MARITIME CYBER SECURITY Archives - Page 28 of 40 - SHIP IP LTD

Dryad and cyber partners RedSkyAlliance continue to monitor the stark upward trend in attempted attacks within the maritime sector.

“Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry.”

Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Using Motor Vessel (MV) or Motor Tanker (MT) keywords in the subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels where it is observed that the vessel is being impersonated, with associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies.  Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.


Malicious Email collection 14-17 Sep 2020

| First Seen | Subject Line Used | Malware Detections | Sending Email | Targets |
|---|---|---|---|---|
| Sep 14, 2020 | Re: Bulk Cargo Shipment for saaten-union.de | HackTool:Win64/Mimikatz.A | “Chen Xin” <felix.chen@longsailing.net> | saaten-union.de |
| Sep 14, 2020 | Re: Re: Purchase Purse seiner. Tuna vessel | Trojan:Win32/Woreflint.A!cl | Lei Yang <49fd2d524@064b6638.cf> | de8041c.com |
| Sep 14, 2020 | Fwd:RV and Boat Storage Future Add-on | Trojan-Downloader.VBA.Emotet | “Charles Shajari” <08fc70@7a904f387a30206b9.com> | 42f15e645c23f02ff1dad28eb.com |
| Sep 14, 2020 | RE: Final Permit set – Boat Storage | Trojan-Downloader.VBA.Emotet | “charles shajari” <ce3f7c@8adcef713a5.mk> | 42f15e645c23f02ff1dad28eb.com |
| Sep 14, 2020 | Fwd:Swain Boat House | TROJ_FRS.VSNW0EI20 | “Brittney Phillips” <ab8c7e66da21af@5808ec15.com> | 27cde66c2a.com |
| Sep 15, 2020 | MV GENCO STAR / ARRIVAL REPORT AT MIRI PORT | W97M/Downloader.dbv | “star@sea-one.com” <majid@hulumtele.com> | kwship.com |
| Sep 15, 2020 | MOL HIROSHIMA – REMINDER Counter-measure for Soot damage to cargo vehicles in MAZDA stock yard-2 | Trojan.W97M.POWLOAD.THIADBO | “FUKUSHIMA, Hajime” <srashidzada@vicc.co> | cidoship.com |
| Sep 15, 2020 | MV DIVINEGATE / Owners husbandry matter appointment – Yantai Port | Trojan:Win32/Wacatac.C!ml | “Nicholas Chin” <nicholas_chin@epshipping.com.sg> | epshipping.com.sg |
| Sep 15, 2020 | MV. OCEAN LEADER – ARRIVL REPORT AT MIRI | TrojanDownloader:O97M/Emotet.PEE!MTB | “oceanleader@sea-one.com” <storeag@bwrl.in> | kwship.com |
| Sep 15, 2020 | MV KMTC INCHEON – SBP for off Signer – | TrojanDownloader:O97M/Emotet.RKC!MTB | “KMTC INCHEON” <viviana.ramirez@suministroseimpresos.com>; “Lee Won-gun” <wglee@withuskor.com> | Targets Not Disclosed |
| Sep 15, 2020 | Re: RE: MV KMTC TOKYO – 3/O’s BIO DATA & CRD FORM | TrojanDownloader:O97M/Emotet.RKC!MTB | “CrewYGN” <edp@veeyesfoundry.com> | withuskor.com |
| Sep 15, 2020 | Re: [Operation] – GFO(V090) – Sailing Report at Kashima, Japan – 200316 | TrojanDownloader:O97M/Emotet.CSK!MTB | “GFOREVER” <compras02@casaguerra.com.mx> | skshipping.com |
| Sep 15, 2020 | RE : RE : URGENT!!! 2 x 20ft – SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E // CLGQOE191781 // | Trojan-Downloader.MSWord.Agent.buh | “A.P. Moller – Maersk” <noreply@maersk.com> | Targets Not Disclosed |
| Sep 15, 2020 | RE: CMA CGM CHRISTOPHE COLOMB – Bridge | Trojan-Downloader.VBA.Emotet | “CMA CGM CHRISTOPHE COLOMB – Bridge <b0cc76405561ab7f3b1@7689502.com>” <f1d968@55be7fd0a4.za> | eae0ec1d660.com |
| Sep 16, 2020 | MV TBN CALL AT DAFENG port / EPDA | Trojan:Win32/Agenttesla.TB!MTB | “OPS” <ops@esmaritime.com> | royaleg.co.kr |
| Sep 16, 2020 | Re: Re: MV DARYA KIRTHI/YANGZHONG -EPDA | Trojan:Win32/Agenttesla.TB!MTB | “csacjpqsw@cnshipping.com” <csacjpqsw@cnshipping.com> | cnshipping.com |
| Sep 17, 2020 | PRE ARRIVAL FORMS FOR SUBJECT VESSEL | Trojan:Win32/Wacatac.D7!ml | lutfullah.ansary@aplombtechbd.com | pacificpatent.com |
| Sep 17, 2020 | Re: [Operation] – GFO(V093) – Sailing report at Port Elizabeth, South Africa – 200805 | TrojanDownloader:O97M/Emotet.CSK!MTB | “GFOREVER” <finance@centralpoint.team> | skshipping.com |
| Sep 17, 2020 | Various spare parts to M.V. Sunrise Ace through Norton Lilly Inter= | Trojan.W97M.EMOTET.TIOIBELH | “Donald Young” <ag@arzni.com> | amosconnect.com |
| Sep 17, 2020 | One piece of coupling spare part to be delivered to M.V. Heroic Ac= | TrojanDownloader:O97M/Emotet.RKC!MTB | “Atlas Marine Services” <export@arzni.com> | amosconnect.com |
| Sep 17, 2020 | [PR259 BIO-MEG] OIL AND MARINE / RFQ / Toyo Engineering & | Trojan:Win32/Woreflint.A!cl | nmw_ikram <nmw.ikram@toyo-eng.com> | Targets Not Disclosed |
| Sep 17, 2020 | Re: : PO 646900 – freight charge – New York Power | TrojanDownloader:O97M/Donoff!MSR | <jerome.marionneau@deffeuille.fr> | safeguard-technology.com |
| Sep 17, 2020 | HAPAG ,MSC PAYMENT JOB NO:1419-1421-1422-1524-1525–1541 | TrojanDownloader:O97M/Emotet.CSK!MTB | “Vinod Mudaliar” <c86a7775c664@727aefab.com> | 2010546c.biz |
| Sep 17, 2020 | RE: [Operation] – GFO(V093) – Sailing report from Taixing, China – 200607 | TrojanDownloader:O97M/Emotet.CSK!MTB | “GFOREVER” <contacto@comarlot.com.mx> | skshipping.com |



Top 5 Malicious Senders

| Sender | Malware Sent |
|---|---|
| Mr. Astley Huang / MOLSHIP(S) | Trojan.W97M.EMOTET.TIOIBELH |
| “A.P. Moller – Maersk” <noreply@maersk.com> | Exploit-GBW!3D4258FDCC47, W97M/Downloader.bjx |
| “GFOREVER” <finance@centralpoint.team> | Trojan.W97M.EMOTET.TIOIBELH |
| “star@sea-one.com” <majid@hulumtele.com> | W97M/Downloader.dbv |
| “oceanleader@sea-one.com” <storeag@bwrl.in> | TrojanDownloader:O97M/Emotet.PEE!MTB |

In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MV Divinegate” among others. Analysts observed bad actors leveraging “Maersk Kleven” in malicious email subject lines again this week. Over the past year, this vessel name has been observed in over a dozen malicious email subject lines. The sender continues to use the “’A.P. Moller – Maersk’ <noreply[at]Maersk[.]com>” email address in an attempt to trick users into thinking they are receiving a legitimate email from the shipping company, Maersk.
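As an added example (not part of the original report or of any Red Sky Alliance tooling), the Python sketch below triages messages using the lure patterns visible in the collection: an MV/MT keyword in the subject, and a display name that embeds an address from a different domain than the real sender. The function names, finding labels and the `dmarc_result` values are assumptions made for illustration; the DMARC values are constructed, not taken from the report.

```python
import re
from email.utils import parseaddr

# MV / MT / M.V. / M/V / M/T as a standalone token (the lure keywords described above).
VESSEL_RE = re.compile(r"(?<![A-Za-z0-9])M[./]?[VT]\.?(?![A-Za-z0-9])", re.IGNORECASE)
# An e-mail address embedded in the display name, e.g. "star@sea-one.com" <majid@...>.
ADDR_IN_NAME_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(subject, from_header, dmarc_result=None):
    """Return a list of finding labels for one message (empty list = nothing flagged)."""
    findings = []
    if VESSEL_RE.search(subject):
        findings.append("vessel-keyword-subject")

    # Normalise typographic quotes so the header parses as a quoted display name.
    normalized = from_header.replace("\u201c", '"').replace("\u201d", '"')
    display, address = parseaddr(normalized)
    embedded = ADDR_IN_NAME_RE.search(display)
    if embedded and embedded.group(1).lower() != domain_of(address):
        findings.append("display-name-address-mismatch")

    # A From: address on the real brand domain passes the check above, so the
    # gateway's DMARC verdict (if available) is the signal for that case.
    if dmarc_result is not None and dmarc_result.lower() != "pass":
        findings.append("dmarc-not-pass")
    return findings


def rank(messages):
    """Return (findings, subject) pairs, most findings first, dropping clean messages."""
    scored = [(triage(**m), m["subject"]) for m in messages]
    return sorted((s for s in scored if s[0]), key=lambda s: -len(s[0]))


# Subjects and senders are rows from the collection above; dmarc_result is constructed.
SAMPLES = [
    {"subject": "Re: Bulk Cargo Shipment for saaten-union.de",
     "from_header": '"Chen Xin" <felix.chen@longsailing.net>', "dmarc_result": "pass"},
    {"subject": "MV GENCO STAR / ARRIVAL REPORT AT MIRI PORT",
     "from_header": '"star@sea-one.com" <majid@hulumtele.com>', "dmarc_result": "pass"},
    {"subject": "RE : RE : URGENT!!! 2 x 20ft – SHIPPING DOC BL,SI,INV#462345 // "
                "MAERSK KLEVEN V.949E // CLGQOE191781 //",
     "from_header": '"A.P. Moller – Maersk" <noreply@maersk.com>', "dmarc_result": "fail"},
    {"subject": "Various spare parts to M.V. Sunrise Ace through Norton Lilly Inter=",
     "from_header": '"Donald Young" <ag@arzni.com>', "dmarc_result": "pass"},
]

if __name__ == "__main__":
    for findings, subject in rank(SAMPLES):
        print(f"{len(findings)} finding(s): {', '.join(findings)} :: {subject}")
```

The keyword check alone would miss subjects such as the “GFO(V093)” sailing reports, which is why it is combined with sender checks rather than used as the only filter.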

Analysts observed the malicious subject line “RE: [Operation] – GFO(V093) – Sailing report from Taixing, China – 200607” being used this week. Notably, the phrase “Re: [Operation] – GFO(V093)” is contained in multiple malicious subject lines this week. This subject line mentions the Taixing Port in China, but the other subject lines reference ports in South Africa and Japan.

The email starts off with a generic “Good day” greeting. Typically, this would indicate that the attackers are using a generic spam template for use against multiple targets. However, in this case, there is a specific schedule laid out in the email indicating that this email is referencing a specific vessel/voyage. The message is signed by the “Master of M/V G. Forever Capt. Sin Jong Hwan.” This captain’s signature is listed in all three emails. This indicates that the captain is being impersonated to commit cyber-attacks and may potentially indicate that their account has been taken over by attackers to be used in cyber-attacks.

All these emails look very similar and appear to use the voyage schedule as a lure to entice victims to open the malicious attached documents. Although the emails reference ports in different countries, the attachments are all titled with the following filenames written in Japanese:

• からの変更.doc (Changes from.doc)
• 変化-2020_09_16.doc (Change-2020_09_16.doc)
• に修_2020_09_15.doc (Osamu _2020_09_15.doc)

Although each email targets a separate employee at the company, all the emails target employees of SK Shipping, a major South Korean shipping company. The employees’ positions could not be identified using open source and the targeted email addresses do not appear anywhere on the company website.
The company is being targeted by Emotet malware (attached to all three malicious emails). This malware has evolved and become a significant threat to companies as it currently can steal sensitive information and leverage infected devices in attacks against other networks.


 

These analysis results illustrate how a recipient could be fooled into opening an infected email.   Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all those involved in the maritime transportation supply chain.

Pre-empt, don’t just defend

Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.


The more convincing an email appears, the greater the chance employees will fall for a scam.  To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human-element as well as organizational workflows and procedures.

It is imperative to:

  • Train all levels of the marine supply chain to realize they are under constant cyber-attack.
  • Stress maintaining constant attention to real-world cyber consequences of careless cyber practices or general inattentiveness.
  • Provide practical guidance on how to look for a potential phishing attempt.
  • Use direct communication to verify emails and supply chain email communication.
  • Use Red Sky Alliance RedXray proactive support, our Vessel impersonation information and use the Maritime Black Lists to proactively block cyber attacks from identified malicious actors.



  • Over the past two years, the United States has built an increasingly fruitful security relationship with the Republic of Cyprus. Our two countries have been working to train teams from Mediterranean countries in a variety of security fields. For example, the State Department’s Bureau of International Security and Nonproliferation (ISN) has held a number of training events in the Republic of Cyprus, most notably for Lebanese and Egyptian government officials.
  • To expand this cooperation and to support capacity-building in nations where in-country training is impossible, our two countries have agreed to construct a regional border security training hub in the Republic of Cyprus — the Cyprus Center for Land, Open-seas, and Port Security (CYCLOPS).
  • CYCLOPS will allow the United States and our partners to provide technical assistance in more areas related to security and safety, including customs and exports control, port and maritime security, and cybersecurity.
  • The training facility will include a number of different hands-on training platforms, including a mock land border crossing, passenger screening area, and a mobile cyber security training lab, which will enable regional partners to learn best practices for securing critical infrastructure and to engage in cross border, counterproliferation cyber investigations.
  • CYCLOPS will support our efforts to curb the proliferation risks posed by malign regional actors and violent extremist organizations.
  • The construction and ongoing support for CYCLOPS is a true partnership. The United States will provide equipment, trainers, and other capacity-building support, while the Republic of Cyprus will contribute land, facilitate travel, and provide trainers.
  • Construction of the training facility is expected to begin later this year.

Source: state.gov

As mentioned the cabin switch appeared to be the key to all our access requirements. From that we could get to the trunk network, and all those TV, VOIP, and Wi-Fi services, a raft of different VLANs that are very interesting to an attacker.

Physically the big problem was that the cabin switch was located in the narrow passageway corridor between cabins. In that small space I had to open a panel, open the box it was in, then physically unscrew the switch and then connect to it to mess about with it. It meant being in the way of foot traffic.

As only a few of the ship’s crew knew what we were onboard for we really needed to stay incognito. That’s quite a challenge on a vessel with 500 CCTV cameras and plenty of people walking about, we’re getting in their way and getting noticed. The solution to staying under the radar was to do it all from inside our cabin, which was no mean feat.

First we unplugged the ethernet cables from the back of our TV and VOIP phone. We then went to the cabinet in the wall in the passageway, where we bridged directly onto the trunk with those cables. This meant that we had taken our cabin switch out of the network so it was feeding into our cabin via this structured cabling that was already installed. That solved part of the problem.

We then put our own switch into that loop so now we were part of that VLAN trunk, nicely connected to that big loop. It meant we could intercept all of the traffic on the VLANs and we could connect to all of the devices on those VLANs too. While we managed to get the TVs’ default passwords we couldn’t really do much apart from stopping them working. The VOIP phones also had default passwords, but again we were limited to changing their settings so they didn’t work. The Wi-Fi was quite secure so there wasn’t much we could do to that either.

The CCTV was different though. The CCTV and Video Management System (VMS) connected out to all of the cameras using RTSP, a plain text protocol. The cameras required a properly authenticated login, but we could intercept this and so connect to the cameras- all of the cameras on the ship. Now we could watch all the video feeds from the comfort of our cabin.

After that we reviewed the cabin control system for the lighting, HVAC, door, and water. Most systems like this with hundreds of nodes will connect back to a service. They usually make a connection from the device through to the server, but this one was different as it worked the other way around.

Here the cabin control server established connections out to the controls in the cabins. While this was unusual it meant we didn’t have to compromise the cabin control server to interact with the cabin controls. We were on the VLAN that they were all on so we could come along with our switch and directly compromise all of the cabin controls. We could turn the lights on and off, we could mess about with the aircon, we could lock people out of their cabins, and we could even open doors on the accessibility cabins- the ones with automated doors.

With all of these areas covered we could negatively affect the passengers, to make them uncomfortable or even cause some distress. This means that they will complain, en masse, and that is going to be very expensive to manage.

The other thing we thought would be amusing would be writing something on the side of the ship using cabin lighting, by turning certain cabins’ lights on or off to create a pattern or word viewable from a distance outside. Some ships have this functionality, where the cabin control system uses them as a sort of grid through which you can write things on the side of the vessel.

The serious issue here is that the switches were physically accessible to us. Of course we had to be in the passageway for physical access but there’s a common attack that we regularly carry out against switches. Most Cisco switches have a password recovery mode. It means that you can reboot the switch, and through its serial console dump the config file.

That config file contains information on existing VLANs, such as hashes or possibly even encrypted versions of the passwords. After dumping a config off one of the cabin control switches (taking two or three minutes) we had the hashed passwords. Once transferred to our cracking rig it took about two days to recover them:

The password here was reasonably good, it wasn’t “cisco” or “ship” for example.

We tried it against the cabin switches but none of them had a network logon. However we could plug in via serial and connect that way but that’s not particularly bad. However, as we’ve got access to this trunk we’ve also got access to those RDPs. We found that one of the RDPs had its management interface left exposed to the trunks that we could access, and that RDP had left the web interface enabled, which is bad.

That username and password we recovered from one cabin switch worked on that single RDP. It appeared that during commissioning that particular single RDP hadn’t fully been commissioned- they hadn’t changed the password. We gained access to that RDP and that allowed us to intercept all of the traffic on that fibre trunk. We weren’t just able to access the things on the cabin switch loops anymore, we could see pretty much everything on the vessel, excluding the ICMS industrial control systems.

These VLAN trunks run all over the ship. You can connect from inside the cabin using the TV and phone cables, get access to many systems as well as sniff to get any plain text auth. So, not using https actually had a serious impact here. One brute forcible password that worked on just one part of the core network allowed us to intercept all of the VLAN trunks. That is a significant compromise.

Now this was just an omission, and it did take quite a lot of effort to get to this point but it was a problem of vulnerability.
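From the defender's side, the weaknesses described above (config recoverable through the console, crackable credential formats in that config, a web management interface left enabled, trunks carrying every VLAN) can be checked in a saved switch configuration. The Python sketch below is an added example, not code from the original write-up; both sample configurations are constructed with placeholder hashes, the finding labels are hypothetical, and it assumes Cisco IOS-style syntax (`no service password-recovery` is only available on some platforms).

```python
import re

# "enable secret 5 <hash>" / "username bob privilege 15 password 7 <string>" etc.
CRED_RE = re.compile(
    r"^(?P<who>enable|username\s+\S+)(?:\s+privilege\s+\d+)?"
    r"\s+(?P<kind>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)$"
)

# Credential encodings that are readable or fast to attack once the config leaks.
WEAK_TYPES = {
    None: "stored in clear text",
    "0": "stored in clear text",
    "7": "type 7 is reversible obfuscation, not a hash",
    "5": "type 5 is salted MD5, fast to attack offline",
    "4": "type 4 is unsalted SHA-256, deprecated",
}


def iter_interfaces(lines):
    """Yield (interface name, [stripped sub-commands]) for each interface block."""
    name, body = None, []
    for ln in lines:
        if ln.startswith("interface "):
            if name:
                yield name, body
            name, body = ln.split(None, 1)[1].strip(), []
        elif name and ln.startswith(" "):
            body.append(ln.strip())
        elif name:                      # "!" or any top-level line ends the block
            yield name, body
            name, body = None, []
    if name:
        yield name, body


def audit_ios_config(text):
    """Return a list of (check_id, detail) findings for one saved configuration."""
    lines = text.splitlines()
    top = {ln.strip() for ln in lines}
    findings = []
    if "no service password-recovery" not in top:
        findings.append(("password-recovery",
                         "console password recovery can expose the stored config"))
    if "ip http server" in top:         # "no ip http server" is a different line
        findings.append(("http-mgmt", "plain-HTTP management interface enabled"))
    for ln in lines:
        m = CRED_RE.match(ln.strip())
        if m and m.group("type") in WEAK_TYPES:
            findings.append(("weak-credential",
                             f"{m.group('who')}: {WEAK_TYPES[m.group('type')]}"))
    for name, body in iter_interfaces(lines):
        is_trunk = "switchport mode trunk" in body
        pruned = any(b.startswith("switchport trunk allowed vlan") for b in body)
        if is_trunk and not pruned:
            findings.append(("trunk-all-vlans", f"{name}: trunk carries every VLAN"))
    return findings


# Constructed sample configs; hostnames, VLAN ids and hashes are placeholders.
WEAK_CONFIG = """\
hostname cabin-sw-example
service password-encryption
enable secret 5 $1$CONSTRUCTED$placeholderplaceholder00
username admin privilege 15 password 7 0000PLACEHOLDER
ip http server
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 110
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
end
"""

HARDENED_CONFIG = """\
hostname cabin-sw-example
no service password-recovery
enable secret 9 $9$CONSTRUCTED$placeholderplaceholderplaceholder
no ip http server
ip http secure-server
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 110,120
!
end
"""

if __name__ == "__main__":
    for check, detail in audit_ios_config(WEAK_CONFIG):
        print(f"[{check}] {detail}")
```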

Issue 4: I Am The Captain Now!

If you’ve been on a cruise recently you’ll have seen crew carrying tablet devices. When there’s a muster or safety drill they’ll be taking muster on a tablet. If you order in one of the restaurants it will be on a tablet. If they come to your room with room service they will have a tablet.

This is usually called a Passenger Management System (PMS) and it deals with cabin assignment and access control. As a result it’s linked to the access control system, to allow the management of cabin key cards. It also does booking and billing in the restaurant, it does mustering, and it also can hold your passport details for Immigration. It’s core to how the vessel operates.

All the tablets on this vessel used 802.1X certificates for the Wi-Fi, and the tablets were actually quite well hardened. We couldn’t get anything off them easily so we couldn’t get those certificates to gain access to the Wi-Fi. We could have spent time doing something to possibly root one of the tablets or gain the creds from somewhere else.

But why go to those lengths when we’ve already got access to every VLAN on the vessel including the VLAN that carries the Wi-Fi traffic from all of the tablets? We can intercept that traffic, which is what we did.

The tablets’ 802.1X was implemented by the cruise company as they wanted to add that layer of security. However the PMS used http so there was no encryption between the tablets and the server. That let us sniff credentials amongst the other network traffic. What we found was an SQL server which was passing its username and password in the plain, across this network. Once we gained access to those VLAN trunks we could get this username and password:

We could then add our own user into the PMS and we could pretty much do what we want. For example, I could book myself into the best restaurant on the ship and not have to pay for it.

The best bit was being able to log in as the captain! We could go to the restaurant, order the most expensive bottle of wine and bill it to the captain. This is a serious impact. The PMS had good Wi-Fi security that was put in place by the cruise company but the PMS vendor used http for the communications, and that just wasn’t secure enough.

We’ve covered those common SQL creds but we’ve not managed to test them on any other ships. It’s possible they could be the same across other ships, meaning we could arrive on board and pretend to be anyone from the crew. We could wipe details, we could order things in restaurants. I think we comprehensively owned this ship.

Conclusion

  1. The attacks required detailed knowledge
  2. It was third-parties who introduced most risks
  3. Denial-of-Service is very costly
  4. Cruise ships are fun

These attacks did require detailed knowledge. We had to be on the vessel and we had to have a good level of understanding. One of the problems with a ship is that it’s hard to perform things like intrusion detection remotely. You might be able to sniff traffic but you’ve only got limited amount of bandwidth to send that back to a SoC. On this engagement no-one really noticed us, we dressed smartly and the couple of times that people noticed us opening cabinets and things like that no one said anything. That isn’t always going to be guaranteed though.

Most of the issues we found were introduced by third parties. The cruise company had done a lot to secure those networks but it was third parties putting systems in and making mistakes, and just not doing security properly, that created the problems.

For a ship a Denial of Service is extremely costly. If you can stop a cruise ship leaving its berth (especially in one of the smaller ports where there are only one or two berths) and another ship is waiting to dock, the port can charge huge sums of money. We’re talking tens or hundreds of thousands of dollars per day.

The fallout is that you’ll have passengers complaining, you’re going to possibly have to reschedule flights, maybe get hotels for people, your next cruise may be delayed.

Crashing cruise ships into each other is the stuff of movies, and that’s fine for Hollywood. The real impacts however come from hackers being able to cause your passengers annoyance, discomfort, and distress.

Source: pentestpartners


KR issues world’s first cyber security class notation to HHI for very large LPG carriers

The Korean Register (KR, Chairman & CEO, LEE Hyung-chul) has presented Hyundai Heavy Industries (HHI) with the world’s first Cyber Security (CS Ready) class notation for a very large liquefied petroleum gas (LPG) carrier.

The presentation took place at KR’s Headquarters in Busan on 18 September, in the presence of Hyundai LNG Shipping (HLS, President & CEO, LEE Kyu-bong), Hyundai Heavy Industries (HHI, President & CEO, HAN Young-seuk) and, Korea Shipbuilding & Offshore Engineering (KSOE, CEO, KWON Oh-gap).

Hyundai LNG Shipping is the owner of the very large LPG carrier built by HHI which is scheduled for delivery later this month. KR granted the notation after completing successful document and field inspections, which included Kongsberg Maritime’s ship alarm and monitoring system (AMS) and Hyundai Global Service’s Integrated Smart ship Solution (ISS).

This is the first time the KR cyber security notation has been awarded to a very large LPG carrier. The notation is issued to newbuilding ships that have successfully passed 49 inspection items in a total of 12 categories, including risk and asset management, cyber incident response and recovery.

The four companies have been collaborating on joint research and developments for the past eight months, while working to apply and verify KR’s cyber security Rules for newbuilding ships. HHI and KSOE have built a cyber security network encompassing the main systems, conducting risk assessment and vulnerability diagnosis for cyber security threats and KR has carried out and completed cyber security inspections across the network. As part of the comprehensive technological testing, KR conducted its first MITRE ATT&CK [1]* based penetration test to verify the safety of the cyber security system.

Mr. LEE Hyung Chul, Chairman and CEO of KR said at the presentation event: “The success of this joint research has enhanced our excellent cyber security technology status around the world. KR will continue to strengthen its global cyber security leadership, and will work to increase its unrivalled expertise and widen its certification capabilities.”

Mr. CHOI Jang-pal, Head of Business Operation Division, HLS said: “We are very pleased to secure the cyber security notation from KR which offers the highest standard of certification capabilities worldwide. Ship cyber security risk management is a top priority, and we will continue to proactively ensure our practices and processes offer the highest level of protection.”

“Through our collaboration with KSOE, we will continue to procure preemptive technology and to build smart ships with industry-leading differentiated cyber security systems. In today’s world, we must deliver ships which are fully certified for maritime cyber security,” added Mr. KIM Jae-eul, HHI Executive Vice President, CTO.

Newbuilding vessels increasingly need cyber security notation as the application of digital technologies such as advanced automation and integrated control systems becomes more common. In addition, the International Maritime Organization (IMO) is expected to strengthen its demands for cyber security risk management from 2021.


[1] * ATT&CK: a model developed by MITRE in the U.S. referring to Adversarial Tactics, Techniques, and Common Knowledge, which presents attack tactics and infiltration techniques as a framework through case analysis of activities after (or before) penetration of cyber attackers. https://attack.mitre.org


The Maritime Transportation System (MTS) in association with the Information Sharing and Analysis Center (ISAC) of the United States has issued a warning to all tug owners that all their connected operations are vulnerable to cyber threats like malware hits, virus infections and state-funded hacks.

Readers of Cybersecurity Insiders should note that this is the first alert of its kind issued to all organizations with tug operations. The warning was issued after a maritime facility received a phishing email with a voicemail-attachment theme, which was reported to Louisiana InfraGard, an agency concerned with cyber threats, which in turn alerted MTS-ISAC.

The email carried an Office 365 “eVoiceMail Express” themed message imitating a vessel operator.

When the security analysts from ISAC analyzed the email, they discovered that one of the HTTP requests was not flagged by any threat detection solution because of its sophistication. There was also a notable difference in the email content: most of the content appeared in three different fonts, suggesting that similar copied-and-pasted emails were sent to other victims as well. The IP address was geolocated to Germany and marked as a spam sender.

Vessel operators that fall prey to such cyber attacks are requested to quickly report the incident via the mtsisac dot org website.

NOTE 1 - A tug is a small boat that is used to pull big ships or large vessels under various circumstances.

NOTE 2 - Louisiana InfraGard is a DHS-aligned non-profit organization that works by sharing information and intelligence related to hostile acts against North America.

NOTE 3 - MTS issued a warning in August through a webinar titled “Where the port security meets Cyber Security”.

Source: cybersecurity


Experts believe that more crew cyber training is needed as the International Maritime Organisation (IMO) 2021 deadline to incorporate cyber security into management systems looms. Just how much training is required, or whether a designated person aboard shall be assigned as a cyber expert on board, is still up for discussion.
From 1 January 2021, ship-owners must include cyber security in ship safety management systems under amendments in IMO’s International Ship Management (ISM) Code. Ship-owners and managers have just four months before a key deadline in cyber risk management is passed and ship security comes under greater scrutiny.
Preparations should already be underway to include cyber risks as part of a ship’s safety, said Norton Rose Fulbright partner Philip Roche, who said this should include training and security-breach drills. “There are many threats out there,” said Mr Roche during Riviera Maritime Media’s ‘Minimising cost and disruption after a cyber event’ webinar on 6 August, which was the concluding event of the Maritime Cyber Security Webinar Week. Ship-owners “need to consider risk management and cyber-attack recovery,” Roche said. “Good safety management requires a plan to be in place now if the ship is to be seaworthy…. cyber security is another risk to be managed as part of the safety management of the ship.”
This could be policed in the future by port state control, whose inspectors may request information on cyber risk management for a vessel as part of its seaworthiness.
In a test for seaworthiness, the ship “must have a degree of fitness, which a prudent ship-owner would require the vessel to have at the commencement of its voyage”. This degree of fitness extends beyond the physical condition of the ship and includes having properly trained crew able to deal with contingencies arising at sea. Such tests are to be considered against the current state of knowledge of the risks and regulations in the industry. “This means port state control would take an interest in cyber training and consider cyber risk management and attack recovery,” said Mr Roche.
To ensure a ship is seaworthy today, the ship needs to have reasonable measures to protect against a cyber attack, including trained crews who have good cyber hygiene practices and are aware of risks, and a plan to detect, deal with and recover from a cyber-attack.
ISM Code
To deal with and recover from a cyber attack, there is plenty of shipping industry guidance available from various maritime organisations, including the IMO and BIMCO. Key to this preparation is following the ISM Code, which requires that the safety-management objectives of the company provide for safe practices in ship operations and a safe working environment. To follow the ISM Code, owners assess all identified risks to ships, personnel and the environment, establish appropriate safeguards, and continuously improve the safety-management skills of personnel ashore and aboard ships, including preparing for emergencies related both to safety and environmental protection.
Owners can look at IMO guidance on cyber security, which covers developing and implementing activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber event. Ship operators need to identify measures to back up and restore the cyber systems necessary for shipping operations impacted by a cyber event. They must also distinguish between an attack affecting IT and an attack on operational technology (OT), which includes cyber threats to ship propulsion control, steering, navigation and communications systems.
Cyber Risks in Ports
Further digitalisation in ports is increasing their vulnerability to hackers and cyber-attacks. As more technology is linked to the internet, the frequency of these threats and chances of a successful breach increases.  Cyber security needs to be improved in ports before internet of things (IoT) is introduced into port infrastructure.  With more automation in ports, some of these networks are overlooked by IT teams and could be vulnerable to hackers.
Cyber Breach Response
In an initial assessment of a cyber breach, a response team must find out how the incident occurred, which IT and/or OT systems were affected, then how that happened. The extent to which the commercial and/or operational data is affected needs to be established, and to what extent any threat remains. Following this initial assessment, a ship’s data, IT and OT systems need to be cleaned, recovered and restored as far as possible to an operational condition by removing threats from the system and restoring software.  A thorough investigation is then needed to understand the causes and consequences of a cyber incident, with support from an external expert, if appropriate.
To prevent a re-occurrence, ship-owners need to implement actions from the outcome of the investigation, addressing any inadequacies in technical and/or procedural protection measures, and change on-board procedures and work culture to prevent another cyber breach.
“There needs to be constant reminders of cyber hygiene and someone needs to keep an eye on board, perhaps as a cyber security officer ….” Crew can “act as a buffer to reduce the effects of a successful attack” if they are trained and regularly practice, said Mr Roche.
Guidance: Key Issues To Address In Onboard Contingency Plans
The following is a non-exhaustive list of cyber incidents for contingency plans to consider:
• Loss of availability of electronic navigational equipment or loss of integrity of navigation-related data.
• Loss of availability or integrity of external data sources, including but not limited to Global Navigation Satellite Services.
• Loss of essential connectivity with the shore, including but not limited to the availability of Global Maritime Distress and Safety System communications.
• Loss of availability of industrial control systems, including propulsion, auxiliary systems and other critical systems, as well as loss of integrity of data management and control.
• The event of a ransomware or denial of service incident.
Sources: IMO; GovUK; ImproSec; Safety At Sea; Riviera

Further digitalisation in ports is increasing their vulnerability to hackers and cyber attacks. As more technology is linked to the internet, the frequency of these threats and chances of a successful breach increases.

Cyber security needs to be improved in ports before internet of things (IoT) is introduced into port infrastructure. With more automation in ports, some of these networks are overlooked by IT teams and could be vulnerable to hackers, said University of Plymouth, Faculty of Science and Engineering lecturer in cyber security Kimberly Tam.

She was speaking during Riviera Maritime Media’s Where port security meets cyber security webinar. This was held at the beginning of Riviera’s Maritime Cyber Security Webinar Week, in association with Maritime Transportation System – Information Sharing and Analysis Center (ISAC), on 4 August.

Dr Tam, who is also academic lead of the university’s Cyber-Ship Lab, said even having back-up systems may not be secure enough.

“Our world is changing. There is more technology and possibilities to create new crimes, which is increasing cyber attack risks,” she said. There have been “leaps in autonomy and information sharing” that are creating vulnerabilities.

“We have seen cyber attacks on infrastructure, energy networks, ports and on port cranes,” Dr Tam continued. “As there is more remote monitoring with sensors, there are new devices that can be hacked.”

Supervisory Control and Data Acquisition (SCADA) networks are particularly vulnerable to hackers due to their weak defence. “SCADA networks get overlooked by IT specialists,” said Dr Tam.

More worrying for port operators is their inability to detect if there has been an intrusion into their IT, SCADA or IoT networks. Dr Tam said would-be hackers could be snooping inside servers undetected. “Hackers would need a lot of reconnaissance of maritime and port servers,” she explained. “We are unable to see who is inside these networks.”

Port operators may not know the intentions of potential hackers or ransomware until it is too late. Hackers could be inside servers to steal information, feed misinformation about manifests, or to input ransomware. “It is not just smash and grab,” said Dr Tam.

With more IoT application in ports, vulnerability of operational technology (OT) to cyber threats is increasing, reducing the air gap between this technology and the connected network. Dr Tam warned these trends lower the security within OT to cyber threats.

If port operators introduce redundancy into IT and OT this could improve security and recovery after an intrusion. “But if this redundancy is too similar, they will have the same vulnerabilities,” said Dr Tam.

University of Plymouth is researching appropriate risk assessment for cyber and cyber-physical systems in maritime and in ports. It is looking at IT and OT systems, with the “aim of giving people information critical for cyber safety and cyber resilience in this sector”, said Dr Tam.

“We are looking at specific case studies for cyber security at ports and we are talking to many in the cruise, container and oil sectors.” The university is considering the plausibility of attacks, calculating realistic risks and the cost of a port cyber attack.

University gains US$3.9M funding for bridge system assessment platform

University of Plymouth’s maritime cyber threat research group’s Cyber-Ship Lab project has made significant progress since it secured £3M (US$3.9M) combined Research England and industry funding in January.

It is creating a unique platform to reproduce any ship’s bridge systems – in service or under development – to assess their cyber risk.

This project has 20 partners on board. More are expected to follow as the research group has gained 150 additional expressions of interest from shipbuilders, maritime IT and operational technology manufacturers, classification societies and insurers.

Named partners include BMT UK, BT Ventures, Eaton, Hensoldt UK (formerly Kelvin Hughes), Altran Group’s Information Risk Management and Lloyd’s Register’s Nettitude.

This project is in the design and build phase. This involves acquiring an extensive and comprehensive collection of in-service or under-development ships’ bridge equipment such as voyage data recorders, radars, automatic identification systems, ECDIS, firewalls, switches, and uninterruptable power supplies.

Various partners have committed to, or are in discussions about, providing their experts’ time or real-world datasets to populate the Cyber-Ship Lab platform.

The group has secured an additional £160,000 (US$207,843) MarRI-UK funding for its Maritime Cyber Risk Assessment framework (MaCRA) work. This has progressed to the market validation stage of the UK Government’s Department for Digital, Culture, Media & Sport’s cyber security academic start up accelerator funding competition, Cyber-ASAP.

Meanwhile, as part of its Cyber-MAR project involvement, the research group is progressing complementary cyberrange work with specialised European container port authorities, enabling them to assess cyber risk and build threat resilience.

Source: rivieramm


In the digital age, information security and data safety issues are critically important. Even large IT companies that are developing complex software and hardware solutions, Internet platforms and IoT (Internet of Things) devices often cannot provide the required level of cybersecurity. Everyone is aware of the latest cases of information leakage and hacking of the protection of such companies as Twitter, Garmin, Intel and other huge industrial players, which were attacked in 2020. And this has an impact on us all, because we or our friends and relatives can be users of any of these products.

Cybersecurity has a huge potential to affect the safety of the crew, vessel, cargo and even ports. Cybersecurity is concerned with protecting IT systems, onboard hardware and sensors against unauthorised access, manipulation and disruption, and against data leaks. Cybersecurity policies and plans cover different types of risks, such as information integrity and system and hardware availability on board and in the office of the shipping company. Incidents can result from:

  • Problems with data transfer from the shipping company to the vessel and vice versa. For example, an incorrect transfer of charts from the shipping company to the vessel’s ECDIS can delay the voyage or even risk resetting all charts already installed on the ECDIS
  • Problems with onboard equipment and hardware. Not every member of the crew knows what to do with every piece of operational equipment installed on board in case of disruption or even disaster. That can lead to more severe consequences for vessel operations
  • Loss of or manipulation of external sensor data that is critical for the operation of a ship. Not to mention the problems that may occur if vessel systems or shipping company systems are attacked by hackers.

These are just examples of what can happen with the systems of the ship and the shipping company. With the development of information technologies in maritime logistics, such problems will arise more often if measures are not taken to prevent them in advance.

Cyber Risk Management should:

  • Define the roles and responsibilities of users, key personnel and management both ashore and aboard
  • Identify systems, assets, data and capabilities that, if breached, could pose a threat to the operations and safety of the ship
  • Implement technical and procedural measures to protect against cyber incidents and ensure business continuity
  • Carry out activities to prepare for and respond to cyber incidents.

The company’s Cyber Risk Management plans and procedures should complement the existing security risk management requirements of the ISM Code and the ISPS Code. Cybersecurity should be seen at all levels of the company, from top management onshore to onboard personnel, as an integral part of the safety culture required for the safe and efficient operation of a ship.

Vessels are increasingly integrated with onshore operations as digital communications are used to conduct business, manage operations, and keep in touch with office managers. In addition, critical vessel systems required for the safety of navigation, power supply and cargo management are increasingly digitized and connected to the Internet to perform a wide range of legitimate functions, such as:

  • Monitoring of engine operation
  • Service and management of spare parts
  • Loading, handling, crane, pump control and laying planning
  • Vessel performance monitoring.

It is important to protect critical systems and data with multiple layers of safeguards that address the role of people, procedures, and technology to:

  • Increase the likelihood of detecting a cyber incident
  • Increase the effort and resources required to protect information, data or the availability of IT hardware.

Connected hardware on board should require more than one technical and / or procedural protection. Perimeter defenses such as firewalls are important to prevent unwanted intrusion into systems, but may not be sufficient to combat internal threats.
This defense in depth approach encourages a combination of:

  • Physical safety of the vessel in accordance with the ship security plan (SSP)
  • Network protection, including efficient segmentation
  • Intrusion detection
  • Periodic scanning and testing of vulnerabilities
  • Software whitelist
  • Access and user controls
  • Appropriate procedures regarding the use of removable media and password policies
  • Staff awareness of the risks and familiarity with the relevant procedures.

But how important is cybersecurity in the maritime industry?

Marine Digital Fuel Optimization System is a cloud-based system hosted at Amazon facilities in compliance with cybersecurity requirements.

AWS IoT Core provides automated configuration and authentication upon a device’s first connection to AWS IoT Core, as well as end-to-end encryption throughout all points of connection so that data is never exchanged between devices and AWS IoT Core without a proven identity.

AWS IoT Device Defender audits device-related resources (such as X.509 certificates, IoT policies, and Client IDs) against AWS IoT security best practices (e.g., the principle of least privilege or unique identity per device). It also continuously monitors our device fleets for abnormal device behavior that may be indicative of a compromise, using high-value security metrics from the device and AWS IoT Core (e.g., the number of listening TCP ports on your devices or authorization failure counts).
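The kind of threshold monitoring described above can be illustrated offline. The following is an added example, not Marine Digital's or AWS's code, and it makes no AWS calls: it evaluates the two metrics the text names against per-device thresholds and raises or clears an alarm only after a run of consecutive datapoints. The metric names are the ones Device Defender uses; the thresholds, device names and reports are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Behavior:
    name: str
    metric: str       # metric name as reported by the device or the cloud side
    max_value: int    # a datapoint above this value is a violation
    to_alarm: int     # consecutive violating datapoints needed to raise an alarm
    to_clear: int     # consecutive compliant datapoints needed to clear it

# Thresholds are constructed for illustration: a data-collection box that
# should expose at most one listening TCP port and rarely fail authorization.
BEHAVIORS = [
    Behavior("listening-ports", "aws:num-listening-tcp-ports", 1, 2, 2),
    Behavior("auth-failures", "aws:num-authorization-failures", 5, 1, 1),
]

class FleetMonitor:
    def __init__(self, behaviors):
        self.behaviors = behaviors
        self._state = {}  # (thing, behavior name) -> [in_alarm, streak]

    def ingest(self, ts, thing, metrics):
        """Apply one metrics report; return the alarm/clear events it caused."""
        events = []
        for b in self.behaviors:
            if b.metric not in metrics:
                continue  # no datapoint for this metric: state is unchanged
            value = metrics[b.metric]
            state = self._state.setdefault((thing, b.name), [False, 0])
            in_alarm, streak = state
            violating = value > b.max_value
            # The streak counts consecutive datapoints that contradict the
            # current state; one agreeing datapoint resets it, so a single
            # transient spike never raises an alarm when to_alarm > 1.
            streak = streak + 1 if violating != in_alarm else 0
            if streak >= (b.to_clear if in_alarm else b.to_alarm):
                in_alarm, streak = not in_alarm, 0
                events.append((ts, thing, b.name,
                               "ALARM" if in_alarm else "CLEAR", value))
            state[0], state[1] = in_alarm, streak
        return events

def _report(ports, auth_failures):
    return {"aws:num-listening-tcp-ports": ports,
            "aws:num-authorization-failures": auth_failures}

# Constructed sample reports: (minute, thing name, metrics).
REPORTS = [
    (0, "fos-box-001", _report(1, 0)), (0, "fos-box-002", _report(1, 0)),
    (5, "fos-box-001", _report(1, 0)), (5, "fos-box-002", _report(3, 0)),
    (10, "fos-box-001", _report(4, 0)), (10, "fos-box-002", _report(1, 0)),
    (15, "fos-box-001", _report(4, 9)),
    (20, "fos-box-001", _report(4, 0)),
    (25, "fos-box-001", _report(1, 0)),
    (30, "fos-box-001", _report(1, 0)),
]

def run(reports=REPORTS):
    monitor = FleetMonitor(BEHAVIORS)
    events = []
    for ts, thing, metrics in reports:
        events.extend(monitor.ingest(ts, thing, metrics))
    return events

if __name__ == "__main__":
    for event in run():
        print(event)
```

The second device shows a single-report spike in listening ports and produces no event, which is the trade-off the consecutive-datapoint setting makes between noise and detection delay.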

Case study of data protection and cyber security by Marine Digital

Cyber risk management approach in shipping

The importance of cybersecurity in the maritime industry

The Marine Digital FOS box (the hardware part installed on a vessel) consists of a Data Collection Unit (DCU), a power supply, and a GSM modem in one robust enclosure. It interfaces with the sources of input signals via a read-only NMEA connection, pulls in data from the integrated sources, encodes and records it to the integrated storage, and then uploads the collected data to the cloud data lake when a GSM connection is available, autonomously from the shipboard systems. So there is no way to access the equipment on board.

Source: marine-digital


Development of Autonomous ship technologies in Korea compared to Europe.

It is undeniable that Korea is a leading country in the shipbuilding industry. After Hyundai Heavy industries entered shipbuilding in 1968, Korea got ahead of Japan becoming the 1st in the global shipbuilding industry and rose to the number five spot as a maritime powerhouse. Nonetheless, it is said that the technology development of autonomous ships in Korea is about 5 years behind compared to Europe.

Many companies around the world are working on maritime autonomous surface ships, among which Kongsberg and Rolls-Royce seem to be more ahead of others. As Norway’s Kongsberg Maritime acquired Rolls-Royce Commercial Marine in April 2019, they are now fully integrated and the autonomous shipping projects are being conducted under a new organization.

Korean technological innovation toward autonomous ships

Recently, the Korean government announced $132 million will be spent on developing autonomous sailing technology for six years, to achieve the goal of commercializing oceangoing ships that meet level 3 autonomous navigation defined by the International Maritime Organization (IMO).

To realize a fully unmanned autonomous ship soon, technologies such as intelligent navigation systems, instrumental automation systems, communication systems, and land operation management systems must be developed and combined in the best way to allow a vessel to operate safely.

Three big shipbuilders in Korea – Hyundai Heavy Industries, Samsung Heavy Industries, and Daewoo Shipbuilding and Marine Engineering – have already entered the sector, and their current autonomous ship solutions can reach the first stage of ship autonomy.

However, none of them has yet reached the stage of remotely controlled ships. What matters most for autonomous ships is how to combine ship equipment and information and communication technologies with operational technology while ensuring cyber-security, and how to establish the massive infrastructure in which autonomous ships will operate, with smart docking systems at ports and other maritime facilities.

Smart docking at a port ©Rolls-Royce

What technology is needed and how can it be best combined to allow a vessel to operate autonomously?

The technology needed to make a vessel operate autonomously consists of three main parts: ship control systems, digital connectivity from ship to shore, and onshore infrastructure. The first concerns what makes the vessel run autonomously. Subsystems such as sensors, positioning systems and other technologies that detect obstacles on a voyage must function reliably and securely. The data gathered from sensors is combined, in what is called sensor fusion, and fed back into the vessel’s autonomous navigation system, which makes decisions based on it. This is part of the ongoing integration of information and communication technologies with operational technology. Many experts worry that autonomous ships can be hijacked as this system is vulnerable to hacking, putting stakeholders at risk.

The autonomous navigation of vessels is similar to self-driving cars in terms of scanning the surroundings and detecting obstacles using vehicle sensors like camera, radar, and lidar. However, it also differs from a self-driving vehicle in that every vessel of a certain size is tracked and monitored under the Automatic Identification System (AIS), an automatic system using transceivers on ships, which provides much more information for ship autonomous navigation systems than is available to cars. Vessels sailing on the open oceans also go slower than cars.

For an autonomous ship to berth and cross automatically, many sensors on the ship interact with the main system so that the ship can dock without crew on board. Even when a ship using this technology is operated fully without crew, however, it should be connected to a control station, where humans would remotely monitor the ship and its sensors and should be able to take control manually for security as well. Moreover, full autonomy is not the first stage; we would reach middle levels of automation before going fully unmanned.

The Korean government is supporting the project for maritime transport, where a vessel can be controlled remotely, at first with the crew on board. Even this partial automation can help reduce costs and ease the burden on maritime companies facing a shortage of laborers. The labor shortage has been a known issue in the shipping industry as it is hard to find qualified employees. So, automation, whether full or partial, can help fill the gap.

However, this probably means that the technology requires new workers to become more qualified. Although a study of the social impact shows that workers could lose their jobs in several maritime areas due to automation, new jobs can simultaneously be created such as controlling MASS remotely due to there being a control center.

What will be the potential threats for owners and operators of autonomous vessel in the future?

As the benefits of autonomous vessels are multiple and tempting, a variety of organizations, private or public, within the maritime industry have turned toward autonomy to address impediments associated with ship transportation. Progress in machine learning, ship sensors, and related technologies is making the autonomy of ships not only increasingly feasible but also economically attractive. Autonomous vessels are expected to reduce operating expenditures since the costs of their crews and of all human support facilities, systems, and storage are removed.

However, despite these cost-effective advantages, potential threats associated with cyber-attacks must not be neglected. The risks and vulnerabilities linked to autonomous shipping should be anticipated and properly managed with the related technologies advancing. Increased interconnectivity between vessels and onshore infrastructure also increases potential cyber-attacks on ships. Therefore, it is essential to weigh the cyber-risk contours to rank and mitigate any vulnerabilities. As Operational Technology (OT) systems are increasingly automated, the maritime industry has already witnessed cyber-security incidents which led to ships going off their course.

While the existing ships rely on separate systems for managing OT functionality such as bridge, propulsion, and power control, these systems seem to be reaching the end of their life as new technologies are adopted. Maritime company owners and operators have been getting OT systems locally and remotely connected via satellite communications and the internet, leading ultimately to a convergence of IT and OT. Sensors on equipment onboard ships transfer data through communication technology (CT). These new integrated technologies are a double-edged sword, which can enable autonomous systems to operate smoothly but also put the growing automation at a greater risk.

To tackle growing concerns about security threats, IMO has a deadline of 1st January 2021 for Maritime Cyber Risk Management to be addressed in ships’ Safety Management Systems. The main focus of the cyber-security program is to put measures in place to protect both OT and IT. It is estimated that cyber-attacks on the maritime industry operation technology (OT) systems have dramatically increased over the last three years.

As these cyber-attacks can have economic impacts and ripple effects on port infrastructures, it might not be easy for vulnerable ports to be fully recovered through insurance policies after OT systems are attacked. The networks connecting traffic controls, cranes, vessel berth systems, and cargo handling systems are currently under threat and will be more vulnerable to cyberattacks, especially after fully or partially autonomous vessels emerge in ports. To make matters worse, unlike IT systems, OT systems are more vulnerable to threat as they don’t have a dashboard which allows operators to monitor the condition of all connected systems. As the maritime industry progresses towards more digitalization and increases its reliance on networked and autonomous systems, more vulnerabilities will keep emerging.

Unless systems on vessels are properly managed, large new cyber-security loopholes for hackers to break into can spring up. With the maritime industry and its digital exposure becoming similar to industrial systems and OT, maritime companies must move faster towards protecting their systems and providing a reliable and safe operating environment from a security perspective. Proactive measures must be developed and applied to OT systems since maintaining effective cybersecurity isn’t just an IT issue but is a fundamental operational imperative.

The headquarters of the KR in Busan ©the Korean Register

How Korea responds to maritime security challenges

In preparation for IMO’s Maritime Safety Committee’s resolution “Cyber Risk Management in Safety Management System (MSC.428 (98))” to come into effect, Korean Register of Shipping (KR) has been working together with major shipbuilders to enhance and support the application and verification of ship cybersecurity rules. KR signed a memorandum of understanding (MoU) with Hyundai LNG Shipping to conduct joint research on the application, verification, and development of Guideline for Maritime Cyber Security last year. It also signed an MoU with Samsung Heavy Industries (SHI) to conduct a joint study on the “Ship Cyber Security Network Construction and Design Safety Evaluation” this year.

KR seems to be leading a maritime digital transformation in Korea. It established its own maritime cyber security certification system providing a cyber security certification service for maritime companies. KR has been known for its extensive work on cyber security measures working on big data platforms and e-certificate systems with industry. Moreover, the Korean Register aims to deliver 10 practical digital technologies before the end of 2020.

Source: maritimekr


Cyber security is a major concern for vessels at sea today. The impact of unauthorized, and even authorized, access to ships’ systems can be catastrophic, potentially resulting in reputational, financial and environmental damage, robbery, piracy or simply malicious interference. These are all distinct risks for an unprotected vessel.

 

Consider potential cyber risks

Not all threats, of course, may be immediately obvious. While an attack on the main propulsion system that causes the vessel to drift without control will be picked up immediately, navigation and positioning systems can be manipulated to show misleading information, inadvertently guiding the ship into trouble.

As the industry slowly approaches truly autonomous shipping, increased reliance on automated systems heightens concerns about security. Vital systems need to be accessible by authorized personnel but protected against any interference. For this reason, type approval processes for systems designed to protect potentially vulnerable components and systems need to consider how the risks of access, both authorized and unauthorized, can be alleviated.

In its type approval process DNV GL identifies four different security level capabilities in line with the IEC 62443 standard. Security Level (SL) 1, the most basic one, provides protection against casual or coincidental violations. Levels 2 to 4 cover increasingly strict protection levels against intentional violation, depending on sophistication of means and the likely level of resources, motivation and skills of potential offenders. Security Level 4 protects against a highly motivated, highly sophisticated attack.

Maritime cyber security specialist Naval Dome has been working with DNV GL, with both organizations sharing knowledge and expertise to improve security requirements for the maritime industry in general and Naval Dome’s own systems in particular. One of the problems identified was that technicians and manufacturers were able to access on-board systems without the knowledge and approval of the crew, which meant they could potentially infect the systems unintentionally.

Therefore a two-step authorization process was needed for which new algorithms had to be developed to prevent remote access without authorization by a vessel’s senior leadership team. To protect the system it is imperative to verify that the person trying to gain access has the necessary authorization and that every action this person takes is recorded in a secure log to mitigate the risk of an internal attack.

Ram Krishnan, CTO at Naval Dome, explains: “In order to protect against marine cyber threats, Naval Dome has developed a solution that is unique among all other cyber threat solutions, because it is designed to protect from the inside-out. We use our software to protect the system itself, thus blocking the two main vectors of attack – external and internal, since the protection is done on the endpoint (PC/HMI).”

One of DNV GL’s original type approval requirements was that once security logs were saved to disk, they could no longer be changed. However, Naval Dome and DNV GL found that this was not necessarily the most secure way of keeping this data safe. Naval Dome therefore devised a new cloud-based solution in which files and logs can be encrypted and saved for 15 years.
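The two-step authorization and the secure action log described above can be sketched as follows. This is an added example, not Naval Dome's or DNV GL's code, whose algorithms the article does not describe: a technician's request opens nothing until a senior officer approves it, and every decision is written to an HMAC-chained log in which a later edit is detectable. The role names, user names, demo key and 15-minute approval lifetime are assumptions.

```python
import hashlib
import hmac
import json

SENIOR_ROLES = {"master", "chief_engineer"}  # assumed approver roles
GENESIS = "0" * 64

class AuditLog:
    """Append-only log: each entry's MAC covers its fields and the previous MAC."""
    FIELDS = ("seq", "ts", "actor", "action", "detail")

    def __init__(self, key):
        self._key = key       # kept away from the logged endpoint in practice
        self.entries = []

    def _mac(self, prev_mac, body):
        msg = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, ts, actor, action, detail):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "actor": actor,
                "action": action, "detail": detail}
        self.entries.append({**body, "mac": self._mac(prev, body)})

    def first_bad_entry(self):
        """Index of the first entry that fails verification, or None.
        Truncating the tail is not visible here; detecting that needs the
        latest MAC stored somewhere else as well."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: entry[k] for k in self.FIELDS}
            if entry["seq"] != i or not hmac.compare_digest(
                    entry["mac"], self._mac(prev, body)):
                return i
            prev = entry["mac"]
        return None

class RemoteAccessGate:
    def __init__(self, log, crew_roles, approval_ttl=900):
        self.log, self.crew_roles, self.ttl = log, crew_roles, approval_ttl
        self._pending = {}    # request id -> request state
        self._next_id = 1

    def request(self, technician, system, now):
        """Step 1: the technician asks for access; nothing is opened yet."""
        rid, self._next_id = self._next_id, self._next_id + 1
        self._pending[rid] = {"tech": technician, "approved_at": None}
        self.log.append(now, technician, "request", f"rid={rid} system={system}")
        return rid

    def approve(self, rid, officer, now):
        """Step 2: a senior officer, never the requester, approves."""
        req = self._pending.get(rid)
        ok = (req is not None and officer != req["tech"]
              and self.crew_roles.get(officer) in SENIOR_ROLES)
        if ok:
            req["approved_at"] = now
        self.log.append(now, officer, "approve" if ok else "approve-denied",
                        f"rid={rid}")
        return ok

    def open_session(self, rid, technician, now):
        req = self._pending.get(rid)
        ok = (req is not None and req["tech"] == technician
              and req["approved_at"] is not None
              and now - req["approved_at"] <= self.ttl)
        if ok:
            del self._pending[rid]  # an approval is single-use
        self.log.append(now, technician,
                        "session-open" if ok else "session-denied", f"rid={rid}")
        return ok

def demo():
    # Constructed users and key; times are seconds since the start of the demo.
    log = AuditLog(key=b"constructed-demo-key")
    gate = RemoteAccessGate(log, {"capt.lee": "master", "ab.jones": "deckhand"})
    rid = gate.request("vendor.tech", "ECDIS", now=0)
    out = {
        "before_approval": gate.open_session(rid, "vendor.tech", now=10),
        "self_approval": gate.approve(rid, "vendor.tech", now=20),
        "junior_approval": gate.approve(rid, "ab.jones", now=30),
        "senior_approval": gate.approve(rid, "capt.lee", now=40),
        "after_approval": gate.open_session(rid, "vendor.tech", now=60),
        "reuse": gate.open_session(rid, "vendor.tech", now=70),
    }
    late = gate.request("vendor.tech", "ECDIS", now=100)
    gate.approve(late, "capt.lee", now=110)
    out["expired"] = gate.open_session(late, "vendor.tech", now=1100)
    out["log_intact"] = log.first_bad_entry()
    log.entries[3]["action"] = "approve"  # rewrite a denial after the fact
    out["after_tamper"] = log.first_bad_entry()
    out["entries"] = len(log.entries)
    return out

if __name__ == "__main__":
    print(demo())
```

Denied attempts are logged as well as granted ones, so the record shows who tried to bypass the second step and when.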

Machinery connected to communication networks is especially susceptible to cyber threats. (Image: foto-dock.com, DNV GL)

The type approval process

The type approval process starts with an assessment of the equipment and its documentation, including installation and operation manuals, applying DNV GL’s stringent and challenging evaluation principles. This often results in revisions before the next phase, product evaluation and test procedure, can begin.

This first phase can be quite a challenge for vendors. Documentation typically requires revision, which can mean it has to go back and forth a number of times until both parties are satisfied with the outcome. This phase also requires vendors to draft test procedure documents which are then sent to the classification society for revision and approval.

Once all of these files have been assessed and revised as necessary, the process moves on to physical testing. If the vendor opts to have systems tested at DNV GL facilities, the vendor will set up the equipment and test protocols before the testing is carried out. In the case of Naval Dome, software was set up on an ECDIS system at the DNV GL facility in Trondheim. However, vendors also have the option to have independent third-party testing performed by DNV GL experts at their own premises.

The tests

DNV GL’s test procedures are based on marinized versions of the international standards ISA/IEC 62443-4-2 and IEC 61162-460 which comprise seven chapters and cover increasingly stringent levels of security requirements. The tests ensure that cyber security equipment is sufficiently robust to prevent penetration attempts while also assessing aspects such as encryption strength. The process covers:

• Human user identification and authentication
• Unique identification and authentication
• Multifactor authentication for all interfaces
• Access privileges
• Software process and device identification and authentication
• User control and functionality
• System integrity
• Data confidentiality
• Restriction to data flows
• Response time to cyber events
• Network/system segmentation
• Monitoring of events
• Resource availability
• The cyber security software must allow the protected application to run without interference

“The tests are important as they can reveal outdated encryption algorithms which the vendor would need to update,” says Dr Mate J Csorba, Global Service Line Leader at DNV GL Digital Solutions.

The tests include remote access, ensuring that ship systems are accessible to vendors’ technicians and authorized on-board staff, but that protocols are in place to prevent malicious access.

“What we are assessing is the security capability of the product. We check the capability and integrity of features such as firewalling and the configuration of the system,” says Csorba.

Depending on the level of security a system is being type-approved for, the number of requirements in each of the seven chapters will differ. The higher the level, the stricter and greater the number of requirements.

The Naval Dome system proved highly effective in DNV GL’s one-week type approval tests. The testing covered the security of the operational system protected by the Naval Dome solution as well as potential interference with vessel systems. “During testing it was not possible to hack, or take control of, vessel systems, and ultimately the ship. The two-step authorization process as well as network and Wi-Fi access security were tested without being able to compromise the protected marine system,” said Ram.

Security concerns

According to DNV GL, few ships are sailing with adequate security systems. “If all ships were sailing with SL1, that would be better than having no security at all, but sadly they are not,” says Csorba.

Without adequate protection, systems on existing vessels are exposed to threats every time data is transferred from shore to ship, or even when crews or technicians do something as straightforward and routine as updating software, including charts and notices to mariners, directly from a CD, a USB drive or technician’s device.

Systems on older ships can be upgraded but will be difficult to bring fully up to date without retrofitting new systems. DNV GL believes that at least SL3 should be specified for newbuilds. According to the definition, SL3 provides “protection against intentional violation using sophisticated means, extended resources, IACS specific skills and moderate motivation”.

To achieve this level of cyber security protection (or the optimum SL4, which offers similar safeguards to those under SL3 with the addition of high offender motivation), equipment vendors need to fully understand the international standards and participate in appropriate workshops with the type approval organization. These help the vendor gain a full understanding of the type approval regulations and requirements, and help the approval authority understand the equipment. Then both parties can jointly determine the security level the vendor or supplier should achieve.

DNV GL and Naval Dome, currently the only specialists capable of offering an SL4 cyber security solution, were able to demonstrate how relatively simple it is to attack live ship systems. The demonstrations have shown that in the absence of adequate cyber protection, the reported ship position can be shifted and the radar display misled. Similarly, the testing experts were able to turn machinery on and off or disable it, and to override fuel control, steering and ballast systems.

These penetration tests allowed Naval Dome to develop a cyber security product that can protect against all kinds of attacks and meet the SL4 standard. The critical factor in certifying cyber security software at this level is to enable shipping and off-shore facilities to implement cyber security quickly and easily without having to re-certify hardware currently in place. Naval Dome’s cyber security software is loaded onto the existing equipment providing cyber security protection immediately.

DNV GL was one of the first classification societies to recognize the growing threat resulting from increased digitalization in shipping and other industries. Its cyber security type approval was introduced in 2017, with the cyber security class notation “Cyber Secure” added the following year.

Image caption: Attack on the navigation system. A hacker manipulating the navigation system to indicate an incorrect position could cause a severe accident, such as grounding, with potential loss of life and cargo. (Image credit: Mariusz Bugno, Shutterstock.com, DNV GL)

The Cyber Secure notation has three qualifiers: Cyber Secure (Basic), corresponding to SL1 and intended primarily for existing ships; Cyber Secure (Advanced) for newbuilds, which corresponds to SL3 with specific adaptations for maritime systems; and Cyber Secure (+), which covers additional systems not included in the scope of the other two qualifiers but which can be combined with either of them.

Cyber Secure notations by default cover ten systems: propulsion, steering, watertight integrity, fire safety, ballast, thrusters (other than main propulsion), auxiliary systems, communications, navigation and power generation. Other systems can be addressed under the “+” qualifier subject to risk assessments. Under all parts of the notation, a cyber security management system is required for every ship.
Source: DNV GL

