Battleship Wargames: Can Cyberattacks Sink Ships?
by Kim Crawley
During World War II, British civilians were warned that "loose lips sink ships," meaning people should be careful about what they say wherever they go, because the enemy could be listening. Being wary of what you communicate in case it falls upon the wrong ears is a basic information security principle that well predates modern computers.
Cybersecurity belongs under the information security banner, because computers are one of the most common means of information exchange. When World War II was going on, ships weren't at risk of cyber attack. ENIAC is considered by most computer scientists to be the first proper electronic computer, and it wasn't deployed until a few months after the war ended.
But now all kinds of things can be cyber attacked. Your PC, your phone, your datacenter, commercial jets, children's toys, medical devices, motor vehicles - so many of our possessions now contain computers. Ships can also be cyber attacked, so lax cybersecurity now really can "sink ships."
Recent U.S. Coast Guard warnings didn't indicate literal sunken ships, but they highlight the often-overlooked cyber risks that sea vessels now face.
Naval Attack Vector #1: Email Phishing
The first alert, published on May 24th, suggests that crew members on commercial vessels may be subject to spear phishing attacks via email. Yes, very much like the email phishing that office workplaces need to be concerned about. The bulletin said:
"This bulletin is to inform the maritime industry of recent email phishing and malware intrusion attempts that targeted commercial vessels. Cyber adversaries are attempting to gain sensitive information, including the content of an official Notice of Arrival (NOA), using email addresses that pose as an official Port State Control (PSC) authority such as firstname.lastname@example.org. Additionally, the Coast Guard has received reports of malicious software designed to disrupt shipboard computer systems."
Email phishing very often uses email addresses that could fool their targets into thinking that they're trustworthy. One of the most common and easiest ways to spoof an email address is a punycode attack. You probably know that ASCII isn't the only character set that computers recognize. ASCII supports all of the characters that are necessary to write in English. But many languages, such as Swedish and Maltese, use characters derived from the Roman alphabet that ASCII doesn't support.
And many more languages don't use Roman characters at all, like Russian, Chinese, and Arabic. All of those sorts of languages, plus the emoji we all love to use, are supported in Unicode instead. Punycode is a special encoding used to convert Unicode characters to ASCII.
Punycode attacks exploit that function by using characters that look very similar to ASCII characters. I can type "pscgov.org" in pure ASCII. But I can also type "ƿșcꬶov.orꬶ" or "ῤșcgσṿ.σrg," which may look like the same characters in your email client, but they aren't!
You can see how easy it is to spoof email addresses, and how some of those people on commercial vessels may be fooled by cyber attackers. A link in an email, a file attachment, or an embedded graphic can result in a malware infection. And often malware can be a means for cyber attackers to acquire the sort of sensitive information that was referred to in the bulletin.
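As an added example (not from the original article or the Coast Guard bulletin), this Python sketch shows how a mail filter could flag the lookalike sender domains described above, including ones that arrive already Punycode-encoded. The allowlist entry pscgov.org is the article's illustrative domain, the noa@ local part is constructed, and detecting scripts from Unicode character names is a simplifying assumption.

```python
import unicodedata

ACE_PREFIX = "xn--"  # marks a Punycode-encoded (ACE) domain label

def to_unicode(label):
    """Decode an ACE label so the characters a user would see can be inspected."""
    if label.startswith(ACE_PREFIX):
        try:
            return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed ACE label: keep it as received
    return label

def to_ace(label):
    """Raw Punycode of a label as typed (assumption: no IDNA normalisation step)."""
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")

def scripts_of(label):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def inspect_sender(address, trusted_domains):
    """Report why the domain part of a sender address deserves suspicion."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    labels = [to_unicode(part) for part in domain.split(".")]
    scripts = set().union(*(scripts_of(label) for label in labels))
    reasons = []
    if any(not label.isascii() for label in labels):
        reasons.append("non-ascii")        # looks ASCII on screen, is not
    if len(scripts) > 1:
        reasons.append("mixed-script")     # e.g. Greek letters inside a Latin name
    ace = ".".join(to_ace(label) for label in labels)
    if ace not in trusted_domains:
        reasons.append("untrusted-domain")
    return {"unicode": ".".join(labels), "ace": ace,
            "scripts": scripts, "reasons": reasons}

# Constructed sample senders: the article's ASCII domain and its two lookalikes.
TRUSTED = {"pscgov.org"}
SAMPLES = ["noa@pscgov.org", "noa@ƿșcꬶov.orꬶ", "noa@ῤșcgσṿ.σrg"]

if __name__ == "__main__":
    for sender in SAMPLES:
        result = inspect_sender(sender, TRUSTED)
        print(sender, "->", result["ace"], sorted(result["reasons"]))
```

Displaying the xn-- form next to the sender name gives crew members a visible cue that the address is not the plain ASCII domain they expect.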
Naval Attack Vector #2: Lack of Endpoint Protection
The US Coast Guard released another alert on July 8th:
"In February 2019, a deep draft vessel on an international voyage bound for the Port of New York and New Jersey reported that they were experiencing a significant cyber incident impacting their shipboard network. (The) interagency response found that the vessel was operating without effective cybersecurity measures in place, exposing critical vessel control systems to significant vulnerabilities.
Prior to the incident, the security risk presented by the shipboard network was well known among the crew. Although most crewmembers didn't use onboard computers to check personal email, make online purchases or check their bank accounts, the same shipboard network was used for official business - to update electronic charts, manage cargo data and communicate with shore-side facilities, pilots, agents, and the Coast Guard."
Exposing critical vessel control systems is no laughing matter. The basic security measures encouraged in the alert suggest that my home LAN may have better endpoint security than some of these majestic commercial and institutional sea vessels.
So what did the alert recommend?
- Segment networks. Yes, any internal network that can be divided into subnetworks should be. Network segmentation is a basic network security principle. Proper segmentation can prevent cyber attacks that affect one part of a network from affecting the entire network.
- Profiles and passwords should be unique to each user, and user accounts shouldn't be shared. That's another basic premise that we all willfully overlook. As far as identity and access management are concerned, unique user accounts are necessary in order to enforce the principle of least privilege. That means no user account should have more privileges within a network than is necessary in order for someone to perform their functions.
- Sharing user accounts is a bad idea. If each user has their own account and keeps their password to themselves, it's much easier to figure out how an entity could have acquired unauthorized access to a system. All users within a network must be carefully monitored and administrative accounts should also only be used when absolutely necessary.
- Be wary of external media. Removable media like USB drives and DVDs can be used to transmit malware or otherwise acquire unauthorized access to a computer system. Cyber attackers will frequently slip malware onto a removable media device and then fool someone who has physical access to a computer system into using it. The most secure computer networks carefully scrutinize all external media before they're mounted into a computer.
- Install basic antivirus software. Yes, all computers, even the ones on ships, should use a decent antivirus. This is surprisingly easy to overlook in an environment with a lax security policy.
- Don't forget to patch. All computer systems should install security patches as soon as they're deployed, as often as possible. Zero-day attacks do happen, but you'd be surprised by how many successful cyber attacks exploit vulnerabilities that have been known for months, or even years.
Naval Attack Vector #3: Default Login Credentials
Even my humble home LAN can be cyber attacked, but it's alarming how many obvious security weaknesses some ship computers may be found to have.
Cybersecurity vulnerabilities on sea vessels have been a concern to many in the industry for a long time now. Default login credentials are a common weakness across many diverse systems. Home consumers may leave these on their wireless routers without understanding the risk this poses. A quick web search can find default usernames and passwords on most common home routers. That's all a cyber attacker may have to do in order to access the WiFi in people's homes and offices with malicious intent.
Default credentials are a problem on ship computer systems too. As the BBC reported a couple years back:
"Experts are finding new ways into ships' systems remotely. One independent cybersecurity researcher, who goes by the pseudonym of x0rz, recently used a tracking app to find open satellite communication systems, VSat, on board vessels. In x0rz's case, the VSat on an actual ship in South American waters had default credentials - the username 'admin' and password '1234' - and so it was easy to access. It would be possible, x0rz believes, to change the software on the VSat to manipulate it."