naval ship or a passenger vessel, or damaging critical shore-based infrastructure. In respect of these scenarios, maritime cyber threats should be considered as a matter for the International Ship and Port Facility Security Code (ISPS), and not only the International Safety Management Code (ISM). The ISPS code consolidates various constructive requirements so that it can achieve certain objectives to ensure the security of ships and ports.
There are some important requirements under the ISPS. The security-related information exchanges among the appropriate contracting agencies, both government and private, include collecting and assessing the obtained information and further distributing it. Correspondingly, definitions are included for the relevant communication protocols for vessels and port facilities for uncomplicated exchanges of information. Another important element is attempting to prevent any unauthorized access on a vessel, port facility, or other important restricted areas. Even if unsanctioned entry is not a threat, it is always regarded as a potential danger.
The ISPS also regulates provisions of different options for alarm-raising in case a security-related incident is encountered or potential danger is evaluated. It seems logical enough to apply similar requirements for maritime cybersecurity. There are several main tasks to consider: cybersecurity information collecting, evaluation and exchange between concerned parties; prevention of unauthorized access; malware and spyware installation or transfer; and appropriate training of personnel.
Eventually, regulation should be introduced regarding the human element. Specifically, trainings and exercises should be introduced for vessels’ crew and port facilities’ staff to ensure their awareness with the security plan and that there will be no delay in procedure execution in case of a real threat. Advanced cybersecurity training and education should be encouraged, especially for critical staff like watchkeeping officers or engineers. The purpose of such an education would be to gain knowledge and develop skills in cybersecurity in order to anticipate threats at early stages. Trained personnel should also be ready to prevent unauthorized access to critical equipment and systems and be vigilant for particular malfunctions that could be caused by illicit infiltration. In cases of potential penetration, staff should be skilled enough to insulate affected areas of the system without losing control of the vessel. Their proficiencies should include the ability to manage a transition to emergency manual control and utilizing classic techniques in seamanship and communication.
Maritime security, through cybersecurity, will become a much more complex endeavor. It will require a considered combination of the human element, technical innovation, management procedures, security protocols, and classical maritime know-how. Considering the lack of cyber-awareness among some mariners, a transfer of malware from a personal device to a ship’s navigational system is just a matter of time. The international maritime community should accelerate and strengthen efforts to develop adequate measures to withstand future challenges in the maritime cyber domain.
Leonid Vashchenko is a professional mariner, currently serving as a chief officer on board ocean-going commercial vessels. He holds a Masters Degree in Marine Navigation from the National University “Odessa Maritime Academy,” Ukraine, and is a active member of the Nautical Institute, London. His views are his own and do not necessarily represent the official views or policies of the organization or companies he is employed with.
Source: cimsec