MARITIME CYBER SECURITY Archives - Page 27 of 40 - SHIP IP LTD

[The excerpts below are from the book Maritime Cybersecurity: A Guide for Leaders and Managers, published in early September.]

[T]hreats should be put into context. The figure [below] shows the light configuration of a vessel that you do not want to see steaming towards you at night. Not only is this ship coming towards you head-on, it suggests that you're already in very dangerous waters, per Rule 27(f) in the Navigation Rules.

While this portrayal has a certain element of dark humor to it, it is also analogous to real life. When a ship is in a minefield, what is the real problem? Is it the threat of hitting a mine, or is it the vulnerability of the ship to the damage caused by the explosion? During the early days of the Battle of the Atlantic in World War II, Germany deployed magnetic mines against the British. The mines rose from the seafloor when they detected the small change in the Earth's magnetic field that occurred when a steel-hulled vessel came within range. The British, upon discovering this mechanism, took countermeasures to effectively degauss their warships. This change eliminated the mine's ability to exploit the ship's magnetic field and, at least temporarily, obviated the threat. The vulnerability of the ship to a mine was not eliminated, but the exploit was defeated.

In cyberspace, we can't control where the mines are, but we can control our susceptibility to getting hit by one and the subsequent damage that could result.

This leads to the following general truth about cybersecurity:

Vulnerabilities Trump Threats Maxim: If you know the vulnerabilities (weaknesses), you've got a shot at understanding the threats (the probability that the weaknesses will be exploited and by whom). Plus, you might even be OK if you get the threats all wrong. But if you focus only on the threats, you're probably in trouble.

Threats are a danger from someone else that can cause harm or damage. We might or might not be able to identify a potential threat, but we cannot control them. Vulnerabilities are our own flaws or weaknesses that can be exploited by a threat actor. Certainly, not all vulnerabilities can be exploited. We are—or should be—able to identify our vulnerabilities and correct them.

While we cannot control the threats, we should be knowledgeable about the threat landscape and have an idea of the threat actors who might wish to do us harm, but we should not obsess over the threats while planning a cyberdefense. Instead, we should look inward at our own systems, seek out the vulnerabilities, and plug the holes. New threats always emerge, but that doesn't change the strategic importance of fixing our own vulnerabilities.

Ironically, there is a corollary to this maxim: "Identifying threats can help get you funding while identifying vulnerabilities probably won't." Almost all cybersecurity professionals have gone to management to seek funds for an emergency update to hardware or software, only to be told that fixing a vulnerable system can always wait until the next budget cycle. Conversely, when management sees a memo from IMO or USCG, or a warning from an ISAC/ISAO, that highlights a credible threat directed at that same hardware or software, it is remarkable how quickly the funds become available.

——————————————————–

A common but mistaken belief at the leadership level of many organizations, both within the maritime industry and beyond, is that the responsibility for protecting information assets lies within the technology ranks. To those who subscribe to that belief, let us share the following: Anyone who thinks that technology can solve their problems doesn't understand technology or their problems.

Cybersecurity—or, arguably more properly, information security—is not merely, or even primarily, the responsibility of the IT department. Everyone who comes in contact with information in any form has the responsibility to protect it and, further, to recognize when it is under attack—and take whatever action is required to defend it, including reporting suspected attacks to the appropriate defensive agencies within the organization. Ultimately, it is the responsibility of a designated Chief Information Security Officer (CISO) to manage the cybersecurity posture of an organization. That posture includes the creation of a sense of urgency and awareness around cyberthreats at every level of the organization.

It is also important to recognize that IT and cybersecurity professionals have different—albeit often overlapping—skill sets. IT professionals keep networks running and resilient, and provide services and utility to the users; cybersecurity professionals protect those assets.

——————————————————–

[We wrote this book for] the maritime manager, executive, or thought leader who understands their business and the maritime transportation system, but is not as familiar with the issues and challenges related to cybersecurity. Our goal is to help prepare management to be thought and action leaders related to cybersecurity in the maritime domain. We assume that the reader knows their profession well, knowledge that will help to provide the insight into how cyber affects their profession and organization.

Chapter One (The Maritime Transportation System, MTS) provides a broad, high-level overview of the MTS, the various components within it that we are trying to secure, and the size and scope of the problem. Chapter Two (Cybersecurity Fundamentals) offers terms, concepts, and the vocabulary required to understand the articles that one reads and the conferences that one attends that discuss cybersecurity.

The next three chapters describe actual cyber incidents in different domains of the MTS and their impact on maritime operations. Chapters Three through Five address cyberattacks on shipping lines and other maritime companies, ports, and shipboard networks, respectively. Chapter Six (Navigation Systems) discusses issues relating to Global Navigation Satellite System (GNSS) and Automatic Identification System (AIS) spoofing and jamming, while Chapter Seven (Industrial Control and Autonomous Systems) presents cyber-related issues and the ever-increasing challenge of remote-controlled, semi-autonomous, and fully autonomous systems finding their way into the MTS.

Chapter Eight (Strategies for Maritime Cyberdefense) discusses practices that address cybersecurity operations in the MTS, including risk mitigation, training, the very real need for a framework of policies and procedures, and the development and implementation of a robust cybersecurity strategy. Chapter Nine offers final conclusions and a summary.

——————————————————–

Author's note: This book is intended to speak to all levels of members of the MTS, from executives, directors, and ship masters to managers, crew members, and administrative staff. Our hope is that it informs the reader to a higher level of awareness so that they can be more conscious of the threats and be better prepared — at whatever level of their job — to protect their information assets.

Because the field is so fast-paced, we also have a Web page — www.MaritimeCybersecurityBook.com — where we will post additional information.

Gary C. Kessler is a Professor of Cybersecurity in the Department of Security Studies & International Affairs at Embry-Riddle Aeronautical University. He is also the president of Gary Kessler Associates, a training, research, and consulting company in Ormond Beach, Florida.

Steven D. Shepard is the founder of Shepard Communications Group in Williston, Vermont, co-founder of the Executive Crash Course Company, and founder of Shepard Images.

Source: analyticsread


The 01 January 2021 deadline for the implementation of maritime cyber risk management in the Safety Management Systems as per IMO Resolution MSC.428(98) is fast approaching.

Members are reminded of the due date for implementation – the first annual verification of the company’s Document of Compliance after 01 January 2021. While this translates to different target deadlines for each Member and their vessels, it should be recognised that significant preparatory work may be anticipated.

It is also important to acknowledge that the vulnerability of a ship's systems to a cyber incident remains a real threat, as a number of recent high-profile shoreside incidents, such as the "NotPetya" ransomware attack, have shown. Whilst that incident did not directly affect vessel operations, the potential vulnerability of on-board systems has been demonstrated by 'ethical hacking'. Such tests have shown that these attacks, which typically exploit weaknesses in human behaviour, are possible and could result in navigational and control systems being compromised.

In July 2019 the US Coast Guard (USCG) issued a Marine Safety Alert about a cyber incident involving a deep draught vessel on an international voyage and bound for US ports. The vessel reported that it was experiencing a significant cyber incident which affected its shipboard network. A team of experts led by the USCG responded and investigated. It was concluded that although malware had significantly degraded the onboard computer system, essential vessel control systems had not been compromised. The investigation also found that the vessel was operating without effective cyber security measures in place, thereby exposing critical vessel control systems. Prior to the incident the security risk presented by the shipboard network was apparently well known to the crew, but it had not been addressed. The USCG stated that it was imperative for the maritime community to adapt to changing technologies and the changing threat landscape by recognising the need for, and implementing, basic cyber hygiene measures, thus emphasising the importance of the 2021 cyber security management requirements.

A recently published article on the website of Smart Maritime Network (SMN) explains the vulnerability and ease of access to the communications systems on board vessels where such basic cyber hygiene measures as robust password management were not being implemented.

The Guidelines on CYBER SECURITY ONBOARD SHIPS, produced by BIMCO and supported by a number of maritime stakeholders, is aligned with the MSC resolution and contains recommendations on various processes that should be undertaken for successful implementation of cyber security management.

The NIST (National Institute of Standards and Technology) framework of Identify – Protect – Detect – Respond – Recover sets out the core cyber security activities, while the ISM Code and the ISPS Code provide the necessary framework for integration into the company's risk management and security protocols and procedures.

The Club has previously recognised the importance of cyber security management on vessels in the loss prevention DVD "Cyber Security – Smart, Safe Shipping", and the Club encourages Members to ensure that early implementation of cyber security management is considered and that the procedures of cyber risk management are seamlessly integrated within the existing safety management system at the earliest opportunity, even where the deadline for implementation is not imminent.

Source: steamshipmutual


The White House hopes to update U.S. government’s approach to its maritime cybersecurity strategy in coming months, according to two senior administration officials.

The Trump administration’s priorities are to enhance and secure the United States’ ability to project power at sea and defend against adversarial cyberattacks, two senior administration officials told reporters during a call Tuesday. The plan involves re-examining the national approach to information sharing and better emphasizing the use of operational technologies in ports, according to one senior administration official.

The two officials on the call declined to reveal any specific information about the administration’s plans, saying more information would soon become available. But hackers have long targeted shipping firms and the maritime supply chain to steal data involving the U.S. government or interrupt cargo operations. Hackers using a strain of ransomware known as Ryuk compromised computer networks at a maritime transportation facility last year, disrupting operations for 30 hours, according to the U.S. Coast Guard. Nation-state hackers also have targeted Americans aboard maritime vessels to trick them into revealing their location or activities.

More recently, the Trump administration has been concerned about a ransomware attack targeting a shipping company, which “affected COVID-19 supply chains in Australia,” one senior administration official said.

“Adversaries frequently interfere with ship or navigation systems by targeting position or navigation systems through spoofing or jamming, causing hazards to shipping,” one senior administration official said.

The announcement comes amid several efforts at the Department of Defense to test readiness against cyberattacks in the maritime domain. The Pentagon’s offensive cyber unit, Cyber Command, simulated a cyberattack last year on a seaport. The Army is also participating in an exercise meant to simulate adversaries targeting U.S. ports this month.

Source: cyberscoop


A live superyacht cyber security event named Don’t Miss the Boat is set to educate superyacht owners and captains on cyber security threats and how to combat them.

The event comes as the IMO prepares to implement new cyber security regulations. By January 2021, yacht owners and operators of vessels over 500GT will need to have incorporated a cyber risk management plan to demonstrate they have addressed security threats on board.

The live event, which will take place at 3pm on September 25, will be held by the 360 Maritime Security alliance. The alliance comprises Infosec Partners, Priavo Security and Halo Group Security which will demonstrate attacks on an existing superyacht legacy security network (the most basic protection) and compare it to an attack against a secure system.

The event will be broadcast from Shepperton Studios in Surrey and streamed on YouTube and Linkedin.

Mark Oakton, security director at Infosec Partners, said the superyacht industry still considers cybercrime “an afterthought”.

“The level of protection on yachts compared to other environments is very low and is especially dangerous in an industry populated with ultra-high net worth individuals,” he said.

“The worst impact is not what actually happens in the attack, it’s the ongoing brand and reputation damage.”

Source: boatinternational


The latest victim in a long list of cyber-attacks was cruise operator Carnival Corp, which announced on 15 August 2020 that it had suffered an attack involving files being stolen. According to David Bernstein, chief financial officer for Carnival, the company "detected a ransomware attack that accessed and encrypted a portion of one brand's information technology systems. The unauthorized access also included the download of certain of our data files."

It seems that the ransomware attack included unauthorized access to personal data of guests and employees. The incident may become a costly one for the cruise operator, as it may result in potential claims from guests, employees and regulatory agencies.

This was the most recent event in a series of incidents that have affected both shipping companies and ports. Since NotPetya caused US$300 million in losses for Maersk, attacks have been increasing at an alarming rate. In 2018, the ports of Barcelona and San Diego fell under attack. Australian shipbuilder Austal was also hit, and the attack on COSCO took down half of the shipowner's US network.

Fast forward to 2020, when the shipping company MSC was hit by malware that shut down the shipowner's Geneva headquarters for five days. According to a US Coast Guard security bulletin, a cargo facility's operating systems were infected with the Ryuk ransomware. Finally, the OT systems at Iran's Shahid Rajaee port were hacked, restricting all infrastructure movements and creating a massive backlog.

The convergence of IT and OT systems creates new challenges

Until relatively recently, topics relating to cybersecurity have been the domain of the IT department. However, securing Operational Technology (OT) is becoming critical for maritime and shipping businesses, since they rely increasingly on smart, cutting-edge technology. (This is especially true for the digitalized maritime sector, as we discussed in a recent post.)

“All new builds are based on software that runs systems within the ship pertaining to safety and security, and also for monitoring of operations,” says former naval officer Chronis Kapalidis, a maritime cybersecurity researcher at HudsonAnalytix and an analyst at Chatham House. “It’s important that cybersecurity across IT and OT becomes part of a new cyber culture. It shouldn’t be something that ship owners are requesting and pushing the vendors for – it should be something vendors have in place to demonstrate their competitive advantage.”

The IMO recognized the need to make sure that these OT systems are secure. In response, it required that all maritime administrators appropriately address the cyber risk of their Safety Management Systems by January 2021.

Addressing these risks begins with knowing your vulnerabilities and being prepared for a constant increase of cyber threats. Paul Ferrillo, partner at Law firm McDermott, Will & Emery said in a recent webinar that all ports and terminals are attractive targets for cyber attackers. “If you have data, you are a target,” he warned. “You will be attacked and breached – you may already be breached, but you may not know it.”

However, cyber threats that disrupt maritime operational reliability and delay cargo delivery carry additional risks. "Infected systems can compromise navigation or propulsion, threatening ship safety itself as well as the marine environment," reads a recent article by ABB.

With cyber-attacks against port operators and shipping companies increasing, “people need to be aware of the threats,” says Scott Dickerson, executive director at Maritime Transportation System ISAC. “It is not just a technology challenge. Some ports do not have a dedicated IT person, so at operational level people need to understand how they are being targeted and make sure they have good cyber hygiene.”

Traditional cybersecurity does not work

The quantity of information transmitted from ship to shore has increased dramatically thanks to advances in maritime communications and an ever-increasing reliance on technology-enabled on-board systems.

“What is interesting is that many operators believe they have this protected with traditional cybersecurity, but the firewalls and software protecting the IT side, do not protect individual systems on the OT network,” says Jonas Blomqvist, General Manager, Cyber Security, Marine Business at Wärtsilä.

Installing an antivirus platform on a vessel bridge navigation system (ECDIS) could very quickly impair and inhibit system performance, for example.

“Operational networks, in contrast to information networks, are measured by their performance level. Their operation cannot be disconnected and stopped. An emergency state in these systems can usually only be identified following a strike and they will be irreparable and irreversible,” adds Blomqvist.

Taking precautions by installing security systems, such as firewalls and detection systems for denial-of-service attacks and other malware, is crucial but insufficient. Adopting proactive cybersecurity risk management provides an opportunity for shipping companies to differentiate themselves.

Maritime cyber resilience is a strategic advantage

Cyber resilience has emerged over the past years because traditional cybersecurity countermeasures are not sufficient to protect organizations against sophisticated attacks. Preserving both cybersecurity and cyber safety is important because of the potential effect a cyber-attack might have on personnel, the ship, the environment, the company and the cargo.

Cyber resilience programs should be able to identify, assess and manage the cyber risks. They must continuously monitor all mission critical systems to detect anomalies, change and potential cybersecurity incidents before they cause significant damage and disrupt the reliability and safety of operational processes. An incident response management program ensures business continuity and helps the maritime and shipping company to continue to operate despite a cyber-attack.

With cyber-attacks increasing in frequency and severity, supposing that maritime and shipping organizations can defend against every potential attack scenario is just wishful thinking. Organizations need to combine cybersecurity with business resilience to be cyber resilient. As the maritime sector continues its digitalization journey, a safer shipping offering is a competitive strategic advantage.

Source: tripwire


Dryad and cyber partners RedSkyAlliance continue to monitor the stark upward trend in attempted attacks within the maritime sector.

“Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry.”

Dryad Global's cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Email subject line Motor Vessel (MV) or Motor Tanker (MT) keyword usage is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Malicious Email collection 14-17 Sep 2020

First Seen | Subject Line Used | Malware Detections | Sending Email | Targets
Sep 14, 2020 | Re: Bulk Cargo Shipment for saaten-union.de | HackTool:Win64/Mimikatz.A | "Chen Xin" <felix.chen@longsailing.net> | saaten-union.de
Sep 14, 2020 | Re: Re: Purchase Purse seiner. Tuna vessel | Trojan:Win32/Woreflint.A!cl | Lei Yang <49fd2d524@064b6638.cf> | de8041c.com
Sep 14, 2020 | Fwd:RV and Boat Storage Future Add-on | Trojan-Downloader.VBA.Emotet | "Charles Shajari" <08fc70@7a904f387a30206b9.com> | 42f15e645c23f02ff1dad28eb.com
Sep 14, 2020 | RE: Final Permit set – Boat Storage | Trojan-Downloader.VBA.Emotet | "charles shajari" <ce3f7c@8adcef713a5.mk> | 42f15e645c23f02ff1dad28eb.com
Sep 14, 2020 | Fwd:Swain Boat House | TROJ_FRS.VSNW0EI20 | "Brittney Phillips" <ab8c7e66da21af@5808ec15.com> | 27cde66c2a.com
Sep 15, 2020 | MV GENCO STAR / ARRIVAL REPORT AT MIRI PORT | W97M/Downloader.dbv | "star@sea-one.com" <majid@hulumtele.com> | kwship.com
Sep 15, 2020 | MOL HIROSHIMA – REMINDER Counter-measure for Soot damage to cargo vehicles in MAZDA stock yard-2 | Trojan.W97M.POWLOAD.THIADBO | "FUKUSHIMA, Hajime" <srashidzada@vicc.co> | cidoship.com
Sep 15, 2020 | MV DIVINEGATE / Owners husbandry matter appointment – Yantai Port | Trojan:Win32/Wacatac.C!ml | "Nicholas Chin" <nicholas_chin@epshipping.com.sg> | epshipping.com.sg
Sep 15, 2020 | MV. OCEAN LEADER – ARRIVL REPORT AT MIRI | TrojanDownloader:O97M/Emotet.PEE!MTB | "oceanleader@sea-one.com" <storeag@bwrl.in> | kwship.com
Sep 15, 2020 | MV KMTC INCHEON – SBP for off Signer – | TrojanDownloader:O97M/Emotet.RKC!MTB | "KMTC INCHEON" <viviana.ramirez@suministroseimpresos.com>; "Lee Won-gun" <wglee@withuskor.com> | Targets Not Disclosed
Sep 15, 2020 | Re: RE: MV KMTC TOKYO – 3/O's BIO DATA & CRD FORM | TrojanDownloader:O97M/Emotet.RKC!MTB | "CrewYGN" <edp@veeyesfoundry.com> | withuskor.com
Sep 15, 2020 | Re: [Operation] – GFO(V090) – Sailing Report at Kashima, Japan – 200316 | TrojanDownloader:O97M/Emotet.CSK!MTB | "GFOREVER" <compras02@casaguerra.com.mx> | skshipping.com
Sep 15, 2020 | RE : RE : URGENT!!! 2 x 20ft – SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E // CLGQOE191781 // | Trojan-Downloader.MSWord.Agent.buh | "A.P. Moller – Maersk" <noreply@maersk.com> | Targets Not Disclosed
Sep 15, 2020 | RE: CMA CGM CHRISTOPHE COLOMB – Bridge | Trojan-Downloader.VBA.Emotet | "CMA CGM CHRISTOPHE COLOMB – Bridge <b0cc76405561ab7f3b1@7689502.com>" <f1d968@55be7fd0a4.za> | eae0ec1d660.com
Sep 16, 2020 | MV TBN CALL AT DAFENG port / EPDA | Trojan:Win32/Agenttesla.TB!MTB | "OPS" <ops@esmaritime.com> | royaleg.co.kr
Sep 16, 2020 | Re: Re: MV DARYA KIRTHI/YANGZHONG -EPDA | Trojan:Win32/Agenttesla.TB!MTB | "csacjpqsw@cnshipping.com" <csacjpqsw@cnshipping.com> | cnshipping.com
Sep 17, 2020 | PRE ARRIVAL FORMS FOR SUBJECT VESSEL | Trojan:Win32/Wacatac.D7!ml | lutfullah.ansary@aplombtechbd.com | pacificpatent.com
Sep 17, 2020 | Re: [Operation] – GFO(V093) – Sailing report at Port Elizabeth, South Africa – 200805 | TrojanDownloader:O97M/Emotet.CSK!MTB | "GFOREVER" <finance@centralpoint.team> | skshipping.com
Sep 17, 2020 | Various spare parts to M.V. Sunrise Ace through Norton Lilly Inter= | Trojan.W97M.EMOTET.TIOIBELH | "Donald Young" <ag@arzni.com> | amosconnect.com
Sep 17, 2020 | One piece of coupling spare part to be delivered to M.V. Heroic Ac= | TrojanDownloader:O97M/Emotet.RKC!MTB | "Atlas Marine Services" <export@arzni.com> | amosconnect.com
Sep 17, 2020 | [PR259 BIO-MEG] OIL AND MARINE / RFQ / Toyo Engineering & | Trojan:Win32/Woreflint.A!cl | nmw_ikram <nmw.ikram@toyo-eng.com> | Targets Not Disclosed
Sep 17, 2020 | Re: : PO 646900 – freight charge – New York Power | TrojanDownloader:O97M/Donoff!MSR | <jerome.marionneau@deffeuille.fr> | safeguard-technology.com
Sep 17, 2020 | HAPAG ,MSC PAYMENT JOB NO:1419-1421-1422-1524-1525–1541 | TrojanDownloader:O97M/Emotet.CSK!MTB | "Vinod Mudaliar" <c86a7775c664@727aefab.com> | 2010546c.biz
Sep 17, 2020 | RE: [Operation] – GFO(V093) – Sailing report from Taixing, China – 200607 | TrojanDownloader:O97M/Emotet.CSK!MTB | "GFOREVER" <contacto@comarlot.com.mx> | skshipping.com

Top 5 Malicious Senders

Sender | Malware Sent
Mr. Astley Huang / MOLSHIP(S) | Trojan.W97M.EMOTET.TIOIBELH
"A.P. Moller – Maersk" <noreply@maersk.com> | Exploit-GBW!3D4258FDCC47, W97M/Downloader.bjx
"GFOREVER" <finance@centralpoint.team> | Trojan.W97M.EMOTET.TIOIBELH
"star@sea-one.com" <majid@hulumtele.com> | W97M/Downloader.dbv
"oceanleader@sea-one.com" <storeag@bwrl.in> | TrojanDownloader:O97M/Emotet.PEE!MTB

In the above collection, we see malicious actors attempting to use vessel names to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include "MV Divinegate" among others. Analysts again observed bad actors leveraging "Maersk Kleven" in malicious email subject lines; over the past year this vessel name has appeared in over a dozen malicious subject lines. The sender continues to use the "'A.P. Moller – Maersk' <noreply[at]Maersk[.]com>" email address in an attempt to trick users into thinking they are receiving a legitimate email from the shipping company, Maersk.

Analysts observed the malicious subject line "RE: [Operation] – GFO(V093) – Sailing report from Taixing, China – 200607" being used this week. Notably, the phrase "Re: [Operation] – GFO(V093)" is contained in multiple malicious subject lines this week. This subject line mentions the port of Taixing in China, but the other subject lines reference ports in South Africa and Japan.

The email starts off with a generic "Good day" greeting. Typically, this would indicate that the attackers are using a generic spam template for use against multiple targets. However, in this case, there is a specific schedule laid out in the email, indicating that it references a specific vessel/voyage. The message is signed by the "Master of M/V G. Forever Capt. Sin Jong Hwan." This captain's signature is listed in all three emails, which indicates that the captain is being impersonated and may mean that their account has been taken over by the attackers and is being used in these attacks.

All these emails look very similar and appear to use the voyage schedule as a lure to entice victims to open the malicious attached documents. Although the emails reference ports in different countries, the attachments are all titled with the following filenames written in Japanese:

• からの変更.doc (Changes from.doc)
• 変化-2020_09_16.doc (Change-2020_09_16.doc)
• に修_2020_09_15.doc (Osamu _2020_09_15.doc)

Although each email targets a separate employee at the company, all the emails target employees of SK Shipping, a major South Korean shipping company. The employees' positions could not be identified using open source, and the targeted email addresses do not appear anywhere on the company website.

The company is being targeted by Emotet malware (attached to all three malicious emails). This malware has evolved and become a significant threat to companies, as it can now steal sensitive information and leverage infected devices in attacks against other networks.

These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.
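The indicators the collection above makes visible (an MV/MT vessel lure or voyage-report phrase in the subject, a display name that is itself an e-mail address at a domain different from the real sender, a sender address already seen spoofed, and a macro-capable Office attachment) can be turned into a mechanical triage check at the mail gateway. The script below is an added example, not code from Dryad, Red Sky Alliance or the report; the sample messages are constructed for the example, the KNOWN_SPOOFED blocklist and the phrase list in VESSEL_SUBJECT are assumptions modelled on the table, and the `indicators` / `is_suspicious` names are the example's own.

```python
"""Heuristic triage for vessel-impersonation phishing (added example).

Encodes the indicators visible in the weekly collection and runs them over
constructed sample messages. No real mail is used.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from textwrap import dedent

# Subject lures: MV / MT / M.V. prefixes and voyage-report phrases (assumed list).
VESSEL_SUBJECT = re.compile(
    r"\b(M\.?V\.?|M\.?T\.?)\s+[A-Z][A-Z0-9 .\-]+"
    r"|\b(ARRIVAL REPORT|SAILING REPORT|EPDA|PRE ARRIVAL|HUSBANDRY)\b",
    re.IGNORECASE,
)
# Display name that is itself an address, e.g. "star@sea-one.com" <majid@hulumtele.com>.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
# Assumed blocklist: sender addresses the report says are repeatedly spoofed.
KNOWN_SPOOFED = {"noreply@maersk.com"}
# Attachment types that can carry VBA macros (the Emotet loaders in the table).
MACRO_DOC = (".doc", ".docm", ".xls", ".xlsm")


def indicators(raw: str) -> list[str]:
    """Return the indicator tags that fire for one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits: list[str] = []

    if VESSEL_SUBJECT.search(msg.get("Subject", "")):
        hits.append("vessel-lure-subject")

    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    embedded = ADDR_IN_NAME.search(name)
    if embedded and embedded.group(1).lower() != sender_domain:
        hits.append("display-name-domain-mismatch")

    if addr.lower() in KNOWN_SPOOFED:
        hits.append("known-spoofed-sender")

    for part in msg.walk():  # single-part messages yield themselves
        filename = part.get_filename() or ""
        if filename.lower().endswith(MACRO_DOC):
            hits.append("office-attachment")
            break
    return hits


def is_suspicious(raw: str) -> bool:
    """Quarantine rule: a known spoofed sender alone, or any two indicators."""
    hits = indicators(raw)
    return "known-spoofed-sender" in hits or len(hits) >= 2


def _raw(from_: str, subject: str, attachment: str = "") -> str:
    """Build a constructed raw message, optionally with one Office attachment."""
    head = f"From: {from_}\nTo: ops@example.net\nSubject: {subject}\nMIME-Version: 1.0\n"
    if not attachment:
        return head + "Content-Type: text/plain\n\nGood day, please see below.\n"
    return head + dedent(f'''\
        Content-Type: multipart/mixed; boundary="b1"

        --b1
        Content-Type: text/plain

        Good day, please find the attached file.
        --b1
        Content-Type: application/msword; name="{attachment}"
        Content-Disposition: attachment; filename="{attachment}"

        (attachment bytes omitted)
        --b1--
        ''')


# Constructed samples patterned on rows of the collection (not real captures).
SAMPLES = {
    "sea-one": _raw('"star@sea-one.com" <majid@hulumtele.com>',
                    "MV GENCO STAR / ARRIVAL REPORT AT MIRI PORT", "arrival_report.doc"),
    "maersk": _raw('"A.P. Moller - Maersk" <noreply@maersk.com>',
                   "RE : RE : URGENT!!! 2 x 20ft - SHIPPING DOC // MAERSK KLEVEN V.949E //",
                   "SHIPPING DOC.doc"),
    "gforever": _raw('"GFOREVER" <contacto@comarlot.com.mx>',
                     "RE: [Operation] - GFO(V093) - Sailing report from Taixing, China - 200607",
                     "変化-2020_09_16.doc"),
    "benign": _raw('"Port Agent" <agent@example.com>', "Re: crew change schedule for next week"),
}


def report() -> dict[str, list[str]]:
    """Indicator tags for every sample, keyed by sample name."""
    return {name: indicators(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:9s} suspicious={is_suspicious(SAMPLES[name])!s:5s} {hits}")
```

The display-name check is the cheap catch for rows such as "star@sea-one.com" <majid@hulumtele.com>, where the visible name is a legitimate-looking address but the envelope sender is elsewhere; the subject regex is deliberately loose because the lures in the table vary in case and punctuation ("MV.", "M.V.", "ARRIVL REPORT"), so it should feed a score rather than block on its own.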

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain.

Pre-empt, don’t just defend

The more convincing an email appears, the greater the chance employees will fall for a scam. To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support and our Vessel Impersonation information, and use the Maritime Blacklists to proactively block cyber-attacks from identified malicious actors.



  • Over the past two years, the United States has built an increasingly fruitful security relationship with the Republic of Cyprus. Our two countries have been working to train teams from Mediterranean countries in a variety of security fields. For example, the State Department’s Bureau of International Security and Nonproliferation (ISN) has held a number of training events in the Republic of Cyprus, most notably for Lebanese and Egyptian government officials.
  • To expand this cooperation and to support capacity-building in nations where in-country training is impossible, our two countries have agreed to construct a regional border security training hub in the Republic of Cyprus — the Cyprus Center for Land, Open-seas, and Port Security (CYCLOPS).
  • CYCLOPS will allow the United States and our partners to provide technical assistance in more areas related to security and safety, including customs and exports control, port and maritime security, and cybersecurity.
  • The training facility will include a number of different hands-on training platforms, including a mock land border crossing, passenger screening area, and a mobile cyber security training lab, which will enable regional partners to learn best practices for securing critical infrastructure and to engage in cross border, counterproliferation cyber investigations.
  • CYCLOPS will support our efforts to curb the proliferation risks posed by malign regional actors and violent extremist organizations.
  • The construction and ongoing support for CYCLOPS is a true partnership. The United States will provide equipment, trainers, and other capacity-building support, while the Republic of Cyprus will contribute land, facilitate travel, and provide trainers.
  • Construction of the training facility is expected to begin later this year.

Source: state.gov

As mentioned, the cabin switch appeared to be the key to all our access requirements. From there we could get to the trunk network and all those TV, VOIP and Wi-Fi services: a raft of different VLANs that are very interesting to an attacker.

Physically, the big problem was that the cabin switch was located in the narrow passageway corridor between cabins. In that small space I had to open a panel, open the box it was in, then physically unscrew the switch and connect to it to mess about with it. It meant being in the way of foot traffic.

As only a few of the ship’s crew knew what we were onboard for, we really needed to stay incognito. That’s quite a challenge on a vessel with 500 CCTV cameras and plenty of people walking about; we were getting in their way and getting noticed. The solution to staying under the radar was to do it all from inside our cabin, which was no mean feat.

First we unplugged the ethernet cables from the back of our TV and VOIP phone. We then went to the cabinet in the wall in the passageway, where we bridged directly onto the trunk with those cables. This meant that we had taken our cabin switch out of the network so it was feeding into our cabin via this structured cabling that was already installed. That solved part of the problem.

We then put our own switch into that loop so now we were part of that VLAN trunk, nicely connected to that big loop. It meant we could intercept all of the traffic on the VLANs and we could connect to all of the devices on those VLANs too. While we managed to get the TVs default passwords we couldn’t really do much apart from stopping them working. The VOIP phones also had default passwords, but again we were limited to changing their settings so they didn’t work. The Wi-Fi was quite secure so there wasn’t much we could do to that either.

The CCTV was different though. The CCTV and Video Management System (VMS) connected out to all of the cameras using RTSP, a plain-text protocol. The cameras required a properly authenticated login, but we could intercept this and so connect to the cameras, all of the cameras on the ship. Now we could watch all the video feeds from the comfort of our cabin.

After that we reviewed the cabin control system for the lighting, HVAC, door and water. Most systems like this with hundreds of nodes will connect back to a service. They usually make a connection from the device through to the server, but this one was different, as it worked the other way around.

Here the cabin control server established connections out to the controls in the cabins. While this was unusual, it meant we didn’t have to compromise the cabin control server to interact with the cabin controls. We were on the VLAN that they were all on, so we could come along with our switch and directly compromise all of the cabin controls. We could turn the lights on and off, we could mess about with the aircon, we could lock people out of their cabins, and we could even open doors on the accessibility cabins, the ones with automated doors.

With all of these areas covered we could negatively affect the passengers, to make them uncomfortable or even cause some distress. This means that they will complain, en masse, and that is going to be very expensive to manage.

The other thing we thought would be amusing would be writing something on the side of the ship using cabin lighting, by turning certain cabins’ lights on or off to create a pattern or word viewable from a distance outside. Some ships have this functionality, where the cabin control system uses the cabin lights as a sort of grid through which you can write things on the side of the vessel.

The serious issue here is that the switches were physically accessible to us. Of course we had to be in the passageway for physical access but there’s a common attack that we regularly carry out against switches. Most Cisco switches have a password recovery mode. It means that you can reboot the switch, and through its serial console dump the config file.

That config file contains information on existing VLANs, as well as hashes or possibly even encrypted versions of the passwords. After dumping a config off one of the cabin control switches (taking two or three minutes) we had the hashed passwords. Once transferred to our cracking rig, it took about two days to recover them.

The password here was reasonably good, it wasn’t “cisco” or “ship” for example.

We tried it against the cabin switches but none of them had a network logon. However we could plug in via serial and connect that way but that’s not particularly bad. However, as we’ve got access to this trunk we’ve also got access to those RDPs. We found that one of the RDPs had its management interface left exposed to the trunks that we could access, and that RDP had left the web interface enabled, which is bad.

That username and password we recovered from one cabin switch worked on that single RDP. It appeared that during commissioning that particular RDP hadn’t been fully commissioned: they hadn’t changed the password. We gained access to that RDP and that allowed us to intercept all of the traffic on that fibre trunk. We weren’t just able to access the things on the cabin switch loops anymore; we could see pretty much everything on the vessel, excluding the ICMS industrial control systems.

These VLAN trunks run all over the ship. You can connect from inside the cabin using the TV and phone cables, get access to many systems, and sniff to get any plain-text auth. So, not using https actually had a serious impact here. One brute-forceable password that worked on just one part of the core network allowed us to intercept all of the VLAN trunks. That is a significant compromise.

Now this was just an omission, and it did take quite a lot of effort to get to this point but it was a problem of vulnerability.
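The two weaknesses behind this issue, password recovery left enabled on physically reachable switches and a plaintext web management interface on a core device, are both visible in a switch's running configuration. The following config audit is an added example (not Pen Test Partners' tooling) that flags them in IOS-style config text; both sample configs and their hash values are constructed placeholders.

```python
import re

# Constructed sample configs (not from the engagement). WEAK mirrors the
# write-up: a reversible type 7 user password, an MD5 (type 5) enable
# secret that can be cracked offline, password recovery left enabled,
# and the plaintext web management interface switched on.
WEAK_CONFIG = """\
hostname CABIN-SW-01
service password-encryption
enable secret 5 $1$xxxx$PLACEHOLDER_MD5_HASH_NOT_REAL
username admin password 7 0822455D0A16
ip http server
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname CABIN-SW-01
no service password-recovery
enable secret 9 $9$xxxx$PLACEHOLDER_SCRYPT_HASH_NOT_REAL
username admin secret 9 $9$xxxx$PLACEHOLDER_SCRYPT_HASH_NOT_REAL
no ip http server
ip http secure-server
line vty 0 4
 transport input ssh
"""

# What each credential storage type gives an attacker who dumps the config.
CRED_TYPES = {
    "0": ("high", "cleartext"),
    "7": ("high", "reversible XOR obfuscation, decoded instantly"),
    "4": ("high", "deprecated unsalted SHA-256"),
    "5": ("medium", "salted MD5-crypt, crackable offline"),
}

def audit_ios_config(text):
    """Return (severity, finding) tuples for credential and management-plane
    weaknesses in an IOS-style running config."""
    lines = [line.strip() for line in text.splitlines()]
    findings = []
    for line in lines:
        m = re.match(r"(?:username (\S+) |enable )(?:password|secret) (\d) ", line)
        if m and m.group(2) in CRED_TYPES:
            sev, why = CRED_TYPES[m.group(2)]
            who = f"user {m.group(1)}" if m.group(1) else "enable"
            findings.append((sev, f"{who}: type {m.group(2)} ({why}); use type 8/9"))
    # With password recovery enabled, console access plus a reboot is enough
    # to read the whole config, hashes included.
    if "no service password-recovery" not in lines:
        findings.append(("high", "password recovery enabled (add 'no service password-recovery')"))
    if "ip http server" in lines:
        findings.append(("high", "plaintext HTTP management enabled (use 'ip http secure-server' only)"))
    if any(re.match(r"transport input .*\btelnet\b", line) for line in lines):
        findings.append(("high", "telnet accepted on vty lines (restrict to ssh)"))
    return findings
```

Running the audit over a fleet's configs as part of commissioning sign-off would have caught the not-fully-commissioned device described above before the ship sailed.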

Issue 4: I Am The Captain Now!

If you’ve been on a cruise recently you’ll have seen crew carrying tablet devices. When there’s a muster or safety drill they’ll be taking muster on a tablet. If you order in one of the restaurants it will be on a tablet. If they come to your room with room service they will have a tablet.

This is usually called a Passenger Management System (PMS) and it deals with cabin assignment and access control. As a result it’s linked to access control system, to allow the management of cabin key cards. It also does booking and billing in the restaurant, it does mustering, and it also can hold your passport details for Immigration. It’s core to how the vessel operates.

All the tablets on this vessel used 802.1X certificates for the Wi-Fi, and the tablets were actually quite well hardened. We couldn’t get anything off them easily, so we couldn’t get those certificates to gain access to the Wi-Fi. We could have spent time doing something to possibly root one of the tablets or gain the credentials from somewhere else.

But why go to those lengths when we’ve already got access to every VLAN on the vessel including the VLAN that carries the Wi-Fi traffic from all of the tablets? We can intercept that traffic, which is what we did.

The tablets’ 802.1X was implemented by the cruise company as they wanted to add that layer of security. However, the PMS used http, so there was no encryption between the tablets and the server. That let us sniff credentials amongst the other network traffic. What we found was an SQL server which was passing its username and password in the plain across this network. Once we gained access to those VLAN trunks we could get this username and password.

We could then add our own user into the PMS and we could pretty much do what we want. For example, I could book myself into the best restaurant on the ship and not have to pay for it.

The best bit was being able to log in as the captain! We could go to the restaurant, order the most expensive bottle of wine and bill it to the captain. This is a serious impact. The PMS had good Wi-Fi security that was put in place by the cruise company but the PMS vendor used http for the communications, and that just wasn’t secure enough.

We’ve covered those common SQL creds but we’ve not managed to test them on any other ships. It’s possible they could be the same across other ships, meaning we could arrive on board and pretend to be anyone from the crew. We could wipe details, we could order things in restaurants. I think we comprehensively owned this ship.

Conclusion

  1. The attacks required detailed knowledge
  2. It was third-parties who introduced most risks
  3. Denial-of-Service is very costly
  4. Cruise ships are fun

These attacks did require detailed knowledge. We had to be on the vessel and we had to have a good level of understanding. One of the problems with a ship is that it’s hard to perform things like intrusion detection remotely. You might be able to sniff traffic, but you’ve only got a limited amount of bandwidth to send that back to a SOC. On this engagement no one really noticed us; we dressed smartly, and the couple of times that people noticed us opening cabinets and things like that, no one said anything. That isn’t always going to be guaranteed though.

Most of the issues we found were introduced by third parties. The cruise company had done a lot to secure those networks but it was third parties putting systems in and making mistakes, and just not doing security properly, that created the problems.

For a ship a Denial of Service is extremely costly. If you can stop a cruise ship leaving its berth (especially in one of the smaller ports where there are only one or two berths) and another ship is waiting to dock, the port can charge huge sums of money. We’re talking tens or hundreds of thousands of dollars per day.

The fallout is that you’ll have passengers complaining, you’re going to possibly have to reschedule flights, maybe get hotels for people, your next cruise may be delayed.

Crashing cruise ships into each other is the stuff of movies, and that’s fine for Hollywood. The real impacts however come from hackers being able to cause your passengers annoyance, discomfort, and distress.

Source: pentestpartners


KR issues world’s first cyber security class notation to HHI for very large LPG carriers

The Korean Register (KR, Chairman & CEO, LEE Hyung-chul) has presented Hyundai Heavy Industries (HHI) with the world’s first Cyber Security (CS Ready) class notation for a very large liquefied petroleum gas (LPG) carrier.

The presentation took place at KR’s Headquarters in Busan on 18 September, in the presence of Hyundai LNG Shipping (HLS, President & CEO, LEE Kyu-bong), Hyundai Heavy Industries (HHI, President & CEO, HAN Young-seuk) and Korea Shipbuilding & Offshore Engineering (KSOE, CEO, KWON Oh-gap).

Hyundai LNG Shipping is the owner of the very large LPG carrier built by HHI which is scheduled for delivery later this month. KR granted the notation after completing successful document and field inspections, which included Kongsberg Maritime’s ship alarm and monitoring system (AMS) and Hyundai Global Service’s Integrated Smart ship Solution (ISS).

This is the first time the KR cyber security notation has been awarded to a very large LPG carrier. The notation is issued to newbuilding ships that have successfully passed 49 inspection items in a total of 12 categories, including risk and asset management, cyber incident response and recovery.

The four companies have been collaborating on joint research and development for the past eight months, while working to apply and verify KR’s cyber security Rules for newbuilding ships. HHI and KSOE have built a cyber security network encompassing the main systems, conducting risk assessment and vulnerability diagnosis for cyber security threats, and KR has carried out and completed cyber security inspections across the network. As part of the comprehensive technological testing, KR conducted its first MITRE ATT&CK[1]*-based penetration test to verify the safety of the cyber security system.

Mr. LEE Hyung Chul, Chairman and CEO of KR, said at the presentation event: “The success of this joint research has enhanced our excellent cyber security technology status around the world. KR will continue to strengthen its global cyber security leadership, and will work to increase its unrivalled expertise and widen its certification capabilities.”

Mr. CHOI Jang-pal, Head of Business Operation Division, HLS, said: “We are very pleased to secure the cyber security notation from KR, which offers the highest standard of certification capabilities worldwide. Ship cyber security risk management is a top priority, and we will continue to proactively ensure our practices and processes offer the highest level of protection.”

“Through our collaboration with KSOE, we will continue to procure preemptive technology and to build smart ships with industry-leading, differentiated cyber security systems. In today’s world, we must deliver ships which are fully certified for maritime cyber security,” added Mr. KIM Jae-eul, HHI Executive Vice President and CTO.

Newbuilding vessels increasingly need a cyber security notation as the application of digital technologies such as advanced automation and integrated control systems becomes more common. In addition, the International Maritime Organization (IMO) is expected to strengthen its demands for cyber security risk management from 2021.


[1] * ATT&CK: a model developed by MITRE in the U.S. referring to Adversarial Tactics, Techniques, and Common Knowledge, which presents attack tactics and infiltration techniques as a framework through case analysis of activities after (or before) penetration of cyber attackers. https://attack.mitre.org


The Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC) of the United States has issued a warning to all tug owners that their connected operations are vulnerable to cyber threats such as malware, virus infections and state-funded hacks.

Readers of Cybersecurity Insiders should note that this is the first alert of its kind issued to all organizations holding tug operations. The warning was issued after a maritime facility received a voicemail-themed phishing email and alerted Louisiana InfraGard, a cyber-threat information-sharing organization, which in turn alerted MTS-ISAC.


The email carried an Office 365 eVoiceMail Express-themed message impersonating a vessel operator.

When the security analysts from the ISAC analyzed the email, they discovered that one of its HTTP requests was not flagged by any threat detection solution because of its sophistication. They also noted that most of the content appeared in three different fonts, indicating that similar copy-and-pasted emails had been sent to other victims as well, and that the sending IP address geolocated to Germany and was already marked as a spam sender.

If any vessel operators fall prey to such attacks, they are requested to report the incident promptly via the mtsisac dot org website.

NOTE 1: A tug is a small boat used to pull larger ships or vessels under various circumstances.

NOTE 2: Louisiana InfraGard is a DHS-aligned non-profit organization that works by sharing information and intelligence related to hostile acts against North America.

NOTE 3: MTS-ISAC issued a warning in August through a webinar titled “Where Port Security Meets Cyber Security”.

Source: cybersecurity

