MARITIME CYBER SECURITY Archives - Page 22 of 41 - SHIP IP LTD

Pen Test Partners were able to penetrate leading ECDIS models swiftly and easily simulating what real hackers could achieve

In June, Pen Test Partners were tasked with penetrating multiple makes and models of ECDIS and the results in their own words were shocking. The ethical hackers found high level issues in most ECDIS tested.

Pen Test Partners senior partner and ethical hacker Ken Munro said the most significant issue was that most ECDIS ran on very old Microsoft operating systems, including Windows XP, 7 and Windows NT. This means the majority of ECDIS are not supported by Microsoft and thus, do not have regularly updated security.

“It was therefore trivially easy to completely compromise every ECDIS,” said Mr Munro. “Complete control could be gained over the network interfaces and USB,” he told Marine Electronics & Communications.

Even if the host operating system was up-to-date and secure, most ECDIS offered network services that were vulnerable. These were usually present to allow communication with other operational technology on a ship’s bridge.

Pen Test Partners found exposed configuration interfaces over these networks. “We could boot up the ECDIS from a USB key, locate the encrypted passwords for these services, crack them and then reconfigure the ECDIS,” said Mr Munro.

In addition, the penetrators discovered that these passwords were rarely changed and in many cases, the vendors’ documentation made no mention of changing network service passwords, just the host operating system passwords.

They were also able to cause issues with ECDIS models by sending unexpected network traffic. “In some cases, this led to remote-code execution, whereby we could compromise the ECDIS even if the software was up-to-date,” said Mr Munro.

Some ECDIS models had integrated security software, such as antivirus and firewalls. These were effective for what Mr Munro called “low-grade attacks” but made little difference to higher skill attackers. “We found significant security flaws in the ECDIS software itself, which allowed us to bypass the security software,” he explained.

GPS spoofing

Cyber attacks on ECDIS may not be a direct penetration. Mr Munro’s team were also able to reconfigure ECDIS to believe its GPS receiver was at the other end of the vessel, therefore introducing a 300 m offset.

“Then, through further reconfiguration, we changed the profile of the vessel to be 1 km² square, for an offset of 1,000 m,” he said. Even further offsets could be introduced by tampering with the US National Marine Electronics Association 0183 serial data being sent to the ECDIS from the GPS receiver.

“Having compromised the ECDIS, we had control over the serial COM ports through which the GPS communicated its position and could tamper with that position data also,” said Mr Munro. Identical offsets could be introduced to radar, meaning a watch officer could not use that method to check for position discrepancies.

Pen Test Partners also demonstrated that automatic identification system (AIS) information could be tampered with. For example, a hacker could create a 1 km² floating island in a shipping lane. “Every ship ECDIS would be alerted to the phantom blockage and collision potential,” Mr Munro said.

This could cause confusion on ship bridges and potential course alterations that in congested waters could lead to collisions. Hackers could use these techniques to steal money, manipulate ship movements for financial gain or cause vessel groundings or collisions, said Mr Munro.

ECDIS security issues

• Out-of-date software.
• Insecure configuration interfaces.
• Unstable network stacks.
• Vulnerabilities in software.
• GPS spoofing and jamming.
• ENC denial.
• False AIS.

SHIP IP LTD – Remote internal/external Vulnerability &

Penetration Testing

TRUST OUR NETWORK – WE GUARANTEE BEST PRICES!

READ MORE

Maritime Vulnerability and Penetration Testing

Source: rivieramm

Executives and staff at the agency responsible for protecting the health of the U.S. domestic maritime industry are vulnerable to cyber hacking that could cause the agency “serious public embarrassment,” a government watchdog has found.

A report made public today (July 26) by the U.S. Department of Transportation Inspector General (DOT OIG) revealed that “malicious attackers” could have obtained records and stolen the identities from 13 executives and staff who recently joined the U.S. Maritime Administration (MarAd), potentially costing the agency $103 million in credit monitoring fees.

The report outlines how OIG auditors were able to gain unauthorized access to MarAd’s network, in part because the agency did not have a government-recommended alert system able to detect intruders. “We also gained access to records containing PII [personally identifiable information], the report states. “While DOT policy requires the use of encryption to protect sensitive data, these records and other data we obtained were not encrypted.”

The OIG report notes that a DOT official could not explain why employees did not encrypt sensitive information given that the information security awareness training they received included a section on the protection of sensitive information. “This official also could not explain why administrators had not applied least privilege controls to the MarAd service account we accessed,” according to the report.

“The same official acknowledged that users were not following DOT policy and security awareness training to adequately protect passwords. The official informed us that [DOT’s Office of the Secretary] is transitioning to the use of personal identification verification cards for network and facility access. MarAd’s lack of adherence to DOT policy on encryption, use of least privilege, protection of PII, and password storage creates a risk for unauthorized access to MarAd” and other information, the report affirmed.

SHIP IP LTD – Remote internal/external Vulnerability &

Penetration Testing

TRUST OUR NETWORK – WE GUARANTEE BEST PRICES!

READ MORE

Maritime Vulnerability and Penetration Testing

Source: freightwaves

Maritime transport is a vital backbone of today’s global and complex supply chains. Unfortunately, the specific vulnerability of maritime supply chains has not been widely researched. This paper by Øyvind Berle, Bjørn Egil Asbjørnslett and James B Rice puts it right and presents a Formal Vulnerability Assessment of a maritime transportation system. This is not the first maritime paper that Asbjørnslett has contributed to on this blog, and he keeps up the good work he started in 2007, when he presented Coping with risk in maritime logistics at ESREL 2007.

Maritime transport – a forgotten part of supply chains?

I guess it is true that maritime transport or sea transport is an overlooked part of supply chains, even on this blog. In my more than 500 posts the word “maritime only occurs in 20 of them. Well, perhaps not so forgotten, but maybe such an obvious part of today’s supply chains that it is not looked at specifically, and just assumed to be part of the wider picture. Considering Norway’s maritime and seafaring tradition, it is not surprising to see Norwegian researchers taking up this particular question. One of the authors, Asbjørnslett,  is part of the Marine System Design research group at the Department of Marine Technology at NTNU in Trondheim, Norway, where he among other topics is involved in research related to risk taxonomies in maritime transport systems, risk assessment in fleet scheduling, and studies of vessel accident data for improved maritime risk assessment.

The invisble risk?

It is interesting to see what starting point the authors use in their introduction, namely the 2008 Global Risk Report by  the World Economic Forum. In my post on Supply Chain Vulnerability – the invisible global risk I highlighted that report, which listed the hyper-optimization of supply chains as one of four emerging threats at that time, and as the authors put it:

[…] risks in long and complex supply chains are obscured by the sheer degree of coupling and interaction between sources, stakeholders and processes within and outside of the system; disruptions are inevitable, management and preparation are therefore difficult […]

Akin to the infamous “Butterfly effect”, even a minor local disruption in my supply chain could have major and global implications not just on the company directly linked to the supply chain, i.e. me, but also on other businesses. Or conversely, some other company’s disruption may affect me severely, even though I in no (business) way am connected to said company.

Issues and questions

With that in mind the authors set out to address these particular issues they found in their preliminary observations:

I1—respondents have an operational focus; in this, they spend their efforts on frequent minor disruptions rather than the larger accidental events.

I2—stakeholders do know that larger events do happen, and they know that these are very costly, yet they do not prepare systematically to restore the system.

I3—maritime transportation stakeholders find their systems unique. As a consequence, they consider that little may be learnt from benchmarking other maritime transportation system’s efforts in improving vulnerability reduction efforts.

I4—there seems to be little visibility throughout the maritime transportation system.

which led them to to propose these research questions:

RQ1—what would be a suitable framework for addressing maritime transportation system vulnerability to disruption risks?

RQ2—which tools and methods are needed for increasing the ability of operators and dependents of maritime transportation to understand disruption risks, to withstand such risk, and to prepare to restore the functionality of the transportation system after a disruption has occurred?

I like this introduction, clearly identifying a direction and purpose of the paper.

SHIP IP LTD – Remote internal/external Vulnerability &

Penetration Testing

TRUST OUR NETWORK – WE GUARANTEE BEST PRICES!

READ MORE

Maritime Vulnerability and Penetration Testing

SHIP IP LTD – Remote internal/external Vulnerability &

Penetration Testing

TRUST OUR NETWORK – WE GUARANTEE BEST PRICES!

READ MORE

Maritime Vulnerability and Penetration Testing

Source: husdal

UPDATED ClassNK, the ship classification organization, has revised its guidelines for bolstering oceangoing vessels’ cybersecurity during their design and construction.

The Tokyo-based non-profit has updated the framework for evaluating and mitigating cyber risks in line with the ISA/IEC 62443 industrial control systems standard and the latest recommendation on cyber resilience for new ships from the International Association of Classification Societies (IACS).

The second edition of the ‘Guidelines for Designing Cyber Security Onboard Ships’, which supersedes the first version published in March 2019, also introduces a ‘CybR-G’ certification and associated audit requirements, according to a press release issued earlier this month.

The guidelines are aimed at anyone responsible for implementing security controls for network-connected, on-board systems.

The recommendations reflect growing concern within the maritime industry that the increasing connectivity of seafaring systems, combined with aging, unmanaged networks, is fuelling a rise in disruptive cyber-attacks against the sector.

Cyber-attacks against the industry’s operational technology (OT) systems have soared by 900% over the last three years, with 2020 set to be another record-breaking year, according to research from Israeli security firm Naval Dome.

Security breaches have crippled operations at a US maritime facility, shipping company MSC, and Iran’s Shahid Rajee port this year.

Control measures framework

The new guidelines state that system integrators must perform a risk assessment on a ship’s on-board systems and propose and implement security controls to remediate risks.

These control measures can include fixing security vulnerabilities, network segmentation, and isolating critical systems in “essential network security zones” that block “unwanted communications”.

The observations of one leading shipping security expert suggest that initiatives to make ships secure by design are long overdue.

“Ships are highly complex OT and IT environments featuring technology from suppliers with a highly varied approach to security,” Ken Munro, founder and partner at UK security outfit Pen Test Partners, told The Daily Swig.

“Integrated bridge systems with unchangeable, simple passwords on network services are not uncommon. Unmanaged remote access by engine and other tech providers is also not uncommon.”

RELATED Maritime telecoms giant patches SQL vulnerability

Integrators are also instructed to diagrammatically map all network connections and evaluate the criticality of all on-board hardware and software.

The CybR-G notation is subject to passing an initial audit, annual audits thereafter, and additional audits when a system is damaged or modified.

First covered by The Daily Swig in 2018, the guidelines and certification scheme, along with separate advice focused on software and cybersecurity management, have emerged from ClassNK’s Cyber Security Approach (PDF), which prescribes a layered approach to cybersecurity.

The most important changes to the guidelines in terms of improving the cybersecurity posture of seafaring vessels are the cybersecurity notation, which was introduced in response to demand from shipowners, and the incorporation of IEC62443 requirements, a spokesperson for ClassNK told The Daily Swig.

“ClassNK envisages ships’ cybersecurity, at the application of information technology utilizing cyberspace on operation technology of ships, as ensuring [that] navigational safety is not hindered by [a lack of] cyber resilience of [the] onboard equipment, onboard network, and cybersecurity management system,” they added.

Skills gap

But Munro, who has previously demonstrated the pitfalls of out-of-band management in the maritime sector and how to take control of a ship’s satellite communications system, feels the guidelines will be undermined by a dearth of maritime-specific cyber skills.

“It’s great to see standards emerging around vessel cybersecurity,” he said. “However, there’s a significant lack of skills in this space, so any assessment is likely to be checklist-based.

READ MORE Spanish state railway company Adif hit by REvil ransomware attack

“We’ve tested vessels fresh out of the yard and found their security to be much better than those in service for a few years, but still not secure enough that we couldn’t compromise them. Checklists won’t find the variety of issues we keep finding – they might resolve casual attacks, but more targeted attackers are likely to succeed.”

He also thinks a checklist-based approach is too simplistic.

“Typically, a ship either meets class society rules or it doesn’t – either ‘in’ or ‘out’ of class,” he explains. “Cyber is more about shades of grey.

“This also presents issues for maritime insurance,” he adds, because “cyber security isn’t binary – a ship is never ‘secure’, so how should the underwriter assess risk meaningfully?

“I don’t think it will be long before we see a ‘cyber’ certified vessel being compromised.”

SHIP IP LTD – Remote internal/external Vulnerability &

Penetration Testing

TRUST OUR NETWORK – WE GUARANTEE BEST PRICES!

READ MORE

Maritime Vulnerability and Penetration Testing

Source: portswigger

Rapid developments in technology have brought on benefits to many industries, including the shipping industry.

With these improvements come increased usage of cyber technologies that are critical and essential to the management and operations of many systems and processes onboard. Not to mention, cyber technologies also keep the crew, cargo and the ship itself safe and secure.

Thanks to the integration of IT (informational technologies) and OT (operational technologies) onboard from these technologies, ships are connected through connectivity and networking to the Internet. While these technologies and systems provide efficiency gains for the maritime industry, they also present various risks to critical processes and systems that are directly linked to the operation of systems that are critical for shipping.

SHIP IP LTD – Remote internal/external Vulnerability &

Penetration Testing

TRUST OUR NETWORK – WE GUARANTEE BEST PRICES!

READ MORE

Maritime Vulnerability and Penetration Testing

Source: adv-polymer

An equipment room containing PLCs and control gear for critical systems was located some distance from the main engine control room but required frequent adjustments via a local HMI.

To avoid leaving the control room, a PC was installed in the equipment room. Teamviewer was used to enable remote access from the control room.

The remote PC bridged between the corporate network and the OT network. The Teamviewer password was on a label above a monitor in the control room, allowing access to the remote PC from the wider Internet.

A vulnerability discovered in the network switches of the OT equipment allowed a shared password to be recovered. With this, it was possible to wipe the configuration of PLCs and switches, stopping all OT systems from functioning.

Scenario 2: Third-party mistakenly allows access to critical serial networks

The load computer was located on the bridge of the vessel. This required network connectivity between two PCs, and to several remote Serial->IP convertors used to read information from ballast tanks.

The third-party vendor used the available network sockets on the bridge to interface to these. The network design of the vessel meant that any unrecognised or unregistered devices were placed in an isolated VLAN.

This allowed the PCs to interact with the Serial->IP convertors. However, network sockets in the passenger space used the same mechanism.

A laptop connected to a network port in the passenger space could therefore inject traffic onto the serial network used for ballast tank readings. Random data injected here prevented the bridge systems reading ballast tank levels, causing multiple alarms and the requirement to take manual dippings until the problem was resolved.

Scenario 3: Remote firmware update causes operational issues

The NOx scrubber system was installed by a third party and contained significant control gear and remote monitoring.

The ship owner provided a dedicated VLAN for the system to communicate over VSAT. It was found that the HMI providing remote connectivity was also attempting to download a firmware and configuration from a remote server using unsecured HTTP.

It was possible to update the firmware of the HMI to a malicious one, and remotely interact with the control gear of the scrubber. The configuration of the PLCs in the scrubber was wiped, preventing control and monitoring of the scrubber. The engines needed to be operated at reduced power to avoid damage to the scrubber system.

Scenario 4: Accessible HMI leaks high-value passwords

An HMI in a HVAC room on the vessel had access to a limited number of screens, only concerning control of the HVAC equipment and monitoring of power systems on the vessel.

By using the “Print” menu, it was possible to break out of the HMI software and access the underlying operating system.

All HMIs used a shared Windows network, including SMB shares. One of the HMIs in the main control room had a file called “passwords.txt” left on this share.

This contained operator and administrator passwords for all the HMIs and PLCs, left from when the vessel was commissioned. These passwords were found to be common across all vessels using that ICMS (Integrated Control and Monitoring System) vendor.

Conclusion

SHIP IP LTD – Remote internal/external Vulnerability &

Penetration Testing

TRUST OUR NETWORK – WE GUARANTEE BEST PRICES!

READ MORE

Maritime Vulnerability and Penetration Testing

Source: pentestpartners

With the permission and under the supervision of system manufacturers and owners, Naval Dome’s cyber engineering team hacked into live, in-operation systems used to control a ships’ navigation, radar, engines, pumps and machinery.

While the test ships and their systems were not in any danger, Naval Dome was able to shift the vessel’s reported position and mislead the radar display. Another attack resulted in machinery being disabled, signals to fuel and ballast pumps being over-ridden and steering gear controls manipulated.

Commenting on the first wave of penetration tests, on the ship’s Electronic Chart Display and Information System (ECDIS), Asaf Shefi, Naval Dome’s CTO, the former Head of the Israeli Naval C4I and Cyber Defense Unit, said: “We succeed in penetrating the system simply by sending an email to the Captain’s computer.

“We designed the attack to alter the vessel’s position at a critical point during an intended voyage – during night-time passage through a narrow canal. During the attack, the system’s display looked normal, but it was deceiving the Officer of the Watch. The actual situation was completely different to the one on screen. If the vessel had been operational, it would have almost certainly run aground.”

According to Shefi, the Naval Dome hack was able to alter draught/water depth details in line with the spurious position data displayed on screen.

“The vessel’s crucial parameters – position, heading, depth and speed – were manipulated in a way that the navigation picture made sense and did not arouse suspicion,” he said. “This type of attack can easily penetrate the antivirus and firewalls typically used in the maritime sector.”

Commenting on the ease with which Naval Dome was able to by-pass existing cyber security measures, Shefi explained: “The Captain’s computer is regularly connected to the internet through a satellite link, which is used for chart updates and for general logistic updates. Our attacking file was transferred to the ECDIS in the first chart update. The penetration route was not too complicated: the attacking file identified the Disk-On-Key use for update and installed itself. So once the officer had updated the ECDIS, our attack file immediately installed itself on to the system.”

In a second attack, the test ship’s radar was hit. While the radar is widely considered an impregnable, standalone system, Naval Dome’s team used the local Ethernet Switch Interface – which connects the radar to the ECDIS, Bridge Alert System and Voyage Data Recorder – to hack the system.

“The impact of this controlled attack was quite frightening,” said Shefi. “We succeeded in eliminating radar targets, simply deleting them from the screen. At the same time, the system display showed that the radar was working perfectly, including detection thresholds, which were presented on the radar as perfectly normal.”

A third controlled attack was performed on the Machinery Control System (MCS). In this case, Naval Dome’s team chose to penetrate the system using an infected USB stick placed in an inlet/socket.

“Once we connected to the vessel’s MCS, the virus file ran itself and started to change the functionality of auxiliary systems. The first target was the ballast system and the effects were startling. The display was presented as perfectly normal, while the valves and pumps were disrupted and stopped working. We could have misled all the auxiliary systems controlled by the MCS, including air-conditioning, generators, fuel systems and more.”

Itai Sela, CEO of Israel-headquartered Naval Dome, furthered that the virus infecting ship systems can also be unwittingly transferred by the system manufacturer.

“As manufacturers themselves can be targeted, when they take control of onboard computers to carry out diagnostics or perform software upgrades, they can inadvertently open the gate to a cyber attack and infect other PC-based systems onboard the ship. Our solution can prevent this from happening.”

SHIP IP LTD – Remote internal/external Vulnerability & Penetration Testing

TRUST OUR NETWORK – WE GUARANTEE BEST PRICES!

READ MORE

http://shipip.com/maritime-vulnerability-and-penetration-testing/

The Maritime business is facing huge challenges with managing Cyber Security in their environments. The maritime regulator, International Maritime Organization IMO, has identified these challenges in their efforts to regulate the maritime environment and has updated their regulations and guidelines to include cyber risk management onboard ships mandatory as of 1 January 2021.

Maritime organisations need to assess risks in both traditional information technology(IT) and Operational Technology(OT) environments in order to establish appropriate controls against cyber security incidents. In many cases, IT and OT is managed by different teams without established standards, shared knowledge and minimal collaboration, leaving IT uninformed about the OT technologies on ships and OT uninformed about the cyber threats and risks in traditional IT environments. Deductive Labs has the knowledge and experience that can help bridge the gap between IT and OT, aligning the areas with business goals, operational processes and security requirements.

Deductive Labs provide our customers with professional security services in order to improve their cyber security posture and fulfil current and upcoming requirements and regulations.

We combine our security- and penetration testing methodologies with our 15+ years of security knowledge and experience. Penetration testing methodology based on industry best practices from PTES standard, OWASP Testing Guide. ISO27001, IEC 62443, NIST Cyber Security Framework as information Security frameworks.

SHIP IP LTD – Remote internal/external Vulnerability & Penetration Testing

TRUST OUR NETWORK – WE GUARANTEE BEST PRICES!

READ MORE

http://shipip.com/maritime-vulnerability-and-penetration-testing/

GTMaritime is now offering a penetration testing service free of charge which allows customers to evaluate the ability of their personnel to identify phishing attacks

Hackers are constantly trying to come up with new ruses to outwit software-based protections. For this reason, crew cannot afford to become complacent in the belief that, with a technological safety net in place, everything reaching their inbox is trustworthy and can be taken at face value.

On the contrary, they must remain vigilant: the few malicious messages that do arrive will more likely resemble an authentic request or employ advanced social-engineering techniques, which make them harder to recognise.

Quality ship operators understand this and take a holistic approach to cyber defence. To supplement the work done by technological tools such as GTMailPlus by GTMaritime, they routinely remind staff to stay alert and offer training on what to look out for.

However, it can be difficult to gauge exactly how well these measures are working or to identify areas that would benefit from improvement. In the same way that cyber criminals are constantly refining their techniques, ship operators too must continually adapt.

Last autumn GTMaritime started offering a penetration testing service free of charge to its shipping company customers. The service involves sending a selection of crafted spoof phishing messages to crew to test for alertness and for response. These realistic but ultimately harmless simulated attacks offer an effective way of gathering quantitative evidence on the alertness of the frontline staff most exposed to hoax emails.

By revealing weaknesses in training provision, the free service allows customers to pinpoint where educational resources can be enhanced or redirected, knowledge gaps plugged and awareness raised.

Test results revealed weaknesses

We recently completed a two-round penetration test for an established shipping company. For the initial test the vessel operator sent to sixteen of its captains a spoof message appearing to come from a Port Authority requesting basic identifying information about the vessel and its owner.

Half correctly identified the message as a phishing attempt and ignored it, but half supplied the information asked for. Of the latter group, in no case was the message escalated to management for advice on how to proceed.

The 50-50 split certainly raised pulses at company headquarters, as the spoof email was written in poor English and emanated from a mysteriously unnamed port authority – both common traits that should ring alarm bells. To determine if the same result would be found if more detailed information was requested a second test was employed.

This time the message that supposedly came from a port authority had a personalised subject line that mentioned the target vessel’s name and IMO number. There is mounting evidence of cyber criminals including references to familiar people or organisations, adding a veneer of authenticity that encourages the targeted recipient to lower their guard. The rogue message then asked for a host of sensitive particulars and security details, which if passed on to pirates could jeopardise the safety of vessel and crew.

The response showed a marked improvement over the first test. Eight recipients immediately detected something was amiss and ignored the request. Encouragingly, three were suspicious enough to seek guidance from head office. Although head office personnel were kept in the dark about the test, they reacted correctly, advising vessels not to send any data and also alerted the IT department.

Even so, five vessels still obligingly followed the instructions in the message without properly considering either the safety or commercial ramifications of sensitive information falling into the wrong hands.

Path to enhanced education and procedures

Following the penetration tests GTMaritime supplied the vessel operator with educational materials for both staff and IT personnel. The operator took an enlightened view to the results, seeing them as an opportunity to learn rather than apportion blame. It later shared the full findings in a company-wide security bulletin in the hope that using real data rather than hypothetical scenarios to present the dangers would drive home the need for vigilance.

SHIP IP LTD – Remote internal/external Vulnerability & Penetration Testing

TRUST OUR NETWORK – WE GUARANTEE BEST PRICES!

READ MORE

http://shipip.com/maritime-vulnerability-and-penetration-testing/