Pen Testing Ships. A year in review
Partially driven by the upcoming inclusion of Cyber Security by the IMO (International Maritime Organisation), 2019 was a really busy year for maritime security testing at PTP.
What can we all learn from a year of evaluating the security of ships?
We've been involved in all sorts of ship testing; here are a few examples:
- A Moss Maritime CS55 deep water exploration drilling rig
- A Neo-Panamax container ship
- A re-supply vessel
- A seabed survey vessel
- A brand new cruise ship on its shakedown voyage
To name but a few.
What are the common (in)security themes we keep finding?
There is a distinct lack of understanding and interaction between IT and OT installers/engineers on board and in the yard.
The OT systems are often accessible from the IT systems and vice versa, whether through deliberate bypass of security features by those on board, or through poor design, poor password management or weak patch management.
IT and bridge systems are often poorly configured or maintained.
Maritime technology vendors have a 'variable' approach to security. A few offer reasonable security of their products. Most are terrible.
We've even reviewed a maritime-specific security product that was vulnerable in itself, creating new security holes in a vessel rather than fixing them!
Documentation of networks and systems often has little correlation with what is actually on board.
Cruise ships add multiple new layers of technology, increasing the attack surface dramatically.
Hotel systems (IT, booking systems, inventory, guest Wi-Fi, infotainment, CCTV, lighting, phones et al) sit on top of the systems of the vessel itself (bridge systems, satcoms, navigation, ballast, engine management etc).
We obviously can't name the vessel owners, but here are some of the things we discovered and some of the technology and vendors affected:
When is an air-gap not an air-gap?
As you'd probably expect, the newer vessels were generally far better documented, with security having been a consideration from the outset. Two of the vessels were under a year old (the cruise ship was brand spanking new), but on both tests we identified misconfigured systems and VLANs, much as you'd expect. But we all make mistakes; that's why we conduct an independent audit, right?
The more vessels we review, the more we see that ship operators genuinely believe there is an air gap between the traditional IT systems and the on-board OT. That is almost never the case. On only one of the fifteen or so vessels I've been on was there a genuine air gap.
Rigs usually have a data historian, and almost anything that could be described as an Industrial Control System (ICS) feeds it: the rig's position, engine speeds and temperatures, drilling data, oil flow. Guess what: it bridged both networks (OT and IT), as its HMI (Human Machine Interface) was on the IT network. That gave us a bridge across which we were able to compromise the rig pretty much completely.
On the re-supply vessel we found a Voyage Data Recorder which bridged networks, allowing us to effect a very similar compromise...
We've also found dual-homed PCs bridging networks on a large number of vessels again in 2019. Some of these were set up intentionally by installers, others were clearly accidental, and others were deliberately bridged by crew afterwards.
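An added example (not from the post, nor PTP's own tooling) of the check a vessel operator could run to find the bridges described above: it compares the IT and OT zones from the ship's network documentation against the interface addresses actually found on each host, flagging dual-homed hosts that span both zones and hosts sitting in no documented zone at all. Zone ranges, host names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample data: zones as written in the vessel's network documentation,
# and the interface addresses actually found on each host during the survey.
ZONES = {
    "IT": ["10.10.0.0/16"],
    "OT": ["192.168.100.0/24", "192.168.101.0/24"],
}

INVENTORY = {
    "data-historian": ["10.10.5.20", "192.168.100.5"],   # HMI on IT, collector on OT
    "vdr-01": ["192.168.101.7", "10.10.8.30"],           # voyage data recorder
    "bridge-ecdis": ["192.168.100.11"],
    "hotel-booking": ["10.10.1.15"],
    "crew-pc-07": ["10.10.200.2", "192.168.100.200"],    # second NIC added after delivery
    "unknown-box": ["172.16.0.9"],                       # appears in no documented zone
}


def zone_of(addr, zones):
    """Return the documented zone containing addr, or 'UNDOCUMENTED'."""
    ip = ipaddress.ip_address(addr)
    for name, cidrs in zones.items():
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return name
    return "UNDOCUMENTED"


def find_bridges(inventory, zones):
    """Hosts with interfaces in two or more documented zones: each one is a path
    across the supposed air gap, whether installed deliberately or not."""
    bridges = {}
    for host, addrs in inventory.items():
        seen = sorted({zone_of(a, zones) for a in addrs} - {"UNDOCUMENTED"})
        if len(seen) > 1:
            bridges[host] = seen
    return bridges


def find_undocumented(inventory, zones):
    """Hosts with any address outside the documented zones: the drawings and the
    ship have drifted apart and need reconciling before the zoning can be trusted."""
    return sorted(h for h, addrs in inventory.items()
                  if any(zone_of(a, zones) == "UNDOCUMENTED" for a in addrs))


if __name__ == "__main__":
    for host, zs in find_bridges(INVENTORY, ZONES).items():
        print(f"BRIDGE       {host}: {' <-> '.join(zs)}")
    for host in find_undocumented(INVENTORY, ZONES):
        print(f"UNDOCUMENTED {host}")
```

In practice the inventory would come from switch MAC/ARP tables or an authenticated host survey rather than a hand-typed dict; the point is that the zoning is only as real as the reconciled inventory says it is.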