Why shipping is sailing rough cybersecurity seas
The shipping industry seems to be coming round to the notion that IT security is an issue that needs addressing. The third edition of “Guidelines on Cyber Security Onboard Ships” (PDF), published by a group of industry associations and shipping interests, contains advice for shipping companies.
So far, so good. But the document also contains several examples of recent incidents, some of them at sea in busy shipping lanes, which show how easily onboard IT systems can be reached and compromised.
As TechHQ has noted in the past, the IT systems of many ships are antiquated, and data concerning loading and navigation is exchanged between port and ship as plain-text documents carried on USB sticks, i.e. by sneakernet. Systems seem to be updated only when the activities of ‘gremlins’ (as one ship’s captain termed the problems) become too troublesome to bear, by which time it is often too late.
The practices of those who run IT onboard and in port, and of the manufacturers of ship-specific IT systems, are reportedly doing little to improve matters, but they are providing the broader IT community with a seemingly endless series of handy examples of the world’s worst cybersecurity failures.
Like many industries last year, shipping had an unpleasant experience with Petya ransomware. Its NotPetya variant forced the shipping giant Maersk to wipe and reimage 4,000 servers and 45,000 PC clients, at a cost the company put at around $300 million.
And while a financial loss on this scale is appalling, it pales into insignificance next to the losses, even counting only the financial ones, that a targeted intrusion into shipping systems could produce. As this article explains, research by Pen Test Partners showed that simply overwriting values in the .csv load-plan documents exchanged between port and ship could produce catastrophic cargo loading patterns on container ships.
The guideline document (PDF) details how ECDISs (electronic chart display and information systems) have been compromised by viruses, with nearly catastrophic consequences both for those onboard and for other ships plying the world’s busy shipping lanes. ECDISs have also failed after software updates were applied to the outdated operating systems of onboard computers; in that case, the document notes succinctly that “outdated software is prone to failure.”
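The load-plan tampering described above is possible because the file is plain text with nothing binding it to what the port actually produced. The following is an added example, not code from the article, from Pen Test Partners or from the guideline document, of the two checks a practitioner would want on the receiving side: an HMAC tag computed by the port with a key the ship already holds (so a file edited in transit is rejected before anything reads it), plus an independent physical-plausibility check on weights. The CSV columns, the container IDs, the per-container and per-bay limits and the shared key are all constructed assumptions for illustration, not a real terminal or ship format.

```python
from __future__ import annotations

import csv
import hashlib
import hmac
import io

# Constructed sample: a hypothetical plain-text load plan of the kind the
# article says travels from port to ship on a USB stick. Columns, values and
# limits are illustrative assumptions, not a real load-plan format.
LOAD_PLAN_CSV = """bay,row,tier,container_id,weight_t
01,02,82,MSKU1234567,18.5
01,04,82,MSKU2345678,22.0
03,02,84,TCLU3456789,12.3
05,06,86,CMAU4567890,25.0
"""

MAX_CONTAINER_T = 30.5   # assumed gross weight limit per container (tonnes)
MAX_BAY_T = 60.0         # assumed stack weight limit per bay (tonnes)


def mac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag the port attaches when it generates the file."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so the check does not leak the tag."""
    return hmac.compare_digest(mac_tag(key, data), tag)


def plausibility_errors(data: bytes) -> list[str]:
    """Physical sanity checks that do not depend on the key at all."""
    errors: list[str] = []
    bay_totals: dict[str, float] = {}
    reader = csv.DictReader(io.StringIO(data.decode("utf-8")))
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        try:
            weight = float(row["weight_t"])
        except (KeyError, TypeError, ValueError):
            errors.append(f"line {line_no}: unparseable weight")
            continue
        if weight <= 0 or weight > MAX_CONTAINER_T:
            errors.append(f"line {line_no}: weight {weight}t out of range "
                          f"for {row.get('container_id')}")
        bay_totals[row["bay"]] = bay_totals.get(row["bay"], 0.0) + weight
    for bay, total in sorted(bay_totals.items()):
        if total > MAX_BAY_T:
            errors.append(f"bay {bay}: stack {total:.1f}t exceeds {MAX_BAY_T}t")
    return errors


def accept_plan(key: bytes, data: bytes, tag: str) -> tuple[bool, list[str]]:
    """Reject on integrity failure first, then on implausible physics."""
    if not verify_tag(key, data, tag):
        return False, ["HMAC mismatch: file altered since it left the port"]
    errs = plausibility_errors(data)
    return (not errs), errs


if __name__ == "__main__":
    key = b"port-ship-shared-secret"      # assumed: provisioned out of band
    good = LOAD_PLAN_CSV.encode("utf-8")
    tag = mac_tag(key, good)
    print("untouched plan:", accept_plan(key, good, tag))
    # An attacker retypes one weight on the USB stick: HMAC catches it.
    edited = good.replace(b"22.0", b"2.0")
    print("edited in transit:", accept_plan(key, edited, tag))
    # With no MAC at all, only the physics check stands between the file
    # and the loading software.
    print("no MAC, absurd weight:", plausibility_errors(good.replace(b"22.0", b"220.0")))
```

The plausibility check alone is not enough: an edit that swaps the weights of two containers in different bays keeps every number within range and still produces the wrong loading pattern, so only the integrity tag, with a key the person carrying the USB stick does not have, catches it.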
“A ship with an integrated navigation bridge suffered a failure of nearly all navigation systems at sea, in a high traffic area and reduced visibility. The ship had to navigate by one radar and backup paper charts for two days before arriving in port for repairs. The cause of the failure of all ECDIS computers was determined to be attributed to the outdated operating systems. […] The costs of the delays were extensive and incurred by the shipowner.”
One issue at the heart of many of the cybersecurity problems ships suffer is their separation from internet connectivity for extended periods at sea, hence the prevalence of USB thumb drives for moving data. Many onboard systems were never designed to connect to the internet at all, yet when a connection does become available it can give malware that has sat undetected for months or years the command-and-control channel it was waiting for, as in this incident from the guideline document:
“The worm spread via USB devices into a running process, which executes a program into the memory. This program was designed to communicate with its command and control server to receive its next set of instructions. It could even create files and folders. The company asked cybersecurity professionals to conduct forensic analysis and remediation. It was determined that all servers associated with the equipment were infected and that the virus had been in the system undiscovered for 875 days […] Analysis also proved that this worm operated in the system memory and actively called out to the internet from the server.”
When they are online, ship-borne systems are especially open to attack because, in many cases, the onboard hardware still uses default credentials or ships with backdoor accounts, and remote management services sit exposed behind weak passwords:
“A ransomware infection on the main application server of the ship caused complete disruption of the IT infrastructure. The ransomware encrypted every critical file on the server and as a result, sensitive data were lost, and applications […] were unusable. The incident was reoccurring even after complete restoration of the application server. The root cause of the infection was poor password policy that allowed attackers to brute force remote management services successfully.”
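The incident just quoted was made possible by remote management services that could be brute-forced, and that is also the kind of activity an onboard log should make visible long before the ransomware lands. The following is an added example, not code from the article or the guideline document, of the detection logic a practitioner would run over authentication log lines: it flags a source that reaches a threshold of failed logins inside a sliding window, and escalates if a password login from that same source later succeeds, which is exactly the “successfully brute forced” case in the quote. The log lines are constructed in OpenSSH’s syslog format with hypothetical hostnames and documentation addresses; the host name, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (OpenSSH syslog format, hypothetical host and
# RFC 5737 documentation addresses). Not taken from any real ship or report.
SAMPLE_LOG = """\
Mar 14 02:10:01 bridge-app sshd[4011]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar 14 02:10:03 bridge-app sshd[4013]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar 14 02:10:04 bridge-app sshd[4015]: Failed password for admin from 203.0.113.9 port 51026 ssh2
Mar 14 02:10:06 bridge-app sshd[4017]: Failed password for admin from 203.0.113.9 port 51028 ssh2
Mar 14 02:10:08 bridge-app sshd[4019]: Failed password for admin from 203.0.113.9 port 51030 ssh2
Mar 14 02:10:09 bridge-app sshd[4021]: Accepted password for admin from 203.0.113.9 port 51032 ssh2
Mar 14 02:15:40 bridge-app sshd[4101]: Failed password for ops from 198.51.100.7 port 40110 ssh2
Mar 14 02:15:55 bridge-app sshd[4103]: Accepted publickey for ops from 198.51.100.7 port 40112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(line, year=2024):
    """Parse one sshd line into a dict, or None if it is not a login event.
    syslog lines carry no year, so the caller supplies one (assumed 2024)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_s=120):
    """Return alerts in order of occurrence.

    'bruteforce' fires once per source when its failed attempts within the
    last `window_s` seconds reach `threshold`; 'success_after_bruteforce'
    fires when a later password login from a flagged source succeeds.
    """
    failures = defaultdict(list)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            recent = failures[src]
            recent.append(ev["ts"])
            # drop failures that have slid out of the window
            while (ev["ts"] - recent[0]).total_seconds() > window_s:
                recent.pop(0)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "bruteforce", "src": src,
                               "attempts": len(recent), "at": ev["ts"]})
        elif ev["result"] == "Accepted" and ev["method"] == "password" and src in flagged:
            alerts.append({"kind": "success_after_bruteforce", "src": src,
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert is the one that matters operationally: a success following a burst of failures from the same source means the password policy has already failed, and the response is to treat the account and host as compromised, not merely to block the source. Detection is a compensating control; the fix the quoted incident points to is not exposing remote management to the internet at all and replacing password logins with keys.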