What is a zero day attack exploit?
Imagine setting sail with your bow doors still open. Or operating with an engine that leaked 50% of its fuel intake. Or if we let the bridge continue to operate with all the windows smashed.
It is of course unthinkable – nor would we expect the third-party maintenance crews responsible for fixing the engine or bridge windows to refuse to acknowledge the problem, or to take years to get around to fixing the issue on your vessel.
But when we move to the cyber world and look at the marine and offshore sectors this is, more often than not, what we find. Issues or vulnerabilities that exist within the IT/OT systems of ships and offshore assets, and that have not yet been acknowledged, found or known about by anyone else, are called ‘zero days’. If these issues are found, they can be reported; however, marine and offshore vendors are not as familiar with what to do with this information, or how to get the issues fixed in a timely manner, as vendors in other industries.
Our challenge can often be hard! Finding the right person who can understand the issue itself, communicating it in real world terms, and conveying the urgency is an uphill task from the outset.
Understanding the issue and assigning someone to fix it is a good start. However, finding a process to get that fix out into the environments where that equipment is still vulnerable and open is a whole new problem in itself that organisations have historically not had to deal with. Often these fixes will be applied at maintenance periods, such as when a vessel is in port. Patches will need to be brought on-board and uploaded to specific equipment through serial cables connected into console ports on the systems, or possibly by USB. Some may have downloadable updates that can be moved around by disk or USB.
The reality is that many systems go unpatched for months and even years due to the time, effort and logistics required to get them regularly patched. In an unconnected world, this may be a risk that can be tolerated – but as the marine and offshore industries become increasingly connected, the risk rises exponentially.
We all know that if we locked the front door on our house and left it unattended for a few years, the place would fall into disrepair. The day we opened the door to move back in would require significant effort to get the services connected and back working, the dust cleared away and any rodents evicted. Repairs would be needed and no doubt the technology would require updating. It would, over time, become an increasingly vulnerable target for vandals and thieves. The same can be said about security vulnerabilities. They are present and while over time they are discovered, unless they are dealt with, they will increasingly pervade our networks and open us to significant risk.
To provide you with a sense of the scale of the problem: over 20,000 vulnerabilities were reported in 2018, and already over 15,000 have been recorded for 2019 and formally registered under the Common Vulnerabilities and Exposures (CVE) disclosure programme run by MITRE.
Finding ‘zero day’ vulnerabilities in your system
Nettitude conducts a wide range of vulnerability research and penetration testing across products and environments within the marine and offshore industries. This has included sat coms units, VDRs, remote management systems and fleet. As part of this work we often find undiscovered vulnerabilities within platforms, sensors, equipment, web servers, applications and embedded systems/firmware.
These can range from simple issues that can be fixed quickly through to complex flaws that may require a fundamental change in approach for the system in question. Some issues have a small impact on the security of the environment, whilst others can lead to administrative access to core systems, access to highly sensitive configurations or data, or the ability to alter or affect critical safety controls.
Many organisations have specialised internal teams that look for these issues, including big players like Google (Project Zero) and Microsoft (Microsoft Security Response Center (MSRC)), as well as many individual security researchers and specialist organisations. Clearly, malicious threat actors and nation states also look for these ‘zero days’, as they can often be used to hack into a network or gain access to a system remotely without the target being any the wiser.
Responsible organisations that develop software understand that there is no such thing as perfect code, no matter how rigorous their software development assurance processes are. It can therefore be assumed that issues will be found. Such organisations will have a process in place to report vulnerabilities and get them investigated and fixed, and a patching process that releases regular updates to their customers along with guidance on any mitigations or fixes that can be applied.
Larger and mature vendors will also provide a bug bounty mechanism to reward anyone finding vulnerabilities and reporting them back. This allows a proactive and mutually beneficial mechanism to ensure issues found are fixed.
It's a tough one. It’s within this ‘hard to see’ IT/OT networked landscape on board ships, rigs and vessels that we need to apply some changes. But this needs to be considered by all stakeholders: shipbuilders, owner/operators and vendors of systems need to be much more knowledgeable and focused on this.
A lot can be learned from other sectors, where this problem is already being addressed. Financial services have been doing this for a long time. Energy and CNI systems, like power stations and utilities, are very familiar with the risks presented by cyber threats - especially within legacy OT environments that may have been commissioned before the internet was even a thing!
Nettitude recommends five calls to action:
- Vendors of marine and offshore products and systems should be prepared for ‘zero days’ to be found and reported. Vendors need to establish a process to collect, investigate and fix these within a timely manner (60-90 days is a typically expected balance between allowing the issue to remain open and unfixed and informing customers that their networks have these significant risks prevalent within them).
- Software updates and patches should be released by vendors along with notifications to their client base. They should also develop a process to update their products within the customer’s operational environment. Such a process requires robust testing of the patches and developing a solution that expects and allows this on a regular basis.
- Shipyards and builders should look for vendors that will support secure configurations and industry best practice behaviours within the equipment they choose and the vendors they work with. Promoting best practice will help drive changes and push standards up.
- Owners and operators should ensure they have a patching process that is based on the risk to their systems: an appropriate patching timeline and process that mitigate the risks faced. For example, critical issues on key systems should be patched as a priority over less critical vulnerabilities on non-critical systems.
- Assurance testing of critical systems should be carried out to ensure they are patched and configured securely, mitigating the risk of an unacceptable impact being realised. Regular vulnerability scanning and system penetration testing can all help with providing this visibility and assurance.
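As an added illustration of the risk-based patching process in the fourth call to action (this is example code, not Nettitude's own tooling), the script below ranks open findings by severity weighted against asset criticality and network exposure, and flags anything still unfixed beyond the 90-day end of the vendor fix window mentioned above. The asset classes, weights and sample findings are constructed assumptions.

```python
"""Risk-based patch prioritisation for shipboard IT/OT findings (added example)."""
from dataclasses import dataclass
from datetime import date

# Assumed criticality weights per shipboard asset class (constructed, not from the article).
CRITICALITY = {"safety": 3, "navigation": 3, "comms": 2, "business": 1}
FIX_WINDOW_DAYS = 90  # upper end of the 60-90 day window discussed in the article


@dataclass
class Finding:
    asset: str          # hypothetical asset name
    asset_class: str    # key into CRITICALITY
    cvss: float         # CVSS base score, 0.0-10.0
    reported: date      # date the issue was reported to the vendor
    exposed: bool       # reachable from a connected (e.g. sat-com) network segment


def risk_score(f: Finding) -> float:
    """Higher is more urgent: severity weighted by asset class, doubled if network-exposed."""
    exposure = 2.0 if f.exposed else 1.0
    return f.cvss * CRITICALITY[f.asset_class] * exposure


def is_overdue(f: Finding, today: date) -> bool:
    """True when the finding has stayed open longer than the vendor fix window."""
    return (today - f.reported).days > FIX_WINDOW_DAYS


def prioritise(findings, today: date):
    """Most urgent first; among equal risk, overdue items first, then by asset name."""
    return sorted(findings, key=lambda f: (-risk_score(f), not is_overdue(f, today), f.asset))


# Constructed sample findings for a single vessel.
SAMPLE = [
    Finding("VDR-1", "safety", 9.8, date(2019, 3, 1), False),
    Finding("CrewWiFi-AP", "business", 7.5, date(2019, 6, 1), True),
    Finding("SatCom-Terminal", "comms", 8.1, date(2019, 2, 10), True),
    Finding("ECDIS-2", "navigation", 5.3, date(2019, 7, 1), False),
]

if __name__ == "__main__":
    today = date(2019, 9, 1)
    for f in prioritise(SAMPLE, today):
        flag = "OVERDUE" if is_overdue(f, today) else ""
        print(f"{risk_score(f):5.1f}  {f.asset:16} {flag}")
```

Note that the lower-severity ECDIS finding outranks the higher-severity crew Wi-Fi one because it sits on a navigation system, which is exactly the ordering the call to action asks for.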
IACS have created a set of 12 guidelines that cover patching processes, assurance testing, and the secure design, build and operation of systems for ships. Following this guidance, or other industry advice from Class Societies such as LR, from the IMO, NIST and others, and building an effective approach to cyber security for your organisation, is critical.