By Joel Snape, Senior Threat Researcher at Nettitude
October is Cyber Security Awareness Month, which is a great opportunity for companies and individuals to review and improve their cyber security processes and knowledge. At Nettitude, we will be releasing a new blog post every week of Cyber Security Awareness Month on our latest cyber security research, as well as our insights on the latest industry news and trends. We hope you’ll find them helpful, and as always please contact us with any questions.
Advanced cyberattacks are increasingly targeting the maritime industry. Although attacks are often not detected and frequently not reported, there is widespread recognition that the industry is becoming increasingly vulnerable as increased automation and new forms of connectivity are deployed to drive operational efficiencies.
Through Nettitude and Lloyd’s Register’s combined research initiatives, we have conducted extensive threat modelling activities fuelled by the analysis of historic maritime cyber security incidents. In this blog series, we will look at eight increasingly common attack vectors that are being observed across the sector, looking at Piracy, ECDIS Malware, and VDR Tampering. If you haven’t already, please take a look at our first blog post in this series on phishing and physical infiltration of ship equipment. And for full details on these common attack vectors, please see our research report on the topic.
- Piracy
Nettitude has seen some high-profile instances of piracy targeting the M+O (marine and offshore) sector in recent years. For example, Verizon’s 2016 breach digest included details of a global shipping conglomerate that was experiencing extremely targeted piracy, where the pirates headed directly to specific containers after boarding the vessel. This indicated that the pirates had advance knowledge of which goods were in which locations on the ship, and Verizon were asked to investigate how that might be happening.
Verizon discovered that a web-shell had been uploaded into the shipping company’s CMS, which was used to store the bills of lading associated with each of their vessels. This allowed the pirate organisation to remotely access the webserver, run commands and read the data they then used to target their attacks. A web-shell is a small piece of code uploaded to a website by a malicious actor. It is usually uploaded by exploiting a vulnerability in the web application (for example an unrestricted file upload) or in the underlying server. Once uploaded, an attacker will use the web-shell to issue commands on the server, usually to start exploring the environment and to compromise other, more valuable targets.
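Two defensive controls follow directly from the upload path described above: a server-side upload check that refuses anything a web server could execute, and a periodic sweep of the document root for files that look like command shells. The code below is an added example, not Verizon’s or Nettitude’s code and not the CMS in the case; the allowlist of permitted document types, the indicator patterns and the sample files are constructed for illustration.

```python
"""Defensive checks against web-shell uploads to a document CMS (added example)."""
import hashlib
import os
import re
import secrets
import tempfile

# Assumed allowlist: formats a bills-of-lading CMS legitimately stores, with the
# magic bytes each one must start with.
ALLOWED = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
# Extensions a typical web server would execute if they landed under the docroot.
EXECUTABLE = {".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".jspx", ".cgi"}


def validate_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason).

    Every extension in the name is checked, not just the last one, so both
    'x.php.pdf' and 'x.pdf.php' are rejected, and the body must carry the
    magic bytes of the type the extension claims."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    if {"." + p for p in parts[1:]} & EXECUTABLE:
        return False, "executable extension present"
    last = "." + parts[-1]
    if last not in ALLOWED:
        return False, "extension %s not in allowlist" % last
    if not content.startswith(ALLOWED[last]):
        return False, "content does not match claimed type"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Never keep the user-supplied name: random name plus the allowlisted extension."""
    return secrets.token_hex(16) + "." + filename.lower().rsplit(".", 1)[-1]


# Coarse triage patterns (constructed): two or more in one file under the
# docroot warrants a look by an analyst. Not a complete web-shell signature set.
INDICATORS = [
    re.compile(rb"<\?php"),
    re.compile(rb"\b(eval|system|passthru|shell_exec|exec)\s*\("),
    re.compile(rb"base64_decode\s*\("),
    re.compile(rb"\$_(GET|POST|REQUEST)\["),
]


def scan_docroot(root: str) -> list:
    """Walk a web root; return sorted (path, sha256) for files matching >= 2 indicators."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if sum(1 for pat in INDICATORS if pat.search(data)) >= 2:
                hits.append((path, hashlib.sha256(data).hexdigest()))
    return sorted(hits)


def demo() -> dict:
    """Run both checks over constructed samples and return the results."""
    results = {
        "good_pdf": validate_upload("bol-2016-0042.pdf", b"%PDF-1.4\n..."),
        "double_ext": validate_upload("invoice.php.pdf", b"%PDF-1.4\n..."),
        "renamed_script": validate_upload("chart.png", b"<?php echo 1; ?>"),
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        # Constructed sample resembling a dropped shell, and a benign page.
        with open(os.path.join(root, "uploads", "x.php"), "wb") as fh:
            fh.write(b"<?php eval(base64_decode($_POST['d'])); ?>")
        with open(os.path.join(root, "index.php"), "wb") as fh:
            fh.write(b"<?php echo 'hello'; ?>")
        results["scan_hits"] = [os.path.relpath(p, root) for p, _ in scan_docroot(root)]
    return results


if __name__ == "__main__":
    print(demo())
```

The scan is deliberately a triage aid rather than a signature engine: its value in the piracy case would have been flagging an unexpected executable file under a document store, which an integrity baseline of the docroot (hash every file at deploy time, alert on additions) detects just as well.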
- ECDIS Malware
Electronic Chart Display and Information System (ECDIS) installations typically run on a version of the Windows operating system and are usually updated by inserting a USB stick containing new maps or software. There have been many reports of ECDIS systems becoming infected through memory sticks that had previously been inserted into other machines (e.g. personal laptops) on which malware was running. In one case, a newbuild ship was prevented from sailing because its ECDIS was infected with malware and, because the vessel was designed for ECDIS-only operation, it was not carrying paper charts.
Some statistics indicate that USB distribution has become a less common infection vector as faster network connections have reduced the use of USB devices. However, there are still malware families that spread this way, and there are many cases where computers infected with ‘old’ malware families continue to spread it when users connect USB devices to them. To ensure ECDIS integrity, it is important that the machines used to download updates have up-to-date antivirus software installed, and that memory sticks and other computing devices used for critical ship components are dedicated to that task and not also used on other machines.
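A dedicated update machine can also verify the media before it goes anywhere near the bridge. The script below is an added example, not Nettitude’s code and not any ECDIS vendor’s update tool. It assumes the chart or software vendor publishes a manifest of SHA-256 hashes for the update files through a separate channel (the `sha256sum`-style manifest layout, the chart file name and the sample media contents are constructed); every file on the stick is compared against that manifest, and anything extra, altered, missing, or named like the files USB-borne malware tends to leave behind causes the media to be rejected.

```python
"""Verify removable update media against a vendor hash manifest (added example)."""
import hashlib
import os
import tempfile

# Names and extensions that have no business on dedicated chart-update media.
SUSPECT_NAMES = {"autorun.inf", "desktop.ini", "thumbs.db"}
SUSPECT_EXTS = {".exe", ".scr", ".lnk", ".vbs", ".js", ".bat", ".cmd", ".dll"}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """'<sha256>  <relative path>' per line, the layout sha256sum(1) emits (assumed format)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        expected[rel.strip()] = digest.lower()
    return expected


def verify_media(mount: str, manifest: dict) -> dict:
    """Compare every file under `mount` with the manifest.

    Lists returned: 'ok', 'mismatch' (hash differs), 'missing' (in manifest,
    not on media), 'unexpected' (on media, not in manifest) and 'suspect'
    (name or extension typical of USB-borne malware)."""
    report = {"ok": [], "mismatch": [], "missing": [], "unexpected": [], "suspect": []}
    seen = set()
    for dirpath, _, files in os.walk(mount):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), mount).replace(os.sep, "/")
            seen.add(rel)
            lower = name.lower()
            if (lower in SUSPECT_NAMES or os.path.splitext(lower)[1] in SUSPECT_EXTS
                    or name.startswith(".")):
                report["suspect"].append(rel)
            if rel not in manifest:
                report["unexpected"].append(rel)
            elif sha256_file(os.path.join(mount, rel)) == manifest[rel]:
                report["ok"].append(rel)
            else:
                report["mismatch"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    for key in report:
        report[key].sort()
    return report


def media_is_clean(report: dict) -> bool:
    """Only a report with nothing but 'ok' entries should reach the ECDIS."""
    return not any(report[k] for k in ("mismatch", "missing", "unexpected", "suspect"))


def demo() -> tuple:
    """Build a clean and a tampered media image on disk and verify both."""
    chart = b"constructed chart cell contents"
    manifest = parse_manifest("%s  charts/GB50001.000\n" % hashlib.sha256(chart).hexdigest())
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as dirty:
        for root in (clean, dirty):
            os.makedirs(os.path.join(root, "charts"))
            with open(os.path.join(root, "charts", "GB50001.000"), "wb") as fh:
                fh.write(chart)
        # Tampered media: chart modified, plus the kind of files a USB worm drops.
        with open(os.path.join(dirty, "charts", "GB50001.000"), "ab") as fh:
            fh.write(b"!")
        with open(os.path.join(dirty, "autorun.inf"), "wb") as fh:
            fh.write(b"[autorun]\r\n")
        with open(os.path.join(dirty, "update.exe"), "wb") as fh:
            fh.write(b"MZ")
        return verify_media(clean, manifest), verify_media(dirty, manifest)


if __name__ == "__main__":
    clean_report, dirty_report = demo()
    print("clean media accepted:", media_is_clean(clean_report))
    print("tampered media accepted:", media_is_clean(dirty_report), dirty_report)
```

The manifest only helps if it arrives by a route the stick cannot alter (vendor portal over TLS, or a signed file whose signing key is pinned on the update machine); a manifest copied onto the same USB stick gives no protection.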
- VDR Tampering
The Voyage Data Recorder (VDR) is responsible for producing an electronic record of sensor data for accident investigation, and is required by the IMO’s SOLAS (Safety of Life at Sea) convention. The integrity of the system is therefore key to ensuring that a full and accurate investigation can be carried out. Over the last few years there have been several examples of VDR data being found to be corrupted or missing after an accident, and although no conclusive information regarding how this took place has been published, it is reported that in at least one case this was potentially due to a crew member inserting an infected memory stick into the system. Security research carried out by IOActive has shown that some VDR systems were not only vulnerable to physical tampering, but that an attacker with network access could also remotely compromise the device and amend or delete data records.
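Whether records were amended, deleted or simply lost is exactly the question an investigator cannot answer from a plain file store. One well-understood way to make a recorder tamper-evident is to hash-chain its records, so that every entry commits to the one before it. The code below is an added example, not Nettitude’s or IOActive’s code and not any VDR vendor’s format; the record fields and timestamps are constructed, and it assumes the latest chain hash is periodically copied somewhere the recorder cannot overwrite (a shore-side log or a write-once store), since that anchor is what exposes truncation of the tail.

```python
"""Hash-chained sensor records with tamper detection (added example)."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first record


def record_hash(prev_hash: str, seq: int, data: dict) -> str:
    """Hash of canonical JSON over (previous hash, sequence number, payload)."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "data": data},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(chain: list, data: dict) -> dict:
    """Append a record that commits to the current chain head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = chain[-1]["seq"] + 1 if chain else 0
    entry = {"seq": seq, "prev": prev, "data": data, "hash": record_hash(prev, seq, data)}
    chain.append(entry)
    return entry


def verify(chain: list, expected_head: str = None) -> tuple:
    """Return (valid, index of first bad entry or None).

    Catches an edited payload (hash mismatch), a removed record (sequence gap
    or prev mismatch at the next entry) and, when the independently stored
    head hash is supplied, a chain that was cut short."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["hash"] != record_hash(prev, i, entry["data"])):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def demo() -> dict:
    """Build a short constructed chain and show what each kind of tampering looks like."""
    chain = []
    for t, hdg, sog in [(0, 91.5, 12.1), (1, 91.6, 12.1), (2, 93.0, 12.0), (3, 95.2, 11.8)]:
        append(chain, {"t": "2019-10-01T08:00:0%dZ" % t, "hdg": hdg, "sog": sog})
    head = chain[-1]["hash"]  # the value that would be stored off the recorder

    edited = copy.deepcopy(chain)
    edited[2]["data"]["hdg"] = 91.6          # quietly "correct" the heading
    deleted = chain[:2] + chain[3:]          # remove one record from the middle
    truncated = chain[:3]                    # drop the most recent record

    return {
        "intact": verify(chain, head),
        "edited": verify(edited, head),
        "deleted": verify(deleted, head),
        "truncated_without_anchor": verify(truncated),
        "truncated_with_anchor": verify(truncated, head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-26s %s" % (case, result))
```

A chain like this does not stop a device with a remotely compromised firmware from writing false data in the first place; it makes after-the-fact changes and gaps provable, which is the property an investigation needs. Signing each head hash with a key the recorder does not hold closes the remaining gap.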
Understanding the risks faced by your organisation and applying the appropriate risk treatment, so that the impact of an attack can be effectively mitigated, is key. Almost all marine and offshore organisations currently operate reactively, acting only once an incident occurs, yet the costs, reputational damage and operational impact could be significantly reduced with some upfront consideration and preparation. Nettitude can provide a range of guidance and assurance services to inform you and help you prepare effectively for cyber events within your organisation. Please contact us for more information.
In addition, in order to learn more about the cyberthreats facing today’s marine and offshore organisations, please see our full research report on the topic.