Author: Ewan Robinson, director of maritime communications and solutions provider Yangosat. 

We hacked a ship. The Owner is Liable.

Well, we hacked the communications system of the ship. Technically we have been doing this for a few years.

This time we did it like a “bad guy” would.

We got into the vessel, belonging to a multinational company, and found out everything possible about the system, the setup, the manufacturers information.

This is a very specialised vessel that was alongside in the capitol city of a major European country, carrying out cargo discharge.

We could have broken the system so badly, the vessel would have been back to Sat-C and flag signals.

Any information going through that satcomm would have been able to be collected, checked and used.

As we are Ethical Hackers, we are obliged to act in certain ways. One of them is that we have to tell everyone involved if we did something during testing.

We did. Well, we tried to.

The Owners operators, when we finally managed to get someone in the overworked operations department to listen, didn’t care and ignored us.

The manufacturers didn’t even bother to respond.

All of the test was documented, peer reviewed and otherwise substantiated by trusted persons.

The lawyers are going to have a field day and be very happy.

Ship owners are not.

Owners and operators are being badly supported and advised by these super providers, who use third party engineers, or poorly trained engineers, and leave systems in an exposed state. Equipment manufacturers and developers are so guilty of poor techniques and security that using “industry best practice” is a total contradiction.

Lawyers, P&I and Class are going to be so busy refusing claims in the event of a cyber incident, that the poor owners are not going to know where to turn.

Owners are forced into accepting sub-standard equipment. This equipment cannot be made secure in its current format, and yet the manufacturers and developers, fail to update and secure them.

The providers supply this equipment, along with the bandwidth and engineers who install them, and then incorrectly configure and allow public access to them. The Owner is still liable.

So how were they failed?

We have been presenting at various conferences over the last few years, highlighting how exposed we are as an industry to ‘hackers’ and bad actors.

It normally consisted of a prepared victim vessel, using a system that had been poorly configured by the provider, or the providers appointed/trained engineer, and accessing the equipment onboard, normally the antenna or satcomm system. It’s a quick way to display to an audience just how much we are ‘displaying publicly’.

recently someone asked “what could someone actually do?”

A relevant question we thought, so we tested to see what we could actually do.

As a basic attack, an intruder could lock out all the users from accessing the equipment. They could turn off the satcom, or prevent systems and users onboard gaining access to the internet or to systems onshore or stop onshore reaching the vessel.

OK, so this is annoying and disruptive, costing from a few hundreds to several tens or hundreds  of thousands if the charterer deems “off hire” status due to lack of communications.

Well, that’s quite expensive, potentially.

But what can we learn from the systems we can get at?

A lot.

Given the amount of systems that are exposed to the internet, with poor configuration, it is relatively easy to find a ‘victim’, and to maximise the information gained by using the tools available and exposed by the simplest of mistakes.

Default admin passwords.

There is a need for it, but no excuse for it.

Service Providers, who manage several thousands of vessels, still use engineers who leave default admin usernames and passwords.

So, it’s a fault on one vessel, but it cant really hurt can it?

It can. And it does.

Our target vessel was found.

That took 7 minutes to locate.

It belonged to a very large multinational corporation. The default username and password was still in effect on the VSAT system.

Access was made to the administration area, so all usernames and passwords could be changed. Also available was access to the system by FTP. Even if this had not already been enabled, as we were in the Admin area, we could have enabled it.

This is where major security flaw #1 was found. The FTP access gave access to the entire operating system of the device, not just the FTP area.

Major security flaw #2 was putting a text file in every folder with a map of the entire structure of the operating system.

This allowed for finding and copying the ‘hidden’ password file to our local machine. It was actually encrypted.

2 hours later, it wasn’t.

So now we had all the manufacturers usernames and passwords.

Now we can access the publicly available machines where they have changed the default admin username and password, by using the manufacturers. They have these so the engineers can always get in. Great for business and support, not so for security.

The network connections listed in the antenna setup were then investigated.

The VSAT Modem was accessed, again using default connections on SSH, with publicly available usernames and passwords.

Command line access to the modem was achieved, allowing us to take control and alter the configuration. In effect we could now control the communications in 2 different places.

Such systemic failures, at the developmental and operational level, are going to have huge issues when Cyber 2021 comes into force next year.

Class and P&I will be left wondering who to refuse claims and who to sue for negligence when there are events, while the operators are trusting the providers to implement correctly, and the manufacturers and developers are failing at such basic levels, they will likely be left with the legal responsibility in the first instance.

The lesson of life in todays marine communications environment?

Don’t trust what’s being given to you.

Unless you have had your own trusted IT check what’s gone before, why would you blindly trust a stranger with your vessels now?

The Owner is Liable.

Yangosat is a maritime communications and solutions provider, helping shipowners and providers realise new systems and invigorate existing ones. This article has been reproduced with the author’s permission. 

Terminal operator DP World has become the latest supply chain stakeholder to join the TradeLens blockchain-based digital container logistics platform, jointly developed by Maersk and IBM.

DP World says that it aims to connect all of its 82 marine and inland container terminals, as well as feeder companies and logistics divisions, with TradeLens. In 2019 DP World’s terminals handled 71.2 million TEU containers from around 70,000 vessels.

From the terminal operator’s standpoint, better access to data via the platform will provide improved visibility of container flows across multiple carriers, allowing for more efficient planning at its facilities. The move will also strengthen its own digital offerings via the Digital Freight Alliance, founded by DP World earlier this year to bring together logistics providers using the SeaRates.com, LandRates.com, and AirRates.com platforms.

“Our decision to team up with TradeLens is driven by our vision for intelligent logistics, reducing costs and creating value,” said Sultan Ahmed Bin Sulayem, Group Chairman and Chief Executive Office of DP World.

“DP World is working to deliver integrated supply chain solutions to cargo owners, backed by our global network of ports, terminals, economic zones and inland operations. By working with TradeLens we will accelerate the digitisation of global trade.”

“Modernising the processes by which logistics operate is critical to building more robust and more efficient supply chains which will help economic development and generate more prosperity.”

DP World has already connected Cochin Port in India with TradeLens via API. Plans to collaborate with other DP World business units, including the feeder line Unifeeder, have also been initiated. More than 110 different operators’ ports and terminals are now directly integrated with the blockchain platform.

“It is very encouraging to see the continued adoption of the TradeLens platform among global logistics players as it helps global supply chain customers expand and explore the benefits of digital documentation flows,” said Vincent Clerc, CEO of Ocean and Logistics, Maersk.

“In turn, the broadened geographic scope of the platform provides new opportunities for TradeLens ecosystem participants to innovate and develop digital offerings on the platform.”

Source: https://smartmaritimenetwork.com/2020/05/28/dp-world-joins-tradelens/

Royal IHC (IHC) has been awarded the contract for the engineering and equipment delivery for a new 6,540m³ Trailing Suction Hopper Dredger (TSHD) for Weeks Marine Inc. (Weeks). This is an identical vessel to the MAGDALEN that was delivered in 2017. Part of the contract is the supply of key components as well as the provision of several technical services during the construction process.

The vessel, which will sail under the name R.B. WEEKS, will be built at Eastern Shipbuilding Group’s Allanton Shipyard Panama City, Florida. The new TSHD is designed for beach nourishment and capital dredging works and is highly automated.

IHC is honoured to have been selected by Weeks once again for the vessel design and supply of key components. This repeat order confirms the satisfaction expressed by Weeks about the construction of the MAGDALEN and its performance, and underlines IHC’s proven track record in designing world-class dredging vessels and equipment. Moreover, IHC is very excited and committed to become the partner of choice in a very challenging but promising market, which has all the signs of picking up momentum.

Hans B. Blomberg, Weeks’ Technical Manager Hopper Dredgers, says: “We are excited to be working with Royal IHC again on our sister vessel construction project. IHC’s engineering and hardware supply services will assure that we will once again have a first-class vessel utilising the most modern and innovative technology available on the market.”

His view is shared by Erdinç Açıkel, IHC’s Head of Custom-Built Hopper Dredgers, who adds: “We are proud that Weeks – a long-standing and highly valued customer of ours – has again chosen IHC to be its reliable partner. It underscores the trust that this leading market player in the USA puts in the performance and technology of our engineering and dredging solutions.”

Key components
Like the MADGALEN, the R.B. WEEKS will be equipped with IHC-designed and built equipment, including the complete and highly efficient dredging installation, dredging automation and instrumentation, propulsion and main electrical system. The vessel will again be equipped with IHC’s unique dynamic positioning and tracking (DP/DT) system and eco pump controllers, which will both further enhance its efficiency.

Technical services
IHC will also provide a number of technical services, including the assistance of its qualified engineers for inspection during installation of the delivered equipment at the shipyard, and support during start-up and commissioning of the dredger. The delivery of the R.B. WEEKS is scheduled for early 2023.

Source: https://www.maritimebyholland.com/news/royal-ihc-to-deliver-design-package-and-key-components-for-new-tshd-of-weeks-marine-inc-2/

A consortium of Bouygues, Saipem, and Boskalis has been awarded the contract for design, construction, and installation of 71 concrete Gravity-Based Structures (GBS) which will serve as foundations for the Fécamp offshore wind farm turbines in Normandy, France.

The award was made by Eoliennes Offshore des Hautes Falaises (EOHF), following the launch of the $2,2 billion offshore wind project by EDF Renewables, Enbridge, and wpd on Tuesday.

The contract carries a total value of EUR 552 million (USD 616 million). The contract value split is 40.5% (Bouygues Travaux Publics) 40.5% (Saipem) 19% (Boskalis).

The offshore wind farm will be located between 13 and 22 kilometers off the coast of Fécamp in Normandy. The 71 wind turbines, to be delivered by Siemens Gamesa, will be connected to the gravity-based foundations installed on the seabed at depths between 25 and 30 meters.

Within the consortium, Bouygues, as the leader of the Consortium, and Saipem are tasked with the design, construction, and installation on the seabed of the 71 gravity-based foundations with an individual weight of up to 5,000 tonnes necessary to provide the stability of the 7MW wind turbines. Boskalis is tasked with the design and preparation of the seabed rock foundation prior to GBS installation, and the scour protection and ballasting of the GBS’ after installation on the seabed.

The foundations will be constructed in the Bougainville maritime works yard in the Grand Port Maritime of Le Havre and will be transported by barge to the offshore wind farm site. The works, which will start in the next few days, should be completed by the end of 2022. The commissioning and operational start-up of the wind farm are planned for 2023.

With a total power output of some 500 MW, the Fécamp offshore wind farm should produce the equivalent of the domestic electricity consumption of approximately 770,000 people, representing more than 60% of the inhabitants of the Seine-Maritime department.

Source: https://www.oedigital.com/news/478986-boskalis-bouygues-saipem-jv-to-build-f-camp-owf-gbs

Classification society Korean Register (KR) has signed an MoU with Samsung Heavy Industries (SHI) to conduct a joint study on “Ship Cyber Security Network Construction and Design Safety Evaluation” at the Marine Engineering Research Center of SHI.

Under the MoU, the two organisations have agreed to evaluate the construction and design safety of cyber security networks applicable to new ships. In addition, they will jointly study technologies that can respond to cyber threats faced by ships, by diagnosing ship cyber security vulnerabilities using the cyber security test beds built by SHI.

SHI is recognised for its technological prowess as a result of its cyber security certifications received from major shipping companies based on its proprietary smart ship solution, SVESSEL. It is expected that by combining KR’s classification capability and the smart ship technology of SHI, the resulting synergies will be extremely beneficial to the shipping industry moving forward.

Cyber security risk management will be significantly strengthened in 2021 when the IMO’s resolution “Cyber Risk Management in Safety Management System (MSC.428 (98))” comes into effect. In the lead up to this date, KR and SHI will work together to enhance and support the application and verification of ship cyber security rules.

“Through this partnership and joint research with Samsung Heavy Industries, we will strengthen our ship cybersecurity certification and our technical service capabilities. KR will also continue to increase its cybersecurity technology leadership in the global maritime market using world-class construction technology through our cooperation and close working with shipyards,” said Kim Dae-heon, head of KR’s Digital Technology Center.

Shim Yong-rae, head of the Shipbuilding and Marine Research Institute of SHI, added, “We expect to considerably increase the security capabilities of smart ships through our joint research with KR, which is renowned for its cybersecurity certification technology. In addition, we will continue to deliver ships with the very latest world-class cybersecurity capabilities for our customers.”

Demand for effective cyber security continues to grow. KR established a maritime cyber security management certification system in 2018 and provides certification services for companies and ships, as well as cyber security type approval services for ship networks and automated systems. The maritime cyber security management certification system encompasses the international security standards (ISO 27001 and IEC 62443), the maritime cyber security guidelines of the IMO and the shipping association BIMCO.

Source: https://shipinsight.com/articles/kr-and-samsung-in-cyber-security-agreement

DP World, a leading enabler of global trade, has completed the early stages of integration with TradeLens, a blockchain-based digital container logistics platform, jointly developed by A.P. Moller – Maersk  and IBM.

The collaboration between DP World and the TradeLens platform will help accelerate the digitisation of global supply chains. DP World aims to connect all its 82 marine and inland container terminals, as well as feeder companies and logistics divisions with TradeLens. In 2019 DP World’s terminals handled 71.2 million TEU (twenty-foot equivalent units) containers from around 70,000 vessels.

TradeLens brings together data from the entire global supply chain ecosystem including shippers, port operators and shipping lines. It also aims to modernise manual and paper-based documents, replacing them with blockchain enabled digital solutions.

For DP World the data from its integration with TradeLens will improve operational efficiency with earlier visibility of container flows across multiple carriers. Such visibility includes confirmation of the transport modality that follows the port stay for each container, which in heavy transhipment or rail ports enable better yard planning. It will also expand the capabilities of DP World’s digital platforms created to move online the management of logistics. The DF Alliance, SeaRates, LandRates and AirRates enable shippers to move cargo to and from anywhere at the click of a mouse, across DP World’s network and beyond.

Sultan Ahmed Bin Sulayem, Group Chairman and Chief Executive Office of DP World said:

“Our decision to team up with TradeLens is driven by our vision for intelligent logistics, reducing costs and creating value. DP World is working to deliver integrated supply chain solutions to cargo owners, backed by our global network of ports, terminals, economic zones and inland operations. By working with TradeLens we will accelerate the digitisation of global trade. Modernising the processes by which logistics operate is critical to building more robust and more efficient supply chains which will help economic development and generate more prosperity.”

TradeLens provides visibility across the entire supply chain, from booking to clearance to payments and is built on a wealth of input from the industry including direct integrations with more than 110 ports and terminals, 15+ customs authorities around the world and an increasing number of intermodal providers.

Vincent Clerc, CEO of Ocean and Logistics, A.P. Moller – Maersk, said:

“It is very encouraging to see the continued adoption of the TradeLens platform among global logistics players as it helps global supply chain customers expand and explore the benefits of digital documentation flows. In turn, the broadened geographic scope of the platform provides new opportunities for TradeLens ecosystem participants to innovate and develop digital offerings on the platform.”

Mike White, CEO GTD Solutions and Head of TradeLens, said:

“At its core the TradeLens business model is an open and neutral platform to spur collaboration and digitisation between all parties in the supply chain ecosystem. We are excited to welcome DP World and eagerly await the creation of new potential ways of working for shippers and consignees in global trade. With 4 of the 5 largest global port operators actively engaged with TradeLens, the coverage of the ecosystem continues to expand rapidly.”

DP World has already connected Cochin Port (India) with the TradeLens platform via API technology. Plans to collaborate with other DP World business units, including the feeder line Unifeeder, have also been initiated.

Source: https://seawanderer.org/dp-world-joins-with-tradelens-to-digitise-global-supply-chains