The present competition for coastal and maritime space triggered by human activities, as well as climate change effects and both natural and manmade hazards, impact coastal and marine environment, resources and ecosystems. The physical characteristics, especially the shallowness and its semi-enclosed nature, make the Adriatic and Ionian Sea even more vulnerable to these threats. This situation points out the compelling need in the Adriatic-Ionian Region for a transnational integrated and efficient planning and management of coastal and marine spaces and uses at macroregional level, able to avoid potential conflicts, create synergies and to secure a sustainable growth whilst allowing the preservation of coastal and marine ecosystems for future generations. Such effort requires fit for purpose knowledge and tools. In full compliance with the Integrated Coastal Zone Management (ICZM) and Maritime Spatial Planning (MSP) principles and policies and supporting concretely the implementation of the EUSAIR Action Plan, PORTODIMARE project aims at creating a common platform (Geoportal) for data, information and decision support tools focused on coastal and marine areas of the Adriatic-Ionian Region. The Geoportal integrates and further develops existing databases, portals and tools developed within previous EU projects by local and national administrations and by other initiatives. Through this approach, most of the available knowledge and resources will be efficiently organized and made accessible through a single virtual space, thus supporting coordinated, regionally / transnationally coherent and transparent decision-making processes, with the perspective of remaining operative and being expanded well beyond the project conclusion. 
The Geoportal will use, feed and support transnational cooperation networks in all the phases of its creation, from the design, to the development, to its testing phase, enabling public authorities and stakeholders to apply a coordinated, integrated and trans-boundary approach. In this view, PORTODIMARE project will test the use of the Geoportal as a concrete support for the development, in four demonstration areas, of strategies and action plans that couple environmental protection and sustainable development of sea/coast uses, within the regional and transnational framework established by Directive 2014/89/EU and EUSAIR Action Plan. More concretely, the PORTODIMARE Geoportal aims at becoming a daily working tool for decision-makers, public and private managers, practitioners, marine scientists and stakeholders in general, thus promoting and boosting sustainable blue growth in the Adriatic and Ionian Region.

 

SHIP IP LTD – Remote internal/external Vulnerability &

Penetration Testing

TRUST OUR NETWORK – WE GUARANTEE BEST PRICES!

READ MORE

Maritime Vulnerability and Penetration Testing

 

Source: portodimare


Pen Test Partners were able to penetrate leading ECDIS models swiftly and easily simulating what real hackers could achieve

In June, Pen Test Partners were tasked with penetrating multiple makes and models of ECDIS and the results in their own words were shocking. The ethical hackers found high level issues in most ECDIS tested.

Pen Test Partners senior partner and ethical hacker Ken Munro said the most significant issue was that most ECDIS ran on very old Microsoft operating systems, including Windows XP, 7 and Windows NT. This means the majority of ECDIS are not supported by Microsoft and thus, do not have regularly updated security.

“It was therefore trivially easy to completely compromise every ECDIS,” said Mr Munro. “Complete control could be gained over the network interfaces and USB,” he told Marine Electronics & Communications.

Even if the host operating system was up-to-date and secure, most ECDIS offered network services that were vulnerable. These were usually present to allow communication with other operational technology on a ship’s bridge.

Pen Test Partners found exposed configuration interfaces over these networks. “We could boot up the ECDIS from a USB key, locate the encrypted passwords for these services, crack them and then reconfigure the ECDIS,” said Mr Munro.

In addition, the testers discovered that these passwords were rarely changed and, in many cases, the vendors’ documentation made no mention of changing network service passwords, just the host operating system passwords.

They were also able to cause issues with ECDIS models by sending unexpected network traffic. “In some cases, this led to remote-code execution, whereby we could compromise the ECDIS even if the software was up-to-date,” said Mr Munro.

Some ECDIS models had integrated security software, such as antivirus and firewalls. These were effective for what Mr Munro called “low-grade attacks” but made little difference to higher skill attackers. “We found significant security flaws in the ECDIS software itself, which allowed us to bypass the security software,” he explained.

GPS spoofing

Cyber attacks on ECDIS may not be a direct penetration. Mr Munro’s team were also able to reconfigure ECDIS to believe its GPS receiver was at the other end of the vessel, therefore introducing a 300 m offset.

“Then, through further reconfiguration, we changed the profile of the vessel to be 1 km² square, for an offset of 1,000 m,” he said. Even further offsets could be introduced by tampering with the US National Marine Electronics Association 0183 serial data being sent to the ECDIS from the GPS receiver.

“Having compromised the ECDIS, we had control over the serial COM ports through which the GPS communicated its position and could tamper with that position data also,” said Mr Munro. Identical offsets could be introduced to radar, meaning a watch officer could not use that method to check for position discrepancies.
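A monitoring-side check for the position tampering described above, as an added example that is not code from Pen Test Partners or any ECDIS vendor: it validates NMEA 0183 GGA sentences and flags a fix whose implied speed since the previous fix is implausible, which is how a sudden 300 m offset shows up in the data. The 40-knot ceiling, the function names and the sample sentences are assumptions made for illustration; the NMEA checksum is an error check, not authentication, so it only catches edits made without recomputing it.

```python
import math
from functools import reduce

MAX_PLAUSIBLE_KNOTS = 40.0    # assumed ceiling; set per vessel
EARTH_RADIUS_M = 6_371_000.0
MPS_PER_KNOT = 0.514444


def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two hex digits."""
    return f"{reduce(lambda acc, ch: acc ^ ord(ch), body, 0):02X}"


def make_gga(hhmmss: str, lat: str, lon: str) -> str:
    """Build a constructed GGA sentence (N/E hemisphere sample data only)."""
    body = f"GPGGA,{hhmmss},{lat},N,{lon},E,1,09,0.9,12.0,M,40.0,M,,"
    return f"${body}*{nmea_checksum(body)}"


def _to_degrees(value: str, hemisphere: str, degree_digits: int) -> float:
    """Convert NMEA (d)ddmm.mmmm plus hemisphere letter to signed degrees."""
    degrees = int(value[:degree_digits]) + float(value[degree_digits:]) / 60.0
    return -degrees if hemisphere in ("S", "W") else degrees


def parse_gga(sentence: str):
    """Return (seconds_of_day, lat, lon); raise ValueError on any defect."""
    sentence = sentence.strip()
    if not sentence.startswith("$") or "*" not in sentence:
        raise ValueError("not an NMEA sentence")
    body, _, given = sentence[1:].rpartition("*")
    if nmea_checksum(body) != given.upper():
        raise ValueError("checksum mismatch")
    fields = body.split(",")
    if not fields[0].endswith("GGA") or len(fields) < 6:
        raise ValueError("not a GGA sentence")
    t = fields[1]
    seconds = int(t[0:2]) * 3600 + int(t[2:4]) * 60 + float(t[4:])
    return (seconds,
            _to_degrees(fields[2], fields[3], 2),
            _to_degrees(fields[4], fields[5], 3))


def distance_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_stream(sentences, max_knots=MAX_PLAUSIBLE_KNOTS):
    """Return a list of (index, kind, detail) alerts for a GGA stream."""
    alerts, previous = [], None
    for index, sentence in enumerate(sentences):
        try:
            fix = parse_gga(sentence)
        except ValueError as exc:
            alerts.append((index, "invalid", str(exc)))
            continue
        if previous is not None:
            elapsed = (fix[0] - previous[0]) % 86400  # tolerate midnight rollover
            if elapsed == 0:
                alerts.append((index, "invalid", "repeated timestamp"))
                continue
            metres = distance_m(previous[1], previous[2], fix[1], fix[2])
            knots = metres / elapsed / MPS_PER_KNOT
            if knots > max_knots:
                alerts.append((index, "jump", f"implied speed {knots:.0f} kn"))
        previous = fix  # re-baseline so one step change raises one alert
    return alerts


# Constructed sample: ~12 kn northbound track, a 300 m step at index 3, and
# a sentence at index 5 edited after its checksum was computed.
SAMPLE = [
    make_gga("120000.00", "4530.0000", "01300.0000"),
    make_gga("120010.00", "4530.0333", "01300.0000"),
    make_gga("120020.00", "4530.0666", "01300.0000"),
    make_gga("120030.00", "4530.2619", "01300.0000"),
    make_gga("120040.00", "4530.2952", "01300.0000"),
    make_gga("120050.00", "4530.3285", "01300.0000").replace("4530.3285", "4531.3285"),
]

if __name__ == "__main__":
    for alert in check_stream(SAMPLE):
        print(alert)
```

This only catches step changes; a constant offset present from the first fix needs cross-checking against an independent position source.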

Pen Test Partners also demonstrated that automatic identification system (AIS) information could be tampered with. For example, a hacker could create a 1 km² floating island in a shipping lane. “Every ship ECDIS would be alerted to the phantom blockage and collision potential,” Mr Munro said.

This could cause confusion on ship bridges and potential course alterations that in congested waters could lead to collisions. Hackers could use these techniques to steal money, manipulate ship movements for financial gain or cause vessel groundings or collisions, said Mr Munro.

ECDIS security issues

  • Out-of-date software.
  • Insecure configuration interfaces.
  • Unstable network stacks.
  • Vulnerabilities in software.
  • GPS spoofing and jamming.
  • ENC denial.
  • False AIS.

 


 

Source: rivieramm


Executives and staff at the agency responsible for protecting the health of the U.S. domestic maritime industry are vulnerable to cyber hacking that could cause the agency “serious public embarrassment,” a government watchdog has found.

A report made public today (July 26) by the U.S. Department of Transportation Inspector General (DOT OIG) revealed that “malicious attackers” could have obtained records and stolen the identities from 13 executives and staff who recently joined the U.S. Maritime Administration (MarAd), potentially costing the agency $103 million in credit monitoring fees.

The report outlines how OIG auditors were able to gain unauthorized access to MarAd’s network, in part because the agency did not have a government-recommended alert system able to detect intruders. “We also gained access to records containing PII [personally identifiable information],” the report states. “While DOT policy requires the use of encryption to protect sensitive data, these records and other data we obtained were not encrypted.”

The OIG report notes that a DOT official could not explain why employees did not encrypt sensitive information given that the information security awareness training they received included a section on the protection of sensitive information. “This official also could not explain why administrators had not applied least privilege controls to the MarAd service account we accessed,” according to the report.

“The same official acknowledged that users were not following DOT policy and security awareness training to adequately protect passwords. The official informed us that [DOT’s Office of the Secretary] is transitioning to the use of personal identification verification cards for network and facility access. MarAd’s lack of adherence to DOT policy on encryption, use of least privilege, protection of PII, and password storage creates a risk for unauthorized access to MarAd” and other information, the report affirmed.

 


 

Source: freightwaves


Maritime transport is a vital backbone of today’s global and complex supply chains. Unfortunately, the specific vulnerability of maritime supply chains has not been widely researched. This paper by Øyvind Berle, Bjørn Egil Asbjørnslett and James B Rice puts it right and presents a Formal Vulnerability Assessment of a maritime transportation system. This is not the first maritime paper that Asbjørnslett has contributed to on this blog, and he keeps up the good work he started in 2007, when he presented Coping with risk in maritime logistics at ESREL 2007.

Maritime transport – a forgotten part of supply chains?

I guess it is true that maritime transport or sea transport is an overlooked part of supply chains, even on this blog. In my more than 500 posts the word “maritime” only occurs in 20 of them. Well, perhaps not so forgotten, but maybe such an obvious part of today’s supply chains that it is not looked at specifically, and just assumed to be part of the wider picture. Considering Norway’s maritime and seafaring tradition, it is not surprising to see Norwegian researchers taking up this particular question. One of the authors, Asbjørnslett, is part of the Marine System Design research group at the Department of Marine Technology at NTNU in Trondheim, Norway, where he among other topics is involved in research related to risk taxonomies in maritime transport systems, risk assessment in fleet scheduling, and studies of vessel accident data for improved maritime risk assessment.

The invisible risk?

It is interesting to see what starting point the authors use in their introduction, namely the 2008 Global Risk Report by the World Economic Forum. In my post on Supply Chain Vulnerability – the invisible global risk I highlighted that report, which listed the hyper-optimization of supply chains as one of four emerging threats at that time, and as the authors put it:

[…] risks in long and complex supply chains are obscured by the sheer degree of coupling and interaction between sources, stakeholders and processes within and outside of the system; disruptions are inevitable, management and preparation are therefore difficult […]

Akin to the infamous “Butterfly effect”, even a minor local disruption in my supply chain could have major and global implications not just on the company directly linked to the supply chain, i.e. me, but also on other businesses. Or conversely, some other company’s disruption may affect me severely, even though I in no (business) way am connected to said company.

Issues and questions

With that in mind the authors set out to address these particular issues they found in their preliminary observations:

I1—respondents have an operational focus; in this, they spend their efforts on frequent minor disruptions rather than the larger accidental events.

I2—stakeholders do know that larger events do happen, and they know that these are very costly, yet they do not prepare systematically to restore the system.

I3—maritime transportation stakeholders find their systems unique. As a consequence, they consider that little may be learnt from benchmarking other maritime transportation system’s efforts in improving vulnerability reduction efforts.

I4—there seems to be little visibility throughout the maritime transportation system.

which led them to propose these research questions:

RQ1—what would be a suitable framework for addressing maritime transportation system vulnerability to disruption risks?

RQ2—which tools and methods are needed for increasing the ability of operators and dependents of maritime transportation to understand disruption risks, to withstand such risk, and to prepare to restore the functionality of the transportation system after a disruption has occurred?

I like this introduction, clearly identifying a direction and purpose of the paper.

 


 

Source: husdal


UPDATED ClassNK, the ship classification organization, has revised its guidelines for bolstering oceangoing vessels’ cybersecurity during their design and construction.

The Tokyo-based non-profit has updated the framework for evaluating and mitigating cyber risks in line with the ISA/IEC 62443 industrial control systems standard and the latest recommendation on cyber resilience for new ships from the International Association of Classification Societies (IACS).

The second edition of the ‘Guidelines for Designing Cyber Security Onboard Ships’, which supersedes the first version published in March 2019, also introduces a ‘CybR-G’ certification and associated audit requirements, according to a press release issued earlier this month.

The guidelines are aimed at anyone responsible for implementing security controls for network-connected, on-board systems.

The recommendations reflect growing concern within the maritime industry that the increasing connectivity of seafaring systems, combined with aging, unmanaged networks, is fuelling a rise in disruptive cyber-attacks against the sector.

Cyber-attacks against the industry’s operational technology (OT) systems have soared by 900% over the last three years, with 2020 set to be another record-breaking year, according to research from Israeli security firm Naval Dome.

Security breaches have crippled operations at a US maritime facility, shipping company MSC, and Iran’s Shahid Rajee port this year.

Control measures framework

The new guidelines state that system integrators must perform a risk assessment on a ship’s on-board systems and propose and implement security controls to remediate risks.

These control measures can include fixing security vulnerabilities, network segmentation, and isolating critical systems in “essential network security zones” that block “unwanted communications”.

The observations of one leading shipping security expert suggest that initiatives to make ships secure by design are long overdue.

“Ships are highly complex OT and IT environments featuring technology from suppliers with a highly varied approach to security,” Ken Munro, founder and partner at UK security outfit Pen Test Partners, told The Daily Swig.

“Integrated bridge systems with unchangeable, simple passwords on network services are not uncommon. Unmanaged remote access by engine and other tech providers is also not uncommon.”

 


 

Integrators are also instructed to diagrammatically map all network connections and evaluate the criticality of all on-board hardware and software.

The CybR-G notation is subject to passing an initial audit, annual audits thereafter, and additional audits when a system is damaged or modified.

First covered by The Daily Swig in 2018, the guidelines and certification scheme, along with separate advice focused on software and cybersecurity management, have emerged from ClassNK’s Cyber Security Approach (PDF), which prescribes a layered approach to cybersecurity.

The most important changes to the guidelines in terms of improving the cybersecurity posture of seafaring vessels are the cybersecurity notation, which was introduced in response to demand from shipowners, and the incorporation of IEC62443 requirements, a spokesperson for ClassNK told The Daily Swig.

“ClassNK envisages ships’ cybersecurity, at the application of information technology utilizing cyberspace on operation technology of ships, as ensuring [that] navigational safety is not hindered by [a lack of] cyber resilience of [the] onboard equipment, onboard network, and cybersecurity management system,” they added.

Skills gap

But Munro, who has previously demonstrated the pitfalls of out-of-band management in the maritime sector and how to take control of a ship’s satellite communications system, feels the guidelines will be undermined by a dearth of maritime-specific cyber skills.

“It’s great to see standards emerging around vessel cybersecurity,” he said. “However, there’s a significant lack of skills in this space, so any assessment is likely to be checklist-based.

 


 

“We’ve tested vessels fresh out of the yard and found their security to be much better than those in service for a few years, but still not secure enough that we couldn’t compromise them. Checklists won’t find the variety of issues we keep finding – they might resolve casual attacks, but more targeted attackers are likely to succeed.”

He also thinks a checklist-based approach is too simplistic.

“Typically, a ship either meets class society rules or it doesn’t – either ‘in’ or ‘out’ of class,” he explains. “Cyber is more about shades of grey.

“This also presents issues for maritime insurance,” he adds, because “cyber security isn’t binary – a ship is never ‘secure’, so how should the underwriter assess risk meaningfully?

“I don’t think it will be long before we see a ‘cyber’ certified vessel being compromised.”

 


 

Source: portswigger

 

 


Rapid developments in technology have brought on benefits to many industries, including the shipping industry.

With these improvements come increased usage of cyber technologies that are critical and essential to the management and operations of many systems and processes onboard. Not to mention, cyber technologies also keep the crew, cargo and the ship itself safe and secure.

Thanks to the integration of IT (information technology) and OT (operational technology) onboard, ships are now networked and connected to the Internet. While these technologies and systems provide efficiency gains for the maritime industry, they also present various risks to the critical processes and systems on which ship operations depend.

 


 

Source: adv-polymer


An equipment room containing PLCs and control gear for critical systems was located some distance from the main engine control room but required frequent adjustments via a local HMI.

To avoid leaving the control room, a PC was installed in the equipment room. Teamviewer was used to enable remote access from the control room.

The remote PC bridged between the corporate network and the OT network. The Teamviewer password was on a label above a monitor in the control room, allowing access to the remote PC from the wider Internet.

A vulnerability discovered in the network switches of the OT equipment allowed a shared password to be recovered. With this, it was possible to wipe the configuration of PLCs and switches, stopping all OT systems from functioning.

Scenario 2: Third-party mistakenly allows access to critical serial networks

The load computer was located on the bridge of the vessel. This required network connectivity between two PCs, and to several remote Serial->IP convertors used to read information from ballast tanks.

The third-party vendor used the available network sockets on the bridge to interface to these. The network design of the vessel meant that any unrecognised or unregistered devices were placed in an isolated VLAN.

This allowed the PCs to interact with the Serial->IP convertors. However, network sockets in the passenger space used the same mechanism.

A laptop connected to a network port in the passenger space could therefore inject traffic onto the serial network used for ballast tank readings. Random data injected here prevented the bridge systems reading ballast tank levels, causing multiple alarms and the requirement to take manual dippings until the problem was resolved.
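The design flaw in this scenario can be checked for from a port inventory. The following added example (not Pen Test Partners' tooling; port names, device names, VLAN numbers and the inventory layout are all hypothetical) computes which VLAN each socket ends up in and reports any VLAN that is reachable from a passenger-space socket while also carrying a critical device. It runs the same audit against the shared fallback VLAN described above and against a per-zone fallback.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str
    zone: str                          # physical location of the socket
    device: Optional[str] = None       # None = empty socket, anyone can plug in
    critical: bool = False             # device feeds a safety-relevant system
    static_vlan: Optional[int] = None  # set only for registered devices


UNTRUSTED_ZONES = {"passenger"}

# Constructed inventory modelled on the scenario: the load computer PCs and
# the Serial->IP convertors are unregistered, so they land in the fallback VLAN.
PORTS = [
    Port("bridge-03", "bridge", "load-computer-a"),
    Port("bridge-04", "bridge", "load-computer-b"),
    Port("tank-deck-07", "ballast", "serial-ip-converter-1", critical=True),
    Port("tank-deck-08", "ballast", "serial-ip-converter-2", critical=True),
    Port("cabin-212", "passenger"),
    Port("lounge-05", "passenger"),
    Port("ecr-01", "engine-control", "icms-hmi", critical=True, static_vlan=20),
]

# As found: every unregistered device, wherever it plugs in, shares one VLAN.
SHARED_FALLBACK = {"*": 999}
# Corrected: unregistered devices in passenger spaces get their own VLAN.
PER_ZONE_FALLBACK = {"passenger": 998, "*": 999}


def effective_vlan(port: Port, fallback: dict) -> int:
    """VLAN a device on this socket ends up in under the given fallback policy."""
    if port.static_vlan is not None:
        return port.static_vlan
    return fallback.get(port.zone, fallback["*"])


def audit(ports, fallback):
    """Return {vlan: (untrusted_sockets, critical_devices)} for every VLAN
    reachable from an untrusted zone that also carries a critical device."""
    sockets, critical = defaultdict(list), defaultdict(list)
    for port in ports:
        vlan = effective_vlan(port, fallback)
        if port.zone in UNTRUSTED_ZONES:
            sockets[vlan].append(port.name)
        if port.critical:
            critical[vlan].append(port.device)
    return {v: (sockets[v], critical[v]) for v in sockets if v in critical}


if __name__ == "__main__":
    print("shared fallback  :", audit(PORTS, SHARED_FALLBACK))
    print("per-zone fallback:", audit(PORTS, PER_ZONE_FALLBACK))
```

Separating the fallback VLAN clears this finding, but the convertors still sit in a VLAN meant for unknown devices; registering them into a dedicated OT VLAN is the stronger fix.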

Scenario 3: Remote firmware update causes operational issues

The NOx scrubber system was installed by a third party and contained significant control gear and remote monitoring.

The ship owner provided a dedicated VLAN for the system to communicate over VSAT. It was found that the HMI providing remote connectivity was also attempting to download a firmware and configuration from a remote server using unsecured HTTP.

It was possible to update the firmware of the HMI to a malicious one, and remotely interact with the control gear of the scrubber. The configuration of the PLCs in the scrubber was wiped, preventing control and monitoring of the scrubber. The engines needed to be operated at reduced power to avoid damage to the scrubber system.

Scenario 4: Accessible HMI leaks high-value passwords

An HMI in a HVAC room on the vessel had access to a limited number of screens, only concerning control of the HVAC equipment and monitoring of power systems on the vessel.

By using the “Print” menu, it was possible to break out of the HMI software and access the underlying operating system.

All HMIs used a shared Windows network, including SMB shares. One of the HMIs in the main control room had a file called “passwords.txt” left on this share.

This contained operator and administrator passwords for all the HMIs and PLCs, left from when the vessel was commissioned. These passwords were found to be common across all vessels using that ICMS (Integrated Control and Monitoring System) vendor.

Conclusion

Getting the basics dealt with is a good start. Issues with passwords, patches and people are widespread on vessels. Checklists work when dealing with these basics.

A checklist is not the way to address all security issues; to borrow a phrase from aviation – tyres need to be kicked and fires need to be lit. Hard evidence is needed that policies are actually adhered to when at sea.

Finally, vessel security needs to be tested thoroughly, as cyber criminals don’t use checklists.

 


 

Source: pentestpartners


Historically, several maritime casualties have caused loss of lives or environmental disasters. World states are responsible for eliminating such disasters, along with the improvement and efficiency of goods transportation. To prevent similar cases, states have agreed to enforce international standards on oceangoing ships. For monitoring purposes, each state has empowered its Port State Control (PSC) to inspect foreign ships. Nevertheless, there are arguments that ships are over-inspected while accidents still occur. As a complementary action, some private organisations developed risk-based models, which used inspection results by PSC authorities to rate substandard ships. However, these companies provide the ship rating results only to their clients. In this paper, it is argued that variations among PSC standards are not included in existing risk-based models. Therefore, in the proposed methodology, a Risk Accident Likelihood Tool is introduced, which is based on the reported ship deficiencies. The innovative idea is that every deficiency is weighted according to the rigorousness of the PSC recording the deficiency. This study shows that the challenges of inspection authorities are mainly caused by insufficient resources or poor organisational issues. Eventually, the proposed risk methodology provides a simplified scoring method. Ships with a high score are more likely to suffer an accident.

 

Source: link.springer


Shipping will face many obstacles as it strives to reduce its emissions impact. The switch to cleaner fuels, essential for much of the global fleet, will bring added cost and complexity as well as the need for new skills. Digital systems will play a key role in enabling this transition.

In November 2020, IMO’s Marine Environment Protection Committee meeting (MEPC 75) proposed its first short-term measures to reduce ships’ greenhouse gas emissions (GHG) in line with IMO’s 2030 and 2050 GHG reduction targets. This year it will begin discussing longer-term solutions including how to encourage development and uptake of new fuel technologies.

Many fuels are vying for the chance to become the mainstay of any future fleet, including hydrogen, LNG, LPG, ammonia, methanol and biofuel. A broader range of propulsion technologies will also be considered, with fuel cells and batteries being widely touted as a possible replacement for ship engines on some vessel types and trades.

As with any big change, there will be challenges. The shipping industry has relied on conventional engines and, in most cases, a single fuel type for decades. New fuels will lead to increasingly complex systems and introduce new hazards. It is likely that greater automation and optimisation will be required to not only manage these systems and the new risks they might bring with them, but also to operate them efficiently to keep costs down.

 

Source: wartsila


The University of Oldenburg is taking part in an EU research project aimed at sustainable transportation of goods. The AVATAR project will investigate whether autonomous, zero-emission ships could be cost-effective on small inland waterways.

Many cities in the North Sea region are criss-crossed by canals which in the past were used for inland transport of goods and people in and around urban environments. Nowadays, however, this mode of transport is for the most part no longer economically viable, mainly due to high crewing costs. The AVATAR project (“Sustainable urban freight transport with autonomous zero-emission vessels”), in which the University of Oldenburg is also participating, will now investigate whether autonomous transport systems could be cost-effective on small inland waterways. Led by computer scientist Prof. Dr.-Ing. Axel Hahn, the Oldenburg team is developing a control centre to monitor the robot ship traffic.

The total budget for the project is approximately 1.9 million euros over the next three years, around half of which is being provided by the Interreg Europe North Sea Region programme. Seven partners from Germany, the Netherlands and Belgium are involved, with the Development Agency East-Flanders in Ghent (Belgium) as lead partner.

The project is investigating the economic potential of zero-emission urban freight vessels powered by renewable energies. The aim is to establish to what extent these vehicles could replace road transportation and thus help to reduce noise levels and exhaust emissions. The main focus in the Oldenburg sub-project is on safety concepts and communication with the robot ships.

Hahn’s team is working on so-called fallback solutions. “In critical situations, it must be possible to take over control of the vessels from a control centre,” Hahn explains. The researchers are investigating what data the control centre would require to be able to control a ship remotely. The system is to be housed in a container that can be set up at different locations for testing purposes. The “Maritime Connectivity Platform”, a communication system for maritime shipping which is currently under development, could be used for communication. It allows for the electronic exchange of data between vessels, ports, authorities and service providers.

The participants in AVATAR are mainly concerned with the “last mile” – the last leg of the journey in freight transport. In the future, robot ships could for example bring palletised goods from central transhipment points to inner city locations and carry waste away from them. Hamburg, Delft (the Netherlands), Ghent and Leuven (Belgium) are the pilot cities.

 

Source: idw-online


Company DETAILS

SHIP IP LTD
VAT:BG 202572176
Rakovski STR.145
Sofia,
Bulgaria
Phone ( +359) 24929284
E-mail: sales(at)shipip.com

ISO 9001:2015 CERTIFIED