By Graham Sutherland, Senior Vulnerability Researcher
The traditional online attack surface for ships is changing. Gone are the years when vessels were put to sea for months at a time with little or no contact with the shore, letters awaiting them at their next port of arrival, and unpredictable journey times and locations.
Even with the advent of satellite phones, GPS tracking and computer-based navigation, a typical ship still has a much more limited online presence than a shore-based organisation. However, this is changing rapidly. As the availability and reliability of internet connections aboard ships improve, it is natural that organisations will seek to use this connectivity for remote monitoring and diagnostics.
Below, we take a look at the new and enhanced risks posed by remote access communication on board ships and how we can approach a safer way of operating to protect the ship, its assets and the people on board.
What do Remote Access Solutions consist of?
Generally speaking, remote access solutions consist of three primary components: the platform, the gateway, and the agent. The platform is usually a web application and its associated infrastructure, which provides the user interface and functionality of the solution. The gateway is a physical device installed on a ship’s network with access to the necessary telemetry data and on-board systems, and the agent is a piece of software installed on that gateway, with which the platform communicates in order to provide remote access.
The security benefits of Remote Access Solutions on vessels
Remote access solutions on vessels may offer some benefits to security:
- Offerings in this space usually allow direct access to vessel telemetry, which can be used to track the movements of the vessel over time. This can be useful for geofencing and other security alerting features.
- Logs can be periodically copied from the ship’s systems to a land-based server. Log files can be critical in an incident response (IR) scenario, and may be damaged or removed (either by equipment failure or malice) from the vessel’s systems. Having an external log repository can help ensure availability.
- Initial exploratory incident response may be performed remotely, which is desirable in a scenario where a vessel will not reach port for some time.
- Security patches and software updates may be applied remotely. This is one of the key areas of concern for the security of marine and offshore technologies, due to their unique connectivity challenges.
How are remote communications approached at sea?
The normal approach for secure remote access to another network is to use a VPN. Unfortunately, this approach can be unreliable in a marine context, because a VPN is generally reliant upon a stable network connection and public key infrastructure. These properties make VPN technologies generally unsuitable for remote access applications in this scenario.
Instead, vendors must generally develop communications mechanisms that are asynchronous in nature, and then wrap individual application traffic in that mechanism. This is in contrast to the synchronous model of directly sending a command and waiting for its result, which requires that each command receive a response before the next can be sent. That model is not suitable for situations where the remote gateway may not always have internet connectivity, such as on board vessels.
The diagram below illustrates an asynchronous communication mechanism aboard a ship:
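As an added illustration of the store-and-forward model described above (constructed example, not a vendor's protocol or Nettitude's code), the shore platform queues commands without blocking, and the gateway agent drains the queue whenever a connectivity window opens. The command id, issue timestamp, validity window and read-only allow-list are assumptions added here; the article does not specify them.

```python
"""Store-and-forward remote access exchange between a shore platform and a ship
gateway agent. Constructed illustration, not a vendor protocol: the command id,
issue time, validity window and read-only allow-list are assumed extras."""
COMMAND_TTL_S = 6 * 3600  # assumed: refuse commands that sat in the queue longer than 6 h
# Constructed sample telemetry the agent can read from on-board systems.
TELEMETRY = {"telemetry.position": "56.15N 3.00E", "telemetry.engine_rpm": "91"}

class Command:
    def __init__(self, cmd_id, action, issued_at):
        self.cmd_id, self.action, self.issued_at = cmd_id, action, issued_at

class Result:
    def __init__(self, cmd_id, status, payload=""):
        self.cmd_id, self.status, self.payload = cmd_id, status, payload

class Platform:
    """Shore side: submit() never blocks on the ship; results are correlated later by id."""
    def __init__(self):
        self.outbox = []      # commands waiting for the next connectivity window
        self.results = {}     # cmd_id -> Result, filled in when the link comes back
    def submit(self, cmd_id, action, now):
        self.outbox.append(Command(cmd_id, action, now))
    def receive(self, results):
        for r in results:
            self.results[r.cmd_id] = r

class Agent:
    """Ship side: executes only allow-listed read-only actions, and each command once."""
    READ_ONLY = frozenset(TELEMETRY)   # assumed allow-list; anything else is refused
    def __init__(self):
        self.seen = set()     # ids already handled, so a re-queued command is not replayed
        self.outbox = []      # results waiting to go back to shore
    def handle(self, cmd, now):
        if cmd.cmd_id in self.seen:
            return Result(cmd.cmd_id, "duplicate")
        self.seen.add(cmd.cmd_id)
        if now - cmd.issued_at > COMMAND_TTL_S:
            return Result(cmd.cmd_id, "expired")   # stale command from a long outage
        if cmd.action not in self.READ_ONLY:
            return Result(cmd.cmd_id, "denied")    # e.g. a write to an engine controller
        return Result(cmd.cmd_id, "ok", TELEMETRY[cmd.action])

def sync(platform, agent, now):
    """One connectivity window: push queued commands down, pull results up."""
    for cmd in platform.outbox:
        agent.outbox.append(agent.handle(cmd, now))
    platform.outbox.clear()
    platform.receive(agent.outbox)
    agent.outbox.clear()
    return len(platform.results)
```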
Security challenges for developing remote access communications
Developing secure remote access solutions is a challenging task, particularly in an environment where availability concerns are paramount and connectivity is limited. As such, many aspects must be considered when evaluating an approach or vendor offering. Some of these considerations include:
- general application security of the management platform front-end;
- general application security of the agent software;
- user authentication;
- user enrolment and deactivation;
- access control (enforcement, permission granularity, etc.);
- auditing and logging;
- communications between the management platform and the agent;
- on-ship communications between the agent and telemetry technologies;
- the ability to update the gateway device and agent software remotely without significant impediment.
More on these challenges can be found in the full research article.
It is important to ensure that each of these items is considered and assessed in order to reduce the likelihood of security vulnerabilities that enable attackers to gain access to ships’ systems.
Nettitude’s recommended approach
One problem with remote access and monitoring is that many of the key systems it is useful to reach remotely, such as engine management, also pose a high risk if compromised. A bridging device is required to join the operational technology (OT) network to the information technology (IT) network, allowing only certain information to pass from the monitoring systems back out to the internet when requested by a legitimate remote access request. This poses a significant risk, however: compromising this bridge device from the IT network gives an attacker unfettered access to the OT network, and ultimately complete control over the ship.
Nettitude have a structured approach for securing such bridges which can be found in our full research report.
Remote access and monitoring are an emerging technology in the marine space that potentially offers significant operational benefits. Vendors are facing numerous challenges in the implementation of secure systems in this area, in part due to the wider problem of maintaining a secure network on a moving vessel with limited connectivity and computing resources.
New and existing remote access systems must be fully tested in order to reduce the significant security risks posed by exposing on-ship systems to the internet. This can be achieved by following a rigorous testing methodology that covers the areas and concerns raised in the research report.
Security controls must be implemented when bridging operational technology networks and information technology networks. Failing to do so may introduce significant risks. Again, implementations should be assessed by qualified security professionals in order to provide security assurance.
For more information on this topic, please contact our specialists.